namespace-creator

command module
v0.0.0-...-3daf094 Latest
Published: Oct 24, 2019 License: MIT Imports: 14 Imported by: 0

README

Motivation

"Namespace Creator" is a tool to create namespaces in multi-team (or multi-tenant) Kubernetes clusters. In addition to the actual namespace resource, several other Kubernetes resources are automatically applied. The goal of this tool is to:

  • Allow a development team to deploy independently into 'their' namespaces while preserving the confidentiality, integrity and availability of the other teams' namespaces.
  • Differentiate between dev environments and prod environments. In prod environments, no manual modifications of the deployment should be possible.
  • Provide a fast and reproducible way to set up namespaces for disaster recovery.

High-level workflow

The namespace creator iterates over a manifest file and sets up a namespace for each element. The following steps are done in order:

  1. Ensures the naming convention is adhered to (see Namespace naming conventions).
  2. Creates the namespace.
  3. Creates a limit range resource with a default memory range and limit of 64Mi. This is deliberately low to encourage teams to set a reasonable limit in the pod spec.
  4. Creates network policies for team namespaces to restrict communication within the cluster.
  5. Creates a role binding to enforce a pod security policy based on configuration in the manifest.
  6. Creates another role binding for namespace access. A differentiation is made depending on the stage: in "dev" namespaces, both users and the CI bot have R/W permissions; in "prod" namespaces, users only have read permissions.
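As an added illustration of steps 3 and 6 (not code from the namespace-creator project), the following Go program renders the LimitRange and the stage-dependent RoleBindings for one namespace as YAML. Plain structs stand in for the k8s.io/api types so it runs without client-go; the "-ci" group suffix, the choice of the built-in "edit" and "view" ClusterRoles, and the "<team>-<stage>" namespace name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Binding is one RBAC Group and the ClusterRole bound to it; plain structs stand in for k8s.io/api types.
type Binding struct {
	Group       string // team group, or team group + "-ci" for the CI bot (suffix is an assumption)
	ClusterRole string // built-in "edit" (R/W) or "view" (read-only); which roles the tool uses is assumed
}

// AccessBindings mirrors README step 6: dev = users and CI bot R/W; prod = users read-only, CI group R/W.
func AccessBindings(team, stage string) ([]Binding, error) {
	ci := team + "-ci"
	switch stage {
	case "dev":
		return []Binding{{team, "edit"}, {ci, "edit"}}, nil
	case "prod":
		return []Binding{{team, "view"}, {ci, "edit"}}, nil
	}
	return nil, fmt.Errorf("stage %q: must be dev or prod", stage)
}

// RenderNamespace emits the LimitRange (step 3, 64Mi default memory) and the step-6 RoleBindings as YAML.
func RenderNamespace(team, stage string) (string, error) {
	bindings, err := AccessBindings(team, stage)
	if err != nil {
		return "", err
	}
	ns := team + "-" + stage // "<team>-<stage>" naming is an assumption for this example
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: v1\nkind: LimitRange\nmetadata:\n  name: mem-defaults\n  namespace: %s\n", ns)
	b.WriteString("spec:\n  limits:\n  - type: Container\n    default:\n      memory: 64Mi\n    defaultRequest:\n      memory: 64Mi\n")
	for _, rb := range bindings {
		fmt.Fprintf(&b, "---\napiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n  name: %s-%s\n  namespace: %s\n", rb.Group, rb.ClusterRole, ns)
		fmt.Fprintf(&b, "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: %s\n", rb.ClusterRole)
		fmt.Fprintf(&b, "subjects:\n- apiGroup: rbac.authorization.k8s.io\n  kind: Group\n  name: %s\n", rb.Group)
	}
	return b.String(), nil
}

func main() {
	out, err := RenderNamespace("payments", "prod") // constructed sample team
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```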

Installation and Usage

  • The namespace creator is written in Go and can be compiled with make build.

Pre-requisites

The namespace creator assumes certain cluster-wide resources have been applied beforehand:

  1. The role binding assumes a valid cluster role and pod security policy. This YAML file applies those resources for privileged access, unprivileged access, and unprivileged access that still allows running a container as root. The pod security policy admission controller needs to be activated so PSPs get enforced.
  2. The role binding binds to a group which is identical to the team name (for non-prod namespaces) or the team name + ci (for CI in prod namespaces). This file provides more background information.

Customization

In order to include a custom routine in the namespace creator, a plugin can be used. The plugin must implement a func CustomFunction(*kubernetes.Clientset, Namespace) function. When the binary is called with -p followed by the path to the plugin, CustomFunction is executed on namespace creation as the penultimate step (before the role bindings that allow namespace access). An example is available as a starting point.

Documentation

There is no documentation for this package.

Directories

Path Synopsis
pkg
