Closed mnkg561 closed 4 years ago
NamespaceTemplate provides the following at a high level:

- exportedParams
- NamespaceResources
  - Namespace
  - Resources

- ExportedParams: Params which can be replaced at runtime and should use ${param} in the manifests.
- DependsOn: By default, the Namespace will be created first and any resources under the Resources section will be created in parallel. To control the dependency structure, one can use the DependsOn parameter to force execution only once its dependent resource has been created.
- CreateOnly: If any resource needs to be created only once and should not be overwritten, one can use the CreateOnly parameter to enforce it.
- Resource: Type should dictate which resource is being included in the resource section, and any other resource manifests included in that resource section will be ignored. For example, to create a service account, Type should be ServiceAccount and the resource should include a serviceAccount: section.

Sample Template:
```yaml
apiVersion: manager.keikoproj.io/v1alpha1
kind: NamespaceTemplate
metadata:
  name: namespacetemplate-sample
spec:
  exportedParamName:
    - registry
    - env
    - name
  nsResources:
    namespace:
      apiVersion: v1
      kind: Namespace
      metadata:
        annotations:
          imageregistry.com: ${registry}
          something.com/permitted: some-role
        labels:
          environment: ${env}
        name: ${name}
    resources:
      - name: local_service_account1
        type: ServiceAccount
        dependsOn: local_role
        serviceAccount:
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: ${env}-sa
            namespace: ${name}
      - name: local_service_account2
        type: ServiceAccount
        serviceAccount:
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: ${env}-sa2
            namespace: ${name}
      - name: local_role
        type: Role
        role:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: Role
          metadata:
            name: ${env}-role
          rules:
            - apiGroups:
                - ""
              resources:
                - pods/attach
                - pods/exec
                - pods/portforward
                - pods/proxy
                - secrets
                - services/proxy
              verbs:
                - get
                - list
                - watch
                - create
            - apiGroups:
                - ""
              resources:
                - serviceaccounts
              verbs:
                - impersonate
      - name: local_role_binding
        type: RoleBinding
        dependsOn: local_service_account1
        roleBinding:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: RoleBinding
          metadata:
            name: ${env}-rolebinding
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: Role
            name: ${env}-role
          subjects:
            - kind: ServiceAccount
              name: ${env}-sa
              namespace: ${name}
      - name: pod_count_quota
        type: ResourceQuota
        createOnly: "true"
        resourceQuota:
          apiVersion: v1
          kind: ResourceQuota
          metadata:
            name: ${env}-pod-quota
          spec:
            hard:
              pods: "3"
```
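
The `${param}` substitution and `dependsOn` ordering described above can be checked before a template is applied. The sketch below is an added example, not code from the keiko manager project: `render`, `creation_waves`, the DNS-style value pattern and the wave-by-wave ordering are assumptions made for illustration, and the inputs are constructed from the names in the sample template.

```python
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")
# Assumed policy: values must look like a DNS-1123 subdomain, so a value
# cannot carry newlines, colons or quotes into the rendered manifest.
SAFE_VALUE = re.compile(r"[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?")

def render(manifest_text, exported, values):
    """Substitute ${param}; reject undeclared, missing or unsafe params."""
    def sub(match):
        name = match.group(1)
        if name not in exported:
            raise ValueError(f"${{{name}}} is not an exported param")
        value = values.get(name)
        if value is None or not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"missing or unsafe value for {name!r}")
        return value
    return PLACEHOLDER.sub(sub, manifest_text)

def creation_waves(resources):
    """Group resources into waves; each wave waits for the previous one."""
    deps = {r["name"]: r.get("dependsOn") for r in resources}
    for name, dep in deps.items():
        if dep is not None and dep not in deps:
            raise ValueError(f"{name} depends on unknown resource {dep}")
    done, waves = set(), []
    while len(done) < len(deps):
        wave = [n for n, d in deps.items()
                if n not in done and (d is None or d in done)]
        if not wave:  # nothing can start: the remaining resources form a cycle
            raise ValueError("dependsOn cycle detected")
        waves.append(wave)
        done.update(wave)
    return waves

# Constructed inputs mirroring the sample template's names.
EXPORTED = ["registry", "env", "name"]
RESOURCES = [
    {"name": "local_service_account1", "dependsOn": "local_role"},
    {"name": "local_service_account2"},
    {"name": "local_role"},
    {"name": "local_role_binding", "dependsOn": "local_service_account1"},
    {"name": "pod_count_quota"},
]

if __name__ == "__main__":
    vals = {"registry": "registry.example.com", "env": "dev", "name": "team-a"}
    print(render("name: ${env}-sa\nnamespace: ${name}", EXPORTED, vals))
    print(creation_waves(RESOURCES))
```

Rejecting undeclared placeholders and constraining values keeps a namespace create request from introducing extra keys into a rendered Role or RoleBinding.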
Is this a BUG REPORT or FEATURE REQUEST?: FEATURE REQUEST
What happened: We should provide an option for administrators to create a TEMPLATE to control which resources need to be added as part of namespace creation.
Templates can be based on environment, compliance (PCI or non-PCI) or teams. Templates should also provide a way to configure "dynamic" properties so that values can be replaced during namespace creation/runtime, i.e., if an administrator wants a label with the cluster name, the template should be able to support that, i.e., host.cluster: ${clusterName}, where clusterName can be replaced at runtime based on the namespace create request.
What you expected to happen: An administrator can configure a template so that every namespace creation doesn't have to include the resources to be part of that namespace and can instead just pass the template name.