-
Notifications
You must be signed in to change notification settings - Fork 131
/
namespaces.go
117 lines (97 loc) · 3.48 KB
/
namespaces.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
// Copyright (c) 2019-2024 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package render
import (
rmeta "github.com/tigera/operator/pkg/render/common/meta"
"github.com/tigera/operator/pkg/render/common/secret"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
operatorv1 "github.com/tigera/operator/api/v1"
"github.com/tigera/operator/pkg/common"
)
func Namespaces(cfg *NamespaceConfiguration) Component {
return &namespaceComponent{
cfg: cfg,
}
}
// NamespaceConfiguration contains all the config information needed to render the component.
type NamespaceConfiguration struct {
Installation *operatorv1.InstallationSpec
PullSecrets []*corev1.Secret
Terminating bool
}
type namespaceComponent struct {
cfg *NamespaceConfiguration
}
func (c *namespaceComponent) ResolveImages(is *operatorv1.ImageSet) error {
// No images on a namespace
return nil
}
func (c *namespaceComponent) SupportedOSType() rmeta.OSType {
return rmeta.OSTypeAny
}
func (c *namespaceComponent) Objects() ([]client.Object, []client.Object) {
ns := []client.Object{
CreateNamespace(common.CalicoNamespace, c.cfg.Installation.KubernetesProvider, PSSPrivileged),
}
// If we're terminating, we don't want to delete the namespace right away.
// It will be cleaned up by Kubernetes when the Installation object is finally released.
if c.cfg.Terminating {
ns = []client.Object{}
}
if c.cfg.Installation.Variant == operatorv1.TigeraSecureEnterprise {
// We need to always have ns tigera-dex even when the Authentication CR is not present, so policies can be added to this namespace.
ns = append(ns, CreateNamespace(DexObjectName, c.cfg.Installation.KubernetesProvider, PSSRestricted))
}
if len(c.cfg.PullSecrets) > 0 {
ns = append(ns, secret.ToRuntimeObjects(secret.CopyToNamespace(common.CalicoNamespace, c.cfg.PullSecrets...)...)...)
}
if c.cfg.Terminating {
return nil, ns
}
return ns, nil
}
func (c *namespaceComponent) Ready() bool {
return true
}
type PodSecurityStandard string
const (
PSSPrivileged = "privileged"
PSSBaseline = "baseline"
PSSRestricted = "restricted"
)
func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace {
ns := &corev1.Namespace{
TypeMeta: metav1.TypeMeta{Kind: "Namespace", APIVersion: "v1"},
ObjectMeta: metav1.ObjectMeta{
Name: name,
Labels: map[string]string{
"name": name,
},
Annotations: map[string]string{},
},
}
// Add in labels for configuring pod security standards.
// https://kubernetes.io/docs/concepts/security/pod-security-standards/
ns.Labels["pod-security.kubernetes.io/enforce"] = string(pss)
ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
switch provider {
case operatorv1.ProviderOpenShift:
ns.Labels["openshift.io/run-level"] = "0"
ns.Annotations["openshift.io/node-selector"] = ""
case operatorv1.ProviderAKS:
ns.Labels["control-plane"] = "true"
}
return ns
}