
Programmatic Tenant prefix for the Capsule namespaces #41

Merged: 1 commit merged into master from issues/34 on Aug 7, 2020

Conversation

prometherion (Member) commented Aug 6, 2020

Closes #34: just need to use the arg --force-tenant-prefix to set up the proper webhook.

INFO    setup   Operator Version: 0.0.1
INFO    setup   Go Version: go1.13.14
INFO    setup   Go OS/Arch: linux/amd64
INFO    controller-runtime.metrics      metrics server is starting to listen    {"addr": "127.0.0.1:8080"}
INFO    setup   Enabling the Namespace Tenant Prefix webhook

Once done, create a Tenant (oil, our sample Tenant) and issue a Namespace creation as Tenant owner:

# kubectl create ns production
namespace/oil-production created

prometherion requested a review from bsctl August 6, 2020 12:50

prometherion (Member Author) commented:

@bsctl && @gabrilabs75 please review.

bsctl (Member) commented Aug 6, 2020

@prometherion this build looks to be totally broken :(

enable the --force-tenant-prefix

as tenant owner:

$ export KUBECONFIG=alice-oil.kubeconfig
$ kubectl create ns oil-production
namespace/oil-oil-production created

$ kubectl delete ns oil-oil-production
Error from server (Forbidden): namespaces "oil-oil-production" is forbidden: User "alice" cannot delete resource "namespaces" in API group "" in the namespace "oil-oil-production"

$ kubectl create ns production
namespace/oil-production created

$ kubectl delete ns oil-production
Error from server (Forbidden): namespaces "oil-production" is forbidden: User "alice" cannot delete resource "namespaces" in API group "" in the namespace "oil-production"

as cluster admin:

$ kubectl get tenants
NAME   NAMESPACE QUOTA   NAMESPACE COUNT   OWNER   AGE
oil    3                 0                 alice   17m

$ kubectl describe ns oil-production
Name:         oil-production
Labels:       capsule.clastix.io/tenant=oil
Annotations:  <none>
Status:       Active
No resource quota.
No LimitRange resource.

IMHO, the logic to implement should be the following:

  • disable the --force-tenant-prefix -> no checks on the name of the namespaces

  • enable the --force-tenant-prefix -> check if the name of the namespace is in the form "tenant-namespace", otherwise just deny the request with an appropriate error message telling the owner to follow the naming convention "tenant-namespace".
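The two behaviours under discussion, side by side, as an added example written for this page; it is not Capsule's code and does not use the controller-runtime admission types. `naivePrefix` models what bsctl observed in the broken build (the name was rewritten by prepending the tenant, so `oil-production` became `oil-oil-production`), and `validateNamespacePrefix` implements the logic proposed above: with the flag off the name is not inspected, with it on the name must start with `<tenant>-` or the request is denied with the expected name in the message. The `namespaceRequest` and `tenant` types, the `tenantForOwner` lookup, and the assumption that a user who owns no Tenant (the cluster admin in this thread) is simply not subject to the rule are all simplifications introduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// namespaceRequest is a hypothetical stand-in for the two admission-request
// fields the webhook needs: the requested metadata.name and the username
// from the request's UserInfo. It is not an upstream type.
type namespaceRequest struct {
	Name  string
	Owner string
}

// tenant is a minimal stand-in for the Tenant fields used here (name and owner).
type tenant struct {
	Name  string
	Owner string
}

// tenantForOwner finds the Tenant whose owner matches the requesting user.
// The example assumes one Tenant per owner, as in the thread (oil -> alice).
func tenantForOwner(tenants []tenant, owner string) (tenant, bool) {
	for _, t := range tenants {
		if t.Owner == owner {
			return t, true
		}
	}
	return tenant{}, false
}

// naivePrefix reproduces the broken build's behaviour: the requested name is
// patched by blindly prepending "<tenant>-", so a request that already
// follows the convention is prefixed twice ("oil-production" -> "oil-oil-production").
func naivePrefix(t tenant, requested string) string {
	return t.Name + "-" + requested
}

// validateNamespacePrefix is the validating logic proposed in the thread.
// The name is never modified: it is either admitted as-is or denied with a
// message that tells the owner which name would have been accepted. Whether
// the name is a valid DNS label is left to the API server, as in Kubernetes.
func validateNamespacePrefix(t tenant, req namespaceRequest, forceTenantPrefix bool) error {
	if !forceTenantPrefix {
		return nil // flag disabled: no checks on the namespace name
	}
	prefix := t.Name + "-"
	if strings.HasPrefix(req.Name, prefix) {
		return nil
	}
	return fmt.Errorf("The namespace doesn't match the tenant prefix, expected %s%s", prefix, req.Name)
}

// admit ties the lookup and the check together for one CREATE request.
// Assumption of this example: a user who owns no Tenant (e.g. the cluster
// admin) is not subject to the prefix rule and the request is allowed.
func admit(tenants []tenant, req namespaceRequest, forceTenantPrefix bool) error {
	t, ok := tenantForOwner(tenants, req.Owner)
	if !ok {
		return nil
	}
	return validateNamespacePrefix(t, req, forceTenantPrefix)
}

func main() {
	// Constructed input mirroring the thread: Tenant "oil" owned by "alice".
	tenants := []tenant{{Name: "oil", Owner: "alice"}}
	oil := tenants[0]

	fmt.Println("broken build rewrote oil-production to:", naivePrefix(oil, "oil-production"))

	for _, name := range []string{"test", "oil-test", "production"} {
		err := admit(tenants, namespaceRequest{Name: name, Owner: "alice"}, true)
		if err != nil {
			fmt.Printf("%-12s denied: %v\n", name, err)
		} else {
			fmt.Printf("%-12s allowed\n", name)
		}
	}
	// With --force-tenant-prefix disabled the same request is not inspected.
	fmt.Println("flag off, \"production\" allowed:",
		admit(tenants, namespaceRequest{Name: "production", Owner: "alice"}, false) == nil)
}
```

The denial message deliberately carries the expected name (`oil-test` for a request named `test`), which is the form the merged webhook reports below; the admitting path returns the request untouched, which is what avoids the double-prefix the mutating approach produced.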

prometherion (Member Author) commented:

> IMHO, the logic to implement should be the following:
>
> disable the --force-tenant-prefix -> no checks on the name of the namespaces
>
> enable the --force-tenant-prefix -> check if the name of the namespace is in the form "tenant-namespace", otherwise just deny the request with an appropriate error message telling the owner to follow the naming convention "tenant-namespace".

I get your point, and honestly patching resource names isn't neat.

prometherion (Member Author) commented:

@bsctl I discovered a huge bug, so thanks a lot for double-checking this! 🤝

Please, can you try again? Keep in mind to apply the new manifest changes with make deploy first, since we're adding a new validating webhook.

bsctl (Member) commented Aug 7, 2020

verified

$ kubectl create ns test
Error from server (The namespace doesn't match the tenant prefix, expected oil-test): admission webhook "prefix.namespace.capsule.clastix.io" denied the request: The namespace doesn't match the tenant prefix, expected oil-test

$ kubectl create ns oil-test
namespace/oil-test created

$ kubectl create ns oil-training
Error from server (Cannot exceed Namespace quota: please, reach out the system administrators): admission webhook "quota.namespace.capsule.clastix.io" denied the request: Cannot exceed Namespace quota: please, reach out the system administrators

$ kubectl create ns training
Error from server (The namespace doesn't match the tenant prefix, expected oil-training): admission webhook "prefix.namespace.capsule.clastix.io" denied the request: The namespace doesn't match the tenant prefix, expected oil-training

as admin

$ kubectl get tenants -w
NAME   NAMESPACE QUOTA   NAMESPACE COUNT   OWNER   AGE
oil    3                 1                 alice   17m
oil    3                 1                 alice   17m
oil    3                 2                 alice   18m
oil    3                 2                 alice   18m
oil    3                 3                 alice   18m

$ kubectl describe tenant oil
...
Status:
  Namespaces:
    oil-development
    oil-test
    production <-- created before enabling --force-tenant-prefix on capsule
  Size:  3

prometherion merged commit 38cd3be into master Aug 7, 2020
prometherion deleted the issues/34 branch August 7, 2020 08:25
Successfully merging this pull request may close these issues: Simple implementation of control naming of namespaces