Skip to content

Clarify whether CRDs are cluster scoped in multitenancy page #48156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Clarify whether CRDs are cluster scoped in multitenancy page #48156

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
2b69bae
Multi-tenancy Doc
aryasoni98 Oct 1, 2024
2903146
Update multi-tenancy file
aryasoni98 Oct 2, 2024
5e3948f
Update custom-resource-definition-versioning file
aryasoni98 Oct 3, 2024
4f420f5
Clarify whether CRDs are cluster scoped in multitenancy page
aryasoni98 Oct 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions content/en/docs/concepts/security/multi-tenancy.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -422,8 +422,9 @@ Priority and Fairness, is also recommended.

Namespace isolation is well-supported by Kubernetes, has a negligible resource cost, and provides
mechanisms to allow tenants to interact appropriately, such as by allowing service-to-service
communication. However, it can be difficult to configure, and doesn't apply to Kubernetes
resources that can't be namespaced, such as Custom Resource Definitions, Storage Classes, and Webhooks.
communication. However, it can be difficult to configure, and it doesn't apply to Kubernetes resources
that aren't namespaced, such as APIServices, StorageClasses, ClusterTrustBundles.
Note that CustomResourceDefinitions (CRDs) are cluster scoped, though the custom resources they define can be namespaced.

Control plane virtualization allows for isolation of non-namespaced resources at the cost of
somewhat higher resource usage and more difficult cross-tenant sharing. It is a good option when
Expand Down
5 changes: 4 additions & 1 deletion ...sks/extend-kubernetes/custom-resources/custom-resource-definition-versioning.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -563,12 +563,15 @@ spec:
conversion:
# the Webhook strategy instructs the API server to call an external webhook for any conversion between custom resources.
strategy: Webhook
# Ensuring compatibility with v1 and v1beta1
conversionReviewVersions: ["v1", "v1beta1"]
# webhookClientConfig is required when strategy is `Webhook` and it configures the webhook endpoint to be called by API server.
webhookClientConfig:
service:
namespace: default
name: example-conversion-webhook-server
path: /crdconvert
# Optionally configure mutual TLS authentication here
caBundle: "Ci0tLS0tQk...<base64-encoded PEM bundle>...tLS0K"
# either Namespaced or Cluster
scope: Namespaced
Expand Down Expand Up @@ -979,7 +982,7 @@ If conversion fails, a webhook should return a `response` stanza containing the

{{< warning >}}
Failing conversion can disrupt read and write access to the custom resources,
including the ability to update or delete the resources. Conversion failures
including the ability to update or delete the resources. Conversion failures
should be avoided whenever possible, and should not be used to enforce validation
constraints (use validation schemas or webhook admission instead).
{{< /warning >}}
Expand Down