redhat-cop / namespace-configuration-operator

The namespace-configuration-operator helps keep configurations related to Users, Groups and Namespaces aligned with one or more policies specified as CRs
Apache License 2.0

support complex template processing #67

Closed everpeace closed 4 years ago

everpeace commented 4 years ago

Hi, thanks for sharing the great project. I have hundreds of personal namespaces, one for each employee, in my company's internal cluster.

I'm planning to use NamespaceConfig to set up pre-defined resources for them. But I noticed that LockedResource.templateObject uses the very vanilla Go text/template package (in operator-utils).

https://github.com/redhat-cop/operator-utils/blob/master/pkg/util/lockedresourcecontroller/lockedresource/locked-resource.go#L69-L106

The vanilla text/template library doesn't support useful/complex functions. As a result, it doesn't allow generating complex templates.

For example (from my use case):

```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: NamespaceConfig
metadata:
  name: personal
spec:
  labelSelector:
    matchLabels:
      namespaceconfig/type: personal
  templates:
  # This generates a PodSecurityPolicy which restricts uid/gid/supplementalGroups;
  # the ids are read from the namespace annotations
  - objectTemplate: |
      apiVersion: extensions/v1beta1
      kind: PodSecurityPolicy
      metadata:
        name: {{ .Name }}
        annotations:
          seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
          seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
      spec:
        # ...
        fsGroup:
          ranges:
          - max: {{index .Annotations "gid"}}
            min: {{index .Annotations "gid"}}
          rule: MustRunAs
        runAsUser:
          ranges:
          - max: {{index .Annotations "uid"}}
            min: {{index .Annotations "uid"}}
          rule: MustRunAs
        seLinux:
          rule: RunAsAny
        supplementalGroups:
          ranges:
          # Current version can't support 'split' function!!!
          # (sprig's splitList takes the separator first, then the string)
          {{range $gid := splitList "," (index .Annotations "supplemental-gids")}}
          - max: {{$gid}}
            min: {{$gid}}
          {{end}}
          rule: MustRunAs
---
kind: Namespace
apiVersion: v1
metadata:
  name: user-bob
  annotations:
    uid: "1000"
    gid: "1000"
    supplemental-gids: "5000,6000"
  labels:
    namespaceconfig/type: personal
```

I would like to propose supporting sprig in processing objectTemplate.

Note: I will post a PR to support this.
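
The following Go program is an added example (not code from the issue, the operator or operator-utils). It renders the supplementalGroups fragment above with vanilla text/template, which fails at parse time because no split function exists, and then again after registering a `splitList` function through `template.FuncMap`, the same hook sprig uses; the `splitList` implementation, the `NamespaceData` type and the user-bob annotation values are constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// NamespaceData stands in for the data the operator passes to objectTemplate
// (only the matched Namespace's annotations are needed for this fragment).
type NamespaceData struct {
	Annotations map[string]string
}

// The supplementalGroups fragment from the issue, calling splitList in
// sprig's argument order (separator first, then the string to split).
const pspTemplate = `supplementalGroups:
  ranges:
{{- range $gid := splitList "," (index .Annotations "supplemental-gids") }}
  - max: {{ $gid }}
    min: {{ $gid }}
{{- end }}
  rule: MustRunAs
`

// render executes the fragment. withFuncs=false is vanilla text/template as in
// the issue; withFuncs=true registers a splitList (assumed to mirror sprig's)
// via template.FuncMap before parsing, the hook a sprig-enabled operator uses.
func render(withFuncs bool, data NamespaceData) (string, error) {
	t := template.New("psp")
	if withFuncs {
		t = t.Funcs(template.FuncMap{"splitList": func(sep, s string) []string { return strings.Split(s, sep) }})
	}
	t, err := t.Parse(pspTemplate) // vanilla fails here: function "splitList" not defined
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	ns := NamespaceData{Annotations: map[string]string{"supplemental-gids": "5000,6000"}} // constructed sample
	_, err := render(false, ns)
	fmt.Println("vanilla:", err) // function "splitList" not defined
	out, _ := render(true, ns)
	fmt.Print(out) // one max/min range entry per gid: 5000 and 6000
}
```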

everpeace commented 4 years ago

As mentioned in redhat-cop/operator-utils#35, redhat-cop/operator-utils#34 is adding support for sprig functions and more (helm functions, e.g. toYaml, etc.). Once the PR is released, this project should upgrade to it.