Skip to content

Provisions a ready to use Kubernetes Namespace including Limit Range, RBAC Service Accounts, Network Policies and more

License

Notifications You must be signed in to change notification settings

goci-io/k8s-namespace-provisioning

Repository files navigation

k8s-namespace-provisioning

terraform

This Terraform Module provisions a ready to use Kubernetes Namespace with Docker Registry Secrets, Resource-Quotas and Limit Ranges, as well as additional Service Accounts, Roles and RoleBindings. You can also restrict Ingress- and Egress Traffic to and from Namespaces as well as CIDRs. It can also allow Access to your Pod Security Policies

Usage

Look into the terraform.tfvars example file or find more variables in the variables.tf.

module "namespace" {
  source     = "git::https://github.com/goci-io/k8s-namespace-provisioning.git?ref=tags/<latest-version>"
  namespace  = "goci"
  stage      = "staging"
  attributes = ["team"]
  name       = "sub-org"
  max_cpu    = "600m"
  max_memory = "728Mi"
  max_pods   = 50 // hard limit
  image_pull_secrets = {
    "secret-1" = "docker config file",
    "secret-2" = "docker config file"
  }
}

Verify

Verify the namespace by running kubectl describe ns <namespace>-<stage>-<name>-<attributes>

Pod Security Policy

Pod Security Policies can be used to add an additional Layer of Security to your Namespaces, preventing unauthorized people to create Pods with dangerous settings. This module does not create a Pod Security Policy for you as it is a global Cluster Resource. You need to provide a non empty value to pod_security_policy_name to enable PSP Permissions.

By default we allow system:serviceaccounts:<namespace> to use the PSP which enables for example default Service Accounts in your Namespace, created for your Deployments to create Pods matching the criterias specified in your PSP. If you want to allow for example humans creating Pods you will need to specify corresponding RBAC policies using roles variable which creates a Role and RoleBinding.

Network Policies

Network Policies can restrict In- and Outbound Traffic. This is really useful in Multi-Tenant Clusters or in Situations where you dont fully Trust a specific Namespace. To setup Network Policies you need to enable enable_network_policies (true).

The following Options are available when configuring Network Policies:

network_policy_type (Ingress, Egress)
network_deny_all_policy (true)
network_egress_namespaces, network_egress_ip_blocks, network_egress_ports
network_ingress_namespaces, network_ingress_ip_blocks, network_ingress_ports

Example:

module "namespace" {
  ...
  enable_network_policies    = true
  network_egress_ip_blocks   = ["0.0.0.0/0"]
  network_egress_namespaces  = [{ someLabel = "value" }]
  network_ingress_namespaces = [{ someLabel = "value" }]
}

This would allow the Namespace to talk to the Internet and a Namespace labeled with someLabel containing value. Additionally it allows Namespaces with a Label of someLabel=value to send Traffic to your Namespace.

Note: Namespace Restrictions apply on Labels, not on Namespace Fields!

This Module can only apply Policies to all Pods within your Namespace. To enable fine grained Control for Apps within the created Namespace, create your own Network Policies for now.

Context

This module is used at goci.io to provision Kubernetes Namespaces for our Customers.

About

Provisions a ready to use Kubernetes Namespace including Limit Range, RBAC Service Accounts, Network Policies and more

Topics

Resources

License

Stars

Watchers

Forks

Languages