Motivation
"Namespace Creator" is a tool to create namespaces in multi-team (or multi-tenant) Kubernetes clusters. In addition to the actual namespace resource, several other Kubernetes resources are applied automatically. The goals of this tool are to:
- Allow a development team to deploy independently into 'their' namespaces while keeping the confidentiality, integrity and availability of the other teams' namespaces.
- Differentiate between dev environments and prod environments. In prod environments, no manual modifications of the deployment should be possible.
- Provide a fast and reproducible way to set up namespaces for disaster recovery.
High-level workflow
The namespace creator iterates over a manifest file and sets up a namespace for each element. The following steps are done in order:
- Ensures a naming convention is adhered to. See Namespace naming conventions
- Creates the namespace
- Creates a limit range resource with a default memory range and limit of 64Mi. This is low on purpose, as we want to encourage teams to set a reasonable limit in the pod spec.
- Creates network policies for team namespaces to restrict communication within the cluster
- Creates a role binding to enforce a pod security policy based on configuration in the manifest.
- Creates another role binding for namespace access. A differentiation is made depending on the stage. In "dev" namespaces, both users and the CI bot have R/W permissions. In "prod" namespaces, users only have read permissions.
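The steps above can be read as a small rendering pipeline: one manifest element in, a LimitRange, a NetworkPolicy and the stage-dependent access RoleBindings out. The following Go program is an added example written for this page, not code from the Namespace Creator project; it uses only the standard library and emits JSON objects that `kubectl apply -f -` accepts. The manifest field names (`Name`, `Team`, `Stage`), the `-ci` separator for the "team-name+ci" group, the default request of 64Mi next to the 64Mi limit, and the same-namespace ingress policy are assumptions, since the page does not spell them out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// NamespaceSpec is one element of the manifest the tool iterates over.
// The field names are assumed for this example; the real schema is not shown on the page.
type NamespaceSpec struct {
	Name  string
	Team  string
	Stage string // "dev" or "prod"
}

// Object is a minimal untyped Kubernetes object; rendered as JSON it can be piped to kubectl.
type Object map[string]interface{}

// ciGroupSuffix is an assumption: the page only says the prod CI group is "team-name+ci".
const ciGroupSuffix = "-ci"

func object(apiVersion, kind, name, ns string) Object {
	return Object{
		"apiVersion": apiVersion,
		"kind":       kind,
		"metadata":   map[string]string{"name": name, "namespace": ns},
	}
}

// LimitRange gives every container a default memory limit of 64Mi (deliberately low, so teams
// set their own). Also defaulting the request to 64Mi is an assumption made for this example.
func LimitRange(ns string) Object {
	o := object("v1", "LimitRange", "default-limits", ns)
	o["spec"] = map[string]interface{}{
		"limits": []map[string]interface{}{{
			"type":           "Container",
			"default":        map[string]string{"memory": "64Mi"},
			"defaultRequest": map[string]string{"memory": "64Mi"},
		}},
	}
	return o
}

// NetworkPolicy restricts in-cluster traffic so that only pods in the same namespace may reach
// pods here. The exact shape is an assumption; the page only says "restrict communication".
func NetworkPolicy(ns string) Object {
	o := object("networking.k8s.io/v1", "NetworkPolicy", "allow-same-namespace", ns)
	o["spec"] = map[string]interface{}{
		"podSelector": map[string]interface{}{},
		"policyTypes": []string{"Ingress"},
		"ingress": []map[string]interface{}{{
			"from": []map[string]interface{}{{"podSelector": map[string]interface{}{}}},
		}},
	}
	return o
}

// Binding is one group-to-role grant for namespace access.
type Binding struct {
	Group string // group name as delivered by the cluster's identity provider
	Role  string // built-in ClusterRole: "edit" (R/W) or "view" (read-only)
}

// AccessBindings encodes the stage rule from the workflow: in dev the team group (users and the
// CI bot) gets R/W; in prod the team group is read-only and only the CI group gets R/W.
func AccessBindings(spec NamespaceSpec) ([]Binding, error) {
	switch spec.Stage {
	case "dev":
		return []Binding{{Group: spec.Team, Role: "edit"}}, nil
	case "prod":
		return []Binding{
			{Group: spec.Team, Role: "view"},
			{Group: spec.Team + ciGroupSuffix, Role: "edit"},
		}, nil
	}
	return nil, fmt.Errorf("namespace %q: unknown stage %q", spec.Name, spec.Stage)
}

// RoleBinding renders one Binding as a namespaced RoleBinding referencing a ClusterRole.
func RoleBinding(ns string, b Binding) Object {
	o := object("rbac.authorization.k8s.io/v1", "RoleBinding", b.Role+"-"+b.Group, ns)
	o["roleRef"] = map[string]string{"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": b.Role}
	o["subjects"] = []map[string]string{{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": b.Group}}
	return o
}

// Render produces the namespaced objects in the order the tool applies them (access bindings last).
func Render(spec NamespaceSpec) ([]Object, error) {
	bindings, err := AccessBindings(spec)
	if err != nil {
		return nil, err
	}
	objs := []Object{LimitRange(spec.Name), NetworkPolicy(spec.Name)}
	for _, b := range bindings {
		objs = append(objs, RoleBinding(spec.Name, b))
	}
	return objs, nil
}

func main() {
	// Constructed sample manifest entries for a team called "shop".
	specs := []NamespaceSpec{{"shop-dev", "shop", "dev"}, {"shop-prod", "shop", "prod"}}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	for _, spec := range specs {
		objs, err := Render(spec)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		for _, o := range objs {
			enc.Encode(o)
		}
	}
}
```

Rejecting an unknown stage rather than defaulting it to "dev" is the important design choice: a typo in the manifest must not silently hand a production namespace R/W access to every team member.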
Installation and Usage
- The namespace creator is written in Go and can be compiled with `make build`.
Pre-requisites
The namespace creator assumes certain cluster-wide resources have been applied beforehand:
- The role binding assumes a valid cluster role and pod security policy. This yaml file applies those resources for privileged access, unprivileged access, and unprivileged access that still allows running a container as root. The pod security policy admission controller needs to be activated so PSPs get enforced.
- The role binding binds to a group which is identical to the team name (for non-prod namespaces) or the team name+ci (for CI in prod namespaces). This file provides more background information.
Customization
In order to include a custom routine in the namespace creator, a plugin can be used. The plugin must implement a `func CustomFunction(*kubernetes.Clientset, Namespace` function. When the binary is called with `-p` followed by the path to the plugin, `CustomFunction` is executed on namespace creation as the penultimate step (before the role bindings that allow namespace access). An example is available as a starting point.