forked from cloud/manifests
commit
671a3e1344
@ -0,0 +1,3 @@ |
||||
# Manifests |
||||
|
||||
A collection of miscellaneous Kubernetes manifests used by the Systems Committee. |
@ -0,0 +1,105 @@ |
||||
apiVersion: rbac.authorization.k8s.io/v1 |
||||
kind: ClusterRole |
||||
metadata: |
||||
name: csc-members-kubesystem |
||||
rules: |
||||
# This is necessary for "kubectl cluster-info" to work |
||||
- apiGroups: [""] |
||||
resources: ["services"] |
||||
verbs: ["list"] |
||||
--- |
||||
apiVersion: rbac.authorization.k8s.io/v1 |
||||
kind: RoleBinding |
||||
metadata: |
||||
name: csc-members-kubesystem |
||||
namespace: kube-system |
||||
subjects: |
||||
- kind: Group |
||||
name: csc-members |
||||
apiGroup: rbac.authorization.k8s.io |
||||
roleRef: |
||||
kind: ClusterRole |
||||
name: csc-members-kubesystem |
||||
apiGroup: rbac.authorization.k8s.io |
||||
--- |
||||
apiVersion: rbac.authorization.k8s.io/v1 |
||||
kind: ClusterRole |
||||
metadata: |
||||
name: csc-members-unnamespaced |
||||
rules: |
||||
- apiGroups: [""] |
||||
resources: ["nodes"] |
||||
verbs: ["get", "list", "watch"] |
||||
- apiGroups: ["networking.k8s.io"] |
||||
resources: ["ingressclasses"] |
||||
verbs: ["get", "list", "watch"] |
||||
- apiGroups: ["rbac.authorization.k8s.io"] |
||||
resources: ["clusterroles"] |
||||
resourceNames: |
||||
- csc-members-kubesystem |
||||
- csc-members-unnamespaced |
||||
- csc-members-default |
||||
verbs: ["get"] |
||||
--- |
||||
apiVersion: rbac.authorization.k8s.io/v1 |
||||
kind: ClusterRoleBinding |
||||
metadata: |
||||
name: csc-members-unnamespaced |
||||
subjects: |
||||
- kind: Group |
||||
name: csc-members |
||||
apiGroup: rbac.authorization.k8s.io |
||||
roleRef: |
||||
kind: ClusterRole |
||||
name: csc-members-unnamespaced |
||||
apiGroup: rbac.authorization.k8s.io |
||||
--- |
||||
# This ClusterRole must be referenced by a RoleBinding in each member's namespace. |
||||
apiVersion: rbac.authorization.k8s.io/v1 |
||||
kind: ClusterRole |
||||
metadata: |
||||
name: csc-members-default |
||||
# See https://kubernetes.io/docs/reference/kubectl/overview/#resource-types |
||||
rules: |
||||
- apiGroups: [""] |
||||
resources: |
||||
- configmaps |
||||
- endpoints |
||||
- events |
||||
- limitranges |
||||
- persistentvolumeclaims |
||||
- pods |
||||
- pods/attach |
||||
- pods/log |
||||
- podtemplates |
||||
- replicationcontrollers |
||||
- secrets |
||||
- services |
||||
verbs: ["*"] |
||||
- apiGroups: [""] |
||||
resources: ["resourcequotas"] |
||||
verbs: ["get", "list", "watch"] |
||||
- apiGroups: ["apps"] |
||||
resources: |
||||
- daemonsets |
||||
- deployments |
||||
- replicasets |
||||
- statefulsets |
||||
verbs: ["*"] |
||||
- apiGroups: ["autoscaling"] |
||||
resources: |
||||
- horizontalpodautoscalers |
||||
verbs: ["*"] |
||||
- apiGroups: ["batch"] |
||||
resources: ["cronjobs", "jobs"] |
||||
verbs: ["*"] |
||||
- apiGroups: ["extensions", "networking.k8s.io"] |
||||
resources: ["ingresses"] |
||||
# use Open Policy Agent to restrict which domains can be used |
||||
verbs: ["*"] |
||||
- apiGroups: ["networking.k8s.io"] |
||||
resources: ["networkpolicies"] |
||||
verbs: ["*"] |
||||
- apiGroups: ["rbac.authorization.k8s.io"] |
||||
resources: ["roles", "rolebindings"] |
||||
verbs: ["get", "list", "watch"] |
@ -0,0 +1,10 @@ |
||||
apiVersion: constraints.gatekeeper.sh/v1beta1 |
||||
kind: CSCIngressConstraint |
||||
metadata: |
||||
name: cscingressconstraint |
||||
spec: |
||||
match: |
||||
kinds: |
||||
- apiGroups: ["networking.k8s.io"] |
||||
kinds: ["Ingress"] |
||||
namespaces: ["csc-*"] |
@ -0,0 +1,47 @@ |
||||
apiVersion: templates.gatekeeper.sh/v1beta1 |
||||
kind: ConstraintTemplate |
||||
metadata: |
||||
name: cscingressconstraint |
||||
spec: |
||||
crd: |
||||
spec: |
||||
names: |
||||
kind: CSCIngressConstraint |
||||
targets: |
||||
- target: admission.k8s.gatekeeper.sh |
||||
rego: | |
||||
package cscingressconstraint |
||||
|
||||
operations = {"CREATE", "UPDATE"} |
||||
subdomain = ".k8s.csclub.cloud" |
||||
|
||||
violation[{"msg": msg, "details": {}}] { |
||||
input.review.kind.kind == "Ingress" |
||||
operations[input.review.operation] |
||||
not is_admin_user(input.review.userInfo) |
||||
username := input.review.userInfo.username |
||||
host := input.review.object.spec.rules[_].host |
||||
not is_valid_domain(username, host) |
||||
msg := "Invalid domain name, please contact the Systems Committee for assistance" |
||||
} |
||||
|
||||
is_admin_user(userInfo) { |
||||
userInfo.groups[_] == "system:masters" |
||||
} |
||||
|
||||
is_valid_domain(username, host) { |
||||
endswith(host, subdomain) |
||||
prefix := trim_suffix(host, subdomain) |
||||
parts := split(prefix, ".") |
||||
last_part := parts[count(parts) - 1] |
||||
is_valid_last_part_of_prefix(username, last_part) |
||||
} |
||||
|
||||
is_valid_last_part_of_prefix(username, last_part) { |
||||
username == last_part |
||||
} |
||||
|
||||
is_valid_last_part_of_prefix(username, last_part) { |
||||
suffix := concat("", ["-", username]) |
||||
endswith(last_part, suffix) |
||||
} |
Loading…
Reference in new issue