ibm-namespace-scope-operator

command module
v1.0.0-alpha Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 30, 2020 License: Apache-2.0 Imports: 10 Imported by: 0

README

NamspaceScope - Manage operator and operand authority across namespaces

This operator automates the extension of operator watch and service account permission scope to other namespaces in an openshift cluster.

The operator runs in the namespace whose operator WATCH statements and roles/rolebindings are to be extended to other namespaces as specified in a NamespaceScope CR.

A sample CR is below:

apiVersion: operator.ibm.com/v1
kind: NamespaceScope
metadata:
  name: namespacescope
spec:
  # Namespaces that are part of this scope
  namespaceMembers:
  - cp4i
  - default

  # ConfigMap name that will contain the list of namespaces to be watched
  configmapName: namespace-scope

  # Restart pods with the following labels when the namspace list changes
  restartLabels:
    intent: projected

  • The namespaceMembers contains a list of other namespace in the cluster that:

    • should be watched by operators running in the current namespace
    • to which roles and rolebindings for service accounts in the current namespace should be authorized for service accounts in this namespace

  • The namespaceMembers list ALWAYS contains the current namespace whether specifically listed or not (it is implicit)

  • The configmapName identifies a ConfigMap that is created to contain a common-separated list of the namespaces to be watched in its namespaces key. All operators that want to participate in namespace extension should be configured to watch the key on this configmap. An example of this is in the operator deployment fragment below (the latest operator SDK support watching multiple namespaces in a comma-separated list). The configmap is created and maintained ONLY by the NamespaceScope operator.

    ...
env:
  - name: WATCH_NAMESPACE
    valueFrom:
      configMapKeyRef:
        name: namespace-scope
        key: namespaces
...

  • The restartLabels list specifies the labels for operator pods that are to be restarted when the namespace-scope list changes so they can reset their WATCH parameters. The default label is "intent=projected". All operator Pods that are configured as above should also be labelled so that the operator will auto-restart them the configmap changes the list of namespaces to watch. An example of this label is below.

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: secretman
spec:
  replicas: 1
  selector:
    matchLabels:
      name: secretman
  template:
    metadata:
      labels:
        name: secretman
        intent: projected
    spec:
    ...

How does it work

Namespace Scope Operator runs in ibm-common-services namespace with namespace admin permission.

When the NamespaceScope CR is created/updated, it will:

  • Generate a ConfigMap with key namespaces and value is the comma separated namespaceMembers

    apiVersion: v1
kind: ConfigMap
metadata:
  name: namespace-scope
  namespace: ibm-common-services
data:
  namespaces: default,cp4i

  • Restart the pods with label selector restartLabels

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: secretman
spec:
  replicas: 1
  selector:
    matchLabels:
      name: secretman
  template:
    metadata:
      labels:
        name: secretman
        intent: projected
    spec:
    ...

  • Create role/rolebinding with service accounts from the pods who have label selector restartLabels

    apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ibm-namespace-scope-operator-managed-role
  namespace: FROM_namespaceMembers
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ibm-namespace-scope-operator-managed-rolebinding
  namespace: FROM_namespaceMembers
subjects:
- kind: ServiceAccount
  name: GET_FROM_PODS_WHO_HAVE_restartLabels
  namespace: ibm-common-services
roleRef:
  kind: Role
  name: ibm-namespace-scope-operator-managed-role
  apiGroup: rbac.authorization.k8s.io

How to deploy it

git clone https://github.com/IBM/ibm-namespace-scope-operator.git
cd ibm-namespace-scope-operator

oc create ns ibm-common-services

oc apply -f deploy/operator.ibm.com_namespacescopes.yaml
oc -n ibm-common-services apply -f deploy/service_account.yaml
oc -n ibm-common-services apply -f deploy/role.yaml
oc -n ibm-common-services apply -f deploy/role_binding.yaml
oc -n ibm-common-services apply -f deploy/operator.yaml

oc -n ibm-common-services apply -f deploy/cr.yaml

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
api
v1
Package v1 contains API Schema definitions for the operator v1 API group +kubebuilder:object:generate=true +groupName=operator.ibm.com
 Package v1 contains API Schema definitions for the operator v1 API group +kubebuilder:object:generate=true +groupName=operator.ibm.com
common

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.