prod{access,vider}: implement

Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the Kubernetes cluster.

Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.

In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.

We also update relevant documentation.

Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/nix/cluster-configuration.nix b/cluster/nix/cluster-configuration.nix
index 7357f14..fdfcbed 100644
--- a/cluster/nix/cluster-configuration.nix
+++ b/cluster/nix/cluster-configuration.nix
@@ -161,7 +161,7 @@
       serviceClusterIpRange = "10.10.12.0/24";
       runtimeConfig = "api/all,authentication.k8s.io/v1beta1";
       authorizationMode = ["Node" "RBAC"];
-      enableAdmissionPlugins = ["Initializers" "NamespaceLifecycle" "NodeRestriction" "LimitRanger" "ServiceAccount" "DefaultStorageClass" "ResourceQuota"];
+      enableAdmissionPlugins = ["Initializers" "NamespaceLifecycle" "NodeRestriction" "LimitRanger" "ServiceAccount" "DefaultStorageClass" "ResourceQuota" "PodSecurityPolicy"];
       extraOpts = ''
         --apiserver-count=3 \
         --proxy-client-cert-file=${pki.kubeFront.apiserver.cert} \
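Review bot: On the `enableAdmissionPlugins` line, adding `"PodSecurityPolicy"` requires that PodSecurityPolicy objects, and RBAC grants of `use` on them, exist before the apiserver restarts with this list. With the plugin enabled and no policy authorized for the requesting user or service account, pod creation is rejected. Nothing in this hunk shows those policies or bindings, so please confirm they ship with this change (or are applied beforehand) and that they cover workloads in the personal-$username namespaces as well as system pods. The commit message describes prodaccess/prodvider, the static CRB and the docs but not this admission change; a sentence on it would help anyone bisecting pod admission failures later.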