Weaveworks, profile picture
Uploaded byWeaveworks
PDF, PPTX209 views

Implementing Flux for Scale with Soft Multi-tenancy

The document presents an overview of Flux, a GitOps tool for Kubernetes that facilitates continuous delivery and infrastructure management through declarative configurations. It highlights the benefits of using Flux, including stronger security, increased productivity, and multi-tenancy capabilities, as well as best practices for achieving tenant isolation. Additionally, it provides resources for further exploration of Flux and its multi-cluster setup.

Software
In this document
Powered by AI

Introduction to implementing Flux for scalability, explaining GitOps as a model for continuous delivery.

Highlights the advantages of GitOps like stronger security, productivity, and stability.

Defines Flux as a Git-centric package manager for apps, and its benefits for Kubernetes.

Overview of Flux's architecture, including controllers for managing Kubernetes resources.

Describes how Flux works with various tools and the reasons developers prefer it.

Explains the concepts of hard and soft multi-tenancy, and best practices for isolation.

Details configurations to enable tenant isolation in Flux for better multi-tenancy.

Provides links to Flux documentation, multi-cluster setup, and other resources for users.

Thanks the audience and concludes the presentation.

Download as PDF, PPTX
1 1 Implementing Flux for Scale with Soft Multi-tenancy Russ Parmer Senior Engineer, Weaveworks Priyanka Ravi Developer Experience Engineer, Weaveworks
2 2 Weaveworks is founded on open source ● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s ● Weave GitOps: A powerful extension & web UI for Flux ● Weave GitOps Terraform Controller: Flux controller for Terraform resources ● GitOps Tools for Flux: VS Code extension weave.works
3 3 ● Operating model for cloud native applications such as Kubernetes ● Utilizes a version controlled system (Commonly Git) as the “single source of truth” ● Enables continuous delivery through automated deployment, monitoring, and management by a version controlled system ● Managing your infrastructure and applications declaratively What is GitOps
Source: GitOps Working Group https://opengitops.dev/
5 5 Individuals, teams, and organizations who implement GitOps experience many benefits, including: ● Stronger Security Guarantees ● Increased Developer & Operational Productivity ● Enhanced Developer Experience ● Improved Stability ● Higher Reliability ● Consistency and Standardization Why GitOps
6 6 ● A git centric package manager for your applications ● A set of continuous and progressive delivery solutions for Kubernetes What is Flux fluxcd.io
7 7 🤝 Flux provides GitOps for both apps and infrastructure 🤖 Just push to Git and Flux does the rest 🔩 Flux works with your existing tools ☸ Flux works with any Kubernetes and all common Kubernetes tooling 🤹Flux does Multi-Tenancy (and “Multi-everything”) 📞 Flux alerts and notifies 👍 Users trust Flux 💖 Flux has a lovely community that is very easy to work with! Flux in Short fluxcd.io
8 8 ● Reduces developer burden ● Extensible ● Comes with out of the box support for Kustomize and Helm ● Designed For Kubernetes Benefits of Flux fluxcd.io
9 9 Overview of Flux Source controller Notification Controller Image Reflector & Automation Controller Flux Flux is a set of Kubernetes Controllers fluxcd.io Terraform Controller Helm Controller Kustomize controller VS Code Extension
10 10 What Flux’s Controllers do Source Controller - Fetch resources and store as artifacts Kustomize Controller - Apply manifests, Run manifest generation using kustomize Helm Controller - Deployment of Helm Charts Notification Controller - Notification Dispatch Image Reflector Controller - Reflects Image metadata for Automation Controller Image Automation Controller - Updates YAML when new container images are available fluxcd.io
11 11 ● Helm ● Kustomize ● Prometheus ● Grafana ● Jenkins ● EKS ● AKS ● GCP Flux Works with Other Tools ● Traefik ● Falco ● GitHub, GitLab, Bitbucket, s3-compatible buckets ● Terraform ● …and more!!! fluxcd.io
12 12 ● Makes life easier ● Multi-tenancy ● DependsOn ● Helm integration ● Notifications and Alerts ● Bootstrap ● Flux CLI Reasons I and Others Love Flux fluxcd.io
13 13 ● There are two different forms of multi-tenancy ○ Hard multi-tenancy ■ Every tenant has their own cluster ○ Soft multi-tenancy ■ A cluster is shared across many different tenants ■ Tenants need to be isolated What is Multi-Tenancy
14 14 ● Multi-tenancy lock down* ○ Ensure relevant controllers have cross namespace references disabled via `--no-cross-namespace-refs=true` ● Resource Isolation ○ Ensure additional Flux instances are deployed when mission critical tenants/workloads must be assured. ● Node Isolation ○ Ensure worker nodes are not being shared across tenants and the Flux components. ● Network Isolation ○ Ensure the Container Network Interface (CNI) being used in the cluster supports Network Policies. Best Practices for Multi-Tenancy
15 15 ● Add `--no-cross-namespace-refs=true` flag ○ Allow Flux to only reconcile Flux resources that exist in the same namespace ● Add `--default-service-account=default` flag ○ Default Kustomization and HelmRelease objects to not use the cluster scoped service account ● Set the flux-system Kustomization resource to use correct service account ○ This still needs cluster level access and should not use the ‘default’ service account Enable Tenant Isolation for Flux
16 Confidential do not distribute 16 Demo Time!
17 17 Next Steps & Resources ● Try it yourself! Flux Docs: fluxcd.io/flux ○ Flux Multi-cluster setup: ■ https://fluxcd.io/flux/get-started/#multi-cluster-setup ■ https://github.com/fluxcd/flux2-kustomize-helm-example ○ Additional Best Practices for Shared Cluster Multi-tenancy: https://fluxcd.io/flux/security/best-practices/#additional-best-practices-for -shared-cluster-multi-tenancy ○ Flux Bootsrap Cheatsheet: https://fluxcd.io/flux/cheatsheets/bootstrap ● Kyverno Docs to Generate Flux Multi-tenant Resources ○ https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/gene rate-flux-multi-tenant-resources/
18 Confidential do not distribute 18 weave.works Thank you

