What is TFY Agent?

  • TFY Agent runs on the compute plane cluster and connects the cluster to the control plane.
  • TFY Agent allows the control plane to deploy applications (Service, Job, SSH Server, etc.) and track their status.
  • TFY Agent does not require an open endpoint (Load balancer Service or Node Port) in your cluster.
    • TFY Agent initiates secure WebSocket connections to the control plane, which uses these connections for all activities.

How is TFY Agent installed in the cluster?

Architecture

  • TFY Agent consists of two parts: TFY Agent and TFY Agent Proxy. Each runs independently and uses a secure WebSocket connection to connect to the control plane.

TFY Agent

  • TFY Agent streams the state of the compute plane cluster to the control plane. This state includes but is not limited to the status of Nodes, Pods, Argo Applications, etc., in the cluster.

TFY Agent Proxy

  • TFY Agent Proxy enables the control plane to access the compute plane cluster’s Kubernetes API server and other Services.
    • This enables the control plane to create namespace (Workspace) and deploy applications to the compute plane cluster.

Authorization

TFY Agent

  • TFY Agent runs informers to stream kubernetes resource changes and sends it to the control plane.
  • To run informers, the TFY Agent must be able to list and watch those resource types across all the namespaces in the cluster.
    • The config.allowedNamespaces field on the helm chart allows you to configure a list of allowed namespaces. TFY Agent will filter out any namespaced resource’s update if the resource is not part of the allowed namespaces. 
      • config:
  tenantName: your-tenant-name
  controlPlaneURL: your-controlplane-url
  clusterTokenSecret: your-cluster-token-secret
  allowedNamespaces:
    - tfy-agent
    - argocd
    - your-namespace

TFY Agent Proxy

  • By default, the TFY Agent Proxy enables the control plane to access all resources on the compute cluster.
Strict Mode
config:
  tenantName: your-tenant-name
  controlPlaneURL: your-controlplane-url
  clusterTokenSecret: your-cluster-token-secret
tfyAgentProxy:
  clusterRole:
    strictMode: true
  • If you want to give minimum authorization, please set the field tfyAgentProxy.clusterRole.strictMode to true on the helm chart.
  • In this mode, we set up minimum required authorization rules for the control plane to function correctly.
  • If you give a list of allowed namespaces using the config.allowedNamespaces field, we will always run on strict mode, regardless of the value of the tfyAgentProxy.clusterRole.strictMode field.
  • In strict mode, we allow the control plane to create namespaces (Workspace) in the cluster. But if you give a list of allowed namespaces using the config.allowedNamespaces field, the control plane will not be allowed to create new namespaces.
Cluster Scope resource access
  • This file documents all the authorization rules we set for the resources for which we require cluster-scope access.
  • Note that if you have configured a list of allowed namespaces, the control plane cannot create any new namespace in the cluster.
Namespace Scope resource access
  • This file documents all the authorization rules we set for the resources the control plane can work with namespace-scope access.
  • If you give a list of allowed namespaces using the config.allowedNamespaces field, we setup role binding only for those namespaces.
  • If the list of allowed namespaces is empty. We set up cluster-wide access for these namespaced resources.