Cleanup

vsliouniaev · Apr 28, 2020 · c95bbfb · c95bbfb
1 parent 4359dcc
commit c95bbfb
Show file tree

Hide file tree

Showing 12 changed files with 54 additions and 15 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -6,5 +6,6 @@ RUN go build -mod vendor -o main
 RUN mv main /main
 
 FROM scratch
+EXPOSE 8443
 COPY --from=build /main /guard
 ENTRYPOINT ["/guard"]
diff --git a/README.md b/README.md
@@ -3,3 +3,27 @@
 [![Docker Pulls](https://img.shields.io/docker/pulls/vsliouniaev/k8s-crdguard?color=blue)](https://hub.docker.com/r/vsliouniaev/k8s-crdguard/tags)
 
 # k8s-crdguard
+
+```sh
+$ kubectl delete crd crontabs.stable.example.com
+The request is invalid: : There are still some crontabs.stable.example.com in the cluster
+```
+
+
+Block deletion of CRDs if there are still some of the resources in the cluster.
+Uses [jet/kube-webhook-certgen](https://github.com/jet/kube-webhook-certgen) in the provided chart 
+to simplify provisioning certificates for `validatingwebhookconfigurations`.
+
+```sh
+Usage of k8s-crdguard:
+  -cert-file string
+    	Path to certificate file to serve TLS. (default "/cert/cert")
+  -crds value
+    	List of crds to block deletion of. Default will block all CRDs. (example "prometheuses.monitoring.coreos.com")
+  -key-file string
+    	Path to key file to serve TLS. (default "/cert/key")
+  -kubeconfig string
+    	Path to kubeconfig file: e.g. ~/.kube/kind-config-kind. (default uses in-cluster config)
+  -log-debug
+    	Whether to enable debug log configuration. (default false)
+```
diff --git a/charts/k8s-crdguard/templates/job-patch/clusterrole.yaml b/charts/k8s-crdguard/templates/job-patch/clusterrole.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -18,3 +19,4 @@ rules:
     verbs:
       - get
       - update
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/job-patch/clusterrolebinding.yaml b/charts/k8s-crdguard/templates/job-patch/clusterrolebinding.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,3 +18,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "k8s-crdguard.fullname" $ }}-{{ $component }}
     namespace: {{ $.Release.Namespace }}
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/job-patch/job-createSecret.yaml b/charts/k8s-crdguard/templates/job-patch/job-createSecret.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -38,3 +39,4 @@ spec:
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/job-patch/job-patchWebhook.yaml b/charts/k8s-crdguard/templates/job-patch/job-patchWebhook.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -31,11 +32,11 @@ spec:
             - --patch-mutating=false
             - --patch-validating=true
             - --secret-name={{ template "k8s-crdguard.fullname" $ }}
-            - --patch-failure-policy=Fail
           resources:
 {{ toYaml $.Values.patchCertificates.resources | indent 12 }}
       restartPolicy: OnFailure
       serviceAccountName: {{ template "k8s-crdguard.fullname" $ }}-{{ $component }}
       securityContext:
         runAsNonRoot: true
         runAsUser: 2000
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/job-patch/role.yaml b/charts/k8s-crdguard/templates/job-patch/role.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -17,3 +18,4 @@ rules:
     verbs:
       - get
       - create
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/job-patch/rolebinding.yaml b/charts/k8s-crdguard/templates/job-patch/rolebinding.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -17,3 +18,4 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "k8s-crdguard.fullname" $ }}-{{ $component }}
     namespace: {{ $.Release.Namespace }}
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/job-patch/serviceaccount.yaml b/charts/k8s-crdguard/templates/job-patch/serviceaccount.yaml
@@ -1,4 +1,5 @@
-{{ $component := "job-patch" }}
+{{- $component := "job-patch" }}
+{{- if $.Values.patchCertificates.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -9,3 +10,4 @@ metadata:
   labels:
 {{- include "k8s-crdguard.component" $component | indent 4 }}
 {{- include "k8s-crdguard.labels" $ | indent 4 }}
+{{- end }}
diff --git a/charts/k8s-crdguard/templates/validatingWebhookConfiguration.yaml b/charts/k8s-crdguard/templates/validatingWebhookConfiguration.yaml
@@ -6,7 +6,7 @@ metadata:
 {{- include "k8s-crdguard.labels" $ | indent 4 }}
 webhooks:
   - name: k8s-crdguard.vsliouniaev.github.com
-    failurePolicy: Ignore
+    failurePolicy: Fail
     rules:
       - apiGroups:
           - apiextensions.k8s.io

diff --git a/charts/k8s-crdguard/values.yaml b/charts/k8s-crdguard/values.yaml
@@ -1,4 +1,5 @@
 patchCertificates:
+  enabled: true
   resources:
     limits:
       cpu: 100m
@@ -9,7 +10,7 @@ patchCertificates:
     pullPolicy: IfNotPresent
 
 image:
-  repository: #vsliouniaev/k8s-crdguard
+  repository: vsliouniaev/k8s-crdguard
   tag: v0.0.1
   pullPolicy: IfNotPresent
 resources:

diff --git a/main.go b/main.go
@@ -170,11 +170,11 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) {
 
 func main() {
 
-	flag.StringVar(&kubeconfigPath, "kubeconfig", "", "Path to kubeconfig file: e.g. ~/.kube/kind-config-kind")
-	logDebug := *flag.Bool("log-debug", false, "Whether to enable debug log configuration")
-	certFile := *flag.String("cert-file", "/cert/cert", "Path to certificate file to serve TLS")
-	keyFile := *flag.String("key-file", "/cert/key", "Path to key file to serve TLS")
-	flag.Var(&explicitCrds, "crds", "List of crds to block deletion of. Default will block all CRDs. e.g. 'prometheuses.monitoring.coreos.com'")
+	flag.StringVar(&kubeconfigPath, "kubeconfig", "", "Path to kubeconfig file: e.g. ~/.kube/kind-config-kind. (default uses in-cluster config)")
+	logDebug := *flag.Bool("log-debug", false, "Whether to enable debug log configuration. (default false)")
+	certFile := *flag.String("cert-file", "/cert/cert", "Path to certificate file to serve TLS.")
+	keyFile := *flag.String("key-file", "/cert/key", "Path to key file to serve TLS.")
+	flag.Var(&explicitCrds, "crds", "List of crds to block deletion of. Default will block all CRDs. (example \"prometheuses.monitoring.coreos.com\")")
 	flag.Parse()
 
 	configLogging(logDebug)