
Allowing multiple service accounts to act as owner of a Tenant #1578

@Svarrogh1337


Discussed in #1311

Originally posted by KristianTrifork January 14, 2025
Hello Capsule!

A colleague and I have been talking to the awesome people at Capsule on Slack about a challenge we encountered when implementing multi-tenancy using Flux.

Context

We have a tenant called "demo-tenant". We follow Capsule's guide, bootstrap a namespace and create a ServiceAccount as the owner.

apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: demo-tenant
spec:
  owners:
    - name: system:serviceaccount:demo-tenant-bootstrap:tenant-gitops
      kind: ServiceAccount
      clusterRoles:
        - cluster-admin
  additionalRoleBindings:
    - clusterRoleName: cluster-admin
      subjects:
        - name: tenant-gitops
          kind: ServiceAccount

We add the service account to our HelmRelease:

manager.capsuleUserGroups:
  - system:serviceaccounts:demo-tenant-bootstrap

The Tenant creates their new namespace:

---
apiVersion: v1
kind: Namespace
metadata:
  name: demo-tenant-default

Now the Tenant deploys a HelmRelease which creates new namespaces.

The Tenant is required to do two things:

  • Supply a service account in the HelmRelease manifest, under spec.serviceAccountName.
  • The service account has to be in the same namespace as the HelmRelease.

We make sure each namespace in the Tenant has a service account called tenant-gitops by using a GlobalTenantResource.

apiVersion: capsule.clastix.io/v1beta2
kind: GlobalTenantResource
metadata:
  name: tenant-base-resources
spec:
  resources:
    - namespaceSelector:
        matchExpressions:
          - key: capsule.clastix.io/tenant
            operator: Exists
      rawItems:
        - apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: tenant-gitops
  resyncPeriod: 60s

This service account, system:serviceaccount:demo-tenant-default:tenant-gitops, is not a Tenant owner and is not part of capsuleUserGroups, so it is not allowed to create the namespace.

Feature request

This could be done in tenant.spec.additionalRoleBindings[index].actAsOwner. This would allow us to make all tenant-gitops service accounts tenant owners dynamically.

This would allow the Tenant to deploy a HelmRelease in any namespace in the Tenant, and create new namespaces from that HelmRelease.

This would also be GitOps compliant as we don't rely on mutating manifests after deployment.

We would love to hear your input on this feature!
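To make the failure in the post concrete, here is an added example (not Capsule's own code and not from the issue author) that models the two conditions the post names for a namespace create to succeed: the requester must match an entry in tenant.spec.owners, and its groups must intersect manager.capsuleUserGroups. The ServiceAccount username and group conventions (system:serviceaccount:<ns>:<name>, system:serviceaccounts:<ns>) are standard Kubernetes authentication facts; everything about an actAsOwner flag is the post's proposal, encoded here as an assumption about how such a flag might expand the owner set. The model collapses the Capsule webhook check and cluster RBAC into one yes/no answer, which is a simplification.

```python
"""Who does Capsule treat as a Tenant owner?  Added example, not Capsule's code.

It models only what the post states: a ServiceAccount owner matches when its
username (system:serviceaccount:<ns>:<name>) equals an entry in spec.owners,
and Capsule only governs requesters whose groups intersect
manager.capsuleUserGroups.  The actAsOwner expansion is the post's PROPOSED
behaviour, encoded here as an assumption, not something Capsule does today.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserInfo:
    """Authentication info the API server hands to admission webhooks."""
    username: str
    groups: frozenset


def service_account_user(namespace: str, name: str) -> UserInfo:
    """ServiceAccount tokens always authenticate with this username/group shape."""
    return UserInfo(
        username=f"system:serviceaccount:{namespace}:{name}",
        groups=frozenset({
            "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}",
            "system:authenticated",
        }),
    )


# Constructed from the manifests in the post; only the fields the check uses.
TENANT = {
    "owners": [
        {"kind": "ServiceAccount",
         "name": "system:serviceaccount:demo-tenant-bootstrap:tenant-gitops"},
    ],
    "additionalRoleBindings": [
        {"clusterRoleName": "cluster-admin",
         "subjects": [{"kind": "ServiceAccount", "name": "tenant-gitops"}],
         "actAsOwner": True},  # hypothetical field from the feature request
    ],
}
CAPSULE_USER_GROUPS = frozenset({"system:serviceaccounts:demo-tenant-bootstrap"})


def matches_owner(owner: dict, user: UserInfo) -> bool:
    """User and ServiceAccount owners match on username, Group owners on membership."""
    if owner["kind"] == "Group":
        return owner["name"] in user.groups
    return owner["name"] == user.username


def is_tenant_owner(user: UserInfo, owners: list) -> bool:
    return any(matches_owner(o, user) for o in owners)


def is_capsule_user(user: UserInfo, capsule_user_groups: frozenset) -> bool:
    return bool(user.groups & capsule_user_groups)


def diagnose(user: UserInfo, owners: list, capsule_user_groups: frozenset) -> dict:
    """Both conditions the post names; the create succeeds only if both hold."""
    owner = is_tenant_owner(user, owners)
    capsule_user = is_capsule_user(user, capsule_user_groups)
    return {"owner": owner, "capsule_user": capsule_user,
            "can_create_namespace": owner and capsule_user}


def act_as_owner_expansion(tenant: dict, tenant_namespaces: list) -> list:
    """ASSUMED semantics of the proposed actAsOwner flag: each ServiceAccount
    subject of a flagged binding becomes an owner in every tenant namespace."""
    expanded = []
    for binding in tenant["additionalRoleBindings"]:
        if not binding.get("actAsOwner"):
            continue
        for subject in binding["subjects"]:
            if subject["kind"] != "ServiceAccount":
                expanded.append(dict(subject))  # User/Group need no per-namespace copy
                continue
            for ns in tenant_namespaces:
                expanded.append({"kind": "ServiceAccount",
                                 "name": f"system:serviceaccount:{ns}:{subject['name']}"})
    return expanded


if __name__ == "__main__":
    namespaces = ["demo-tenant-bootstrap", "demo-tenant-default"]
    bootstrap = service_account_user("demo-tenant-bootstrap", "tenant-gitops")
    default = service_account_user("demo-tenant-default", "tenant-gitops")
    print("today, bootstrap SA:", diagnose(bootstrap, TENANT["owners"], CAPSULE_USER_GROUPS))
    print("today, default SA:  ", diagnose(default, TENANT["owners"], CAPSULE_USER_GROUPS))
    owners = TENANT["owners"] + act_as_owner_expansion(TENANT, namespaces)
    print("with actAsOwner, default SA:", diagnose(default, owners, CAPSULE_USER_GROUPS))
```

Running it reproduces the post's situation: the bootstrap ServiceAccount passes both checks, the one replicated into demo-tenant-default by the GlobalTenantResource passes neither. Under the assumed actAsOwner expansion it becomes an owner, but with capsuleUserGroups as configured in the post it still carries no matching group, so whoever implements the feature also has to decide whether owners promoted this way are matched by group (for example via system:serviceaccounts or a per-namespace group) or are exempt from that list; the post does not say.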

Labels: enhancement (New feature or request)
