keikoproj / manager

Multi K8s cluster Namespace Management
Apache License 2.0

Allow users to create Namespace Config Templates #20

Closed mnkg561 closed 4 years ago

mnkg561 commented 4 years ago

Is this a BUG REPORT or FEATURE REQUEST?: FEATURE REQUEST

What happened: We should provide an option for administrators to create a TEMPLATE to control what resources need to be added as part of namespace creation.

Templates can be based on environment, compliance (PCI or non-PCI) or teams. Templates should also provide a way to configure "dynamic" properties so that values can be replaced during namespace creation/runtime, i.e., if an administrator wants a label with the cluster name, the template should be able to support that: host.cluster: ${clusterName}, where clusterName is replaced at runtime based on the namespace create request.

What you expected to happen: Administrators can configure a template so that every namespace creation doesn't have to include the resources that are to be part of that namespace; instead it just passes the template name.


mnkg561 commented 4 years ago

NamespaceTemplate provides the following at a high level:

- exportedParams
- NamespaceResources
  - Namespace
  - Resources

ExportedParams: Params which can be replaced at runtime; use ${param} in the manifests.

DependsOn: By default, the Namespace will be created first and any resources under the Resources section will be created in parallel. To control the dependency structure, one can use the DependsOn parameter to force execution only once its dependent resource has been created.

CreateOnly: If any resource needs to be created only once and should not be overwritten, the CreateOnly parameter can be used to enforce it.

Resource: Type should dictate which resource is being included in the resource section, and any other resource manifests included in that resource section will be ignored. For example, to create a service account, Type should be ServiceAccount and the entry should include a serviceAccount: section.

mnkg561 commented 4 years ago

Sample Template:

apiVersion: manager.keikoproj.io/v1alpha1
kind: NamespaceTemplate
metadata:
  name: namespacetemplate-sample
spec:
  exportedParamName:
    - registry
    - env
    - name
  nsResources:
    namespace:
      apiVersion: v1
      kind: Namespace
      metadata:
        annotations:
          imageregistry.com: ${registry}
          something.com/permitted: some-role
        labels:
          environment: ${env}
        name: ${name}
    resources:
      - name: local_service_account1
        type: ServiceAccount
        dependsOn: local_role
        serviceAccount:
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: ${env}-sa
            namespace: ${name}
      - name: local_service_account2
        type: ServiceAccount
        serviceAccount:
          apiVersion: v1
          kind: ServiceAccount
          metadata:
            name: ${env}-sa2
            namespace: ${name}
      - name: local_role
        type: Role
        role:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: Role
          metadata:
            name: ${env}-role
          rules:
            - apiGroups:
                - ""
              resources:
                - pods/attach
                - pods/exec
                - pods/portforward
                - pods/proxy
                - secrets
                - services/proxy
              verbs:
                - get
                - list
                - watch
                - create
            - apiGroups:
                - ""
              resources:
                - serviceaccounts
              verbs:
                - impersonate
      - name: local_role_binding
        type: RoleBinding
        dependsOn: local_service_account1
        roleBinding:
          apiVersion: rbac.authorization.k8s.io/v1
          kind: RoleBinding
          metadata:
            name: ${env}-rolebinding
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: Role
            name: ${env}-role
          subjects:
            - kind: ServiceAccount
              name: ${env}-sa
              namespace: ${name}
      - name: pod_count_quota
        type: ResourceQuota
        createOnly: "true"
        resourceQuota:
          apiVersion: v1
          kind: ResourceQuota
          metadata:
            name: ${env}-pod-quota
          spec:
            hard:
              pods: "3"
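To make the semantics described in the comments above concrete (exportedParams with ${param} substitution, DependsOn ordering, CreateOnly, and the Type-selects-manifest rule), here is an added reference renderer in Python written for this page. It is example code, not code from keikoproj/manager; the function names render_template, order_resources, manifest_for and plan_apply, the cut-down copy of the sample template, and the set of "existing" objects are all constructed for the example. It goes slightly beyond the comment in one respect: it rejects values for parameters the template did not export, rejects unresolved ${...} placeholders, and rejects unknown or cyclic dependsOn targets, so a namespace request cannot smuggle in values the administrator never exposed, a typo in a template cannot render as an empty string, and a bad dependency graph fails fast instead of hanging.

```python
import re
from collections import deque

# Constructed sample: a cut-down copy of the NamespaceTemplate posted in this
# issue (Role rules and the RoleBinding subjects are omitted for brevity).
SAMPLE_TEMPLATE = {"spec": {
    "exportedParamName": ["registry", "env", "name"],
    "nsResources": {
        "namespace": {"apiVersion": "v1", "kind": "Namespace", "metadata": {
            "name": "${name}", "labels": {"environment": "${env}"},
            "annotations": {"imageregistry.com": "${registry}"}}},
        "resources": [
            {"name": "local_service_account1", "type": "ServiceAccount", "dependsOn": "local_role",
             "serviceAccount": {"apiVersion": "v1", "kind": "ServiceAccount",
                                "metadata": {"name": "${env}-sa", "namespace": "${name}"}}},
            {"name": "local_role", "type": "Role",
             "role": {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                      "metadata": {"name": "${env}-role"}, "rules": []}},
            {"name": "local_role_binding", "type": "RoleBinding", "dependsOn": "local_service_account1",
             "roleBinding": {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
                             "metadata": {"name": "${env}-rolebinding"}}},
            {"name": "pod_count_quota", "type": "ResourceQuota", "createOnly": "true",
             "resourceQuota": {"apiVersion": "v1", "kind": "ResourceQuota",
                               "metadata": {"name": "${env}-pod-quota"}, "spec": {"hard": {"pods": "3"}}}},
        ]}}}

PARAM_RE = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def substitute(obj, params):
    """Replace ${param} in every string of a nested structure. An undeclared
    placeholder is an error, not an empty string (hypothetical policy)."""
    if isinstance(obj, str):
        def repl(match):
            key = match.group(1)
            if key not in params:
                raise ValueError(f"undeclared template parameter: ${{{key}}}")
            return params[key]
        return PARAM_RE.sub(repl, obj)
    if isinstance(obj, dict):
        return {k: substitute(v, params) for k, v in obj.items()}
    if isinstance(obj, list):
        return [substitute(v, params) for v in obj]
    return obj


def render_template(template, values):
    """Render spec.nsResources; exactly the exported params must be supplied."""
    exported = set(template["spec"]["exportedParamName"])
    extra = sorted(set(values) - exported)
    if extra:
        raise ValueError(f"parameters not exported by the template: {extra}")
    missing = sorted(exported - set(values))
    if missing:
        raise ValueError(f"missing values for exported parameters: {missing}")
    return substitute(template["spec"]["nsResources"], values)


def order_resources(resources):
    """Kahn's algorithm over dependsOn: independent resources come first (the
    'in parallel' default), a dependent one only after its target. Unknown
    targets and cycles are rejected."""
    by_name = {r["name"]: r for r in resources}
    indegree = {n: 0 for n in by_name}
    dependents = {n: [] for n in by_name}
    for r in resources:
        dep = r.get("dependsOn")
        if dep is None:
            continue
        if dep not in by_name:
            raise ValueError(f"{r['name']} dependsOn unknown resource {dep}")
        indegree[r["name"]] += 1
        dependents[dep].append(r["name"])
    ready = deque(n for n, d in indegree.items() if d == 0)
    ordered = []
    while ready:
        current = ready.popleft()
        ordered.append(current)
        for child in dependents[current]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(ordered) != len(by_name):
        raise ValueError(f"dependsOn cycle among: {sorted(set(by_name) - set(ordered))}")
    return ordered


def manifest_for(resource):
    """Pick the manifest named by 'type' (ServiceAccount -> serviceAccount key);
    any other manifest keys in the entry are ignored, as the comment specifies."""
    key = resource["type"][0].lower() + resource["type"][1:]
    if key not in resource:
        raise ValueError(f"{resource['name']}: type {resource['type']} needs a {key}: section")
    return resource[key]


def plan_apply(rendered, existing):
    """Return [(resource name, action)] in apply order. 'existing' is a set of
    (kind, name) pairs already in the namespace: createOnly resources that exist
    are skipped, other existing ones updated, the rest created."""
    by_name = {r["name"]: r for r in rendered["resources"]}
    plan = []
    for name in order_resources(rendered["resources"]):
        manifest = manifest_for(by_name[name])
        present = (manifest["kind"], manifest["metadata"]["name"]) in existing
        create_only = str(by_name[name].get("createOnly", "false")).lower() == "true"
        plan.append((name, "create" if not present else "skip" if create_only else "update"))
    return plan
```

Calling render_template(SAMPLE_TEMPLATE, {"registry": ..., "env": "prod", "name": "payments"}) followed by plan_apply on the result gives local_role before local_service_account1 before local_role_binding, and marks pod_count_quota as "skip" when a ResourceQuota named prod-pod-quota already exists. Supplying an extra parameter, omitting an exported one, or referencing ${typo} in a manifest all raise ValueError instead of producing a partially rendered namespace.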