cluster/kube: deploy admitomatic

This doesn't yet enable a webhook, but deploys admitomatic itself.

Change-Id: Id177bc8841c873031f9c196b8ff3c12dd846ba8e
diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet
index f393dbe..b5feb05 100644
--- a/cluster/kube/k0.libsonnet
+++ b/cluster/kube/k0.libsonnet
@@ -7,6 +7,7 @@
 
 local cluster = import "cluster.libsonnet";
 
+local admitomatic = import "lib/admitomatic.libsonnet";
 local cockroachdb = import "lib/cockroachdb.libsonnet";
 local registry = import "lib/registry.libsonnet";
 local rook = import "lib/rook.libsonnet";
@@ -308,5 +309,57 @@
             # TODO(implr): restricted policy with CAP_NET_ADMIN and tuntap, but no full root
             policies.AllowNamespaceInsecure("implr-vpn"),
         ],
+
+        # Admission controller that permits non-privileged users to manage
+        # their namespaces without danger of hijacking important URLs.
+        admitomatic: admitomatic.Environment {
+            cfg+: {
+                proto: {
+                    // Domains allowed in given namespaces. If a domain exists
+                    // anywhere, ingresses will only be permitted to be created
+                    // within namespaces in which it appears here. This works
+                    // the same way for wildcards, if a wildcard exists in this
+                    // list it blocks all unauthorized uses of that domain
+                    // elsewhere.
+                    //
+                    // See //cluster/admitomatic for more information.
+                    //
+                    // Or, tl;dr:
+                    //
+                    // If you do a wildcard CNAME onto the k0 ingress, you
+                    // should explicitly state *.your.name.com here.
+                    //
+                    // If you just want to protect your host from being
+                    // hijacked by other cluster users, you should also state
+                    // it here (either as a wildcard, or unary domains).
+                    allow_domain: [
+                        { namespace: "covid-formity", dns: "covid19.hackerspace.pl" },
+                        { namespace: "covid-formity", dns: "covid.hackerspace.pl" },
+                        { namespace: "covid-formity", dns: "www.covid.hackerspace.pl" },
+                        { namespace: "devtools-prod", dns: "hackdoc.hackerspace.pl" },
+                        { namespace: "devtools-prod", dns: "cs.hackerspace.pl" },
+                        { namespace: "engelsystem-prod", dns: "engelsystem.hackerspace.pl" },
+                        { namespace: "gerrit", dns: "gerrit.hackerspace.pl" },
+                        { namespace: "gitea-prod", dns: "gitea.hackerspace.pl" },
+                        { namespace: "hswaw-prod", dns: "*.hackerspace.pl" },
+                        { namespace: "internet", dns: "internet.hackerspace.pl" },
+                        { namespace: "matrix", dns: "matrix.hackerspace.pl" },
+                        { namespace: "onlyoffice-prod", dns: "office.hackerspace.pl" },
+                        { namespace: "redmine", dns: "issues.hackerspace.pl" },
+                        { namespace: "speedtest", dns: "speedtest.hackerspace.pl" },
+                        { namespace: "sso", dns: "sso.hackerspace.pl" },
+
+                        { namespace: "ceph-waw3", dns: "ceph-waw3.hswaw.net" },
+                        { namespace: "ceph-waw3", dns: "object.ceph-waw3.hswaw.net" },
+                        { namespace: "monitoring-global-k0", dns: "*.hswaw.net" },
+                        { namespace: "registry", dns: "*.hswaw.net" },
+
+                        // q3k's legacy namespace (pre-prodvider)
+                        { namespace: "q3k", dns: "*.q3k.org" },
+                        { namespace: "personal-q3k", dns: "*.q3k.org" },
+                    ],
+                },
+            },
+        },
     },
 }
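Review bot: The comment block above `allow_domain` does not state how an explicit unary entry interacts with a wildcard owned by a different namespace — e.g. `covid-formity` lists `covid19.hackerspace.pl` while `hswaw-prod` holds `*.hackerspace.pl`, and `ceph-waw3` lists unary `hswaw.net` hosts while both `monitoring-global-k0` and `registry` hold `*.hswaw.net`. Whether the unary entry carves the host out of the wildcard, or the wildcard holder can also claim it, is the property this list exists to enforce, and a reader cannot tell which from the hunk; it is also not stated whether the same wildcard in two namespaces (the two `*.hswaw.net` and two `*.q3k.org` entries) means both may create ingresses for any host under it. Since the commit message says the webhook is not yet enabled, this is the moment to pin the intended semantics in the comment, e.g. `// Precedence: an exact host listed for namespace A is [or is not] usable by a namespace holding a matching wildcard; the same wildcard in several namespaces grants it to each of them.` — with the bracketed choice resolved against the admitomatic implementation. Minor style point: lines 23–24 use `#` comments while the rest of the block uses `//`; one form would be more consistent. The enclosing object that `admitomatic:` is added to begins outside the hunk.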