mirror of https://gerrit.hackerspace.pl/hscloud synced 2025-02-10 23:26:46 +00:00
hscloud/cluster/prodaccess
radex 63f0adde2f cluster/prodaccess: add multi-cluster support
- allow passing -cluster to select another cluster (k0 remains the default for the time being)
- default prodvider dns to prodvider.<cluster>.hswaw.net
- scope kube config username and certs storage by cluster name

additionally:

- force username to be lowercase (LDAP is case-insensitive, but e.g. kubernetes namespaces are not)
- fix some Go deprecations

Change-Id: Ibf4a6ced7a635940f6a7c568c79714cd8ac60ce9
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/2101
Reviewed-by: radex <radex@hackerspace.pl>
2025-01-11 15:22:45 +00:00
BUILD.bazel cluster/prodaccess: add multi-cluster support 2025-01-11 15:22:45 +00:00
hspki.go cluster/prodaccess: add multi-cluster support 2025-01-11 15:22:45 +00:00
kubernetes.go cluster/prodaccess: add multi-cluster support 2025-01-11 15:22:45 +00:00
prodaccess.go cluster/prodaccess: add multi-cluster support 2025-01-11 15:22:45 +00:00
README.md cluster/prodaccess: practice proper savoir-vivre 2025-01-08 14:28:11 +00:00

prodvider/prodaccess

It provides access, yo.

Architecture

Prodvider uses an intermediate CA (the prodvider CA, signed by the kube CA) to generate the following:

  • a cert for prodvider to present itself over gRPC for prodaccess clients
  • a cert for prodvider to authenticate itself to the kube apiserver
  • client certificates for prodaccess consumers.

Any time someone runs 'prodaccess', they get a certificate from the intermediate CA, and the intermediate CA is included as part of the chain they receive. They can then use this chain to authenticate to Kubernetes.

Naming

Prodvider customers get certificates with CN=username@hackerspace.pl and O=sso:username. This means that Kubernetes sees them as a User named username@hackerspace.pl and a Group named sso:username. In the future, users might be given other groups; do not rely on this relationship.
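The chain from the Architecture section and the CN/O naming scheme above, as an added Go example that is not prodvider's own code (nor the contents of hspki.go): it builds a kube CA, a prodvider intermediate signed by it and a user certificate, then verifies the user certificate the way the apiserver would and shows why the intermediate has to travel with it. CA names, serial numbers and validity periods are assumed; the lowercasing of the username follows the commit message above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// issue signs tmpl with parent/parentKey; a nil parent yields a self-signed CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // constructed example: a signing failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
func caTemplate(cn string, serial int64) *x509.Certificate { // assumed CA shape, not prodvider's
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// IssueAndVerify builds kube CA -> prodvider CA -> user cert, verifies the user cert against the kube CA
// alone (as the apiserver does) and returns the User/Groups Kubernetes derives from CN and O.
func IssueAndVerify(username string, withChain bool) (user string, groups []string, err error) {
	kubeCA, kubeKey := issue(caTemplate("kube-ca", 1), nil, nil)
	prodCA, prodKey := issue(caTemplate("prodvider-ca", 2), kubeCA, kubeKey)
	name := strings.ToLower(username) // LDAP is case-insensitive, Kubernetes namespaces are not
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		Subject: pkix.Name{CommonName: name + "@hackerspace.pl", Organization: []string{"sso:" + name}}}, prodCA, prodKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(kubeCA)
	if withChain { // without the intermediate, the verifier cannot build a path to the kube CA
		inters.AddCert(prodCA)
	}
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", nil, err
	}
	return leaf.Subject.CommonName, leaf.Subject.Organization, nil
}
```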

Kubernetes Structure

After generating a user certificate, prodvider will also call Kubernetes to set up a personal user namespace (personal-username), a RoleBinding to system:admin-namespace from their User in that namespace (giving them full rights in it), and a ClusterRoleBinding to system:viewer from their User (giving them some read access to all resources, but not to sensitive data such as Secrets).

system:admin-namespace and system:viewer are defined in //cluster/kube.