basic webhook server and user management

https/launch.sh

+#!/usr/bin/bash
+#openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
+#openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
+python3 -m venv .
+source ./bin/activate
+pip3 install -r requirements.txt 
+python3/server.flask.py

https/requirements.txt

+Flask==3.0.3

https/server.flask.py

+# openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=172.29.7.11" -out server.csr
+# openssl x509 -req -extfile <(printf "subjectAltName=DNS:172.29.7.11,IP:172.29.7.11") -days 365 -in server.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out server.crt
+# python3 -m venv ~/https
+# source ~/https/bin/activate
+# pip3 install -r requirements.txt 
+
+from flask import Flask, request, jsonify
+app = Flask(__name__)
+
+@app.route("/namespace", methods = ['GET', 'POST'])
+
+def hello():
+    print (request.json)
+    uid = request.json['request']['uid']
+    ns = request.json['request']['name']
+    operation = request.json['request']['operation']
+    username = request.json['request']['userInfo']['username']
+    groups = request.json['request']['userInfo']['groups']
+
+    if "SLICES-RI" not in groups:
+        print ("skip check")
+        msg = { "apiVersion": "admission.k8s.io/v1",
+             "kind": "AdmissionReview",
+             "response": {
+                "uid": f"{uid}",
+                "allowed": True
+            }
+        }
+        return msg
+
+
+    if not ns.startswith(username):
+        if operation == "CREATE":
+            msg = {
+                "apiVersion": "admission.k8s.io/v1",
+                "kind": "AdmissionReview",
+                "response": {
+                    "uid": f"{uid}",
+                    "allowed": False,
+                    "status": {
+                        "code": 403,
+                        "message": f"Invalid namespace, your namsespace must be of the form '{username}-*'"
+                    }
+                }
+            }
+        elif operation == "DELETE":
+            msg = {
+                "apiVersion": "admission.k8s.io/v1",
+                "kind": "AdmissionReview",
+                "response": {
+                    "uid": f"{uid}",
+                    "allowed": False,
+                    "status": {
+                        "code": 403,
+                        "message": f"Invalid namespace, your namsespace to delete  must be of the form '{username}-*'"
+                    }
+                }
+            }
+    else:
+        msg = { "apiVersion": "admission.k8s.io/v1",
+             "kind": "AdmissionReview",
+             "response": {
+                "uid": f"{uid}",
+                "allowed": True
+            }
+        }
+        print ("Should install everything in the ns {}".format(ns))
+    print (request.remote_addr)
+    return msg
+
+if __name__ == "__main__":
+    app.run(host='0.0.0.0', port=8000, ssl_context=('server.crt', 'server.key'))

k8s/add_user.sh

+#!/usr/bin/bash
+USERNAME=pos1
+GROUP=SLICES-RI
+DURATION=7 # in days
+#######API_SERVER_ENDPOINT="https://172.29.7.62:6443"
+CLUSTER_NAME="vwall-production"
+
+DIR=RBAC
+
+USER_KEY=$DIR/$USERNAME/$USERNAME.key
+USER_CSR=$DIR/$USERNAME/$USERNAME.csr
+USER_CRT=$DIR/$USERNAME/$USERNAME.crt
+K8S_SIGN_REQUEST=$DIR/$USERNAME/${USERNAME}_k8s_sign_request.yaml
+
+EXPIRATION_SECONDS=$(( $DURATION * 3600 * 24))
+
+mkdir -p $DIR/$USERNAME
+
+echo "Create private key"
+openssl genrsa -out $USER_KEY 2048
+
+echo "Create CSR"
+openssl req -new -key $USER_KEY -out $USER_CSR -subj "/CN=$USERNAME/O=${GROUP}"
+
+request=$(cat $USER_CSR | base64 | tr -d "\n")
+
+echo "Generate k8s sign request"
+cat > $K8S_SIGN_REQUEST <<EOF
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: $USERNAME
+spec:
+  request: $request
+  signerName: kubernetes.io/kube-apiserver-client
+  expirationSeconds: $EXPIRATION_SECONDS
+  usages:
+  - client auth
+EOF
+
+echo "Submit k8s sign request"
+kubectl apply -f $K8S_SIGN_REQUEST
+
+echo "Validate the request"
+kubectl certificate approve $USERNAME
+
+echo "Obtain the certificate"
+kubectl get csr $USERNAME -o jsonpath='{.status.certificate}'| base64 -d > $USER_CRT
+
+
+echo "Create the roles"
+kubectl create clusterrole createNamespaces --verb="create" --resource=namespaces
+kubectl create clusterrole deleteNamespaces --verb="delete" --resource=namespaces
+
+echo "Bind the roles to the user"
+kubectl create clusterrolebinding $USERNAME-createNamespaces-binding --clusterrole=createNamespaces --user=$USERNAME
+kubectl create clusterrolebinding $USERNAME-deleteNamespaces-binding --clusterrole=deleteNamespaces --user=$USERNAME
+
+echo "Add user and context to kubeconfig"
+kubectl config set-credentials $USERNAME --client-key=$USER_KEY --client-certificate=$USER_CRT --embed-certs=true
+kubectl config set-context $USERNAME --cluster=$CLUSTER_NAME --user=$USERNAME

k8s/webhook.sh

+cat <<EOF > webhook.yaml
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: my-webhook
+webhooks:
+- name: my-webhook.example.org
+  clientConfig:
+    url: "https://172.29.7.11:8000/namespace"
+    caBundle: $(sudo cat /etc/kubernetes/pki/ca.crt | base64|tr -d "\n")
+  rules:
+  - operations: ["CREATE", "DELETE"]
+    apiGroups: [""] 
+    apiVersions: ["v1"]
+    resources: ["namespaces"]
+  admissionReviewVersions: ["v1"]
+  timeoutSeconds: 5
+  sideEffects: NoneOnDryRun
+EOF
+
+kubectl create -f webhook.yaml