[stable/magic-namespace] initial commit (#3966)

* [incubator/magic-namespace] initial commit * [incubator/magic-namespace] fix typos in docs * [incubator/magic-namespace] more fix typos in docs * [incubator/magic-namespace] remove unnecessary italics * move to stable * use $ instead of
helm · Mar 19, 2018 · 8155c3f · 8155c3f
1 parent c320e85
commit 8155c3f
Show file tree

Hide file tree

Showing 13 changed files with 473 additions and 0 deletions.
diff --git a/stable/magic-namespace/.helmignore b/stable/magic-namespace/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/stable/magic-namespace/Chart.yaml b/stable/magic-namespace/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+name: magic-namespace
+version: 0.1.0
+appVersion: 2.8.1
+description: Elegantly enables a Tiller per namespace in RBAC-enabled clusters
+maintainers:
+- name: krancour
+  email: kent.rancourt@microsoft.com
diff --git a/stable/magic-namespace/OWNERS b/stable/magic-namespace/OWNERS
@@ -0,0 +1,4 @@
+approvers:
+- krancour
+reviewers:
+- krancour
diff --git a/stable/magic-namespace/README.md b/stable/magic-namespace/README.md
@@ -0,0 +1,141 @@
+# Magic Namespace
+
+**Magic Namespace** provides an easy, comprehensive option for cluster operators
+to manage namespaces and observe good security practices in _multi-tenant,
+RBAC-enabled_ Kubernetes clusters.
+
+## Introduction
+
+So you've got a multi-tenant cluster? Let's assume your cluster is RBAC-enabled.
+If it isn't, _go fix that first_. You're playing with fire. Until you fix that,
+you don't need Magic Namespace. Go fix it. We'll wait...
+
+In a multi-tenant cluster, a cluster operator (someone with full, unrestricted
+privileges across the entire cluster), will manage users, groups, service
+accounts, roles, and user/group bindings to roles-- all to either permit or
+prevent subjects from performing certain actions in different namespaces.
+
+A common paradigm that has emerged is that _teams_ are given their own namespace
+and some degree of latitude to administer that namespace, whilst not being
+permitted to perform actions on _other teams'_ namespaces.
+
+Now bring Helm/Tiller into the equation. In an RBAC-enabled cluster, Tiller is
+so often granted the `cluster-admin` role-- which gives it "root" access to the
+entire cluster. While such a Tiller may be suitable for use by a cluster
+operator, it's _not_ suitable for use by other teams, as it presents them with
+an easy avenue for escalating their privileges.
+
+To compensate for this, a pattern that has emmerged to complement the
+namespace-per-team pattern is the _tiller-per-namespace_ pattern. This has been
+widely adopted in multi-tenant, RBAC-enabled clusters. Until now, cluster
+operators have tended to create their own bespoke scripts for performing all
+requisite setup to implement these patterns.
+
+Magic Namespace takes the pain out of this setup. It offers cluster operators an
+easy, comprehensive avenue for using _their_ Tiller to manage namespaces,
+service accounts, _other Tillers_, and role bindings for their consituent
+teams. Magic Namespace permits cluster operators to manage all of this using
+familiar Helm-based workflows.
+
+## How it Works
+
+By default, Magic Namespace creates a service account for Tiller in the
+designated namespace and binds it to the `admin` role for that namespace. It
+also creates a deployment that utilizes this service account. This can be
+disabled or configured further, but the default behavior is sensible. In fact,
+the defaults _closes_ a variety of known Tiller-based attack vectors.
+
+Magic Namespace also offers cluster operators to define additional service
+accounts and role bindings for use within the namespace. _Typically, it would
+be a good idea to define at least one role binding that grants a user or group
+administrative privileges in the namespace._ Absent this, the namespace's own
+Tiller will function, but no user (other than the cluster operator) will be
+capable of interacting with it via Helm. 
+
+## Prerequisites
+
+- A Kubernetes cluster with RBAC enabled
+
+## Installing the Chart
+
+To install the chart to create the `foo` namespace (if it doesn't already exist)
+and useful resources (Tiller, service accounts, etc.) within that namespace:
+
+```bash
+$ helm install stable/magic-namespace --name foo --namespace foo
+```
+
+Typically, you will want to bind at least one user or group to the `admin` role
+in this namespace. Here are steps to follow:
+
+First, make a copy of the default `values.yaml`:
+
+```bash
+$ helm inspect values stable/magic-namespace > ~/my-values.yaml
+```
+
+Edit `~/my-values.yaml` accordingly. Here is a sample role binding:
+
+```
+...
