platform-operator

module v0.6.3 (latest)
Published: Mar 9, 2021 License: Apache-2.0

README

Platform Operator

Platform Operator is a Kubernetes operator designed to run in a multi-tenanted environment. Its mutations are applied by an admission webhook, so they take effect only for pods (and other objects) created after the operator is installed.

Namespaced Tolerations

Applies tolerations to all pods in a namespace, based on annotations on the namespace.

e.g. using --enable-pod-mutations=true --namespace-tolerations-prefix=tolerations

apiVersion: v1
kind: Namespace
metadata:
  name: dedicate-to-node-group-b
  annotations:
    tolerations/node-group: b

Will then result in all pods created in that namespace receiving a toleration of:

apiVersion: v1
kind: Pod
spec:
  tolerations:
  - key: node-group
    value: b
    effect: NoSchedule

Namespace Annotation Defaults

e.g. with --enable-pod-mutations=true --annotations=co.elastic

apiVersion: v1
kind: Namespace
metadata:
  name: dedicate-to-node-group-b
  annotations:
    co.elastic.logs/enabled: "true"   # annotation values must be strings; an unquoted true is rejected by the API server

Will then result in all pods created in that namespace defaulting to:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    co.elastic.logs/enabled: "true"

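
The two namespace-driven mutations above (tolerations from a prefixed annotation, and annotation defaults copied by prefix) share one shape: read the namespace's annotations, derive pod fields, and apply them as defaults. The following is an added example of that logic, not code from the platform-operator project; it uses plain structs instead of k8s.io/api types so it runs without a cluster, and the two behaviours it adds beyond the README text (skipping a malformed "tolerations/" key with no name, and not overriding values the pod already sets) are assumptions about what a safe implementation should do.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Toleration mirrors the three core/v1 Toleration fields the README shows the
// operator generating. Plain structs are used so this runs without the
// Kubernetes client libraries (assumption: the real operator uses k8s.io/api).
type Toleration struct {
	Key    string
	Value  string
	Effect string
}

// Namespace and Pod carry only the metadata the mutation needs.
type Namespace struct {
	Name        string
	Annotations map[string]string
}

type Pod struct {
	Annotations map[string]string
	Tolerations []Toleration
}

// PodMutator holds the two flags from the README:
//   --namespace-tolerations-prefix -> TolerationsPrefix  (e.g. "tolerations")
//   --annotations                  -> AnnotationPrefixes (e.g. "co.elastic")
type PodMutator struct {
	TolerationsPrefix  string
	AnnotationPrefixes []string
}

// tolerationsFromNamespace turns "<prefix>/<key>: <value>" namespace annotations
// into {Key: <key>, Value: <value>, Effect: NoSchedule} tolerations. Output is
// sorted by key so the same namespace always yields the same mutation.
func (m PodMutator) tolerationsFromNamespace(ns Namespace) []Toleration {
	var out []Toleration
	p := m.TolerationsPrefix + "/"
	for k, v := range ns.Annotations {
		if !strings.HasPrefix(k, p) {
			continue
		}
		key := strings.TrimPrefix(k, p)
		if key == "" {
			// "tolerations/" with no key name is malformed. Skip it: an empty key
			// combined with operator Exists would tolerate every taint.
			continue
		}
		out = append(out, Toleration{Key: key, Value: v, Effect: "NoSchedule"})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

// Mutate applies both defaults to a pod being created in ns. They are defaults,
// not overrides: a toleration the pod already carries is not duplicated, and an
// annotation the pod already sets keeps the pod's value.
func (m PodMutator) Mutate(pod *Pod, ns Namespace) {
	for _, t := range m.tolerationsFromNamespace(ns) {
		dup := false
		for _, existing := range pod.Tolerations {
			if existing == t {
				dup = true
				break
			}
		}
		if !dup {
			pod.Tolerations = append(pod.Tolerations, t)
		}
	}
	if pod.Annotations == nil {
		pod.Annotations = map[string]string{}
	}
	for k, v := range ns.Annotations {
		for _, prefix := range m.AnnotationPrefixes {
			if strings.HasPrefix(k, prefix) {
				if _, set := pod.Annotations[k]; !set {
					pod.Annotations[k] = v
				}
				break
			}
		}
	}
}

func main() {
	// Constructed sample: the README's namespace plus one unrelated annotation.
	ns := Namespace{Name: "dedicate-to-node-group-b", Annotations: map[string]string{
		"tolerations/node-group":  "b",
		"co.elastic.logs/enabled": "true",
		"owner":                   "team-b", // not under a configured prefix, must not be copied
	}}
	m := PodMutator{TolerationsPrefix: "tolerations", AnnotationPrefixes: []string{"co.elastic"}}
	pod := Pod{}
	m.Mutate(&pod, ns)
	fmt.Printf("tolerations: %+v\nannotations: %v\n", pod.Tolerations, pod.Annotations)
}
```

Because the webhook sees every pod create, the defaults-not-overrides rule matters: a workload that deliberately sets co.elastic.logs/enabled: "false" should keep that choice rather than have the namespace silently re-enable log shipping.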
Registry Defaults

e.g. with --enable-pod-mutations=true --default-registry-prefix=registry.corp

When creating a pod with an image such as busybox:latest:

apiVersion: v1
kind: Pod
spec:
  containers:
  - name: busybox
    image: busybox:latest

It will get mutated to:

apiVersion: v1
kind: Pod
spec:
  containers:
  - name: busybox
    image: registry.corp/busybox:latest

To prevent some images from being prefixed use --registry-whitelist, e.g. --registry-whitelist=k8s.gcr.io.

Add a default image pull secret to all pods using --default-image-pull-secret.

Note that prefixing only changes where an image is pulled from; it does not verify what is pulled. If provenance matters, pair it with digest pinning or signature verification at the registry or in a separate admission policy.
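
To make the prefix and whitelist rules concrete, here is an added example of the image rewrite, not the platform-operator's own code. It parses the registry host out of an image reference the way the docker/containerd reference parsers do, leaves whitelisted registries and already-prefixed images alone, and prefixes everything else. Two behaviours are assumptions rather than documented: an image on some other registry (quay.io/foo/bar) becomes registry.corp/quay.io/foo/bar, the layout a pull-through mirror expects, and whitelist entries are matched as exact registry hosts.

```go
package main

import (
	"fmt"
	"strings"
)

// RegistryRewriter implements the image mutation the README describes with
// --default-registry-prefix and --registry-whitelist.
type RegistryRewriter struct {
	Prefix    string   // --default-registry-prefix, e.g. "registry.corp"
	Whitelist []string // --registry-whitelist, registries whose images are never prefixed
}

// registryOf returns the registry host named by an image reference, or "" when
// the reference has none (Docker Hub shorthand such as "busybox:latest" or
// "library/busybox"). The rule is the one the docker/containerd reference
// parsers use: the first path component is a registry only if it contains a
// '.' or ':' or is exactly "localhost"; otherwise it is part of the repository.
func registryOf(image string) string {
	i := strings.Index(image, "/")
	if i < 0 {
		return ""
	}
	first := image[:i]
	if strings.ContainsAny(first, ".:") || first == "localhost" {
		return first
	}
	return ""
}

// Rewrite returns the reference the pod should actually pull:
//   - images from a whitelisted registry are returned unchanged;
//   - images already on Prefix are returned unchanged, so the webhook is
//     idempotent and an already-mutated pod is not double-prefixed;
//   - everything else gets Prefix prepended. For a reference that names some
//     other registry this yields "<prefix>/<registry>/<repo>" (assumption: the
//     README only shows the unqualified Docker Hub case).
func (r RegistryRewriter) Rewrite(image string) string {
	reg := registryOf(image)
	if reg != "" {
		if reg == r.Prefix {
			return image
		}
		for _, w := range r.Whitelist {
			if reg == w {
				return image
			}
		}
	}
	return r.Prefix + "/" + image
}

// RewriteAll rewrites a list of container images. In a real webhook the list
// must include initContainers (and ephemeralContainers, if the webhook sees
// them); a mutation that only covers spec.containers leaves an easy way to
// pull an unmirrored image.
func (r RegistryRewriter) RewriteAll(images []string) []string {
	out := make([]string, len(images))
	for i, img := range images {
		out[i] = r.Rewrite(img)
	}
	return out
}

func main() {
	// Constructed sample inputs covering the README's cases plus the assumed ones.
	r := RegistryRewriter{Prefix: "registry.corp", Whitelist: []string{"k8s.gcr.io"}}
	for _, img := range []string{
		"busybox:latest",
		"k8s.gcr.io/pause:3.2",
		"quay.io/foo/bar:v1",
		"registry.corp/busybox:latest",
	} {
		fmt.Printf("%-30s -> %s\n", img, r.Rewrite(img))
	}
}
```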

Auto Delete
  • --cleanup=true - Delete resources that carry an auto-delete annotation once the specified duration has elapsed since their creation
    • --cleanup-interval - Interval at which to check for resources to clean up

apiVersion: v1
kind: Namespace
metadata:
  name: pr-workflow-123
  annotations:
    auto-delete: 24h # delete this namespace 24h after creation
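
The cleanup decision is small but destructive (it deletes whole namespaces), so its failure mode matters. The following is an added example of one sweep of the cleanup loop, not the platform-operator's code; it assumes the annotation is parsed with Go's time.ParseDuration (which accepts 24h, 90m or 1h30m but not 1d) and fails closed: anything that does not parse as a positive duration is kept and reported rather than deleted.

```go
package main

import (
	"fmt"
	"time"
)

// AutoDeleteAnnotation is the annotation the README's --cleanup flag acts on.
const AutoDeleteAnnotation = "auto-delete"

// Resource carries the two things the decision needs. A real operator would
// read them from metadata.creationTimestamp and metadata.annotations.
type Resource struct {
	Name        string
	Created     time.Time
	Annotations map[string]string
}

// Expired reports whether r should be deleted at time now. It fails closed:
// a resource without the annotation is kept silently, and one whose value is
// not a positive duration is kept and returned as an error, because a sweeper
// that deleted namespaces on a parse error would be a footgun.
func Expired(r Resource, now time.Time) (bool, error) {
	raw, ok := r.Annotations[AutoDeleteAnnotation]
	if !ok {
		return false, nil
	}
	d, err := time.ParseDuration(raw) // assumption: the operator accepts Go duration syntax
	if err != nil {
		return false, fmt.Errorf("%s: invalid %s=%q: %w", r.Name, AutoDeleteAnnotation, raw, err)
	}
	if d <= 0 {
		return false, fmt.Errorf("%s: invalid %s=%q: duration must be positive", r.Name, AutoDeleteAnnotation, raw)
	}
	// Delete at or after creation + duration ("24h after creation").
	return !now.Before(r.Created.Add(d)), nil
}

// Sweep is one iteration of the --cleanup-interval loop: it returns the names
// to delete and the errors for resources it refused to judge.
func Sweep(resources []Resource, now time.Time) (toDelete []string, errs []error) {
	for _, r := range resources {
		expired, err := Expired(r, now)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if expired {
			toDelete = append(toDelete, r.Name)
		}
	}
	return toDelete, errs
}

func main() {
	// Constructed sample: PR namespaces with the README's 24h TTL and one bad value.
	now := time.Date(2021, 3, 10, 12, 0, 0, 0, time.UTC)
	res := []Resource{
		{Name: "pr-workflow-123", Created: now.Add(-25 * time.Hour), Annotations: map[string]string{AutoDeleteAnnotation: "24h"}},
		{Name: "pr-workflow-124", Created: now.Add(-1 * time.Hour), Annotations: map[string]string{AutoDeleteAnnotation: "24h"}},
		{Name: "pr-workflow-125", Created: now.Add(-48 * time.Hour), Annotations: map[string]string{AutoDeleteAnnotation: "1d"}},
	}
	del, errs := Sweep(res, now)
	fmt.Println("delete:", del)
	for _, err := range errs {
		fmt.Println("skipped:", err)
	}
}
```

Because a namespace's creationTimestamp is set by the API server and cannot be edited, the only tenant-controlled input here is the annotation value, which is why its validation is the part worth getting right.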

Cluster Resource Quotas
  • --enable-cluster-resource-quota - Allow resource quotas to be defined at the cluster level

apiVersion: platform.flanksource.com/v1
kind: ClusterResourceQuota
metadata:
  name: dynamic-pr-compute-resources
spec:
  matchLabels:
    owner: dynamic-pr
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "1"
    limits.memory: 1Gi
    pods: "10"
    services.loadbalancers: "0"
    services.nodeports: "0"

Ingress SSO

Depends on the karina ingress stack and is normally deployed only via karina, using:

karina.yml

domain: ACMP.corp
ldap:
	....
dex:
  version: v2.27.0
oauth2Proxy:
  version: v6.1.1
platformOperator:
  version: v0.6.0

  • --enable-ingress-sso - Enable ingress SSO, driven by platform.flanksource.com/restrict-to-groups annotations
    • --oauth2-proxy-service-name
    • --oauth2-proxy-service-namespace
    • --domain

See https://karina.docs.flanksource.com/admin-guide/ingress/ for details on how to configure the ingress before using the platform-operator.

Once installed, ingresses can be restricted using:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: podinfo-ing
  namespace: default
  annotations:
    kubernetes.io/tls-acme: "true"
    platform.flanksource.com/restrict-to-groups: ADMINS

Annotation                                             Description
platform.flanksource.com/restrict-to-groups            A semicolon-delimited list of LDAP groups to restrict an ingress to
platform.flanksource.com/extra-configuration-snippet   Any additional nginx snippets to apply to the location
platform.flanksource.com/pass-auth-headers             Set to true to pass the authentication headers all the way through to the ingress upstream

Note that extra-configuration-snippet lets anyone who can create an Ingress inject arbitrary nginx configuration into the shared ingress controller. In a multi-tenant cluster, restrict which tenants may set it.
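
To show what a restrict-to-groups annotation has to turn into at the nginx layer, here is an added example that is not the platform-operator's implementation. It assumes the standard ingress-nginx auth_request wiring (the nginx.ingress.kubernetes.io/auth-url and auth-signin annotations) and oauth2-proxy's allowed_groups query parameter on /oauth2/auth; the in-cluster service DNS name built from the two --oauth2-proxy-service-* flags and the oauth2.<domain> sign-in host are assumptions. The point worth taking from it is the fail-closed case: an annotation that is present but names no group must be rejected, because an auth-url without allowed_groups admits every authenticated user.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const (
	RestrictToGroups = "platform.flanksource.com/restrict-to-groups"
	PassAuthHeaders  = "platform.flanksource.com/pass-auth-headers"
	ExtraSnippet     = "platform.flanksource.com/extra-configuration-snippet"
)

// SSOConfig holds the three flags listed under --enable-ingress-sso.
type SSOConfig struct {
	Domain               string // --domain
	OAuth2ProxyService   string // --oauth2-proxy-service-name
	OAuth2ProxyNamespace string // --oauth2-proxy-service-namespace
}

// ParseGroups splits the semicolon-delimited group list, trimming whitespace
// and dropping empty entries, so "ADMINS; DEVS;" yields [ADMINS DEVS].
func ParseGroups(raw string) []string {
	var groups []string
	for _, g := range strings.Split(raw, ";") {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return groups
}

// NginxAuthAnnotations translates the platform annotations on an Ingress into
// the ingress-nginx annotations that send every request through oauth2-proxy's
// auth endpoint with an allowed_groups restriction (assumed wiring, see lead-in).
// It returns nil, nil for an Ingress without restrict-to-groups, and an error
// for one that has the annotation but names no group.
func (c SSOConfig) NginxAuthAnnotations(in map[string]string) (map[string]string, error) {
	raw, ok := in[RestrictToGroups]
	if !ok {
		return nil, nil
	}
	groups := ParseGroups(raw)
	if len(groups) == 0 {
		return nil, fmt.Errorf("%s is set but names no groups; refusing to emit an unrestricted auth-url", RestrictToGroups)
	}
	q := url.Values{"allowed_groups": {strings.Join(groups, ",")}}
	out := map[string]string{
		// In-cluster auth subrequest (assumed service DNS layout).
		"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s.%s.svc.cluster.local/oauth2/auth?%s",
			c.OAuth2ProxyService, c.OAuth2ProxyNamespace, q.Encode()),
		// Browser redirect for unauthenticated users (assumed oauth2.<domain> host).
		"nginx.ingress.kubernetes.io/auth-signin": fmt.Sprintf("https://oauth2.%s/oauth2/start?rd=$escaped_request_uri", c.Domain),
	}
	if in[PassAuthHeaders] == "true" {
		// Forward the identity oauth2-proxy asserted to the upstream (assumed header set).
		out["nginx.ingress.kubernetes.io/auth-response-headers"] = "X-Auth-Request-User,X-Auth-Request-Email"
	}
	if s := in[ExtraSnippet]; s != "" {
		out["nginx.ingress.kubernetes.io/configuration-snippet"] = s
	}
	return out, nil
}

func main() {
	// Constructed sample: the README's podinfo-ing annotations plus pass-auth-headers.
	c := SSOConfig{Domain: "ACMP.corp", OAuth2ProxyService: "oauth2-proxy", OAuth2ProxyNamespace: "ingress-nginx"}
	ann, err := c.NginxAuthAnnotations(map[string]string{RestrictToGroups: "ADMINS", PassAuthHeaders: "true"})
	if err != nil {
		panic(err)
	}
	for k, v := range ann {
		fmt.Printf("%s: %s\n", k, v)
	}
}
```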

Directories

Path               Synopsis
cmd
pkg
apis/platform/v1   Package v1 contains API Schema definitions for the platform v1 API group +kubebuilder:object:generate=true +groupName=platform.flanksource.com
