prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/clustercfg/clustercfg.py b/cluster/clustercfg/clustercfg.py
index 24fa745..b6d790b 100644
--- a/cluster/clustercfg/clustercfg.py
+++ b/cluster/clustercfg/clustercfg.py
@@ -57,7 +57,7 @@
 def configure_k8s(username, ca, cert, key):
     subprocess.check_call([
         'kubectl', 'config',
-        'set-cluster', cluster,
+        'set-cluster', 'admin.' + cluster,
         '--certificate-authority=' + ca,
         '--embed-certs=true',
         '--server=https://' + cluster + ':4001',
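Review bot: The name `'admin.' + cluster` is built here at `set-cluster` and three more times in the next hunk (`set-context`, `--cluster=`, `use-context`), so a later rename has to touch four places, and a missed one would leave the context pointing at a cluster entry that does not exist. Binding it once at the top of `configure_k8s`, e.g. `admin_name = 'admin.' + cluster`, and using `admin_name` in all four calls keeps them in step. `--server=` rightly stays on the bare `cluster` hostname. The body of `configure_k8s` continues past this hunk.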
@@ -71,13 +71,13 @@
     ])
     subprocess.check_call([
         'kubectl', 'config',
-        'set-context', cluster,
-        '--cluster=' + cluster,
+        'set-context', 'admin.' + cluster,
+        '--cluster=' + 'admin.' + cluster,
         '--user=' + username,
     ])
     subprocess.check_call([
         'kubectl', 'config',
-        'use-context', cluster,
+        'use-context', 'admin.' + cluster,
     ])
 
 
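Review bot: The `'--user=' + username` argument to `set-context` does not get the `admin.` prefix that the cluster and context names now carry, so the admin client certificate stays in a kubeconfig user entry named after the bare username. If prodaccess stores its short-lived credentials under the same entry name (not visible in this diff), the two would overwrite each other and a non-admin context could end up presenting the admin certificate. Consider `'--user=' + 'admin.' + username`, with the same change in the matching `set-credentials` call, which lies between the two hunks and is not shown. Separately, `use-context` still makes the admin context the default for every later `kubectl` call. Leaving the current context alone and requiring an explicit `--context` would fit the intent of the warning added below.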
@@ -86,6 +86,18 @@
         sys.stderr.write("Usage: admincreds q3k\n")
         return 1
     username = args[0]
+    print("")
+    print("WARNING WARNING WARNING WARNING WARNING WARNING")
+    print("===============================================")
+    print("")
+    print("You are requesting ADMIN credentials.")
+    print("")
+    print("You likely shouldn't be doing this, and")
+    print("instead should be using `prodaccess`.")
+    print("")
+    print("===============================================")
+    print("WARNING WARNING WARNING WARNING WARNING WARNING")
+    print("")
 
     ## Make kube certificates.
     certs_root = os.path.join(local_root, 'cluster/certs')
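Review bot: The banner is written with `print()` to stdout, while the usage error just above it goes to `sys.stderr`. A warning about requesting admin credentials belongs on stderr so it is still seen when stdout is redirected or piped. A single `sys.stderr.write(...)` of one multi-line string would also replace the twelve `print` calls. The banner is advisory only: nothing visible in this hunk confirms or records the request before the certificates are made, so an explicit confirmation prompt may be worth adding if admin issuance is meant to be rare. The enclosing function starts and ends outside the hunk.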
@@ -169,6 +181,10 @@
         ## Make kube certificates.
         ca_kube = ca.CA(ss, certs_root, 'kube', 'kubernetes main CA')
 
+        # Make prodvider intermediate CA.
+        c = ca_kube.make_cert('ca-kube-prodvider', o='Warsaw Hackerspace', ou='kubernetes prodvider intermediate', hosts=['kubernetes prodvider intermediate CA'], profile='intermediate')
+        c.ensure()
+
         # Make kubelet certificate (per node).
         c = ca_kube.make_cert('kube-kubelet-'+fqdn, o='system:nodes', ou='Kubelet', hosts=['system:node:'+fqdn, fqdn])
         c.upload_pki(r, pki_config('kube.kubelet'))
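Review bot: The new `ca-kube-prodvider` certificate is an intermediate under the main kube CA, and the added lines do not document what that implies. Assuming the apiserver trusts this CA for client authentication, any certificate prodvider signs is accepted as a client identity, including privileged organisations such as `system:nodes`. What `profile='intermediate'` sets for path length and lifetime is not visible here, and unlike the kubelet certificate below there is no `upload_pki` call, so where the intermediate key ends up is also not shown. I would add a comment above `make_cert` along the lines of `# NOTE: anything signed by this intermediate is trusted as a kube client identity; protect its key like the kube CA key.` and state the intended path-length and expiry constraints there. The line is also about 190 characters long and would read better with one keyword argument per line.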