mirror of https://gerrit.hackerspace.pl/hscloud
cluster/admitomatic: implement opt-out namespaces
Change-Id: I32d4b019211fa755e2b3b103b88ea3f4c14e500f Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1521 Reviewed-by: informatic <informatic@hackerspace.pl>changes/21/1521/3
parent
9f0e1e88f1
commit
c1f372561a
@ -60,6 +60,6 @@ container_push(
image = ":runtime",
image = ":runtime",
format = "Docker",
format = "Docker",
registry = "registry.k0.hswaw.net",
registry = "registry.k0.hswaw.net",
repository = "q3k/admitomatic",
repository = "cluster/admitomatic",
tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
)
)
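--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -20,6 +20,9 @@ message Config {
 // appear in this list, it will be allowed to run in any
 // namespace.
 repeated AllowDomain allow_domain = 1;
+
+// List of namespaces that do not have any domain/annotation checks.
+repeated string anything_goes_namespace = 2;
 }
 
 message AllowDomain {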
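Review bot: The comment on the new anything_goes_namespace field says which checks are skipped but not how entries are matched; the admit change in this same commit compares the request namespace with ==, so wildcards or prefixes are not supported and a value like `personal-*` would silently match nothing. Extending the comment to `// List of namespaces that do not have any domain/annotation checks. Entries are matched exactly against the namespace name (no wildcards); any Ingress in such a namespace is admitted unconditionally.` would make both the matching rule and the breadth of the bypass explicit to whoever edits the config. The Config message starts outside the hunk.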
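--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -36,6 +36,10 @@ import (
 type ingressFilter struct {
 // allowed is a map from namespace to list of domain matchers.
 allowed map[string][]*domain
+
+// anythingGoesNamespaces are namespaces that are opted out of security
+// checks.
+anythingGoesNamespaces []string
 }
 
 // domain is a matcher for either a single given domain, or a domain wildcard.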
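--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -152,6 +156,11 @@ func (i *ingressFilter) admit(req *admission.AdmissionRequest) (*admission.Admis
 if req.Namespace == "kube-system" {
 return result("")
 }
+for _, ns := range i.anythingGoesNamespaces {
+if ns == req.Namespace {
+return result("")
+}
+}
 
 switch req.Operation {
 case "CREATE":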
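Review bot: The opt-out loop added after the kube-system check admits the request without leaving any trace that the domain and annotation checks were bypassed, so an overly broad anything_goes_namespace entry would never show up in the controller's logs. Since newService in this same commit already reports each allowed domain through glog.Infof, a matching line inside the loop, `glog.Infof("Ingress: namespace %s opted out of checks, allowing", req.Namespace)` just before the added `return result("")`, would give operators an audit trail (assuming this file imports glog, which the hunk does not show). A `map[string]bool` keyed by namespace would also mirror the existing `allowed` map and make the lookup constant-time, though the linear scan is harmless at this size. The admit method starts before and continues past the hunk.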
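--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -94,6 +94,7 @@ func TestIngressPermitted(t *testing.T) {
 f.allow("personal-q3k", "*.k0.q3k.org")
 f.allow("personal-vuko", "shells.vuko.pl")
 f.allow("minecraft", "*.k0.q3k.org")
+f.anythingGoesNamespaces = []string{"opted-out"}
 
 mkReq := func(ns string, annotations map[string]string, is *networking.IngressSpec) *admission.AdmissionRequest {
 i := &networking.Ingress{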
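--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -185,6 +186,19 @@ func TestIngressPermitted(t *testing.T) {
 },
 },
 }), ""},
+// 6: janky annotations, should be allowed by exception
+{mkReq("opted-out", map[string]string{
+"nginx.ingress.kubernetes.io/configuration-snippet": "omghax",
+}, &networking.IngressSpec{
+Rules: []networking.IngressRule{
+{Host: "matrix.hackerspace.pl"},
+},
+TLS: []networking.IngressTLS{
+{
+Hosts: []string{"matrix.hackerspace.pl"},
+},
+},
+}), ""},
 } {
 res, err := f.admit(el.req)
 if err != nil {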
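Review bot: Case 6 pins only the allow path for the opted-out namespace; nothing in this hunk checks that the same configuration-snippet request from a namespace not listed in anythingGoesNamespaces is still rejected, which is the assertion that would catch an opt-out loop matching too broadly. If one of the earlier cases (not visible here) already sends that annotation from a non-listed namespace and expects a rejection, this is covered; otherwise a seventh case duplicating case 6 with `mkReq("personal-q3k", ...)` and a non-empty expected result would close the gap. The test function starts before the hunk and continues after it.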
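--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -39,6 +39,7 @@ func newService(configuration []byte) (*service, error) {
 }
 glog.Infof("Ingress: allowing %s in %s", ad.Dns, ad.Namespace)
 }
+s.ingress.anythingGoesNamespaces = cfg.AnythingGoesNamespace
 return &s, nil
 }
 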
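Review bot: The new assignment copies cfg.AnythingGoesNamespace into the filter without the startup logging that the allow_domain loop directly above it has, so a namespace whose ingress checks are entirely disabled never appears in the service's log while every allowed domain does. Mirroring the existing style with `for _, ns := range cfg.AnythingGoesNamespace { glog.Infof("Ingress: namespace %s opted out of all checks", ns) }` before the assignment would make the bypass visible at startup. Rejecting an empty string there would also be cheap, since an empty entry can only ever match a request with no namespace set. The start of newService lies outside the hunk.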
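--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -446,6 +446,11 @@ local rook = import "lib/rook.libsonnet";
 { namespace: "q3k", dns: "*.q3k.org" },
 { namespace: "personal-q3k", dns: "*.q3k.org" },
 ],
+
+anything_goes_namespace: [
+// sourcegraph ingress wants a config snippet to set a header.
+"devtools-prod",
+],
 },
 },
 },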
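Review bot: The comment on the new devtools-prod entry gives the narrow reason for the exception (one configuration snippet setting a header), but the setting it enables is much broader: per the config.proto comment in this change the namespace loses every domain and annotation check, so any Ingress created there may claim any hostname. The comment should state that scope so a later reader does not take it as a snippet-only allowance, e.g. `// Opted out of ALL ingress domain/annotation checks (see config.proto); needed because the sourcegraph ingress uses a configuration-snippet to set a header.`. The enclosing object starts and ends outside the hunk.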
@ -32,7 +32,7 @@ local prototext = import "../../../kube/prototext.libsonnet";
cfg:: {
cfg:: {
namespace: "admitomatic",
namespace: "admitomatic",
image: "registry.k0.hswaw.net/q3k/admitomatic:1622912229-383fefa14bddd51c1573fb9b5fcc6ecea958f50a",
image: "registry.k0.hswaw.net/cluster/admitomatic:315532800-418f1b77968ac843af2e48cd414c2f8eb19653ba",
proto: {},
proto: {},
},
},