
cluster/kube: Centralize namespace admin RoleBindings

Change-Id: Iec3505b2f4a1647e67cf47cf189c77534b5be6ac
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1696
Reviewed-by: q3k <q3k@hackerspace.pl>
radex 2023-10-10 00:02:29 +02:00 committed by q3k
parent fe94c9b649
commit 0776a79df3
6 changed files with 66 additions and 52 deletions


@ -1,24 +0,0 @@
local kube = import "../../kube/kube.libsonnet";
// Global resources specific to Matrix deployments. Currently this is only RBAC objects.
{
// Allow non-staff admin access to matrix.0x3c.pl.
admin0x3c: kube.RoleBinding("admins") {
metadata+: {
namespace: "matrix-0x3c",
},
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "system:admin-namespace",
},
subjects: [
{
apiGroup: "rbac.authorization.k8s.io",
kind: "User",
name: "not7cd@hackerspace.pl",
},
],
},
}


@ -0,0 +1,7 @@
// Only the admins (per-namespace RoleBindings)
local k0 = (import "k0.libsonnet").k0;
{
admins: k0.admins,
}


@ -11,6 +11,7 @@ local admitomatic = import "lib/admitomatic.libsonnet";
local cockroachdb = import "lib/cockroachdb.libsonnet";
local registry = import "lib/registry.libsonnet";
local rook = import "lib/rook.libsonnet";
local admins = import "lib/admins.libsonnet";
{
k0: {
@ -375,5 +376,37 @@ local rook = import "lib/rook.libsonnet";
},
},
},
// Configuration of RoleBindings
admins: admins.NamespaceAdmins {
// Cluster staff have full access to all namespaces
// To give non-staff users admin access scoped to a given namespace,
// add them to the list below.
// (system:admin-namespace role is given to <user>@hackerspace.pl)
namespaces:: {
"inventory": [
"radex",
"palid",
],
"site": [
"ar",
"radex",
],
"valheim": [
"patryk",
"palid",
],
"matrix-0x3c": [
"not7cd",
],
"hswaw-prod": [
"ar",
"radex",
],
"ldapweb": [
"radex",
],
}
}
},
}
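Review bot: The `valheim` entry replaces a hand-written RoleBinding that was named `sso:admins` (see the deleted block further down in this commit), while the centralized generator names every binding `admins`; unless the deploy tooling prunes objects it no longer manages, the old `sso:admins` RoleBinding will stay behind in the valheim namespace as an unmanaged grant, so it should be deleted by hand or its pruning confirmed. The remaining namespaces keep the name `admins`, so they are updated in place. Since this map is now the single place where non-staff users gain namespace-admin, I would state that in the comment, e.g. `// Every entry here grants system:admin-namespace in that namespace; treat edits as a security change.` and keep usernames as bare handles, never full addresses, because the generator appends the domain itself. The enclosing `k0` object starts before this hunk.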


@ -0,0 +1,26 @@
local kube = import "../../../kube/kube.libsonnet";
{
local createNamespaceRoleBinding(namespace, users) = kube.RoleBinding("admins") {
metadata+: {
namespace: namespace,
},
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "system:admin-namespace",
},
subjects: [
kube.User("%s@hackerspace.pl" % [user])
for user in users
],
},
NamespaceAdmins: {
namespaces:: error "namespaces not set",
local namespaces = self.namespaces,
roleBindings: [
createNamespaceRoleBinding(namespace, namespaces[namespace])
for namespace in std.objectFields(namespaces)
],
},
}
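Review bot: `createNamespaceRoleBinding` appends `@hackerspace.pl` unconditionally, and the hand-written bindings this replaces passed full addresses such as `ar@hackerspace.pl`, so a copy-pasted full address would silently yield a subject like `ar@hackerspace.pl@hackerspace.pl` and grant the intended user nothing, with no error at generation time. A cheap guard is a checked helper, `local bareUser(user) = assert std.length(std.findSubstr("@", user)) == 0 : "%s: bare username expected, the domain is appended" % [user]; user;`, used as `kube.User("%s@hackerspace.pl" % [bareUser(user)])` in the subjects comprehension. The library also deserves a header comment: `// NamespaceAdmins: given a hidden namespaces:: map of namespace -> list of bare usernames, emits one RoleBinding named "admins" per namespace that binds the system:admin-namespace ClusterRole; because the binding is namespaced, the grant is scoped to that namespace only.` Note that an empty user list still emits a RoleBinding with no subjects, which is harmless but may be worth rejecting for tidiness.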


@ -192,19 +192,6 @@ local kube = import "../../kube/kube.libsonnet";
# Make namespace for valheim.
ns: kube.Namespace("valheim"),
# Allow patryk and palid to administer this namespace via the namespace-admin clusterrole.
adminRB: top.ns.Contain(kube.RoleBinding("sso:admins")) {
subjects: [
{ apiGroup: "rbac.authorization.k8s.io", kind: "User", name: "%s@hackerspace.pl" % [u] }
for u in ["patryk", "palid"]
],
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "system:admin-namespace",
},
},
q3k: top.env(top.ns, "q3k") {
cfg+: {
ns: "valheim",


@ -67,19 +67,4 @@ local cebulacamp = import "cebulacamp.libsonnet";
},
},
},
admins: kube.RoleBinding("admins") {
metadata+: {
namespace: "hswaw-prod",
},
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "system:admin-namespace",
},
subjects: [
kube.User("ar@hackerspace.pl"),
kube.User("radex@hackerspace.pl"),
],
},
}