| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 1 | # Common cluster configuration. |
| 2 | # This defines what Kubernetes resources are required to turn a bare k8s |
| 3 | # deployment into a fully working cluster. |
| 4 | # These assume that you're running on bare metal, and using the corresponding |
| 5 | # NixOS deployment that we do. |
| 6 | |
| 7 | local kube = import "../../kube/kube.libsonnet"; |
| 8 | local policies = import "../../kube/policies.libsonnet"; |
| 9 | |
| 10 | local calico = import "lib/calico.libsonnet"; |
| 11 | local certmanager = import "lib/cert-manager.libsonnet"; |
| 12 | local coredns = import "lib/coredns.libsonnet"; |
| Serge Bazanski | 2414afe | 2021-05-24 15:08:06 +0200 | [diff] [blame] | 13 | local identd = import "lib/identd.libsonnet"; |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 14 | local metallb = import "lib/metallb.libsonnet"; |
| 15 | local metrics = import "lib/metrics.libsonnet"; |
| 16 | local nginx = import "lib/nginx.libsonnet"; |
| 17 | local prodvider = import "lib/prodvider.libsonnet"; |
| 18 | local rook = import "lib/rook.libsonnet"; |
| 19 | local pki = import "lib/pki.libsonnet"; |
| 20 | |
| 21 | { |
| 22 | Cluster(short, realm):: { |
| 23 | local cluster = self, |
| 24 | local cfg = cluster.cfg, |
| 25 | |
| 26 | short:: short, |
| 27 | realm:: realm, |
| 28 | fqdn:: "%s.%s" % [cluster.short, cluster.realm], |
| 29 | |
| 30 | cfg:: { |
| 31 | // Storage class used for internal services (like registry). This must |
| 32 | // be set to a valid storage class. This can either be a cloud provider class |
| 33 | // (when running on GKE &co) or a storage class created using rook. |
| 34 | storageClassNameRedundant: error "storageClassNameRedundant must be set", |
| 35 | }, |
| 36 | |
| 37 | // These are required to let the API Server contact kubelets. |
| 38 | crAPIServerToKubelet: kube.ClusterRole("system:kube-apiserver-to-kubelet") { |
| 39 | metadata+: { |
| 40 | annotations+: { |
| 41 | "rbac.authorization.kubernetes.io/autoupdate": "true", |
| 42 | }, |
| 43 | labels+: { |
| 44 | "kubernetes.io/bootstrapping": "rbac-defaults", |
| 45 | }, |
| 46 | }, |
| 47 | rules: [ |
| 48 | { |
| 49 | apiGroups: [""], |
| 50 | resources: ["nodes/%s" % r for r in [ "proxy", "stats", "log", "spec", "metrics" ]], |
| 51 | verbs: ["*"], |
| 52 | }, |
| 53 | ], |
| 54 | }, |
| 55 | crbAPIServer: kube.ClusterRoleBinding("system:kube-apiserver") { |
| 56 | roleRef: { |
| 57 | apiGroup: "rbac.authorization.k8s.io", |
| 58 | kind: "ClusterRole", |
| 59 | name: cluster.crAPIServerToKubelet.metadata.name, |
| 60 | }, |
| 61 | subjects: [ |
| 62 | { |
| 63 | apiGroup: "rbac.authorization.k8s.io", |
| 64 | kind: "User", |
| 65 | # A cluster API Server authenticates with a certificate whose CN is == to the FQDN of the cluster. |
| 66 | name: cluster.fqdn, |
| 67 | }, |
| 68 | ], |
| 69 | }, |
| 70 | |
| 71 | // This ClusterRole is bound to all humans that log in via prodaccess/prodvider/SSO. |
| 72 | // It should allow viewing of non-sensitive data for debugability and openness. |
| 73 | crViewer: kube.ClusterRole("system:viewer") { |
| 74 | rules: [ |
| 75 | { |
| 76 | apiGroups: [""], |
| 77 | resources: [ |
| 78 | "nodes", |
| 79 | "namespaces", |
| 80 | "pods", |
| 81 | "configmaps", |
| 82 | "services", |
| 83 | ], |
| 84 | verbs: ["list"], |
| 85 | }, |
| 86 | { |
| 87 | apiGroups: ["metrics.k8s.io"], |
| 88 | resources: [ |
| 89 | "nodes", |
| 90 | "pods", |
| 91 | ], |
| 92 | verbs: ["list"], |
| 93 | }, |
| 94 | { |
| 95 | apiGroups: ["apps"], |
| 96 | resources: [ |
| 97 | "statefulsets", |
| 98 | ], |
| 99 | verbs: ["list"], |
| 100 | }, |
| 101 | { |
| 102 | apiGroups: ["extensions"], |
| 103 | resources: [ |
| 104 | "deployments", |
| 105 | "ingresses", |
| 106 | ], |
