Today we’re announcing the open sourcing of spicedb-operator - a Kubernetes operator for installing, upgrading, and maintaining SpiceDB clusters on Kubernetes. Through previous work at CoreOS and Red Hat, our team developed many of the early ideas around operators. As we began to scale out the deployment of SpiceDB clusters across our fleet to address the needs of our customers, an operator was the natural choice.
Running in production for 4 months
The operator has been quietly managing SpiceDB clusters for Authzed’s Serverless and Dedicated offerings for the past four months. It's production-ready and available today!
To get started yourself, install the operator:
kubectl apply --server-side -k github.com/authzed/spicedb-operator/config
And then create a cluster:
kubectl apply --server-side -f - <<EOF
Once a cluster is running, the operator will automatically run migrations and roll out new SpiceDB releases as they become available. Alternatively, you can pin a cluster to a specific release and use the operator to coordinate the rollout of migrations in GitOps workflows.
Listen up, idioms!
We’ve also open-sourced controller-idioms, the library we developed to support SpiceDB Operator and other operators that we use to run Authzed Dedicated. We found ourselves solving some of the same problems in every operator we wrote, and built this microframework to standardize common patterns across our stack.
This new library:
- Works with other Go-based tooling like client-go and controller-runtime.
- Uses Go generics to simplify dealing with Kubernetes APIs, informers, and indexes.
- Implements common patterns for resource adoption, ownership, status, and metrics.
- Provides a framework for breaking down large controller state machines into small, testable pieces.
If you’re developing an operator of your own, please check out controller-idioms and let us know what’s missing in the GitHub issues.
If you’re interested in learning more about Authorization and Google Zanzibar, we recommend reading the following posts:
- Understanding Google Zanzibar: A Comprehensive Overview
- A Primer on Modern Enterprise Authorization (AuthZ) Systems
- Fine-Grained Access Control: Can You Go Too Fine?
- Relationship Based Access Control (ReBAC): Using Graphs to Power your Authorization System
- Pitfalls of JWT Authorization
Header image generated with DALL·E 2 with prompt "a robot putting a database icon in a kubernetes cluster"