cluster/admitomatic: implement opt-out namespaces
Change-Id: I32d4b019211fa755e2b3b103b88ea3f4c14e500f Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1521 Reviewed-by: informatic <informatic@hackerspace.pl>
This commit is contained in:
parent
9f0e1e88f1
commit
c1f372561a
7 changed files with 34 additions and 2 deletions
|
@ -60,6 +60,6 @@ container_push(
|
|||
image = ":runtime",
|
||||
format = "Docker",
|
||||
registry = "registry.k0.hswaw.net",
|
||||
repository = "q3k/admitomatic",
|
||||
repository = "cluster/admitomatic",
|
||||
tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
|
||||
)
|
||||
|
|
|
@ -20,6 +20,9 @@ message Config {
|
|||
// appear in this list, it will be allowed to run in any
|
||||
// namespace.
|
||||
repeated AllowDomain allow_domain = 1;
|
||||
|
||||
// List of namespaces that do not have any domain/annotation checks.
|
||||
repeated string anything_goes_namespace = 2;
|
||||
}
|
||||
|
||||
message AllowDomain {
|
||||
|
|
|
@ -36,6 +36,10 @@ import (
|
|||
type ingressFilter struct {
|
||||
// allowed is a map from namespace to list of domain matchers.
|
||||
allowed map[string][]*domain
|
||||
|
||||
// anythingGoesNamespaces are namespaces that are opted out of security
|
||||
// checks.
|
||||
anythingGoesNamespaces []string
|
||||
}
|
||||
|
||||
// domain is a matcher for either a single given domain, or a domain wildcard.
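Review bot: `anythingGoesNamespaces []string` is checked by a linear scan in admit (the hunk at `@ -152,6 +156,11`), while the sibling field `allowed` declared just above is already a map keyed by namespace; storing the opt-out set as `anythingGoesNamespaces map[string]bool` would reduce that lookup to `if i.anythingGoesNamespaces[req.Namespace] { return result("") }` and keep the two per-namespace lookups in the same shape. The list is tiny, so this is a point of style and consistency rather than performance. The field comment could also state that membership is by exact namespace name, which is what admit does. The struct's enclosing file continues outside the hunk.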
|
||||
|
@ -152,6 +156,11 @@ func (i *ingressFilter) admit(req *admission.AdmissionRequest) (*admission.Admis
|
|||
if req.Namespace == "kube-system" {
|
||||
return result("")
|
||||
}
|
||||
for _, ns := range i.anythingGoesNamespaces {
|
||||
if ns == req.Namespace {
|
||||
return result("")
|
||||
}
|
||||
}
|
||||
|
||||
switch req.Operation {
|
||||
case "CREATE":
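Review bot: The new opt-out branch returns `result("")` without writing anything to the log, so an Ingress admitted only because its namespace is on the exemption list is indistinguishable afterwards from one that passed the domain and annotation checks. Since this path deliberately skips the security checks, a log line on it keeps the decision auditable, e.g. `glog.Infof("Ingress: %s in %s admitted without checks (namespace opted out)", req.Operation, req.Namespace)` with glog (as used in newService) or whichever logger this file has in scope. The hard-coded kube-system exemption directly above takes the same silent path, so the same applies there if it is worth touching. admit's body starts and continues outside the hunk.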
|
||||
|
|
|
@ -94,6 +94,7 @@ func TestIngressPermitted(t *testing.T) {
|
|||
f.allow("personal-q3k", "*.k0.q3k.org")
|
||||
f.allow("personal-vuko", "shells.vuko.pl")
|
||||
f.allow("minecraft", "*.k0.q3k.org")
|
||||
f.anythingGoesNamespaces = []string{"opted-out"}
|
||||
|
||||
mkReq := func(ns string, annotations map[string]string, is *networking.IngressSpec) *admission.AdmissionRequest {
|
||||
i := &networking.Ingress{
|
||||
|
@ -185,6 +186,19 @@ func TestIngressPermitted(t *testing.T) {
|
|||
},
|
||||
},
|
||||
}), ""},
|
||||
// 6: janky annotations, should be allowed by exception
|
||||
{mkReq("opted-out", map[string]string{
|
||||
"nginx.ingress.kubernetes.io/configuration-snippet": "omghax",
|
||||
}, &networking.IngressSpec{
|
||||
Rules: []networking.IngressRule{
|
||||
{Host: "matrix.hackerspace.pl"},
|
||||
},
|
||||
TLS: []networking.IngressTLS{
|
||||
{
|
||||
Hosts: []string{"matrix.hackerspace.pl"},
|
||||
},
|
||||
},
|
||||
}), ""},
|
||||
} {
|
||||
res, err := f.admit(el.req)
|
||||
if err != nil {
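Review bot: Case 6 only exercises the positive side of the exemption — an opted-out namespace with a disallowed annotation and a host outside its allow list is admitted. Nothing in the hunk pins the negative side: that a namespace which merely resembles the opted-out one (say `"opted-out-2"`) or any un-listed namespace sending the identical request is still rejected, which is what guarantees the comparison in admit stays an exact match. Adding a case 7 that reuses the same annotations and spec under a non-exempt namespace and expects the non-empty rejection string would cover it; earlier cases in the table may already do this for the annotation check alone, but they are outside the hunk. TestIngressPermitted starts and ends outside the hunk.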
|
||||
|
|
|
@ -39,6 +39,7 @@ func newService(configuration []byte) (*service, error) {
|
|||
}
|
||||
glog.Infof("Ingress: allowing %s in %s", ad.Dns, ad.Namespace)
|
||||
}
|
||||
s.ingress.anythingGoesNamespaces = cfg.AnythingGoesNamespace
|
||||
return &s, nil
|
||||
}
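Review bot: The opt-out namespaces are copied into the filter on `s.ingress.anythingGoesNamespaces = cfg.AnythingGoesNamespace` without the log line the allow_domain entries get a few lines above (`glog.Infof("Ingress: allowing %s in %s", ad.Dns, ad.Namespace)`), so a configuration that exempts a namespace from all checks leaves no trace in the startup log. Mirroring that loop keeps the two config sections equally visible: `for _, ns := range cfg.AnythingGoesNamespace { glog.Infof("Ingress: namespace %s opted out of all checks", ns) }`. An empty-string entry can never match a real namespace and could be rejected here as a config error, though that is optional. newService starts outside the hunk.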
|
||||
|
||||
|
|
|
@ -446,6 +446,11 @@ local rook = import "lib/rook.libsonnet";
|
|||
{ namespace: "q3k", dns: "*.q3k.org" },
|
||||
{ namespace: "personal-q3k", dns: "*.q3k.org" },
|
||||
],
|
||||
|
||||
anything_goes_namespace: [
|
||||
// sourcegraph ingress wants a config snippet to set a header.
|
||||
"devtools-prod",
|
||||
],
|
||||
},
|
||||
},
|
||||
},
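Review bot: The comment on the new `anything_goes_namespace` entry explains the trigger (sourcegraph's config snippet) but not the blast radius: every Ingress in devtools-prod is now exempt from both the domain allow-list and the annotation checks, not only the sourcegraph one. Stating that next to the entry helps the next reader decide whether the exemption is still warranted, e.g. `// NOTE: this exempts every Ingress in the namespace from domain and annotation checks, not just sourcegraph; revisit once a narrower opt-out exists.` The enclosing object starts outside the hunk.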
|
||||
|
|
|
@ -32,7 +32,7 @@ local prototext = import "../../../kube/prototext.libsonnet";
|
|||
|
||||
cfg:: {
|
||||
namespace: "admitomatic",
|
||||
image: "registry.k0.hswaw.net/q3k/admitomatic:1622912229-383fefa14bddd51c1573fb9b5fcc6ecea958f50a",
|
||||
image: "registry.k0.hswaw.net/cluster/admitomatic:315532800-418f1b77968ac843af2e48cd414c2f8eb19653ba",
|
||||
|
||||
proto: {},
|
||||
},
|
||||
|
|