Projects

There is an application running in a Kubernetes cluster. Goal is to protect this application from any modifications, except if those modifications are coming from predefined actor. Setup Requirements To start let’s set up the Kind cluster and Klock. I assume you already have installed Kind. Now let’s create a cluster and install all requirements: Create cluster: kind create cluster Install cert-manager: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.yaml Install Klock : helm repo add rnemet https://rnemet.dev/helm-charts helm repo update helm install klock rnemet/klock Setup Scenario My application has one Pod and one ConfigMap. By default the Klock supports locking Deployments, Pods, Secrets, and ConfigMaps. So, I’m covered there. ...

Problem In an event-driven system like Kubernetes, access to a resource can be restricted with RBAC. RBAC is not designed to execute a mandatory or exclusive lock on a particular resource. It is not impossible, but I found it complicated and error-prone. Sometimes I want: The CronJob named daily-report is constant. No one can DELETE or UPDATE it. A workload payroll can be modified only by the actor with UID aa-dd-f445-d-55-d and no one else. All resources with the label site: for-fun can be updated, but not deleted. Solution Using RBAC is possible to partially meet requirements, but still when working in teams messing with operators, different automation tools, etc… Always something can go wrong. ...