README
¶
node-operation-validator
This project is a webhook that enforces restrictions on certain operations performed on nodes in a cluster. The webhook handles four operation cases: delete, create, cordon, uncordon. Depending on the operation and the user performing it, certain requirements must be met, such as adding a reason annotation or being a privileged user.
Each operation has its own set of requirements that must be met in order for the operation to be performed.
Validated Operations
Delete
Can only be performed by a privileged user who is not in the forbidden users list, and a reason annotation must be added to explain the reason for the deletion.
Create
Can be performed by any privileged user, but including a reason annotation is not allowed.
Cordon
Requires a reason annotation and can only be performed by a privileged user.
Uncordon
Not allowed if there is a reason annotation present.
Additional Features
Forbidden Users
The webhook also maintains a list of forbidden users who are not allowed to perform certain operations.
Logs
The logs of the webhook provide details about the operations performed on the nodes, including the user who performed the operation, the reason for doing it, and the date and time it occurred.
Getting started
Deploying the controller
$ make deploy IMG=ghcr.io/dana-team/node-operation-validator:<release>
Install with Helm
Helm chart docs are available on charts/node-operation-validator directory.
Make sure cert-manager is installed as a prerequisite.
$ helm upgrade --install node-operation-validator --namespace node-operation-webhook-system --create-namespace oci://ghcr.io/dana-team/helm-charts/node-operation-validator --version <release>
Build your own image
$ make docker-build docker-push IMG=<registry>/node-operation-validator:<tag>
Directories