Explain how the proposed solution compares to alternatives

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
fluxcd · Jan 14, 2022 · c08ef5c · c08ef5c
1 parent fb306d5
commit c08ef5c
Showing 1 changed file with 26 additions and 5 deletions.
diff --git a/rfcs/0002-source-acl/README.md b/rfcs/0002-source-acl/README.md
@@ -146,19 +146,40 @@ spec:
 
 ### Alternatives
 
+#### Admission controllers
+
 An alternative solution to source ACLs is showcased in the current multi-tenancy example, where an
 admission controller such as Kyverno or OPA Gatekeeper is used to block cross-namespace access to sources.
 
+The current proposal offers the same feature but without the need to manage yet another controller to guard
+sources.
+
+#### Kubernetes RBAC
+
 Another alternative is to rely on impersonation and create a `ClusterRoleBinding` per named source and tenant account
 as described in [fluxcd/flux2#582](https://github.com/fluxcd/flux2/pull/582). 
 
-Yes another alternative is to introduce a new API kind `SourceReflection` as described in
+The current proposal is more flexible than RBAC and implies less work for Flux users. ALCs act more like
+Kubernetes Network Policies where access is define based on labels, with RBAC every time a namespace is added,
+the platform admins have to create new RBAC rules to target that namespace.
+
+#### Source reflection CRD
+
+Yet another alternative is to introduce a new API kind `SourceReflection` as described in
 [fluxcd/flux2#582-821027543](https://github.com/fluxcd/flux2/pull/582#issuecomment-821027543).
 
-And finally, this is more of an improvement of the current proposal, is for source-controller to compile the ACLs
-to Kubernetes RBAC and dynamically create `ClusterRoleBindings` for all tenants accounts
-every time a source or namespace changes as described in
-[fluxcd/flux2#582-821388906](https://github.com/fluxcd/flux2/pull/582#issuecomment-821388906).
+The current proposal allows the owner to define the access control list on the source object, instead
+of creating objects in namespaces where it has no control over.
+
+#### Remove cross-namespace refs
+
+An alternative is to simply remove cross-namespace references from the Flux API.
+
+This would break with current behavior, and users would have to make substantial changes to their
+repository structure and workflow. In cases where e.g. a resource is common (across many namespaces),
+this would mean the source-controller would use way more memory and network bandwidth that grows with
+each namespace that uses the same Git or Helm repository due to the requirement of having to duplicate
+"common" resources.
 
 ## Implementation History