This repository has been archived by the owner on Jan 23, 2024. It is now read-only.

Running weaveworks/flux with least privileges


zeeZ/locked-down-flux


This repository is an attempt to lock down weaveworks/flux as much as possible without causing error messages from Flux.

flux-system/ contains a Flux deployment that is limited to resources in the helloworld namespace.

helloworld-rbac/ contains the namespace and minimum Role and RoleBinding necessary to give Flux access to manage the simple hello world service defined in helloworld-flux/.

Setup

Deploy Flux to the cluster:

kubectl apply -f flux-system -f helloworld-rbac

This will create two namespaces:

  • flux-system, with deployments for memcached and Flux, where Flux is limited to the other namespace,
  • helloworld, which contains a Role giving Flux the permissions required to manage our hello world service.

Point fluxctl at our Flux instance and print the SSH key:

export FLUX_FORWARD_NAMESPACE=flux-system
export FLUX_FORWARD_LABELS="app=flux,component=weave-flux"

fluxctl identity

Flux should now be able to manage just our hello world service without reporting any errors.
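
One way to confirm the restriction after the setup above, as an added example that is not part of this repository: ask the API server what the Flux service account may do in the managed namespace and in namespaces it should not touch. The service account name (`flux` in `flux-system`), the probed verbs and resources, and the extra namespaces `default` and `kube-system` are assumptions; the caller must be allowed to impersonate service accounts.

```shell
#!/bin/sh
# Added example (not from the repository): check that the Flux service account
# has no rights outside the one namespace it is supposed to manage.
# Assumptions: service account "flux" in flux-system; the probes are samples.
SA="${SA:-system:serviceaccount:flux-system:flux}"
PROBES="${PROBES:-get:deployments update:deployments list:secrets create:pods}"

# ask VERB RESOURCE NAMESPACE -> prints the API server's answer ("yes" or "no...")
# Uses impersonation (--as), so run it with credentials that may impersonate.
ask() {
  kubectl auth can-i "$1" "$2" --as="$SA" -n "$3" 2>/dev/null || true
}

# audit_scope MANAGED_NS OTHER_NS...
# Returns 0 if nothing is allowed outside MANAGED_NS, 1 on excess rights,
# 2 if a probe got no answer (kubectl missing, cluster unreachable).
audit_scope() {
  managed=$1; shift
  status=0
  for ns in "$managed" "$@"; do
    for probe in $PROBES; do
      verb=${probe%%:*}; res=${probe#*:}
      answer=$(ask "$verb" "$res" "$ns")
      case "$answer" in
        yes) if [ "$ns" = "$managed" ]; then
               echo "ok        $ns: $verb $res allowed"
             else
               echo "VIOLATION $ns: $verb $res allowed"; status=1
             fi ;;
        no*) echo "ok        $ns: $verb $res denied" ;;
        *)   echo "ERROR     $ns: no answer for $verb $res" >&2; return 2 ;;
      esac
    done
  done
  return "$status"
}

# Example invocation: ./audit.sh helloworld default kube-system
if [ $# -gt 0 ]; then audit_scope "$@"; fi
```

A probe that gets no answer is reported as an error rather than as "denied", so an unreachable cluster cannot pass the audit.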
