2022-09-05 09:06:08 +02:00
/ *
Copyright ( c ) Edgeless Systems GmbH
SPDX - License - Identifier : AGPL - 3.0 - only
* /
2022-06-13 16:23:19 +02:00
package resources
import (
2022-09-21 13:47:57 +02:00
"github.com/edgelesssys/constellation/v2/internal/kubernetes"
"github.com/edgelesssys/constellation/v2/internal/versions"
2022-06-13 16:23:19 +02:00
"google.golang.org/protobuf/proto"
apps "k8s.io/api/apps/v1"
k8s "k8s.io/api/core/v1"
rbac "k8s.io/api/rbac/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
2022-08-04 16:15:52 +02:00
const accessManagerNamespace = "kube-system"
2022-10-05 15:02:46 +02:00
// AccessManagerDeployment holds the configuration for the SSH user creation pods. User/Key definitions are stored in the ConfigMap, and the manager is deployed on each node by the DaemonSet.
type AccessManagerDeployment struct {
2022-08-28 15:57:08 +02:00
ConfigMap k8s . ConfigMap
ServiceAccount k8s . ServiceAccount
Role rbac . Role
RoleBinding rbac . RoleBinding
DaemonSet apps . DaemonSet
2022-06-13 16:23:19 +02:00
}
// NewAccessManagerDeployment creates a new *accessManagerDeployment which manages the SSH users for the cluster.
2022-10-05 15:02:46 +02:00
func NewAccessManagerDeployment ( sshUsers map [ string ] string ) * AccessManagerDeployment {
return & AccessManagerDeployment {
2022-06-13 16:23:19 +02:00
ServiceAccount : k8s . ServiceAccount {
TypeMeta : v1 . TypeMeta {
APIVersion : "v1" ,
Kind : "ServiceAccount" ,
} ,
ObjectMeta : v1 . ObjectMeta {
Labels : map [ string ] string {
"app.kubernetes.io/instance" : "constellation" ,
"app.kubernetes.io/name" : "constellation-access-manager" ,
"app.kubernetes.io/managed-by" : "Constellation" ,
} ,
Name : "constellation-access-manager" ,
2022-08-04 16:15:52 +02:00
Namespace : accessManagerNamespace ,
2022-06-13 16:23:19 +02:00
} ,
AutomountServiceAccountToken : proto . Bool ( true ) ,
} ,
ConfigMap : k8s . ConfigMap {
TypeMeta : v1 . TypeMeta {
APIVersion : "v1" ,
Kind : "ConfigMap" ,
} ,
ObjectMeta : v1 . ObjectMeta {
Name : "ssh-users" ,
2022-08-04 16:15:52 +02:00
Namespace : accessManagerNamespace ,
2022-06-13 16:23:19 +02:00
} ,
Data : sshUsers ,
} ,
DaemonSet : apps . DaemonSet {
TypeMeta : v1 . TypeMeta {
APIVersion : "apps/v1" ,
Kind : "DaemonSet" ,
} ,
ObjectMeta : v1 . ObjectMeta {
Name : "constellation-access-manager" ,
2022-08-04 16:15:52 +02:00
Namespace : accessManagerNamespace ,
2022-06-13 16:23:19 +02:00
Labels : map [ string ] string {
"app.kubernetes.io/instance" : "constellation" ,
"app.kubernetes.io/name" : "constellation-access-manager" ,
} ,
} ,
Spec : apps . DaemonSetSpec {
Selector : & v1 . LabelSelector {
MatchLabels : map [ string ] string {
"app.kubernetes.io/instance" : "constellation" ,
"app.kubernetes.io/name" : "constellation-access-manager" ,
} ,
} ,
Template : k8s . PodTemplateSpec {
ObjectMeta : v1 . ObjectMeta {
Labels : map [ string ] string {
"app.kubernetes.io/instance" : "constellation" ,
