[ETCD CMR - RFE] Enable RBAC on ETCD and enforce etcd to create a role per application

Bug #1864470 reported by Pedro Guimarães
This bug affects 2 people
Affects: Etcd Charm
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

Sharing an ETCD cluster with multiple applications can cause conflicts if they try to access the same file on the cluster. That is especially complicated if the ETCD cluster is shared across multiple applications of the same charm (e.g. LP #1864468 and multiple calico deployments).

An alternative for that is to enable RBAC and ensure that each application will get its own namespace within ETCD, separated by model and application names.

Every new connection on ETCD "db" interface should render a new space on ETCD reserved for that application.
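
The per-application namespace proposed in the description above, sketched as an added example (not code from the etcd charm or from the reporter). It assumes a key layout of `/<model>/<application>/` and a hypothetical role name `<model>.<application>`, and shows why the prefix needs its trailing slash under etcd v3's range-based permissions.

```python
import re

# Assumption: Juju-style names (lowercase letters, digits, hyphens).
NAME = re.compile(r"[a-z0-9-]+")


def app_prefix(model, application):
    """Key prefix for one application; assumed layout /<model>/<application>/."""
    for part in (model, application):
        if not NAME.fullmatch(part):
            raise ValueError(f"invalid name component: {part!r}")
    return f"/{model}/{application}/".encode()  # trailing '/' is deliberate


def prefix_range_end(prefix):
    """End of the half-open range [prefix, end) etcd v3 derives for a prefix."""
    end = bytearray(prefix)
    while end:
        if end[-1] < 0xFF:
            end[-1] += 1
            return bytes(end)
        end.pop()  # 0xff cannot be incremented: drop it and carry left
    return b"\x00"  # etcd's marker for "no upper bound"


def permits(prefix, key):
    """True if a prefix permission granted on `prefix` covers `key`."""
    end = prefix_range_end(prefix)
    return prefix <= key and (end == b"\x00" or key < end)


def rbac_commands(model, application):
    """etcdctl (v3 API) commands for one role and user per application."""
    prefix = app_prefix(model, application).decode()
    name = f"{model}.{application}"  # hypothetical naming; '.' avoids a-b/c vs a/b-c clashes
    return [
        f"etcdctl role add {name}",
        f"etcdctl role grant-permission --prefix=true {name} readwrite {prefix}",
        f"etcdctl user add {name}",
        f"etcdctl user grant-role {name} {name}",
    ]


if __name__ == "__main__":
    # Constructed sample: two calico applications sharing one model.
    mine = app_prefix("k8s", "calico")
    print(permits(mine, b"/k8s/calico/ipam/block-1"))        # own key
    print(permits(mine, b"/k8s/calico2/ipam/block-1"))       # sibling application
    print(permits(b"/k8s/calico", b"/k8s/calico2/ipam/x"))   # prefix without '/'
    print("\n".join(rbac_commands("k8s", "calico")))
```

The generated commands only take effect once a `root` user exists and `etcdctl auth enable` has been run on the cluster.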

George Kraft (cynerva) wrote :

I'm not convinced this is the right way forward. Calico requires all nodes to be able to share information through etcd. If they're connected to different etcd clusters, or a single etcd with namespaced data, then the nodes won't know about each other. They will essentially be isolated networks.

I think the correct approach, if possible, is to fix the conflicts you're seeing when using a shared ETCD. What conflicts are you seeing?

Changed in charm-etcd:
status: New → Incomplete