More Related Content

PDF
Intro to GitOps with Weave GitOps, Flagger and Linkerd
byWeaveworks
 
PPTX
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
bySridhar Kumar N
 
PDF
Kubernetes - A Comprehensive Overview
byBob Killen
 
PPTX
CNCF Introduction - Feb 2018
byKrishna-Kumar
 
PPTX
Azure DevOps in Action
byCallon Campbell
 
PDF
Gitops Hands On
byBrice Fernandes
 
PPTX
Docker Swarm for Beginner
byShahzad Masud
 
PDF
Advanced GitHub Enterprise Administration
byLars Schneider
 
Intro to GitOps with Weave GitOps, Flagger and Linkerd
byWeaveworks
 
Prometheus - Intro, CNCF, TSDB,PromQL,Grafana
bySridhar Kumar N
 
Kubernetes - A Comprehensive Overview
byBob Killen
 
CNCF Introduction - Feb 2018
byKrishna-Kumar
 
Azure DevOps in Action
byCallon Campbell
 
Gitops Hands On
byBrice Fernandes
 
Docker Swarm for Beginner
byShahzad Masud
 
Advanced GitHub Enterprise Administration
byLars Schneider
 

What's hot

PDF
Intro to GitOps & Flux.pdf
byWeaveworks
 
PDF
GitOps for Helm Users by Scott Rigby
byWeaveworks
 
PDF
The Power of GitOps with Flux & GitOps Toolkit
byWeaveworks
 
PPTX
Prometheus and Grafana
byLhouceine OUHAMZA
 
PPTX
DevOps Roadmap.pptx
byHARSH MANVAR
 
PPTX
About DevOps in simple steps
byIhor Odynets
 
PDF
Kubernetes
byerialc_w
 
PPSX
Docker Kubernetes Istio
byAraf Karsh Hamid
 
PDF
Infrastructure as Code
byAlbert Suwandhi
 
PPTX
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
bySimplilearn
 
PPTX
Getting Started with Azure Artifacts
byCallon Campbell
 
PDF
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
byWeaveworks
 
PDF
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
PPTX
Kubernetes Basics
byAntonin Stoklasek
 
PDF
Kubernetes Networking
byCJ Cullen
 
PDF
Jenkins Pipeline Tutorial | Continuous Delivery Pipeline Using Jenkins | DevO...
byEdureka!
 
