This repository has been archived by the owner on Feb 22, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[stable/magic-namespace] initial commit (#3966)
* [incubator/magic-namespace] initial commit
* [incubator/magic-namespace] fix typos in docs
* [incubator/magic-namespace] more fix typos in docs
* [incubator/magic-namespace] remove unnecessary italics
* move to stable
* use $ instead of
1 parent: c320e85
commit: 8155c3f
Showing 13 changed files with 473 additions and 0 deletions.
@@ -0,0 +1,21 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj |
@@ -0,0 +1,8 @@ | ||
apiVersion: v1 | ||
name: magic-namespace | ||
version: 0.1.0 | ||
appVersion: 2.8.1 | ||
description: Elegantly enables a Tiller per namespace in RBAC-enabled clusters | ||
maintainers: | ||
- name: krancour | ||
email: kent.rancourt@microsoft.com |
@@ -0,0 +1,4 @@ | ||
approvers: | ||
- krancour | ||
reviewers: | ||
- krancour |
@@ -0,0 +1,141 @@ | ||
# Magic Namespace | ||
|
||
**Magic Namespace** provides an easy, comprehensive option for cluster operators | ||
to manage namespaces and observe good security practices in _multi-tenant, | ||
RBAC-enabled_ Kubernetes clusters. | ||
|
||
## Introduction | ||
|
||
So you've got a multi-tenant cluster? Let's assume your cluster is RBAC-enabled. | ||
If it isn't, _go fix that first_. You're playing with fire. Until you fix that, | ||
you don't need Magic Namespace. Go fix it. We'll wait... | ||
|
||
In a multi-tenant cluster, a cluster operator (someone with full, unrestricted | ||
privileges across the entire cluster), will manage users, groups, service | ||
accounts, roles, and user/group bindings to roles-- all to either permit or | ||
prevent subjects from performing certain actions in different namespaces. | ||
|
||
A common paradigm that has emerged is that _teams_ are given their own namespace | ||
and some degree of latitude to administer that namespace, whilst not being | ||
permitted to perform actions on _other teams'_ namespaces. | ||
|
||
Now bring Helm/Tiller into the equation. In an RBAC-enabled cluster, Tiller is | ||
so often granted the `cluster-admin` role-- which gives it "root" access to the | ||
entire cluster. While such a Tiller may be suitable for use by a cluster | ||
operator, it's _not_ suitable for use by other teams, as it presents them with | ||
an easy avenue for escalating their privileges. | ||
|
||
To compensate for this, a pattern that has emmerged to complement the | ||
namespace-per-team pattern is the _tiller-per-namespace_ pattern. This has been | ||
widely adopted in multi-tenant, RBAC-enabled clusters. Until now, cluster | ||
operators have tended to create their own bespoke scripts for performing all | ||
requisite setup to implement these patterns. | ||
|
||
Magic Namespace takes the pain out of this setup. It offers cluster operators an | ||
easy, comprehensive avenue for using _their_ Tiller to manage namespaces, | ||
service accounts, _other Tillers_, and role bindings for their consituent | ||
teams. Magic Namespace permits cluster operators to manage all of this using | ||
familiar Helm-based workflows. | ||
|
||
## How it Works | ||
|
||
By default, Magic Namespace creates a service account for Tiller in the | ||
designated namespace and binds it to the `admin` role for that namespace. It | ||
also creates a deployment that utilizes this service account. This can be | ||
disabled or configured further, but the default behavior is sensible. In fact, | ||
the defaults _closes_ a variety of known Tiller-based attack vectors. | ||
|
||
Magic Namespace also offers cluster operators to define additional service | ||
accounts and role bindings for use within the namespace. _Typically, it would | ||
be a good idea to define at least one role binding that grants a user or group | ||
administrative privileges in the namespace._ Absent this, the namespace's own | ||
Tiller will function, but no user (other than the cluster operator) will be | ||
capable of interacting with it via Helm. | ||
|
||
## Prerequisites | ||
|
||
- A Kubernetes cluster with RBAC enabled | ||
|
||
## Installing the Chart | ||
|
||
To install the chart to create the `foo` namespace (if it doesn't already exist) | ||
and useful resources (Tiller, service accounts, etc.) within that namespace: | ||
|
||
```bash | ||
$ helm install stable/magic-namespace --name foo --namespace foo | ||
``` | ||
|
||
Typically, you will want to bind at least one user or group to the `admin` role | ||
in this namespace. Here are steps to follow: | ||
|
||
First, make a copy of the default `values.yaml`: | ||
|
||
```bash | ||
$ helm inspect values stable/magic-namespace > ~/my-values.yaml | ||
``` | ||
|
||
Edit `~/my-values.yaml` accordingly. Here is a sample role binding: | ||
|
||
``` | ||
... | ||
roleBindings: | ||
- name: admin-group-admin | ||
role: | ||
## Valid values are "Role" or "ClusterRole" | ||
kind: ClusterRole | ||
name: admin | ||
subject: | ||
## Valid values are "User", "Group", or "ServiceAccount" | ||
kind: Group | ||
name: <group> | ||
... | ||
``` | ||
|
||
Deploy as follows: | ||
|
||
```bash | ||
$ helm install stable/magic-namespace \ | ||
--name foo \ | ||
--namespace foo \ | ||
--values ~/my-values.yaml | ||
``` | ||
|
||
## Uninstalling the Chart | ||
|
||
Deleting a release of a Magic Namespace will _not_ delete the namespace. It will | ||
only delete the Tiller, service accounts, role bindings, etc. from that | ||
namespace. This is actually desireable behavior, as anything the team has | ||
deployed within that namespace is likely to be unaffected, though further | ||
deployments to and management of that namespace will not be possible by anyone | ||
other than the cluster operator. | ||
|
||
```bash | ||
$ helm delete foo --purge | ||
``` | ||
|
||
## Configuration | ||
|
||
The following table lists the most common, useful, and interesting configuration | ||
parameters of the Magic Namespace chart and their default values. Please | ||
reference the default `values.yaml` to understand further options. | ||
|
||
| Parameter | Description | Default | | ||
|-----------|-------------|---------| | ||
| `tiller.enabled` | Whether to include a Tiller in the namespace | `true` | | ||
| `tiller.replicaCount` | The number of Tiller replicas to run | `1` | | ||
| `tiller.image.repository` | The Docker image to use for Tiller, minus version/label | `gcr.io/kubernetes-helm/tiller` | | ||
| `tiller.image.tag` | The specific version/label of the Docker image used for Tiller | `v2.8.1` | | ||
| `tiller.image.pullPolicy` | The pull policy to utilize when pulling Tiller images from a Docker repsoitory | `IfNotPresent` | | ||
| `tiller.maxHistory` | The maximum number of releases Tiller should remember. A value of `0` is interpreted as no limit. | `0` | | ||
| `tiller.role.type` | Identify the kind of role (`Role` or `ClusterRole`) that will be referenced in the role binding for Tiller's service account. There is seldom any reason to override this. | `ClusterRole` | | ||
| `tiller.role.type` | Identify the name of the `Role` or `ClusterRole` that will be referenced in the role binding for Tiller's service account. There is seldom any reason to override this. | `admin` | | ||
| `tiller.includeService` | This deploys a service resource for Tiller. This is not generally needed. Please understand the security implications of this before overriding the default. | `false` | | ||
| `tiller.onlyListenOnLocalhost` | This prevents Tiller from binding to `0.0.0.0`. This is generally advisable to close known Tiller-based attack vectors. Please understand the security implications of this before overriding the default. | `true` | | ||
| `serviceAccounts` | An optional array of names of additional service account to create | `nil` | | ||
| `roleBindings` | An optional array of objects that define role bindings | `nil` | | ||
| `roleBindings[n].role.kind` | Identify the kind of role (`Role` or `ClusterRole`) to be used in the role binding | | | ||
| `roleBindings[n].role.name` | Identify the name of the role to be used in the role binding | | | ||
| `roleBindings[n].subject.kind` | Identify the kind of subject (`User`, `Group`, or `ServiceAccount` ) to be used in the role binding | | | ||
| `roleBindings[n].subject.name` | Identify the name of the subject to be used in the role binding | | |
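Review bot: the configuration table lists `tiller.role.type` twice; the second row (default `admin`) describes the role name and should be keyed `tiller.role.name`, which is the key the Tiller RoleBinding template actually reads. In the same table the per-namespace bindings use `roleBindings[n].role.kind` while Tiller's own role uses `tiller.role.type`; using `kind` for both would avoid a predictable mistyping. Typos to fix in the prose: "emmerged", "consituent", "desireable", "repsoitory", "the defaults _closes_" (should be "close"), and "offers cluster operators to define" (read "lets cluster operators define"). Since "How it Works" already states that only subjects bound to `admin` can use the namespace's Tiller, it would be worth adding one sentence saying that this RoleBinding is the effective access control for Helm in the namespace, because the Tiller deployed here is configured without TLS and does no authentication of its own.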
@@ -0,0 +1,26 @@ | ||
|
||
The namespace "{{ .Release.Namespace }}" has been created if it didn't already exist. | ||
|
||
{{ if or .Values.tiller.enabled .Values.serviceAccounts -}} | ||
The following service accounts have been created in the namespace: | ||
{{ if .Values.tiller.enabled }} | ||
- tiller | ||
{{- end }} | ||
{{- range .Values.serviceAccounts }} | ||
- {{ . }} | ||
{{- end }} | ||
{{ end }} | ||
{{ if or .Values.tiller.enabled .Values.roleBindings -}} | ||
The following role bindings have been created in the namespace: | ||
{{ if .Values.tiller.enabled }} | ||
- ServiceAccount[tiller] --> {{ .Values.tiller.role.kind }}[{{ .Values.tiller.role.name }}] | ||
{{- end }} | ||
{{- range .Values.roleBindings }} | ||
- {{ .subject.kind }}[{{ .subject.name }}] --> {{ .role.kind }}[{{ .role.name }}] | ||
{{- end }} | ||
{{ end }} | ||
{{ if .Values.tiller.enabled -}} | ||
Utilize the Tiller in your new namespace like so: | ||
|
||
$ helm <command> --tiller-namespace {{ .Release.Namespace }} | ||
{{- end }} |
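Review bot: `.Values.tiller.role.kind` on the `ServiceAccount[tiller]` line does not match the key the Tiller RoleBinding template reads, `.Values.tiller.role.type` (the README table uses `type` as well). Whichever key values.yaml defines, the other renders as an empty string, so either this line prints `ServiceAccount[tiller] --> [admin]` or the RoleBinding is rendered with an empty `kind` and rejected by the API server. Settle on one key, preferably `kind`, to match `roleBindings[n].role.kind`.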
@@ -0,0 +1,32 @@ | ||
{{/* vim: set filetype=mustache: */}} | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "magic-namespace.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "magic-namespace.fullname" -}} | ||
{{- if .Values.fullnameOverride -}} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- $name := default .Chart.Name .Values.nameOverride -}} | ||
{{- if contains $name .Release.Name -}} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}} | ||
{{- else -}} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- end -}} | ||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "magic-namespace.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} | ||
{{- end -}} |
@@ -0,0 +1,19 @@ | ||
|
||
{{- range .Values.roleBindings }} | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: {{ .name }} | ||
labels: | ||
chart: {{ template "magic-namespace.chart" $ }} | ||
release: {{ $.Release.Name }} | ||
heritage: {{ $.Release.Service }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: {{ .role.kind }} | ||
name: {{ .role.name }} | ||
subjects: | ||
- kind: {{ .subject.kind }} | ||
name: {{ .subject.name }} | ||
{{- end }} |
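Review bot: the `subjects` entry omits `namespace`, which the RBAC API requires when `subject.kind` is `ServiceAccount`, a kind the README explicitly lists as valid, so such a binding fails validation at install time. Emit it conditionally, e.g. `{{- if eq .subject.kind "ServiceAccount" }}` / `namespace: {{ $.Release.Namespace }}` / `{{- end }}` under the `name:` line. Also consider wrapping `.name`, `.role.name` and `.subject.name` in `required` so a values file with a missing field fails with a clear message instead of rendering an empty `metadata.name`.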
@@ -0,0 +1,11 @@ | ||
{{- range .Values.serviceAccounts }} | ||
--- | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ . }} | ||
labels: | ||
chart: {{ template "magic-namespace.chart" $ }} | ||
release: {{ $.Release.Name }} | ||
heritage: {{ $.Release.Service }} | ||
{{- end }} |
@@ -0,0 +1,84 @@ | ||
{{- if .Values.tiller.enabled }} | ||
apiVersion: extensions/v1beta1 | ||
kind: Deployment | ||
metadata: | ||
name: tiller-deploy | ||
labels: | ||
app: helm | ||
name: tiller | ||
chart: {{ template "magic-namespace.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
spec: | ||
replicas: {{ .Values.tiller.replicaCount }} | ||
selector: | ||
matchLabels: | ||
app: helm | ||
name: tiller | ||
release: {{ .Release.Name }} | ||
template: | ||
metadata: | ||
labels: | ||
app: helm | ||
name: tiller | ||
chart: {{ template "magic-namespace.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
spec: | ||
serviceAccountName: tiller | ||
containers: | ||
- name: {{ .Chart.Name }} | ||
image: "{{ .Values.tiller.image.repository }}:{{ .Values.tiller.image.tag }}" | ||
imagePullPolicy: {{ .Values.tiller.image.pullPolicy }} | ||
env: | ||
- name: TILLER_NAMESPACE | ||
value: {{ .Release.Namespace }} | ||
- name: TILLER_HISTORY_MAX | ||
value: {{ quote .Values.tiller.maxHistory }} | ||
{{- if .Values.tiller.onlyListenOnLocalhost }} | ||
command: ["/tiller"] | ||
args: ["--listen=localhost:44134"] | ||
{{- else }} | ||
ports: | ||
- containerPort: 44134 | ||
name: tiller | ||
protocol: TCP | ||
- containerPort: 44135 | ||
name: http | ||
protocol: TCP | ||
{{- end }} | ||
livenessProbe: | ||
failureThreshold: 3 | ||
httpGet: | ||
path: /liveness | ||
port: 44135 | ||
scheme: HTTP | ||
initialDelaySeconds: 1 | ||
periodSeconds: 10 | ||
successThreshold: 1 | ||
timeoutSeconds: 1 | ||
readinessProbe: | ||
failureThreshold: 3 | ||
httpGet: | ||
path: /readiness | ||
port: 44135 | ||
scheme: HTTP | ||
initialDelaySeconds: 1 | ||
periodSeconds: 10 | ||
successThreshold: 1 | ||
timeoutSeconds: 1 | ||
resources: | ||
{{ toYaml .Values.tiller.resources | indent 12 }} | ||
{{- with .Values.tiller.nodeSelector }} | ||
nodeSelector: | ||
{{ toYaml . | indent 8 }} | ||
{{- end }} | ||
{{- with .Values.tiller.affinity }} | ||
affinity: | ||
{{ toYaml . | indent 8 }} | ||
{{- end }} | ||
{{- with .Values.tiller.tolerations }} | ||
tolerations: | ||
{{ toYaml . | indent 8 }} | ||
{{- end }} | ||
{{- end }} |
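Review bot: the `onlyListenOnLocalhost` branch only moves Tiller's gRPC listener; it does not stop in-namespace access on its own. Any subject with `pods/portforward` or `pods/exec` in the namespace, both of which the `admin` role granted per the README includes, can still reach this Tiller, and no TLS flags are configured, so the namespace RoleBindings are the real boundary. A comment here and a sentence in the README would make that model explicit. Two smaller points: `extensions/v1beta1` is deprecated for Deployments (`apps/v1` is available since Kubernetes 1.9, and the `selector` block is already present as `apps/v1` requires), and the `tiller` service account named in `serviceAccountName` is not defined in any hunk shown on this page, so confirm it is created by one of the two changed files not rendered here.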
@@ -0,0 +1,20 @@ | ||
{{- if .Values.tiller.enabled }} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: tiller-{{ .Values.tiller.role.name }} | ||
labels: | ||
app: helm | ||
name: tiller | ||
chart: {{ template "magic-namespace.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: {{ .Values.tiller.role.type }} | ||
name: {{ .Values.tiller.role.name }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: tiller | ||
namespace: {{ .Release.Namespace }} | ||
{{- end }} |
@@ -0,0 +1,22 @@ | ||
{{- if and .Values.tiller.enabled .Values.tiller.includeService }} | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: tiller-deploy | ||
labels: | ||
app: helm | ||
name: tiller | ||
chart: {{ template "magic-namespace.chart" . }} | ||
release: {{ .Release.Name }} | ||
heritage: {{ .Release.Service }} | ||
spec: | ||
type: ClusterIP | ||
selector: | ||
app: helm | ||
name: tiller | ||
ports: | ||
- name: tiller | ||
port: 44134 | ||
protocol: TCP | ||
targetPort: tiller | ||
{{- end }} |
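Review bot: the guard on the first line allows `tiller.includeService=true` together with the default `tiller.onlyListenOnLocalhost=true`, and in that combination the Deployment renders no `ports:` block, so `targetPort: tiller` names a container port that does not exist and Tiller is bound to localhost anyway; the Service is created but routes nowhere. Either extend the condition to `and .Values.tiller.enabled .Values.tiller.includeService (not .Values.tiller.onlyListenOnLocalhost)` or document that the two settings are mutually exclusive. The selector also lacks the `release` label that the Deployment's `matchLabels` use; harmless with one Tiller per namespace, but inconsistent.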