This section documents the components of the Signadot Operator, describing what each one does and how it uses the permissions it requests.
The roles specified below are cluster-wide unless stated otherwise. Sandboxes can be created to test different versions of Kubernetes workloads that are running in different namespaces within a Kubernetes cluster. When a Sandbox is created, it forks a specified "baseline" workload and creates a modified version for testing in the same namespace. Creating the fork in the same namespace is required so that it can function correctly by attaching the same Secrets and ConfigMaps as the baseline workload.
The Agent component connects to the Signadot control plane and is responsible for creating an encrypted tunnel between the control plane and your cluster. It enables the creation and management of Sandboxes.

| Resources | Access | Purpose |
|---|---|---|
| SignadotSandboxes, SignadotRoutes | read / write | Used to declaratively specify Signadot Sandboxes and Routing for those Sandboxes. |
| Pods, Pods/log, Services | read | Monitoring and reporting status of pods / services that belong within a Sandbox. |
| ConfigMaps | read | Used to enable users to read ConfigMaps associated with workloads running within a Sandbox via the Signadot Dashboard. |
| Namespaces | read | Used to obtain a list of namespaces to present options when creating Sandboxes via the Dashboard. |
| Events | read / write | Used to create Kubernetes events for reporting status from the Signadot operator. |
| Deployments, ReplicaSets, Argo Rollouts | read | Reporting runtime information of workloads running within each Sandbox. |

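
One way to check an installed role against the Agent table above: the added example below (not Signadot's own code) flags any grant that exceeds the documented access. The verb sets behind "read" and "read / write", the lowercase resource spellings, and the sample rules are assumptions constructed for illustration; API groups are ignored for brevity.

```python
"""Audit RBAC rules against the Agent access levels documented on this page."""

# Assumption: "read" means these verbs; "read / write" adds the mutating ones.
READ = {"get", "list", "watch"}
WRITE = READ | {"create", "update", "patch", "delete", "deletecollection"}

# Documented Agent access, keyed by lowercase plural resource name
# (assumed spellings of the resources named in the table).
AGENT_DOCUMENTED = {
    "signadotsandboxes": WRITE, "signadotroutes": WRITE,
    "pods": READ, "pods/log": READ, "services": READ,
    "configmaps": READ, "namespaces": READ,
    "events": WRITE,
    "deployments": READ, "replicasets": READ, "rollouts": READ,
}

def audit(rules, documented):
    """Return sorted (resource, verb) pairs granted beyond the documented table."""
    excess = set()
    for rule in rules:
        for resource in rule.get("resources", []):
            # Resources absent from the table have no allowed verbs at all.
            allowed = documented.get(resource, set())
            for verb in rule.get("verbs", []):
                # Wildcards always exceed an explicit allow-list.
                if verb == "*" or resource == "*" or verb not in allowed:
                    excess.add((resource, verb))
    return sorted(excess)

# Constructed sample shaped like the "rules" array of a ClusterRole as
# returned by `kubectl get clusterrole <name> -o json`; not real Signadot output.
SAMPLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "update"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
]

if __name__ == "__main__":
    for resource, verb in audit(SAMPLE_RULES, AGENT_DOCUMENTED):
        print(f"undocumented grant: {verb} on {resource}")
```

The same function can be pointed at the Route Server or Controller Manager by building a second dictionary from their tables.
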
The Route Server component is responsible for serving specific routes corresponding to a particular Sandbox. These routes ensure that requests intended for a particular Sandbox reach it correctly.

| Resources | Access | Purpose |
|---|---|---|
| SignadotRoutes | read | The route server reads from instances of the SignadotRoute CRD to determine valid Sandbox routes. |

The Controller Manager component is responsible for setting up all resources associated with a Sandbox. This includes forking a workload (Deployment, Argo Rollout, etc.), setting up a SignadotRoute and a Kubernetes Service, and running any additional provisioning logic required per Sandbox.

| Resources | Access | Purpose |
|---|---|---|
| SignadotSandboxes, SignadotRoutes, SignadotResources | read / write | CRD objects created and managed by Signadot that contain declarative specifications of Sandboxes, Routes and Resources associated with them. |
| Deployments, ReplicaSets, Argo Rollouts, Istio VirtualServices, Jobs, ConfigMaps, Services | read / write | Used to create and manage workloads associated with Sandboxes. Note that resources not associated with a Sandbox are never modified by the controller-manager. |
| Signadot Mutating Webhook Configuration | read / write | Used to manage the Signadot mutating webhook that is used to dynamically inject routing sidecars to enable dynamic routing. |