PDF
Application & Account Monitoring in AWS
byBhuvaneswari Subramani
 
PDF
Julien Maitrehenry - Docker, ça mange quoi au printemps
byWeb à Québec
 
PDF
What Is Helm
byAMELIAOLIVIA2
 
PDF
Observability
byMartin Gross
 
Intro to GitOps & Flux.pdf
byWeaveworks
 
GitOps for Helm Users by Scott Rigby
byWeaveworks
 
The Power of GitOps with Flux & GitOps Toolkit
byWeaveworks
 
Prometheus and Grafana
byLhouceine OUHAMZA
 
DevOps Roadmap.pptx
byHARSH MANVAR
 
About DevOps in simple steps
byIhor Odynets
 
Kubernetes
byerialc_w
 
Docker Kubernetes Istio
byAraf Karsh Hamid
 
Infrastructure as Code
byAlbert Suwandhi
 
DevOps Training | DevOps Training Video | DevOps Tools | DevOps Tutorial For ...
bySimplilearn
 
Getting Started with Azure Artifacts
byCallon Campbell
 
SRE and GitOps for Building Robust Kubernetes Platforms.pdf
byWeaveworks
 
OWASP DefectDojo - Open Source Security Sanity
byMatt Tesauro
 
Kubernetes Basics
byAntonin Stoklasek
 
Kubernetes Networking
byCJ Cullen
 
Jenkins Pipeline Tutorial | Continuous Delivery Pipeline Using Jenkins | DevO...
byEdureka!
 
Application & Account Monitoring in AWS
byBhuvaneswari Subramani
 
Julien Maitrehenry - Docker, ça mange quoi au printemps
byWeb à Québec
 
What Is Helm
byAMELIAOLIVIA2
 
Observability
byMartin Gross
 

Similar to Implementing Flux for Scale with Soft Multi-tenancy

PDF
WTF is GitOps and Why You Should Care?
byWeaveworks
 
PDF
KubeCon 2022 EU Flux Security.pdf
byWeaveworks
 
PDF
Get started with gitops and flux
byLibbySchulze1
 
PDF
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
byWeaveworks
 
PDF
Flux is incubating + the road ahead
byLibbySchulze
 
PDF
GitOps & Flux - A Refresher with Priyanka Ravi
byWeaveworks
 
PDF
A GitOps model for High Availability and Disaster Recovery on EKS
byWeaveworks
 
PDF
WTF is GitOps & Why Should You Care?
byAll Things Open
 
PDF
How to manage Kubernetes at scale with just git
byWeaveworks
 
PDF
Rejekts 24 EU No GitOps Pain, No Platform Gain
byŁukasz Piątkowski
 
PDF
Reconcile Terraform Resources the GitOps Way with Priyanka Ravi
byWeaveworks
 
PDF
The Story of Flux Reaching Graduation in the CNCF
byWeaveworks
 
PDF
GitOps (& Flux) for Helm Users with Scott Rigby
byWeaveworks
 
PDF
Get Started with Flux
byWeaveworks
 
PDF
Gérer vos clusters Kubernetes avec Flux 2 et la méthode GitOps
byOpen Source Experience
 
PDF
20221130 - Luxembourg HUG Meetup
byStéphane Este-Gracias
 
PDF
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
byWeaveworks
 
PDF
Flux Security & Scalability using VS Code GitOps Extension
byWeaveworks
 
PDF
Hands-on GitOps Patterns for Helm Users
byWeaveworks
 
PDF
GitOps with Flux - IPC Munich 2022
byRobert Lemke
 
WTF is GitOps and Why You Should Care?
byWeaveworks
 
KubeCon 2022 EU Flux Security.pdf
byWeaveworks
 
Get started with gitops and flux
byLibbySchulze1
 
Setting up Notifications, Alerts & Webhooks with Flux v2 by Alison Dowdney
byWeaveworks
 
