From 5dfc7e8871bd00f951c93b57625f8a7e4f3a7505 Mon Sep 17 00:00:00 2001
From: Joel Wetzell
Date: Tue, 28 Oct 2025 16:03:26 -0500
Subject: [PATCH] add role and validation policy for namespaces
---
 apps/stage-maker/cluster-role-binding.yaml | 21 +++++++++
 apps/stage-maker/deployment.yaml | 44 -------------------
 apps/stage-maker/ingress.yaml | 18 --------
 apps/stage-maker/kustomization.yaml | 6 +--
 apps/stage-maker/namespace-prefix-policy.yaml | 31 +++++++++++++
 apps/stage-maker/service.yaml | 15 -------
 6 files changed, 54 insertions(+), 81 deletions(-)
 delete mode 100644 apps/stage-maker/deployment.yaml
 delete mode 100644 apps/stage-maker/ingress.yaml
 create mode 100644 apps/stage-maker/namespace-prefix-policy.yaml
 delete mode 100644 apps/stage-maker/service.yaml
diff --git a/apps/stage-maker/cluster-role-binding.yaml b/apps/stage-maker/cluster-role-binding.yaml
index 5bbf1e0..e1dcdbb 100644
--- a/apps/stage-maker/cluster-role-binding.yaml
+++ b/apps/stage-maker/cluster-role-binding.yaml
@@ -1,3 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: edit-namespaces
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -10,4 +18,17 @@ subjects:
 roleRef:
 kind: ClusterRole
 name: ontime-operator-stage-editor-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: edit-namespaces-clusterrolebinding
+subjects:
+- kind: ServiceAccount
+ name: stage-editor
+ namespace: stage-maker
+roleRef:
+ kind: ClusterRole
+ name: edit-namespaces
 apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/apps/stage-maker/deployment.yaml b/apps/stage-maker/deployment.yaml
deleted file mode 100644
index fe44ece..0000000
--- a/apps/stage-maker/deployment.yaml
+++ /dev/null
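Review bot: The new `edit-namespaces` ClusterRole grants `delete`, `update` and `patch` on every namespace in the cluster to the `stage-editor` service account, and RBAC `resourceNames` cannot express a name prefix, so the only thing keeping this account away from `kube-system` and the other existing namespaces is the ValidatingAdmissionPolicy added in `apps/stage-maker/namespace-prefix-policy.yaml`. That policy matches only `CREATE` and `UPDATE`, so deletions by this account are not constrained at all; either drop `delete` from the verb list until the policy covers it, or add `DELETE` to both `operations` lists in the policy file and validate `oldObject.metadata.name` for that operation (on a DELETE the CEL `object` variable is null, as far as I recall). The cluster-wide `get`/`list`/`watch` is a read of every namespace's metadata and may be intended, but the coupling to the admission policy deserves a comment above the rule, e.g. `# cluster-wide on purpose: the team- prefix is enforced by namespace-prefix-policy.yaml, not by RBAC`.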
@@ -1,44 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: stage-maker
- namespace: stage-maker
- labels:
- app: stage-maker
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: stage-maker
- template:
- metadata:
- labels:
- app: stage-maker
- spec:
- serviceAccountName: stage-editor
- volumes:
- - name: storage
- nfs:
- path: /volume1/docker/ontime-k8s
- server: 10.0.0.17
- containers:
- - name: stage-maker
- image: git.jwetzell.com/jwetzell/stage-maker:v0.0.18
- env:
- - name: ONTIME_HOSTNAME
- value: "ontime.jwetzell.com"
- - name: NFS_SERVER
- value: "10.0.0.17"
- - name: NFS_BASE_PATH
- value: "/volume1/docker/ontime-k8s"
- - name: STORAGE_BASE_PATH
- value: "/data"
- resources:
- limits:
- memory: "1024Mi"
- requests:
- cpu: 1000m
- memory: "512Mi"
- volumeMounts:
- - name: storage
- mountPath: "/data"
\ No newline at end of file
diff --git a/apps/stage-maker/ingress.yaml b/apps/stage-maker/ingress.yaml
deleted file mode 100644
index 699d13d..0000000
--- a/apps/stage-maker/ingress.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: stage-maker-ingress
- namespace: stage-maker
-spec:
- ingressClassName: nginx
- rules:
- - host: ontime.jwetzell.com
- http:
- paths:
- - path: /api/v1/stage
- pathType: Prefix
- backend:
- service:
- name: stage-maker-service
- port:
- number: 3000
diff --git a/apps/stage-maker/kustomization.yaml b/apps/stage-maker/kustomization.yaml
index 11ff0e6..7b83e20 100644
--- a/apps/stage-maker/kustomization.yaml
+++ b/apps/stage-maker/kustomization.yaml
@@ -1,9 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - namespace.yaml
- - deployment.yaml
- - ingress.yaml
 - cluster-role-binding.yaml
+ - namespace-prefix-policy.yaml
+ - namespace.yaml
 - service-account.yaml
- - service.yaml
diff --git a/apps/stage-maker/namespace-prefix-policy.yaml b/apps/stage-maker/namespace-prefix-policy.yaml
new file mode 100644
index 0000000..97d63c1
--- /dev/null
+++ b/apps/stage-maker/namespace-prefix-policy.yaml
@@ -0,0 +1,31 @@
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: "force-ns-prefix-for-stage-editor"
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["namespaces"]
+ matchConditions:
+ - name: 'only-stage-editor'
+ value: "request.userInfo.username == 'system:serviceaccount:stage-maker:stage-editor'"
+ validations:
+ - expression: "object.metadata.namespace.startsWith('team-')"
+ message: "All namespace requests by stage-editor must start with 'team-'"
+---
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: "force-ns-prefix-for-stage-editor-binding"
+spec:
+ policyName: "force-ns-prefix-for-stage-editor"
+ matchResources:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["namespaces"]
\ No newline at end of file
diff --git a/apps/stage-maker/service.yaml b/apps/stage-maker/service.yaml
deleted file mode 100644
index 13ae807..0000000
--- a/apps/stage-maker/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: stage-maker-service
- namespace: stage-maker
-spec:
- selector:
- app: stage-maker
- ports:
- - protocol: "TCP"
- port: 3000
- targetPort: 3000
- name: web
-
-
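Review bot: The validation in the new ValidatingAdmissionPolicy reads `object.metadata.namespace`, but Namespace objects are cluster-scoped and carry no `metadata.namespace`; the field that holds the name being created is `metadata.name`, so the rule should be `- expression: "object.metadata.name.startsWith('team-')"`. As written, an unset field most likely makes the CEL expression error at evaluation time, and with `failurePolicy: Fail` that rejects every matched request, so the policy would block `stage-editor` from creating any namespace rather than enforce the prefix — worth confirming against a test cluster before relying on it. The `matchConditions` entry also uses `value:` where the API field is `expression:`; with strict field validation the manifest is rejected outright, and with the unknown field dropped the condition has no expression and the policy still fails to apply, so it should read `- name: 'only-stage-editor'` followed by `expression: "request.userInfo.username == 'system:serviceaccount:stage-maker:stage-editor'"`. Finally, `admissionregistration.k8s.io/v1alpha1` requires the alpha API and feature gate to be enabled on the API server; on a 1.30+ cluster the GA `v1` version is available, and moving to it also requires `validationActions: ["Deny"]` on the binding, which the current `v1alpha1` binding does not carry.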