+
+roleBindings:
+- name: admin-group-admin
+  role:
+    ## Valid values are "Role" or "ClusterRole"
+    kind: ClusterRole
+    name: admin
+  subject:
+    ## Valid values are "User", "Group", or "ServiceAccount"
+    kind: Group
+    name: <group>
+
+...
+```
+
+Deploy as follows:
+
+```bash
+$ helm install stable/magic-namespace \
+  --name foo \
+  --namespace foo \
+  --values ~/my-values.yaml
+```
+
+## Uninstalling the Chart
+
+Deleting a release of a Magic Namespace will _not_ delete the namespace. It will
+only delete the Tiller, service accounts, role bindings, etc. from that
+namespace. This is actually desireable behavior, as anything the team has
+deployed within that namespace is likely to be unaffected, though further
+deployments to and management of that namespace will not be possible by anyone
+other than the cluster operator.
+
+```bash
+$ helm delete foo --purge
+```
+
+## Configuration
+
+The following table lists the most common, useful, and interesting configuration
+parameters of the Magic Namespace chart and their default values. Please
+reference the default `values.yaml` to understand further options.
+
+| Parameter | Description | Default |
+|-----------|-------------|---------|
+| `tiller.enabled` | Whether to include a Tiller in the namespace | `true` |
+| `tiller.replicaCount` | The number of Tiller replicas to run | `1` |
+| `tiller.image.repository` | The Docker image to use for Tiller, minus version/label | `gcr.io/kubernetes-helm/tiller` |
+| `tiller.image.tag` | The specific version/label of the Docker image used for Tiller | `v2.8.1` |
+| `tiller.image.pullPolicy` | The pull policy to utilize when pulling Tiller images from a Docker repsoitory | `IfNotPresent` |
+| `tiller.maxHistory` | The maximum number of releases Tiller should remember. A value of `0` is interpreted as no limit. | `0` |
+| `tiller.role.type` | Identify the kind of role (`Role` or `ClusterRole`) that will be referenced in the role binding for Tiller's service account. There is seldom any reason to override this. | `ClusterRole` |
+| `tiller.role.type` | Identify the name of the `Role` or `ClusterRole` that will be referenced in the role binding for Tiller's service account. There is seldom any reason to override this. | `admin` |
+| `tiller.includeService` | This deploys a service resource for Tiller. This is not generally needed. Please understand the security implications of this before overriding the default. | `false` |
+| `tiller.onlyListenOnLocalhost` | This prevents Tiller from binding to `0.0.0.0`. This is generally advisable to close known Tiller-based attack vectors. Please understand the security implications of this before overriding the default. | `true` |
+| `serviceAccounts` | An optional array of names of additional service account to create | `nil` |
+| `roleBindings` | An optional array of objects that define role bindings | `nil` |
+| `roleBindings[n].role.kind` | Identify the kind of role (`Role` or `ClusterRole`) to be used in the role binding | |
+| `roleBindings[n].role.name` | Identify the name of the role to be used in the role binding | |
+| `roleBindings[n].subject.kind` | Identify the kind of subject (`User`, `Group`, or `ServiceAccount` ) to be used in the role binding | |
+| `roleBindings[n].subject.name` | Identify the name of the subject to be used in the role binding | |
diff --git a/stable/magic-namespace/templates/NOTES.txt b/stable/magic-namespace/templates/NOTES.txt
@@ -0,0 +1,26 @@
+
+The namespace "{{ .Release.Namespace }}" has been created if it didn't already exist.