Flux is incubating + the road ahead
byLibbySchulze
 
GitOps & Flux - A Refresher with Priyanka Ravi
byWeaveworks
 
A GitOps model for High Availability and Disaster Recovery on EKS
byWeaveworks
 
WTF is GitOps & Why Should You Care?
byAll Things Open
 
How to manage Kubernetes at scale with just git
byWeaveworks
 
Rejekts 24 EU No GitOps Pain, No Platform Gain
byŁukasz Piątkowski
 
Reconcile Terraform Resources the GitOps Way with Priyanka Ravi
byWeaveworks
 
The Story of Flux Reaching Graduation in the CNCF
byWeaveworks
 
GitOps (& Flux) for Helm Users with Scott Rigby
byWeaveworks
 
Get Started with Flux
byWeaveworks
 
Gérer vos clusters Kubernetes avec Flux 2 et la méthode GitOps
byOpen Source Experience
 
20221130 - Luxembourg HUG Meetup
byStéphane Este-Gracias
 
Webinar: Capabilities, Confidence and Community – What Flux GA Means for You
byWeaveworks
 
Flux Security & Scalability using VS Code GitOps Extension
byWeaveworks
 
Hands-on GitOps Patterns for Helm Users
byWeaveworks
 
GitOps with Flux - IPC Munich 2022
byRobert Lemke
 

More from Weaveworks

PDF
GitOps Testing in Kubernetes with Flux and Testkube.pdf
byWeaveworks
 
PDF
Six Signs You Need Platform Engineering
byWeaveworks
 
PDF
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
byWeaveworks
 
PDF
Building internal developer platform with EKS and GitOps
byWeaveworks
 
PDF
Robust Network Security and Observability with GitOps and Cilium
byWeaveworks
 
PDF
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
byWeaveworks
 
PDF
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
byWeaveworks
 
PDF
Weave AI Controllers (Weave GitOps Office Hours)
byWeaveworks
 
PDF
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
byWeaveworks
 
PDF
Flamingo: Expand ArgoCD with Flux (Office Hours)
byWeaveworks
 
PDF
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
byWeaveworks
 
PDF
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
byWeaveworks
 
PDF
Flux Beyond Git Harnessing the Power of OCI
byWeaveworks
 
PDF
Flux’s Security & Scalability with OCI & Helm Slides.pdf
byWeaveworks
 
PDF
DevOps Automation with GitOps: Consistent and Secure End to End Deployments
byWeaveworks
 
PDF
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
byWeaveworks
 
PDF
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
byWeaveworks
 
PDF
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
byWeaveworks
 
PDF
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
byWeaveworks
 
PDF
How to Avoid Kubernetes Multi-tenancy Catastrophes
byWeaveworks
 
GitOps Testing in Kubernetes with Flux and Testkube.pdf
byWeaveworks
 
Six Signs You Need Platform Engineering
byWeaveworks
 
Shift Deployment Security Left with Weave GitOps & Upbound’s Universal Crossp...
byWeaveworks
 
Building internal developer platform with EKS and GitOps
byWeaveworks
 
Robust Network Security and Observability with GitOps and Cilium
byWeaveworks
 
Securing Your App Deployments with Tunnels, OIDC, RBAC, and Progressive Deliv...
byWeaveworks
 
Webinar: End to End Security & Operations with Chainguard and Weave GitOps
byWeaveworks
 
Weave AI Controllers (Weave GitOps Office Hours)
byWeaveworks
 
Automated Provisioning, Management & Cost Control for Kubernetes Clusters
byWeaveworks
 
Flamingo: Expand ArgoCD with Flux (Office Hours)
byWeaveworks
 
Simplifying Hybrid Kubernetes with Weaveworks and EKS.pdf
byWeaveworks
 
Weave GitOps 2022.09 Release: A Fast & Reliable Path to Production with Progr...
byWeaveworks
 
Flux Beyond Git Harnessing the Power of OCI
byWeaveworks
 
Flux’s Security & Scalability with OCI & Helm Slides.pdf
byWeaveworks
 
DevOps Automation with GitOps: Consistent and Secure End to End Deployments
byWeaveworks
 
Deploying Stateful Applications Securely & Confidently with Ondat & Weave GitOps
byWeaveworks
 
Accelerating Hybrid Multistage Delivery with Weave GitOps on EKS
byWeaveworks
 
Building a Security First Approach Across Hybrid Cloud with GitOps and Policy...
byWeaveworks
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
byWeaveworks
 
