-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow Shared Namespace Ownership for Projects #1654
Comments
@isugimpy thanks for the suggestion. I can see how this is a problem for you. The reason for the current behavior is that it is meant to prevent "hijacking" an existing namespace. I'd love if we could do what you're suggesting, but I'm not sure yet how we could mitigate that risk. Happy to hear your thoughts. |
The concern is totally valid! That's actually why I suggested a gate on the CR saying that Project is allowed to share ownership of the namespace, so that it isn't the default, but rather an opt-in behavior. I could also be fine with a label or annotation on the namespace that is a cue to Kargo to accept that shared ownership model. That may actually be safer, because then it's preventing an unprivileged user from doing something like creating a Project that could assume ownership of kube-system or something like that. |
My concern there was that it only prevents an accidental hijacking and not an intentional one.
I quite like this idea. It's actually what we do for Argo CD
Given the revised approach -- we'd absolutely love to have you contribute that! Thank you! |
Opened #1667 with the proposed solution! |
Checklist
kargo version
, if applicable.Proposed Feature
Allow the Project resource to share ownership of a Namespace by appending to the OwnerReferences instead of giving up.
Motivation
As a platform owner, I've already got a managed mechanism for creation of Namespaces. This directly conflicts with the Project implementation in Kargo because Kargo will only adopt a namespace if the OwnerReferences field has no items in it.
Suggested Implementation
Add additional control flow to
kargo/internal/controller/management/projects/projects.go
Lines 240 to 254 in 33247fe
Additional Notes
I'm willing to toss a contribution for this if it'd be accepted. I'll openly admit, I haven't tried Kargo yet, hoping to do so yet this week, but the current behavior is a potential blocker for my organization because we manage namespaces via an in-house controller that maintains ownership.
The text was updated successfully, but these errors were encountered: