diff --git a/Dockerfile b/Dockerfile index c6798da..e6844c5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,5 +6,6 @@ RUN go build -mod vendor -o main RUN mv main /main FROM scratch +EXPOSE 8443 COPY --from=build /main /guard ENTRYPOINT ["/guard"] \ No newline at end of file diff --git a/README.md b/README.md index 4669e48..c338ac4 100644 --- a/README.md +++ b/README.md @@ -3,3 +3,27 @@ [![Docker Pulls](https://img.shields.io/docker/pulls/vsliouniaev/k8s-crdguard?color=blue)](https://hub.docker.com/r/vsliouniaev/k8s-crdguard/tags) # k8s-crdguard + +```sh +$ kubectl delete crd crontabs.stable.example.com +The request is invalid: : There are still some crontabs.stable.example.com in the cluster +``` + + +Block deletion of CRDs if there are still some of the resources in the cluster. +Uses [jet/kube-webhook-certgen](https://github.com/jet/kube-webhook-certgen) in the provided chart +to simplify provisioning certificates for `validatingwebhookconfigurations`. + +```sh +Usage of k8s-crdguard: + -cert-file string + Path to certificate file to serve TLS. (default "/cert/cert") + -crds value + List of crds to block deletion of. Default will block all CRDs. (example "prometheuses.monitoring.coreos.com") + -key-file string + Path to key file to serve TLS. (default "/cert/key") + -kubeconfig string + Path to kubeconfig file: e.g. ~/.kube/kind-config-kind. (default uses in-cluster config) + -log-debug + Whether to enable debug log configuration. (default false) +``` diff --git a/charts/k8s-crdguard/templates/job-patch/clusterrole.yaml b/charts/k8s-crdguard/templates/job-patch/clusterrole.yaml index 15a0b3a..782c9f3 100644 --- a/charts/k8s-crdguard/templates/job-patch/clusterrole.yaml +++ b/charts/k8s-crdguard/templates/job-patch/clusterrole.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -18,3 +19,4 @@ rules: verbs: - get - update +{{- end }} \ No newline at end of file diff --git a/charts/k8s-crdguard/templates/job-patch/clusterrolebinding.yaml b/charts/k8s-crdguard/templates/job-patch/clusterrolebinding.yaml index 4ae0a89..c099498 100644 --- a/charts/k8s-crdguard/templates/job-patch/clusterrolebinding.yaml +++ b/charts/k8s-crdguard/templates/job-patch/clusterrolebinding.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "k8s-crdguard.fullname" $ }}-{{ $component }} namespace: {{ $.Release.Namespace }} +{{- end }} diff --git a/charts/k8s-crdguard/templates/job-patch/job-createSecret.yaml b/charts/k8s-crdguard/templates/job-patch/job-createSecret.yaml index 453a67a..10e38b1 100644 --- a/charts/k8s-crdguard/templates/job-patch/job-createSecret.yaml +++ b/charts/k8s-crdguard/templates/job-patch/job-createSecret.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: batch/v1 kind: Job metadata: @@ -38,3 +39,4 @@ spec: securityContext: runAsNonRoot: true runAsUser: 2000 +{{- end }} diff --git a/charts/k8s-crdguard/templates/job-patch/job-patchWebhook.yaml b/charts/k8s-crdguard/templates/job-patch/job-patchWebhook.yaml index b8e88dc..1f5215a 100644 --- a/charts/k8s-crdguard/templates/job-patch/job-patchWebhook.yaml +++ b/charts/k8s-crdguard/templates/job-patch/job-patchWebhook.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: batch/v1 kind: Job metadata: @@ -31,7 +32,6 @@ spec: - --patch-mutating=false - --patch-validating=true - --secret-name={{ template "k8s-crdguard.fullname" $ }} - - --patch-failure-policy=Fail resources: {{ toYaml $.Values.patchCertificates.resources | indent 12 }} restartPolicy: OnFailure @@ -39,3 +39,4 @@ spec: securityContext: runAsNonRoot: true runAsUser: 2000 +{{- end }} diff --git a/charts/k8s-crdguard/templates/job-patch/role.yaml b/charts/k8s-crdguard/templates/job-patch/role.yaml index 2c0a352..1bbe074 100644 --- a/charts/k8s-crdguard/templates/job-patch/role.yaml +++ b/charts/k8s-crdguard/templates/job-patch/role.