"app.kubernetes.io/name" : "constellation-access-manager" ,
} ,
} ,
Spec : k8s . PodSpec {
Tolerations : [ ] k8s . Toleration {
{
Key : "node-role.kubernetes.io/master" ,
Operator : k8s . TolerationOpExists ,
Effect : k8s . TaintEffectNoSchedule ,
} ,
{
Key : "node-role.kubernetes.io/control-plane" ,
Operator : k8s . TolerationOpExists ,
Effect : k8s . TaintEffectNoSchedule ,
} ,
} ,
Containers : [ ] k8s . Container {
{
Name : "pause" ,
Image : "gcr.io/google_containers/pause" ,
ImagePullPolicy : k8s . PullIfNotPresent ,
} ,
} ,
InitContainers : [ ] k8s . Container {
{
Name : "constellation-access-manager" ,
2022-07-18 12:28:02 +02:00
Image : versions . AccessManagerImage ,
2022-06-13 16:23:19 +02:00
VolumeMounts : [ ] k8s . VolumeMount {
{
Name : "host" ,
MountPath : "/host" ,
} ,
} ,
SecurityContext : & k8s . SecurityContext {
Capabilities : & k8s . Capabilities {
Add : [ ] k8s . Capability {
"SYS_CHROOT" ,
} ,
} ,
} ,
} ,
} ,
ServiceAccountName : "constellation-access-manager" ,
Volumes : [ ] k8s . Volume {
{
Name : "host" ,
VolumeSource : k8s . VolumeSource {
HostPath : & k8s . HostPathVolumeSource {
Path : "/" ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
} ,
Role : rbac . Role {
TypeMeta : v1 . TypeMeta {
APIVersion : "rbac.authorization.k8s.io/v1" ,
Kind : "Role" ,
} ,
ObjectMeta : v1 . ObjectMeta {
Labels : map [ string ] string {
"app.kubernetes.io/instance" : "constellation" ,
"app.kubernetes.io/name" : "constellation-access-manager" ,
"app.kubernetes.io/managed-by" : "Constellation" ,
} ,
Name : "constellation-access-manager" ,
2022-08-04 16:15:52 +02:00
Namespace : accessManagerNamespace ,
2022-06-13 16:23:19 +02:00
} ,
Rules : [ ] rbac . PolicyRule {
{
APIGroups : [ ] string { "" } ,
Resources : [ ] string {
"configmaps" ,
} ,
ResourceNames : [ ] string {
"ssh-users" ,
} ,
Verbs : [ ] string {
"get" ,
} ,
} ,
} ,
} ,
RoleBinding : rbac . RoleBinding {
TypeMeta : v1 . TypeMeta {
APIVersion : "rbac.authorization.k8s.io/v1" ,
Kind : "RoleBinding" ,
} ,
ObjectMeta : v1 . ObjectMeta {
Labels : map [ string ] string {
"app.kubernetes.io/instance" : "constellation" ,
"app.kubernetes.io/name" : "constellation-access-manager" ,
"app.kubernetes.io/managed-by" : "Constellation" ,
} ,
Name : "constellation-access-manager" ,
2022-08-04 16:15:52 +02:00
Namespace : accessManagerNamespace ,
2022-06-13 16:23:19 +02:00
} ,
RoleRef : rbac . RoleRef {
APIGroup : "rbac.authorization.k8s.io" ,
Kind : "Role" ,
Name : "constellation-access-manager" ,
} ,
Subjects : [ ] rbac . Subject {
{
Kind : "ServiceAccount" ,
Name : "constellation-access-manager" ,
2022-08-04 16:15:52 +02:00
Namespace : accessManagerNamespace ,
2022-06-13 16:23:19 +02:00
} ,
} ,
} ,
}
}
// Marshal marshals the access-manager deployment as YAML documents.
2022-10-05 15:02:46 +02:00
func ( c * AccessManagerDeployment ) Marshal ( ) ( [ ] byte , error ) {
2022-08-29 14:30:20 +02:00
return kubernetes . MarshalK8SResources ( c )
2022-06-13 16:23:19 +02:00
}