Skip to content

konflux-ci/namespace-lister

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Namespace-Lister

The Namespace-Lister is a simple REST Server that implements the endpoint /api/v1/namespaces. It returns the list of Kubernetes namespaces the user has get access on.

Requests Authentication

Requests authentication is out of scope. Another component (e.g. a reverse proxy) is required to implement authentication.

The Namespace-Lister will retrieve the user information from an HTTP Header. It is possible to declare which Header to use via Environment Variables.

How it builds the reply

For performance reasons, the Namespace-Lister caches Namespaces, Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings and performs in-memory authorization.

For each request it loops on all existing Namespaces and returns the namespaces on which the user has get access to. To grant get access to a Namespace to a user, a ClusterRole or a Role can be used together with a RoleBinding.

In the following an example using a ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-get
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: user-access
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: namespace-get
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: user

Try

The easiest way of trying this component locally is using make -C acceptance prepare. This command will build the image, create the Kind cluster, load the image in it, and deploy all needed components.

You will find a valid kubeconfig that you can use in /tmp/namespace-lister-acceptance-tests-user.kcfg. To access the namespace-lister you need to target the url https://localhost:10443 and skip TLS verification.

KUBECONFIG=/tmp/namespace-lister-acceptance-tests-user.kcfg kubectl get namespaces --server=https://localhost:10443 --insecure-skip-tls-verify

Take a look at the Tests section for more info.

Tests

Acceptance tests are implemented in the acceptance folder.

Behavior-Driven Development is enforced through godog. You can find the specification of the implemented Features at in the acceptance/features folder.

They rely on kind and can be executed by just running the following commands:

make -C acceptance prepare # required just the first time
make -C acceptance test
  • prepare will build the image, create the Kind cluster, load the image in it, and deploy all needed components.
  • test will run the tests on the provisioned infrastructure

Proxy

The prepare target will deploy an NGINX Proxy that is in charge of authenticating user requests. The proxy forwards the /api/v1/namespaces ones to the Namespace-Lister and the others to the Kubernetes APIServer.

To forward authentication details to the API Server, a token is required from the user. This means that the default certificate-based authentication is not supported.

The test preparation phase creates a ServiceAccount and binds it to the cluster-admin role. Finally, a kubeconfig is generated for this ServiceAccount and stored at /tmp/namespace-lister-acceptance-tests-user.kcfg.

Token validation is not implemented in the NGINX as it is not required in this setup. This means that any request to /api/v1/namespaces will just work, the only required field is the Impersonate-User Header.

In other words, the following command will work:

curl -sk -X GET https://localhost:10443/api/v1/namespaces -H 'Impersonate-User: any-user-i-like'

The other requests will be forwarded to the Kubernetes APIServer that will validate them.

About

No description, website, or topics provided.

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published