+
+{{ if or .Values.tiller.enabled .Values.serviceAccounts -}}
+The following service accounts have been created in the namespace:
+{{ if .Values.tiller.enabled }}
+  - tiller
+{{- end }}
+{{- range .Values.serviceAccounts }}
+  - {{ . }}
+{{- end }}
+{{ end }}
+{{ if or .Values.tiller.enabled .Values.roleBindings -}}
+The following role bindings have been created in the namespace:
+{{ if .Values.tiller.enabled }}
+  - ServiceAccount[tiller] --> {{ .Values.tiller.role.kind }}[{{ .Values.tiller.role.name }}]
+{{- end }}
+{{- range .Values.roleBindings }}
+  - {{ .subject.kind }}[{{ .subject.name }}] --> {{ .role.kind }}[{{ .role.name }}]
+{{- end }}
+{{ end }}
+{{ if .Values.tiller.enabled -}}
+Utilize the Tiller in your new namespace like so:
+
+  $ helm <command> --tiller-namespace {{ .Release.Namespace }}
+{{- end }}
diff --git a/stable/magic-namespace/templates/_helpers.tpl b/stable/magic-namespace/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "magic-namespace.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "magic-namespace.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "magic-namespace.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/stable/magic-namespace/templates/rolebindings.yaml b/stable/magic-namespace/templates/rolebindings.yaml
@@ -0,0 +1,19 @@
+
+{{- range .Values.roleBindings }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .name }}
+  labels:
+    chart: {{ template "magic-namespace.chart" $ }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .role.kind }}
+  name: {{ .role.name }}
+subjects:
+- kind: {{ .subject.kind }}
+  name: {{ .subject.name }}
+{{- end }}
diff --git a/stable/magic-namespace/templates/serviceaccounts.yaml b/stable/magic-namespace/templates/serviceaccounts.yaml
@@ -0,0 +1,11 @@
+{{- range .Values.serviceAccounts }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ . }}
+  labels:
+    chart: {{ template "magic-namespace.chart" $ }}
+    release: {{ $.Release.Name }}
+    heritage: {{ $.Release.Service }}
+{{- end }}
diff --git a/stable/magic-namespace/templates/tiller-deployment.yaml b/stable/magic-namespace/templates/tiller-deployment.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.tiller.enabled }}
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: tiller-deploy
+  labels:
+    app: helm
+    name: tiller
+    chart: {{ template "magic-namespace.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.tiller.replicaCount }}
+  selector:
+    matchLabels:
+      app: helm
+      name: tiller
+      release: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app: helm
+        name: tiller
+        chart: {{ template "magic-namespace.chart" . }}
+        release: {{ .Release.Name }}
+        heritage: {{ .Release.Service }}
+    spec:
+      serviceAccountName: tiller
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.tiller.image.repository }}:{{ .Values.tiller.image.tag }}"
+          imagePullPolicy: {{ .Values.tiller.image.pullPolicy }}
+          env:
+          - name: TILLER_NAMESPACE
+            value: {{ .Release.Namespace }}
+          - name: TILLER_HISTORY_MAX
+            value: {{ quote .Values.tiller.maxHistory }}
+          {{- if .Values.tiller.onlyListenOnLocalhost }}
+          command: ["/tiller"]
+          args: ["--listen=localhost:44134"]
+          {{- else }}
+          ports:
+          - containerPort: 44134
+            name: tiller
+            protocol: TCP
+          - containerPort: 44135
+            name: http
+            protocol: TCP
+          {{- end }}
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /liveness
+              port: 44135
+              scheme: HTTP
+            initialDelaySeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /readiness
+              port: 44135
+              scheme: HTTP
+            initialDelaySeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources:
+{{ toYaml .Values.tiller.resources | indent 12 }}
+    {{- with .Values.tiller.nodeSelector }}
+      nodeSelector:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tiller.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+    {{- with .Values.tiller.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+    {{- end }}
+{{- end }}
diff --git a/stable/magic-namespace/templates/tiller-rolebinding.yaml b/stable/magic-namespace/templates/tiller-rolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.tiller.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tiller-{{ .Values.tiller.role.name }}
+  labels:
+    app: helm
+    name: tiller
+    chart: {{ template "magic-namespace.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .Values.tiller.role.type }}
+  name: {{ .Values.tiller.role.name }}
+subjects:
+- kind: ServiceAccount
+  name: tiller
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/stable/magic-namespace/templates/tiller-service.yaml b/stable/magic-namespace/templates/tiller-service.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.tiller.enabled .Values.tiller.includeService }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: tiller-deploy
+  labels:
+    app: helm
+    name: tiller
+    chart: {{ template "magic-namespace.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  type: ClusterIP
+  selector:
+    app: helm
+    name: tiller
+  ports:
+  - name: tiller
+    port: 44134
+    protocol: TCP
+    targetPort: tiller
+{{- end }}