Write Permissions
Using the Write Permissions section, operators can limit write operations for a given Tenant Control Plane, where no further write actions can be made by its tenants.
This feature ensures consistency during maintenance, migrations, incident recovery, quote enforcement, or when freezing workloads for auditing and compliance purposes.
Write Operations can limit the following actions:
- Create
- Update
- Delete
By default, all write operations are allowed.
Enabling a Read-Only mode
You can enable ReadOnly mode by setting all the boolean fields of TenantControlPlane.spec.writePermissions
to true
.
apiVersion: kamaji.clastix.io/v1alpha1
kind: TenantControlPlane
metadata:
name: my-control-plane
spec:
writePermissions:
blockCreate: true
blockUpdate: true
blockDelete: true
Once applied, the Tenant Control Plane will switch into WriteLimited
status.
Enforcing a quota mode
If your Tenant Control Plane has a Datastore quota, this feature allows freezing write and update operations, but still allowing its tenants to perform a clean-up by deleting exceeding resources.
apiVersion: kamaji.clastix.io/v1alpha1
kind: TenantControlPlane
metadata:
name: my-control-plane
spec:
writePermissions:
blockCreate: true
blockUpdate: true
blockDelete: false
Datastore quota
Kamaji does not enforce storage quota for a given Tenant Control Plane: you have to implement it according to your business logic.
Monitoring the status
You can verify the status of your Tenant Control Plane with kubectl get tcp
:
$: kubectl get tcp k8s-133
NAME VERSION INSTALLED VERSION STATUS CONTROL-PLANE ENDPOINT KUBECONFIG DATASTORE AGE
k8s-133 v1.33.0 v1.33.0 WriteLimited 172.18.255.100:6443 k8s-133-admin-kubeconfig default 50d
The STATUS
field will display WriteLimited
when write permissions are limited.
How it works
When a Tenant Control Plane write status is limited, Kamaji creates a ValidatingWebhookConfiguration
in the Tenant Cluster:
$: kubectl get validatingwebhookconfigurations
NAME WEBHOOKS AGE
kamaji-write-permissions 2 59m
The webhook intercepts all API requests to the Tenant Control Plane and programmatically denies any attempts to modify resources.
As a result, all changes initiated by tenants (such as kubectl apply
, kubectl delete
, or CRD updates) could be blocked.
Operators and Controller
When the write status is limited, all actions are intercepted by the webhook. If a Pod must be rescheduled, the webhook will deny it.
Behaviour with limited write operations
If a tenant user tries to perform non-allowed write operations, such as:
- creating resources when
TenantControlPlane.spec.writePermissions.blockCreate
is set totrue
- updating resources when
TenantControlPlane.spec.writePermissions.blockUpdate
is set totrue
- deleting resources when
TenantControlPlane.spec.writePermissions.blockDelete
is set totrue
the following error is returned:
Error from server (Forbidden): admission webhook "catchall.write-permissions.kamaji.clastix.io" denied the request:
the current Control Plane has limited write permissions, current changes are blocked:
removing the webhook may lead to an inconsistent state upon its completion
This guarantees the cluster remains in a frozen, consistent state, preventing partial updates or drift.
Use Cases
Typical scenarios where ReadOnly mode is useful:
- Planned Maintenance: freeze workloads before performing upgrades or infrastructure changes.
- Disaster Recovery: lock the Tenant Control Plane to prevent accidental modifications during incident handling.
- Auditing & Compliance: ensure workloads cannot be altered during a compliance check or certification process.
- Quota Enforcement: preventing Datastore quote over commit in terms of storage size.
Migrating the DataStore
In a similar manner, when migrating a Tenant Control Plane to a different store, similar enforcement is put in place. This is managed automatically by Kamaji: there's no need to toggle on and off the ReadOnly mode.