cluster/admitomatic: implement opt-out namespaces

Change-Id: I32d4b019211fa755e2b3b103b88ea3f4c14e500f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1521
Reviewed-by: informatic <informatic@hackerspace.pl>

cluster/admitomatic/BUILD.bazel

@@ -60,6 +60,6 @@ container_push(
     image = ":runtime",
     format = "Docker",
     registry = "registry.k0.hswaw.net",
-    repository = "q3k/admitomatic",
+    repository = "cluster/admitomatic",
     tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
 )

cluster/admitomatic/config/config.proto

@@ -20,6 +20,9 @@ message Config {
     // appear in this list, it will be allowed to run in any
     // namespace.
     repeated AllowDomain allow_domain = 1;
+
+    // List of namespaces that do not have any domain/annotation checks.
+    repeated string anything_goes_namespace = 2;
 }
 
 message AllowDomain {

cluster/admitomatic/ingress.go

@@ -36,6 +36,10 @@ import (
 type ingressFilter struct {
 	// allowed is a map from namespace to list of domain matchers.
 	allowed map[string][]*domain
+
+	// anythingGoesNamespaces are namespaces that are opted out of security
+	// checks.
+	anythingGoesNamespaces []string
 }
 
 // domain is a matcher for either a single given domain, or a domain wildcard.
@@ -152,6 +156,11 @@ func (i *ingressFilter) admit(req *admission.AdmissionRequest) (*admission.Admis
 	if req.Namespace == "kube-system" {
 		return result("")
 	}
+	for _, ns := range i.anythingGoesNamespaces {
+		if ns == req.Namespace {
+			return result("")
+		}
+	}
 
 	switch req.Operation {
 	case "CREATE":

cluster/admitomatic/ingress_test.go

@@ -94,6 +94,7 @@ func TestIngressPermitted(t *testing.T) {
 	f.allow("personal-q3k", "*.k0.q3k.org")
 	f.allow("personal-vuko", "shells.vuko.pl")
 	f.allow("minecraft", "*.k0.q3k.org")
+	f.anythingGoesNamespaces = []string{"opted-out"}
 
 	mkReq := func(ns string, annotations map[string]string, is *networking.IngressSpec) *admission.AdmissionRequest {
 		i := &networking.Ingress{
@@ -185,6 +186,19 @@ func TestIngressPermitted(t *testing.T) {
 				},
 			},
 		}), ""},
+		// 6: janky annotations, should be allowed by exception
+		{mkReq("opted-out", map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": "omghax",
+		}, &networking.IngressSpec{
+			Rules: []networking.IngressRule{
+				{Host: "matrix.hackerspace.pl"},
+			},
+			TLS: []networking.IngressTLS{
+				{
+					Hosts: []string{"matrix.hackerspace.pl"},
+				},
+			},
+		}), ""},
 	} {
 		res, err := f.admit(el.req)
 		if err != nil {

cluster/admitomatic/service.go

@@ -39,6 +39,7 @@ func newService(configuration []byte) (*service, error) {
 		}
 		glog.Infof("Ingress: allowing %s in %s", ad.Dns, ad.Namespace)
 	}
+	s.ingress.anythingGoesNamespaces = cfg.AnythingGoesNamespace
 	return &s, nil
 }
 

cluster/kube/k0.libsonnet

@@ -446,6 +446,11 @@ local rook = import "lib/rook.libsonnet";
                         { namespace: "q3k", dns: "*.q3k.org" },
                         { namespace: "personal-q3k", dns: "*.q3k.org" },
                     ],
+
+                    anything_goes_namespace: [
+                        // sourcegraph ingress wants a config snippet to set a header.
+                        "devtools-prod",
+                    ],
                 },
             },
         },

cluster/kube/lib/admitomatic.libsonnet

@@ -32,7 +32,7 @@ local prototext = import "../../../kube/prototext.libsonnet";
 
         cfg:: {
             namespace: "admitomatic",
-            image: "registry.k0.hswaw.net/q3k/admitomatic:1622912229-383fefa14bddd51c1573fb9b5fcc6ecea958f50a",
+            image: "registry.k0.hswaw.net/cluster/admitomatic:315532800-418f1b77968ac843af2e48cd414c2f8eb19653ba",
 
             proto: {},
         },