first commit
This commit is contained in:
commit
671a3e1344
|
@ -0,0 +1,3 @@
|
|||
# Manifests
|
||||
|
||||
A collection of miscellaneous Kubernetes manifests used by the Systems Committee.
|
|
@ -0,0 +1,105 @@
|
|||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: csc-members-kubesystem
|
||||
rules:
|
||||
# This is necessary for "kubectl cluster-info" to work
|
||||
- apiGroups: [""]
|
||||
resources: ["services"]
|
||||
verbs: ["list"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: csc-members-kubesystem
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: csc-members
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csc-members-kubesystem
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: csc-members-unnamespaced
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["ingressclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["rbac.authorization.k8s.io"]
|
||||
resources: ["clusterroles"]
|
||||
resourceNames:
|
||||
- csc-members-kubesystem
|
||||
- csc-members-unnamespaced
|
||||
- csc-members-default
|
||||
verbs: ["get"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csc-members-unnamespaced
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: csc-members
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csc-members-unnamespaced
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
# This ClusterRole must be referenced by a RoleBinding in each member's namespace.
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: csc-members-default
|
||||
# See https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- configmaps
|
||||
- endpoints
|
||||
- events
|
||||
- limitranges
|
||||
- persistentvolumeclaims
|
||||
- pods
|
||||
- pods/attach
|
||||
- pods/log
|
||||
- podtemplates
|
||||
- replicationcontrollers
|
||||
- secrets
|
||||
- services
|
||||
verbs: ["*"]
|
||||
- apiGroups: [""]
|
||||
resources: ["resourcequotas"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["apps"]
|
||||
resources:
|
||||
- daemonsets
|
||||
- deployments
|
||||
- replicasets
|
||||
- statefulsets
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["autoscaling"]
|
||||
resources:
|
||||
- horizontalpodautoscalers
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["batch"]
|
||||
resources: ["cronjobs", "jobs"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["extensions", "networking.k8s.io"]
|
||||
resources: ["ingresses"]
|
||||
# use Open Policy Agent to restrict which domains can be used
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources: ["networkpolicies"]
|
||||
verbs: ["*"]
|
||||
- apiGroups: ["rbac.authorization.k8s.io"]
|
||||
resources: ["roles", "rolebindings"]
|
||||
verbs: ["get", "list", "watch"]
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: constraints.gatekeeper.sh/v1beta1
|
||||
kind: CSCIngressConstraint
|
||||
metadata:
|
||||
name: cscingressconstraint
|
||||
spec:
|
||||
match:
|
||||
kinds:
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
kinds: ["Ingress"]
|
||||
namespaces: ["csc-*"]
|
|
@ -0,0 +1,47 @@
|
|||
apiVersion: templates.gatekeeper.sh/v1beta1
|
||||
kind: ConstraintTemplate
|
||||
metadata:
|
||||
name: cscingressconstraint
|
||||
spec:
|
||||
crd:
|
||||
spec:
|
||||
names:
|
||||
kind: CSCIngressConstraint
|
||||
targets:
|
||||
- target: admission.k8s.gatekeeper.sh
|
||||
rego: |
|
||||
package cscingressconstraint
|
||||
|
||||
operations = {"CREATE", "UPDATE"}
|
||||
subdomain = ".k8s.csclub.cloud"
|
||||
|
||||
violation[{"msg": msg, "details": {}}] {
|
||||
input.review.kind.kind == "Ingress"
|
||||
operations[input.review.operation]
|
||||
not is_admin_user(input.review.userInfo)
|
||||
username := input.review.userInfo.username
|
||||
host := input.review.object.spec.rules[_].host
|
||||
not is_valid_domain(username, host)
|
||||
msg := "Invalid domain name, please contact the Systems Committee for assistance"
|
||||
}
|
||||
|
||||
is_admin_user(userInfo) {
|
||||
userInfo.groups[_] == "system:masters"
|
||||
}
|
||||
|
||||
is_valid_domain(username, host) {
|
||||
endswith(host, subdomain)
|
||||
prefix := trim_suffix(host, subdomain)
|
||||
parts := split(prefix, ".")
|
||||
last_part := parts[count(parts) - 1]
|
||||
is_valid_last_part_of_prefix(username, last_part)
|
||||
}
|
||||
|
||||
is_valid_last_part_of_prefix(username, last_part) {
|
||||
username == last_part
|
||||
}
|
||||
|
||||
is_valid_last_part_of_prefix(username, last_part) {
|
||||
suffix := concat("", ["-", username])
|
||||
endswith(last_part, suffix)
|
||||
}
|
Loading…
Reference in New Issue