cluster/kube: Centralize namespace admin RoleBindings

Change-Id: Iec3505b2f4a1647e67cf47cf189c77534b5be6ac
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1696
Reviewed-by: q3k <q3k@hackerspace.pl>
diff --git a/cluster/kube/k0-admins.jsonnet b/cluster/kube/k0-admins.jsonnet
new file mode 100644
index 0000000..96e44ad
--- /dev/null
+++ b/cluster/kube/k0-admins.jsonnet
@@ -0,0 +1,7 @@
+// Only the admins (per-namespace RoleBindings)
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+    admins: k0.admins,
+}
diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet
index 7a0f69b..81627ac 100644
--- a/cluster/kube/k0.libsonnet
+++ b/cluster/kube/k0.libsonnet
@@ -11,6 +11,7 @@
 local cockroachdb = import "lib/cockroachdb.libsonnet";
 local registry = import "lib/registry.libsonnet";
 local rook = import "lib/rook.libsonnet";
+local admins = import "lib/admins.libsonnet";
 
 {
     k0: {
@@ -375,5 +376,37 @@
                 },
             },
         },
+
+        // Configuration of RoleBindings
+        admins: admins.NamespaceAdmins {
+            // Cluster staff have full access to all namespaces
+            // To give non-staff users admin access scoped to a given namespace,
+            // add them to the list below.
+            // (system:admin-namespace role is given to <user>@hackerspace.pl)
+            namespaces:: {
+                "inventory": [
+                    "radex",
+                    "palid",
+                ],
+                "site": [
+                    "ar",
+                    "radex",
+                ],
+                "valheim": [
+                    "patryk",
+                    "palid",
+                ],
+                "matrix-0x3c": [
+                    "not7cd",
+                ],
+                "hswaw-prod": [
+                    "ar",
+                    "radex",
+                ],
+                "ldapweb": [
+                    "radex",
+                ],
+            }
+        }
     },
 }
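Review bot: The comment above `namespaces::` explains how a user is mapped to an identity but not what `system:admin-namespace` actually confers, which is the thing a maintainer needs to know before adding a name to, say, `hswaw-prod`; if that ClusterRole is a namespace-wide admin role (I cannot see its rules from here), listing a user there presumably also lets them read every Secret and run arbitrary workloads in that namespace. I would state that explicitly, e.g. `// NOTE: system:admin-namespace is full admin within the namespace (including Secrets); treat entries here like a production credential grant.` Nothing in `admins.NamespaceAdmins` rejects a key such as `kube-system`, so the same comment should say that only application namespaces belong in this map, or the library should enforce it.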
diff --git a/cluster/kube/lib/admins.libsonnet b/cluster/kube/lib/admins.libsonnet
new file mode 100644
index 0000000..a0e1553
--- /dev/null
+++ b/cluster/kube/lib/admins.libsonnet
@@ -0,0 +1,26 @@
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+    local createNamespaceRoleBinding(namespace, users) = kube.RoleBinding("admins") {
+        metadata+: {
+            namespace: namespace,
+        },
+        roleRef: {
+            apiGroup: "rbac.authorization.k8s.io",
+            kind: "ClusterRole",
+            name: "system:admin-namespace",
+        },
+        subjects: [
+            kube.User("%s@hackerspace.pl" % [user])
+            for user in users
+        ],
+    },
+    NamespaceAdmins: {
+        namespaces:: error "namespaces not set",
+        local namespaces = self.namespaces,
+        roleBindings: [
+            createNamespaceRoleBinding(namespace, namespaces[namespace])
+            for namespace in std.objectFields(namespaces)
+        ],
+    },
+}