cluster/prodaccess: practice proper savoir-vivre
important meme Change-Id: If23019d03069ebfbbf98217f5d215533507dd291 Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2089 Reviewed-by: noisersup <noisersup@hackerspace.pl> Reviewed-by: q3k <q3k@hackerspace.pl>
parent
042eafadc4
commit
2ba5310aa9
2 changed files with 30 additions and 5 deletions
|
@ -1,12 +1,12 @@
|
|||
prodvider
|
||||
=========
|
||||
prodvider/prodaccess
|
||||
====================
|
||||
|
||||
It provides access, yo.
|
||||
|
||||
Architecture
|
||||
------------
|
||||
|
||||
Prodvider uses an intermedaite CA (the prodvider CA, signed by the kube CA), to generate the following:
|
||||
Prodvider uses an intermediate CA (the prodvider CA, signed by the kube CA), to generate the following:
|
||||
- a cert for prodvider to present itself over gRPC for prodaccess clients
|
||||
- a cert for prodvider to authenticate itself to the kube apiserver
|
||||
- client certificates for prodaccess consumers.
|
||||
|
@ -21,6 +21,6 @@ Prodvider customers get certificates with a CN=`username@hackerspace.pl` and O=`
|
|||
Kubernetes Structure
|
||||
--------------------
|
||||
|
||||
After generating a user certificate, prodvider will also call kubernetes to set up a personal user namespace (`personal-username`), a RoleBinding to `system:admin-namespace` from their `User` in their namespace (thus, giving them full rights in it) and a ClusterRoleBinding to `system:viewer` from their `User` (thus, giving them some read access for all resources, but not to secure data (like secrets).
|
||||
After generating a user certificate, prodvider will also call kubernetes to set up a personal user namespace (`personal-username`), a RoleBinding to `system:admin-namespace` from their `User` in their namespace (thus, giving them full rights in it) and a ClusterRoleBinding to `system:viewer` from their `User`, thus, giving them some read access for all resources, but not to secure data (like secrets).
|
||||
|
||||
`system:admin-namespace` and `system:viewer` are defined in `//cluster/kube`.
|
||||
|
|
|
@ -4,6 +4,7 @@ import (
|
|||
"context"
|
||||
"crypto/x509"
|
||||
"flag"
|
||||
"strings"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/user"
|
||||
|
@ -71,7 +72,7 @@ func main() {
|
|||
os.Exit(1)
|
||||
}
|
||||
} else {
|
||||
fmt.Printf("Good evening professor. I see you have driven here in your Ferrari.\n")
|
||||
greetings(strings.ToLower(flagUsername))
|
||||
os.Exit(0)
|
||||
}
|
||||
}
|
||||
|
@ -115,3 +116,27 @@ func password() string {
|
|||
fmt.Printf("\n")
|
||||
return string(bytePassword)
|
||||
}
|
||||
|
||||
func greetings(username string) {
|
||||
fmt.Printf("Good evening %s. I see you have driven here in your %s.\n", userTitle(username), userVehicle(username))
|
||||
}
|
||||
|
||||
func userTitle(username string) string {
|
||||
switch username {
|
||||
case "drozdziak1":
|
||||
return "Dr. Oździak"
|
||||
case "radex":
|
||||
return "Mr. Secretary"
|
||||
default:
|
||||
return "professor"
|
||||
}
|
||||
}
|
||||
|
||||
func userVehicle(username string) string {
|
||||
switch username {
|
||||
case "drozdziak1", "krnlexception":
|
||||
return "Ford Focus"
|
||||
default:
|
||||
return "Ferrari"
|
||||
}
|
||||
}
|
||||
|
|
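Review bot: The added `"strings"` import is placed between `"flag"` and `"fmt"`, so the import block is no longer sorted and gofmt will reorder it on the next touch; move it after `"os/user"` (or run goimports) so the change stays gofmt-clean. The three new functions appended after `password()` carry no comment saying why particular usernames are special-cased; a one-liner such as `// greetings prints a tongue-in-cheek welcome personalised by username.` on `greetings` would help the next reader. The `case` strings in `userTitle` and `userVehicle` are all lowercase, which only matches because `main` lowercases `flagUsername` before the call, so that dependency deserves a note on each switch, e.g. `// username is expected to be lowercased by the caller.`; the hunk shows only this call site, so I cannot tell whether other callers exist.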