Cloud Native Rejekts EU (Valencia) 2022

Leigh Capili

Leigh is an empathetic speaker and developer with niches in cloud-native systems and security.
He has a background in building software to manage infrastructure.

Leigh contributes to Kubernetes and Flux and is frequently working on his next software demo.
He also co-maintains Ignite, the microVM manager with Docker UX. (https://ignite.rtfd.io/)

Leigh works with the VMware Tanzu Advocacy team and previously built Developer Experience and Platform with Weaveworks, Beatport, AT&T, and DIRECTV.

Leigh and his wife enjoy snowboarding and have a 60lb dog named Pepsi.


Sessions

05-15
12:15
30min
User Impersonation is the Key to Multi-Tenant APIs on Kubernetes
Leigh Capili

Kubernetes is hard to operate in a multi-tenant manner.
As organizations add APIs and privileged controllers to their clusters, it becomes infeasible to build
clusters that teams can share safely with each other.
This is a design issue with the way projects extend Kubernetes.

While policy engines like Gatekeeper and Kyverno enable cluster owners to patch over insecure API
surfaces to protect tenants, there are patterns that produce APIs resistant to cross-tenant issues.
It's possible to extend Kubernetes without relying on admission-based policy engines to restrict API
boundaries and controller implementations.

This session will cover the new strategies being used in Flux 2's APIs and controllers that allow for
multiple organizations and teams to work safely together.
Come learn how RBAC, Impersonation, and kubeConfig Secrets allow Flux to safely compose objects
across Namespaces and Clusters!
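The pattern the abstract names, written out as an added configuration example (not material from the talk or from the Flux project itself): a tenant gets a ServiceAccount with Namespace-scoped RBAC, and the Flux Kustomization reconciles under that identity via `spec.serviceAccountName`, so the controller's own cluster-admin credentials are never used on the tenant's behalf. A second Kustomization shows the `spec.kubeConfig` Secret form for a remote cluster. Field names are the real Flux Kustomization API fields; the Namespace, repository, ServiceAccount and Secret names are constructed for illustration.

```yaml
# Added example, not the project's own manifests. Names such as team-a,
# app-repo, team-a-reconciler and staging-kubeconfig are constructed.
---
# 1. The tenant's identity: a ServiceAccount in the tenant's own Namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a-reconciler
  namespace: team-a
---
# 2. Least privilege: what the tenant is allowed to manage, scoped to its
#    Namespace by using a Role (not a ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-deployer
  namespace: team-a
rules:
  - apiGroups: ["", "apps"]
    resources: ["deployments", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-deployer
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: team-a-reconciler
    namespace: team-a
roleRef:
  kind: Role
  name: team-a-deployer
  apiGroup: rbac.authorization.k8s.io
---
# 3. Hardened Kustomization: kustomize-controller impersonates the tenant's
#    ServiceAccount when applying, so anything outside team-a is denied by RBAC.
#    Without serviceAccountName (the weak form), the apply would run with the
#    controller's own cluster-wide permissions, unless the cluster owner has
#    pinned a default with --default-service-account on the controller.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: team-a-app
  namespace: team-a
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: app-repo          # must live in team-a when --no-cross-namespace-refs=true
  path: ./deploy
  prune: true
  serviceAccountName: team-a-reconciler
  targetNamespace: team-a
---
# 4. Remote cluster: the credential is a kubeconfig stored in a Secret. Flux
#    reads the kubeconfig from the key "value" (or "value.yaml"). Whatever
#    user that kubeconfig carries is the identity used on the remote cluster,
#    so it should be scoped on that cluster the same way the Role above is here.
apiVersion: v1
kind: Secret
metadata:
  name: staging-kubeconfig
  namespace: team-a
type: Opaque
stringData:
  value: |
    # <kubeconfig for the staging cluster, placeholder>
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: team-a-app-staging
  namespace: team-a
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: app-repo
  path: ./deploy/staging
  prune: true
  kubeConfig:
    secretRef:
      name: staging-kubeconfig
```

Two cluster-owner settings complete the picture: running kustomize-controller and helm-controller with `--no-cross-namespace-refs=true` stops a tenant's Kustomization from referencing a Source in another Namespace, and `--default-service-account` ensures a Kustomization that omits `serviceAccountName` still does not inherit the controller's privileges. Neither flag replaces the Role above; they close the gaps a tenant would otherwise have if a field were left out.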

Main Room