How to Avoid Kubernetes Multi-tenancy Catastrophes
byWeaveworks
 

Recently uploaded

PPTX
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
PDF
Building production-ready AI Agents with Spring AI and Amazon Bedrock AgentCo...
byVadym Kazulkin
 
PDF
PyData Paris keynote: Big ideas shaping scientific Python: the quest for perf...
byRalf Gommers
 
PDF
Google Developer Groups on Campus CSUEB: Intro to Google Agent Development Kit
byugoti
 
PPTX
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
PPTX
Intoduction_to_Maven best java tool for project management
byparasbramhankar02
 
PDF
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
PDF
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PPTX
PharmaAI techinical architecture and data flows
byiliyapav1999
 
PDF
Everything You Need to Know About Resource-Constrained Scheduling
byOrangescrum
 
PDF
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
PDF
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
PPTX
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
PDF
AstuteAP - AI-enabled Supplier Invoice Processing Automation Tool.pdf
byAstuteBusiness
 
PPTX
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
PDF
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
PDF
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
PPTX
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
PDF
The future of software delivery is agentic
byMaxim Salnikov
 
PPTX
How an AI Chatbot for Mental Health Is Redefining Patient Care and Emotional ...
byMatellio
 
Python_Lecture13_Introduction to PyQt.pptx
byamanaydana
 
Building production-ready AI Agents with Spring AI and Amazon Bedrock AgentCo...
byVadym Kazulkin
 
PyData Paris keynote: Big ideas shaping scientific Python: the quest for perf...
byRalf Gommers
 
Google Developer Groups on Campus CSUEB: Intro to Google Agent Development Kit
byugoti
 
Cache management across scenarios_version5.pptx
bykamarajsindhuja1
 
Intoduction_to_Maven best java tool for project management
byparasbramhankar02
 
Build Vs. Buy: Cloud Cost Management and FinOps
byAmnic
 
Speculative Automated Refactoring of Imperative Deep Learning Programs to Gra...
byRaffi Khatchadourian
 
PharmaAI techinical architecture and data flows
byiliyapav1999
 
Everything You Need to Know About Resource-Constrained Scheduling
byOrangescrum
 
Zoople Technologies: Premier Data Science Institute in Kozhikode
byaromalcsunil761
 
Evolution of Microsoft Project Portfolio Management - What Modern PMOs Are Do...
byOnePlan Solutions
 
How Embedded Analytics Drives SaaS Growth in Fintech.pptx
byVarsha Nayak
 
AstuteAP - AI-enabled Supplier Invoice Processing Automation Tool.pdf
byAstuteBusiness
 
AI in Payroll Automate & Optimize Workforce Management
byMatellio
 
Top 10 Ways AI Can Improve SEO Strategies in 2025.pdf
bybpractseo
 
Simplify Finances with Qandle’s Expense Software.pdf
byQandle
 
EMR software | Best EMR software | EasyClinic
byEasy Clinic
 
The future of software delivery is agentic
byMaxim Salnikov
 
How an AI Chatbot for Mental Health Is Redefining Patient Care and Emotional ...
byMatellio
 

