Skip to content

[RFC-0010] Add multi-tenancy lockdown for decryption and kubeconfig #1495

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 17, 2025
Merged

[RFC-0010] Add multi-tenancy lockdown for decryption and kubeconfig #1495

merged 1 commit into from
Aug 17, 2025

Conversation

@cappyzawa
Copy link
Member

@cappyzawa cappyzawa commented Aug 16, 2025

matheuscscp
matheuscscp reviewed Aug 16, 2025
View reviewed changes
Copy link
Member

@matheuscscp matheuscscp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👌

@matheuscscp
Copy link
Member

matheuscscp commented Aug 16, 2025

Please bump also fluxcd/pkg/runtime 🙏

@matheuscscp matheuscscp mentioned this pull request Aug 16, 2025
Closed
71 tasks
@cappyzawa cappyzawa force-pushed the rfc-0010-multi-tenancy-lockdown branch 2 times, most recently from 32ee08f to 4ab943a Compare August 17, 2025 07:09
matheuscscp
matheuscscp approved these changes Aug 17, 2025
View reviewed changes
Copy link
Member

@matheuscscp matheuscscp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🚀

One last nit

@cappyzawa cappyzawa force-pushed the rfc-0010-multi-tenancy-lockdown branch from 4ab943a to bddf652 Compare August 17, 2025 08:06
@cappyzawa
[RFC-0010] Add multi-tenancy lockdown for decryption and kubeconfig
c5f0efd 
Adds two new controller flags to enforce ServiceAccount usage in
multi-tenant clusters where administrators need to lock down workload
identity access:

- --default-decryption-service-account
- --default-kubeconfig-service-account

These flags complement the existing --default-service-account flag to
provide complete multi-tenancy lockdown coverage for all three classes
of ServiceAccount fields in the Kustomization API.

Signed-off-by: cappyzawa <[email protected]>
@cappyzawa cappyzawa force-pushed the rfc-0010-multi-tenancy-lockdown branch from bddf652 to c5f0efd Compare August 17, 2025 08:11
@matheuscscp matheuscscp merged commit e7aaaf2 into fluxcd:main Aug 17, 2025
5 checks passed
@matheuscscp matheuscscp mentioned this pull request Aug 17, 2025
Closed
@cappyzawa cappyzawa mentioned this pull request Aug 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matheuscscp matheuscscp matheuscscp approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cappyzawa @matheuscscp