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -17,3 +18,4 @@ rules: verbs: - get - create +{{- end }} \ No newline at end of file diff --git a/charts/k8s-crdguard/templates/job-patch/rolebinding.yaml b/charts/k8s-crdguard/templates/job-patch/rolebinding.yaml index 9c1dd4d..08d635b 100644 --- a/charts/k8s-crdguard/templates/job-patch/rolebinding.yaml +++ b/charts/k8s-crdguard/templates/job-patch/rolebinding.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: {{ template "k8s-crdguard.fullname" $ }}-{{ $component }} namespace: {{ $.Release.Namespace }} +{{- end }} diff --git a/charts/k8s-crdguard/templates/job-patch/serviceaccount.yaml b/charts/k8s-crdguard/templates/job-patch/serviceaccount.yaml index cc40b8f..6cdc60c 100644 --- a/charts/k8s-crdguard/templates/job-patch/serviceaccount.yaml +++ b/charts/k8s-crdguard/templates/job-patch/serviceaccount.yaml @@ -1,4 +1,5 @@ -{{ $component := "job-patch" }} +{{- $component := "job-patch" }} +{{- if $.Values.patchCertificates.enabled }} apiVersion: v1 kind: ServiceAccount metadata: @@ -9,3 +10,4 @@ metadata: labels: {{- include "k8s-crdguard.component" $component | indent 4 }} {{- include "k8s-crdguard.labels" $ | indent 4 }} +{{- end }} diff --git a/charts/k8s-crdguard/templates/validatingWebhookConfiguration.yaml b/charts/k8s-crdguard/templates/validatingWebhookConfiguration.yaml index b0e305f..c6b9120 100644 --- a/charts/k8s-crdguard/templates/validatingWebhookConfiguration.yaml +++ b/charts/k8s-crdguard/templates/validatingWebhookConfiguration.yaml @@ -6,7 +6,7 @@ metadata: {{- include "k8s-crdguard.labels" $ | indent 4 }} webhooks: - name: k8s-crdguard.vsliouniaev.github.com - failurePolicy: Ignore + failurePolicy: Fail rules: - apiGroups: - apiextensions.k8s.io diff --git a/charts/k8s-crdguard/values.yaml b/charts/k8s-crdguard/values.yaml index c07caa8..5fb92e5 100644 --- a/charts/k8s-crdguard/values.yaml +++ b/charts/k8s-crdguard/values.yaml @@ -1,4 +1,5 @@ patchCertificates: + enabled: true resources: limits: cpu: 100m @@ -9,7 +10,7 @@ patchCertificates: pullPolicy: IfNotPresent image: - repository: #vsliouniaev/k8s-crdguard + repository: vsliouniaev/k8s-crdguard tag: v0.0.1 pullPolicy: IfNotPresent resources: diff --git a/main.go b/main.go index c227285..30117f4 100644 --- a/main.go +++ b/main.go @@ -170,11 +170,11 @@ func serve(w http.ResponseWriter, r *http.Request, admit admitFunc) { func main() { - flag.StringVar(&kubeconfigPath, "kubeconfig", "", "Path to kubeconfig file: e.g. ~/.kube/kind-config-kind") - logDebug := *flag.Bool("log-debug", false, "Whether to enable debug log configuration") - certFile := *flag.String("cert-file", "/cert/cert", "Path to certificate file to serve TLS") - keyFile := *flag.String("key-file", "/cert/key", "Path to key file to serve TLS") - flag.Var(&explicitCrds, "crds", "List of crds to block deletion of. Default will block all CRDs. e.g. 'prometheuses.monitoring.coreos.com'") + flag.StringVar(&kubeconfigPath, "kubeconfig", "", "Path to kubeconfig file: e.g. ~/.kube/kind-config-kind. (default uses in-cluster config)") + logDebug := *flag.Bool("log-debug", false, "Whether to enable debug log configuration. (default false)") + certFile := *flag.String("cert-file", "/cert/cert", "Path to certificate file to serve TLS.") + keyFile := *flag.String("key-file", "/cert/key", "Path to key file to serve TLS.") + flag.Var(&explicitCrds, "crds", "List of crds to block deletion of. Default will block all CRDs. (example \"prometheuses.monitoring.coreos.com\")") flag.Parse() configLogging(logDebug)