cluster/kube: Centralize namespace admin RoleBindings
Change-Id: Iec3505b2f4a1647e67cf47cf189c77534b5be6ac Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1696 Reviewed-by: q3k <q3k@hackerspace.pl>
This commit is contained in:
parent
fe94c9b649
commit
0776a79df3
6 changed files with 66 additions and 52 deletions
|
@ -1,24 +0,0 @@
|
|||
local kube = import "../../kube/kube.libsonnet";
|
||||
|
||||
// Global resources specific to Matrix deployments. Currently this is only RBAC objects.
|
||||
|
||||
{
|
||||
// Allow non-staff admin access to matrix.0x3c.pl.
|
||||
admin0x3c: kube.RoleBinding("admins") {
|
||||
metadata+: {
|
||||
namespace: "matrix-0x3c",
|
||||
},
|
||||
roleRef: {
|
||||
apiGroup: "rbac.authorization.k8s.io",
|
||||
kind: "ClusterRole",
|
||||
name: "system:admin-namespace",
|
||||
},
|
||||
subjects: [
|
||||
{
|
||||
apiGroup: "rbac.authorization.k8s.io",
|
||||
kind: "User",
|
||||
name: "not7cd@hackerspace.pl",
|
||||
},
|
||||
],
|
||||
},
|
||||
}
|
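--- /dev/null
+++ b/cluster/kube/k0-admins.jsonnet
@@ -0,0 +1,7 @@
+// Only the admins (per-namespace RoleBindings)
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+admins: k0.admins,
+}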
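Review bot: Nothing in this file says how it relates to the main `k0` target, and because it only re-exports `k0.admins` from `k0.libsonnet`, where `admins` is a visible (non-hidden) field of `k0`, any other target that renders the whole `k0` object (presumably `k0.jsonnet`, not shown here) would emit the same RoleBindings under a second environment — worth confirming, since an object applied from two kubecfg environments has its ownership label flipped on every apply and can be garbage-collected by either. If that is the case, either make the field hidden in `k0.libsonnet` (`admins:: admins.NamespaceAdmins { … }`) and keep this file as the sole emitter, or state here that the main target excludes it. A short header would make the intent explicit: `// Standalone kubecfg target: renders only the per-namespace admin RoleBindings defined in k0.libsonnet, so they can be (re)applied without touching the rest of the cluster.`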
@ -11,6 +11,7 @@ local admitomatic = import "lib/admitomatic.libsonnet";
|
|||
local cockroachdb = import "lib/cockroachdb.libsonnet";
|
||||
local registry = import "lib/registry.libsonnet";
|
||||
local rook = import "lib/rook.libsonnet";
|
||||
local admins = import "lib/admins.libsonnet";
|
||||
|
||||
{
|
||||
k0: {
|
||||
|
@ -375,5 +376,37 @@ local rook = import "lib/rook.libsonnet";
|
|||
},
|
||||
},
|
||||
},
|
||||
|
||||
// Configuration of RoleBindings
|
||||
admins: admins.NamespaceAdmins {
|
||||
// Cluster staff have full access to all namespaces
|
||||
// To give non-staff users admin access scoped to a given namespace,
|
||||
// add them to the list below.
|
||||
// (system:admin-namespace role is given to <user>@hackerspace.pl)
|
||||
namespaces:: {
|
||||
"inventory": [
|
||||
"radex",
|
||||
"palid",
|
||||
],
|
||||
"site": [
|
||||
"ar",
|
||||
"radex",
|
||||
],
|
||||
"valheim": [
|
||||
"patryk",
|
||||
"palid",
|
||||
],
|
||||
"matrix-0x3c": [
|
||||
"not7cd",
|
||||
],
|
||||
"hswaw-prod": [
|
||||
"ar",
|
||||
"radex",
|
||||
],
|
||||
"ldapweb": [
|
||||
"radex",
|
||||
],
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
|
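Review bot: The generated binding is named `admins`, but the valheim binding this commit deletes further down the page was named `sso:admins`, so in the `valheim` namespace the new object does not replace the old one by name; unless the old environment is re-applied with garbage collection (presumably how this is deployed, but it is not visible here), both bindings coexist and the stale one keeps `patryk` and `palid` as namespace admins regardless of what this list says. In `matrix-0x3c` and `hswaw-prod` the removed bindings were also called `admins`, so those are adopted in place. I would record that caveat next to the list, e.g. `// Removing a user here only revokes access once this target is applied AND no` / `// hand-written RoleBinding is left behind (e.g. valheim's old "sso:admins").` The enclosing `k0` object starts in the earlier hunk of this file.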
|
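--- /dev/null
+++ b/cluster/kube/lib/admins.libsonnet
@@ -0,0 +1,26 @@
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+local createNamespaceRoleBinding(namespace, users) = kube.RoleBinding("admins") {
+metadata+: {
+namespace: namespace,
+},
+roleRef: {
+apiGroup: "rbac.authorization.k8s.io",
+kind: "ClusterRole",
+name: "system:admin-namespace",
+},
+subjects: [
+kube.User("%s@hackerspace.pl" % [user])
+for user in users
+],
+},
+NamespaceAdmins: {
+namespaces:: error "namespaces not set",
+local namespaces = self.namespaces,
+roleBindings: [
+createNamespaceRoleBinding(namespace, namespaces[namespace])
+for namespace in std.objectFields(namespaces)
+],
+},
+}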
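Review bot: `createNamespaceRoleBinding` accepts any `users` value, so a namespace listed with an empty array still renders a RoleBinding with no subjects, and a username that already carries a domain is rendered as `foo@x@hackerspace.pl` — neither fails at render time, so the mistake only shows up later as a user who silently has no access. A guard at the head of the function catches the common case: `local createNamespaceRoleBinding(namespace, users) =` / `assert std.length(users) > 0 : "no admins listed for namespace %s" % [namespace];` / `kube.RoleBinding("admins") {`. The file should also carry a header comment stating its contract: that `NamespaceAdmins.namespaces` maps a namespace name to a list of bare hackerspace usernames, that each entry becomes exactly one RoleBinding named `admins` in that namespace, and that every such binding grants the hard-coded `system:admin-namespace` ClusterRole, so the privilege level is fixed here rather than per namespace.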
@ -192,19 +192,6 @@ local kube = import "../../kube/kube.libsonnet";
|
|||
# Make namespace for valheim.
|
||||
ns: kube.Namespace("valheim"),
|
||||
|
||||
# Allow patryk and palid to administer this namespace via the namespace-admin clusterrole.
|
||||
adminRB: top.ns.Contain(kube.RoleBinding("sso:admins")) {
|
||||
subjects: [
|
||||
{ apiGroup: "rbac.authorization.k8s.io", kind: "User", name: "%s@hackerspace.pl" % [u] }
|
||||
for u in ["patryk", "palid"]
|
||||
],
|
||||
roleRef: {
|
||||
apiGroup: "rbac.authorization.k8s.io",
|
||||
kind: "ClusterRole",
|
||||
name: "system:admin-namespace",
|
||||
},
|
||||
},
|
||||
|
||||
q3k: top.env(top.ns, "q3k") {
|
||||
cfg+: {
|
||||
ns: "valheim",
|
||||
|
|
|
@ -67,19 +67,4 @@ local cebulacamp = import "cebulacamp.libsonnet";
|
|||
},
|
||||
},
|
||||
},
|
||||
|
||||
admins: kube.RoleBinding("admins") {
|
||||
metadata+: {
|
||||
namespace: "hswaw-prod",
|
||||
},
|
||||
roleRef: {
|
||||
apiGroup: "rbac.authorization.k8s.io",
|
||||
kind: "ClusterRole",
|
||||
name: "system:admin-namespace",
|
||||
},
|
||||
subjects: [
|
||||
kube.User("ar@hackerspace.pl"),
|
||||
kube.User("radex@hackerspace.pl"),
|
||||
],
|
||||
},
|
||||
}
|
||||
|
|