1
0
Fork 0

first commit

pull/1/head
Max Erenberg 9 months ago committed by root
commit 671a3e1344
  1. 3
      README.md
  2. 105
      csc-clusterroles.yaml
  3. 10
      cscingressconstraint-constraint.yaml
  4. 47
      cscingressconstraint-template.yaml

@ -0,0 +1,3 @@
# Manifests
A collection of miscellaneous Kubernetes manifests used by the Systems Committee.

@ -0,0 +1,105 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: csc-members-kubesystem
rules:
# This is necessary for "kubectl cluster-info" to work
- apiGroups: [""]
resources: ["services"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: csc-members-kubesystem
namespace: kube-system
subjects:
- kind: Group
name: csc-members
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: csc-members-kubesystem
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: csc-members-unnamespaced
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles"]
resourceNames:
- csc-members-kubesystem
- csc-members-unnamespaced
- csc-members-default
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csc-members-unnamespaced
subjects:
- kind: Group
name: csc-members
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: csc-members-unnamespaced
apiGroup: rbac.authorization.k8s.io
---
# This ClusterRole must be referenced by a RoleBinding in each member's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: csc-members-default
# See https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
rules:
- apiGroups: [""]
resources:
- configmaps
- endpoints
- events
- limitranges
- persistentvolumeclaims
- pods
- pods/attach
- pods/log
- podtemplates
- replicationcontrollers
- secrets
- services
verbs: ["*"]
- apiGroups: [""]
resources: ["resourcequotas"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs: ["*"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["*"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["*"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
# use Open Policy Agent to restrict which domains can be used
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "watch"]

@ -0,0 +1,10 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: CSCIngressConstraint
metadata:
name: cscingressconstraint
spec:
match:
kinds:
- apiGroups: ["networking.k8s.io"]
kinds: ["Ingress"]
namespaces: ["csc-*"]

@ -0,0 +1,47 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: cscingressconstraint
spec:
crd:
spec:
names:
kind: CSCIngressConstraint
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package cscingressconstraint
operations = {"CREATE", "UPDATE"}
subdomain = ".k8s.csclub.cloud"
violation[{"msg": msg, "details": {}}] {
input.review.kind.kind == "Ingress"
operations[input.review.operation]
not is_admin_user(input.review.userInfo)
username := input.review.userInfo.username
host := input.review.object.spec.rules[_].host
not is_valid_domain(username, host)
msg := "Invalid domain name, please contact the Systems Committee for assistance"
}
is_admin_user(userInfo) {
userInfo.groups[_] == "system:masters"
}
is_valid_domain(username, host) {
endswith(host, subdomain)
prefix := trim_suffix(host, subdomain)
parts := split(prefix, ".")
last_part := parts[count(parts) - 1]
is_valid_last_part_of_prefix(username, last_part)
}
is_valid_last_part_of_prefix(username, last_part) {
username == last_part
}
is_valid_last_part_of_prefix(username, last_part) {
suffix := concat("", ["-", username])
endswith(last_part, suffix)
}
Loading…
Cancel
Save