| 107 | verbs: ["list"], |
| 108 | } |
| 109 | ], |
| 110 | }, |
| 111 | // This ClusterRole is applied (scoped to personal namespace) to all humans. |
| 112 | crFullInNamespace: kube.ClusterRole("system:admin-namespace") { |
| 113 | rules: [ |
| 114 | { |
| 115 | apiGroups: ["", "extensions", "apps"], |
| 116 | resources: ["*"], |
| 117 | verbs: ["*"], |
| 118 | }, |
| 119 | { |
| 120 | apiGroups: ["batch"], |
| 121 | resources: ["jobs", "cronjobs"], |
| 122 | verbs: ["*"], |
| 123 | }, |
| Serge Bazanski | f40c924 | 2021-02-07 19:23:43 +0000 | [diff] [blame] | 124 | { |
| 125 | apiGroups: ["networking.k8s.io"], |
| 126 | resources: ["ingresses"], |
| 127 | verbs: ["*"], |
| 128 | }, |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 129 | ], |
| 130 | }, |
| 131 | // This ClusterRoleBindings allows root access to cluster admins. |
| 132 | crbAdmins: kube.ClusterRoleBinding("system:admins") { |
| 133 | roleRef: { |
| 134 | apiGroup: "rbac.authorization.k8s.io", |
| 135 | kind: "ClusterRole", |
| 136 | name: "cluster-admin", |
| 137 | }, |
| 138 | subjects: [ |
| 139 | { |
| 140 | apiGroup: "rbac.authorization.k8s.io", |
| 141 | kind: "User", |
| 142 | name: user + "@hackerspace.pl", |
| 143 | } for user in [ |
| 144 | "q3k", |
| 145 | "implr", |
| 146 | "informatic", |
| 147 | ] |
| 148 | ], |
| 149 | }, |
| 150 | |
| 151 | podSecurityPolicies: policies.Cluster {}, |
| 152 | |
| 153 | allowInsecureNamespaces: [ |
| 154 | policies.AllowNamespaceInsecure("kube-system"), |
| 155 | policies.AllowNamespaceInsecure("metallb-system"), |
| 156 | ], |
| 157 | |
| 158 | // Allow all service accounts (thus all controllers) to create secure pods. |
| 159 | crbAllowServiceAccountsSecure: kube.ClusterRoleBinding("policy:allow-all-secure") { |
| 160 | roleRef_: cluster.podSecurityPolicies.secureRole, |
| 161 | subjects: [ |
| 162 | { |
| 163 | kind: "Group", |
| 164 | apiGroup: "rbac.authorization.k8s.io", |
| 165 | name: "system:serviceaccounts", |
| 166 | } |
| 167 | ], |
| 168 | }, |
| 169 | |
| 170 | // Calico network fabric |
| 171 | calico: calico.Environment {}, |
| 172 | |
| 173 | // CoreDNS for this cluster. |
| 174 | dns: coredns.Environment { |
| 175 | cfg+: { |
| 176 | cluster_domains: [ |
| 177 | "cluster.local", |
| 178 | cluster.fqdn, |
| 179 | ], |
| 180 | }, |
| 181 | }, |
| 182 | |
| 183 | // Metrics Server |
| 184 | metrics: metrics.Environment {}, |
| 185 | |
| 186 | // Metal Load Balancer |
| 187 | metallb: metallb.Environment {}, |
| 188 | |
| 189 | // Main nginx Ingress Controller |
| 190 | nginx: nginx.Environment {}, |
| 191 | |
| 192 | // Cert-manager (Let's Encrypt, CA, ...) |
| 193 | certmanager: certmanager.Environment {}, |
| 194 | |
| 195 | issuer: kube.ClusterIssuer("letsencrypt-prod") { |
| 196 | spec: { |
| 197 | acme: { |
| 198 | server: "https://acme-v02.api.letsencrypt.org/directory", |
| 199 | email: "bofh@hackerspace.pl", |
| 200 | privateKeySecretRef: { |
| 201 | name: "letsencrypt-prod" |
| 202 | }, |
| 203 | http01: {}, |
| 204 | }, |
| 205 | }, |
| 206 | }, |
| 207 | |
| Serge Bazanski | 2414afe | 2021-05-24 15:08:06 +0200 | [diff] [blame] | 208 | // Ident service |
| 209 | identd: identd.Environment {}, |
| 210 | |
| Sergiusz Bazanski | dbfa988 | 2020-06-06 01:21:45 +0200 | [diff] [blame] | 211 | // Rook Ceph storage operator. |
| 212 | rook: rook.Operator { |
| 213 | operator+: { |
| 214 | spec+: { |
| 215 | replicas: 1, |
| 216 | }, |
| 217 | }, |
| 218 | }, |
| 219 | |
| 220 | // TLS PKI machinery (compatibility with mirko) |
| 221 | pki: pki.Environment(cluster.short, cluster.realm), |
| 222 | |
| 223 | // Prodvider |
| 224 | prodvider: prodvider.Environment { |
| 225 | cfg+: { |
| 226 | apiEndpoint: "kubernetes.default.svc.%s" % [cluster.fqdn], |
| 227 | }, |
| 228 | }, |
| 229 | }, |
| 230 | } |