Implementing Flux for Scale with Soft Multi-tenancy

  • 1.
    1 1 Implementing Flux forScale with Soft Multi-tenancy Russ Parmer Senior Engineer, Weaveworks Priyanka Ravi Developer Experience Engineer, Weaveworks
  • 2.
    2 2 Weaveworks is foundedon open source ● Flux & Flagger (CNCF): GitOps and Progressive Delivery for k8s ● Weave GitOps: A powerful extension & web UI for Flux ● Weave GitOps Terraform Controller: Flux controller for Terraform resources ● GitOps Tools for Flux: VS Code extension weave.works
  • 3.
    3 3 ● Operating modelfor cloud native applications such as Kubernetes ● Utilizes a version controlled system (Commonly Git) as the “single source of truth” ● Enables continuous delivery through automated deployment, monitoring, and management by a version controlled system ● Managing your infrastructure and applications declaratively What is GitOps
  • 4.
    Source: GitOps WorkingGroup https://opengitops.dev/
  • 5.
    5 5 Individuals, teams, andorganizations who implement GitOps experience many benefits, including: ● Stronger Security Guarantees ● Increased Developer & Operational Productivity ● Enhanced Developer Experience ● Improved Stability ● Higher Reliability ● Consistency and Standardization Why GitOps
  • 6.
    6 6 ● A gitcentric package manager for your applications ● A set of continuous and progressive delivery solutions for Kubernetes What is Flux fluxcd.io
  • 7.
    7 7 🤝 Flux providesGitOps for both apps and infrastructure 🤖 Just push to Git and Flux does the rest 🔩 Flux works with your existing tools ☸ Flux works with any Kubernetes and all common Kubernetes tooling 🤹Flux does Multi-Tenancy (and “Multi-everything”) 📞 Flux alerts and notifies 👍 Users trust Flux 💖 Flux has a lovely community that is very easy to work with! Flux in Short fluxcd.io
  • 8.
    8 8 ● Reduces developerburden ● Extensible ● Comes with out of the box support for Kustomize and Helm ● Designed For Kubernetes Benefits of Flux fluxcd.io
  • 9.
    9 9 Overview of Flux Source controller Notification Controller ImageReflector & Automation Controller Flux Flux is a set of Kubernetes Controllers fluxcd.io Terraform Controller Helm Controller Kustomize controller VS Code Extension
  • 10.
    10 10 What Flux’s Controllersdo Source Controller - Fetch resources and store as artifacts Kustomize Controller - Apply manifests, Run manifest generation using kustomize Helm Controller - Deployment of Helm Charts Notification Controller - Notification Dispatch Image Reflector Controller - Reflects Image metadata for Automation Controller Image Automation Controller - Updates YAML when new container images are available fluxcd.io
  • 11.
    11 11 ● Helm ● Kustomize ●Prometheus ● Grafana ● Jenkins ● EKS ● AKS ● GCP Flux Works with Other Tools ● Traefik ● Falco ● GitHub, GitLab, Bitbucket, s3-compatible buckets ● Terraform ● …and more!!! fluxcd.io
  • 12.
    12 12 ● Makes lifeeasier ● Multi-tenancy ● DependsOn ● Helm integration ● Notifications and Alerts ● Bootstrap ● Flux CLI Reasons I and Others Love Flux fluxcd.io
  • 13.
    13 13 ● There aretwo different forms of multi-tenancy ○ Hard multi-tenancy ■ Every tenant has their own cluster ○ Soft multi-tenancy ■ A cluster is shared across many different tenants ■ Tenants need to be isolated What is Multi-Tenancy
  • 14.
    14 14 ● Multi-tenancy lockdown* ○ Ensure relevant controllers have cross namespace references disabled via `--no-cross-namespace-refs=true` ● Resource Isolation ○ Ensure additional Flux instances are deployed when mission critical tenants/workloads must be assured. ● Node Isolation ○ Ensure worker nodes are not being shared across tenants and the Flux components. ● Network Isolation ○ Ensure the Container Network Interface (CNI) being used in the cluster supports Network Policies. Best Practices for Multi-Tenancy
  • 15.
    15 15 ● Add `--no-cross-namespace-refs=true` flag ○Allow Flux to only reconcile Flux resources that exist in the same namespace ● Add `--default-service-account=default` flag ○ Default Kustomization and HelmRelease objects to not use the cluster scoped service account ● Set the flux-system Kustomization resource to use correct service account ○ This still needs cluster level access and should not use the ‘default’ service account Enable Tenant Isolation for Flux
  • 16.
    16 Confidential do notdistribute 16 Demo Time!
  • 17.
    17 17 Next Steps &Resources ● Try it yourself! Flux Docs: fluxcd.io/flux ○ Flux Multi-cluster setup: ■ https://fluxcd.io/flux/get-started/#multi-cluster-setup ■ https://github.com/fluxcd/flux2-kustomize-helm-example ○ Additional Best Practices for Shared Cluster Multi-tenancy: https://fluxcd.io/flux/security/best-practices/#additional-best-practices-for -shared-cluster-multi-tenancy ○ Flux Bootsrap Cheatsheet: https://fluxcd.io/flux/cheatsheets/bootstrap ● Kyverno Docs to Generate Flux Multi-tenant Resources ○ https://kyverno.io/policies/flux/generate-flux-multi-tenant-resources/gene rate-flux-multi-tenant-resources/
  • 18.
    18 Confidential do notdistribute 18 weave.works Thank you