cluster/admitomatic: implement opt-out namespaces

Change-Id: I32d4b019211fa755e2b3b103b88ea3f4c14e500f
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1521
Reviewed-by: informatic <informatic@hackerspace.pl>
diff --git a/cluster/admitomatic/BUILD.bazel b/cluster/admitomatic/BUILD.bazel
index 32437b2..5aa7c0e 100644
--- a/cluster/admitomatic/BUILD.bazel
+++ b/cluster/admitomatic/BUILD.bazel
@@ -60,6 +60,6 @@
     image = ":runtime",
     format = "Docker",
     registry = "registry.k0.hswaw.net",
-    repository = "q3k/admitomatic",
+    repository = "cluster/admitomatic",
     tag = "{BUILD_TIMESTAMP}-{STABLE_GIT_COMMIT}",
 )
diff --git a/cluster/admitomatic/config/config.proto b/cluster/admitomatic/config/config.proto
index 460c571..2bc5b02 100644
--- a/cluster/admitomatic/config/config.proto
+++ b/cluster/admitomatic/config/config.proto
@@ -20,6 +20,9 @@
     // appear in this list, it will be allowed to run in any
     // namespace.
     repeated AllowDomain allow_domain = 1;
+
+    // List of namespaces that do not have any domain/annotation checks.
+    repeated string anything_goes_namespace = 2;
 }
 
 message AllowDomain {
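Review bot: The comment on `anything_goes_namespace` understates what the field does: per ingress.go, an Ingress in a listed namespace is admitted before any domain or annotation check runs, so the `allow_domain` entries for that namespace become irrelevant, not merely relaxed. Spelling that out where operators edit the config would help, e.g. `// Namespaces whose Ingresses are admitted unconditionally: the allow_domain` / `// list and all annotation checks are skipped for them. Keep this list short.` This is a documentation-only suggestion.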
diff --git a/cluster/admitomatic/ingress.go b/cluster/admitomatic/ingress.go
index 22e9dab..b7bdf91 100644
--- a/cluster/admitomatic/ingress.go
+++ b/cluster/admitomatic/ingress.go
@@ -36,6 +36,10 @@
 type ingressFilter struct {
 	// allowed is a map from namespace to list of domain matchers.
 	allowed map[string][]*domain
+
+	// anythingGoesNamespaces are namespaces that are opted out of security
+	// checks.
+	anythingGoesNamespaces []string
 }
 
 // domain is a matcher for either a single given domain, or a domain wildcard.
@@ -152,6 +156,11 @@
 	if req.Namespace == "kube-system" {
 		return result("")
 	}
+	for _, ns := range i.anythingGoesNamespaces {
+		if ns == req.Namespace {
+			return result("")
+		}
+	}
 
 	switch req.Operation {
 	case "CREATE":
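Review bot: The opt-out loop returns `result("")` without leaving any trace that the request skipped every check, so afterwards nothing distinguishes an Ingress admitted because its namespace is exempt from one that passed validation. A log line at the exemption would make the bypass auditable, e.g. `glog.Infof("Ingress: namespace %q is opted out of checks, allowing", req.Namespace)`, assuming the glog logger used in service.go is in scope in this file. The hard-coded `kube-system` exemption directly above is the same decision made by a second mechanism; treating it as a built-in member of `anythingGoesNamespaces` (or a shared membership helper) would leave one code path to audit. The enclosing admit function starts and ends outside this hunk.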
diff --git a/cluster/admitomatic/ingress_test.go b/cluster/admitomatic/ingress_test.go
index 15a6049..92b1357 100644
--- a/cluster/admitomatic/ingress_test.go
+++ b/cluster/admitomatic/ingress_test.go
@@ -94,6 +94,7 @@
 	f.allow("personal-q3k", "*.k0.q3k.org")
 	f.allow("personal-vuko", "shells.vuko.pl")
 	f.allow("minecraft", "*.k0.q3k.org")
+	f.anythingGoesNamespaces = []string{"opted-out"}
 
 	mkReq := func(ns string, annotations map[string]string, is *networking.IngressSpec) *admission.AdmissionRequest {
 		i := &networking.Ingress{
@@ -185,6 +186,19 @@
 				},
 			},
 		}), ""},
+		// 6: janky annotations, should be allowed by exception
+		{mkReq("opted-out", map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": "omghax",
+		}, &networking.IngressSpec{
+			Rules: []networking.IngressRule{
+				{Host: "matrix.hackerspace.pl"},
+			},
+			TLS: []networking.IngressTLS{
+				{
+					Hosts: []string{"matrix.hackerspace.pl"},
+				},
+			},
+		}), ""},
 	} {
 		res, err := f.admit(el.req)
 		if err != nil {
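Review bot: Case 6 exercises the exemption by assigning `f.anythingGoesNamespaces` directly, so the wiring from `cfg.AnythingGoesNamespace` in service.go is not covered by this test; a small test that loads a config with the field set and checks that the resulting filter admits the same request would close that gap. The new case only asserts the positive path; if an earlier case does not already send the same configuration-snippet request from a namespace that is not listed and expect a rejection, adding that sibling case next to this one would guard against the exemption check matching too broadly. The enclosing test function starts and ends outside this hunk.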
diff --git a/cluster/admitomatic/service.go b/cluster/admitomatic/service.go
index 8fa2698..b5f7662 100644
--- a/cluster/admitomatic/service.go
+++ b/cluster/admitomatic/service.go
@@ -39,6 +39,7 @@
 		}
 		glog.Infof("Ingress: allowing %s in %s", ad.Dns, ad.Namespace)
 	}
+	s.ingress.anythingGoesNamespaces = cfg.AnythingGoesNamespace
 	return &s, nil
 }
 
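Review bot: The new assignment wires the exemption list silently, whereas the allow-domain entries just above are each logged at startup, so an operator reading the logs cannot see which namespaces have checks disabled. Mirroring the existing log, `for _, ns := range cfg.AnythingGoesNamespace { glog.Warningf("Ingress: namespace %q is exempt from all checks", ns) }` before the assignment would keep both kinds of policy visible at the same place. Rejecting an empty-string entry in that loop would also catch a config typo that would otherwise match nothing useful or, at worst, requests without a namespace. The enclosing constructor starts outside this hunk.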
diff --git a/cluster/kube/k0.libsonnet b/cluster/kube/k0.libsonnet
index 57f3269..756b00f 100644
--- a/cluster/kube/k0.libsonnet
+++ b/cluster/kube/k0.libsonnet
@@ -446,6 +446,11 @@
                         { namespace: "q3k", dns: "*.q3k.org" },
                         { namespace: "personal-q3k", dns: "*.q3k.org" },
                     ],
+
+                    anything_goes_namespace: [
+                        // sourcegraph ingress wants a config snippet to set a header.
+                        "devtools-prod",
+                    ],
                 },
             },
         },
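Review bot: The comment on the new `anything_goes_namespace` entry gives the reason for the exemption but not its breadth: per ingress.go the opt-out is namespace-wide, so every Ingress in `devtools-prod` now bypasses the domain allow-list as well as the annotation checks, not only the sourcegraph one that needs the snippet. Recording that in the comment would keep the trade-off visible to whoever next edits this list, e.g. `// sourcegraph ingress wants a config snippet to set a header. Note this` / `// exempts every Ingress in the namespace from domain and annotation checks.` This is a documentation-only suggestion.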
diff --git a/cluster/kube/lib/admitomatic.libsonnet b/cluster/kube/lib/admitomatic.libsonnet
index 305df94..d4a2766 100644
--- a/cluster/kube/lib/admitomatic.libsonnet
+++ b/cluster/kube/lib/admitomatic.libsonnet
@@ -32,7 +32,7 @@
 
         cfg:: {
             namespace: "admitomatic",
-            image: "registry.k0.hswaw.net/q3k/admitomatic:1622912229-383fefa14bddd51c1573fb9b5fcc6ecea958f50a",
+            image: "registry.k0.hswaw.net/cluster/admitomatic:315532800-418f1b77968ac843af2e48cd414c2f8eb19653ba",
 
             proto: {},
         },