From e71e5a35300e7f934e86de1ebb24b466cbda803d Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 15 Aug 2021 01:19:03 +0200
Subject: [PATCH] feat(namespace-configuration): Add operator for namespace
management
This patch enables the namespace-configuration-operator, which allows
to deploy object template into all namespaces matching a selector,
making it very useful for management of basic namespace infrastructure.
It also enforces the existence of these objects.
---
infrastructure/kustomization.yaml | 2 +
.../kustomization.yaml | 7 +++
.../namespace-configuration/namespace.yaml | 4 ++
.../network-policy.yaml | 52 +++++++++++++++++++
.../namespace-configuration/subscription.yaml | 10 ++++
infrastructure/postgres/kustomization.yaml | 1 +
.../user-namespace-network-policy.yaml | 25 +++++++++
7 files changed, 101 insertions(+)
create mode 100644 infrastructure/namespace-configuration/kustomization.yaml
create mode 100644 infrastructure/namespace-configuration/namespace.yaml
create mode 100644 infrastructure/namespace-configuration/network-policy.yaml
create mode 100644 infrastructure/namespace-configuration/subscription.yaml
create mode 100644 infrastructure/postgres/user-namespace-network-policy.yaml
diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 85e25e9ba..7cb063434 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -3,6 +3,8 @@ kind: Kustomization
resources:
- sources
- rook
+ - namespace-configuration
- postgres
- openshift-monitoring
- cert-manager
+
diff --git a/infrastructure/namespace-configuration/kustomization.yaml b/infrastructure/namespace-configuration/kustomization.yaml
new file mode 100644
index 000000000..d18e9d5e1
--- /dev/null
+++ b/infrastructure/namespace-configuration/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: zalando-postgres
+resources:
+- namespace.yaml
+- subscription.yaml
+- network-policy.yaml
diff --git a/infrastructure/namespace-configuration/namespace.yaml b/infrastructure/namespace-configuration/namespace.yaml
new file mode 100644
index 000000000..72846f8f3
--- /dev/null
+++ b/infrastructure/namespace-configuration/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: namespace-configuration-operator
diff --git a/infrastructure/namespace-configuration/network-policy.yaml b/infrastructure/namespace-configuration/network-policy.yaml
new file mode 100644
index 000000000..963ab704b
--- /dev/null
+++ b/infrastructure/namespace-configuration/network-policy.yaml
@@ -0,0 +1,52 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: NamespaceConfig
+metadata:
+ name: default-networkpolicy
+spec:
+ annotationSelector:
+ matchExpressions:
+ - operator: Exists
+ key: "openshift.io/requester"
+ templates:
+ - objectTemplate: |
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-same-namespace
+ namespace: {{ .Name }}
+ spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - podSelector: {}
+
+ - objectTemplate: |
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-openshift-ingress
+ namespace: {{ .Name }}
+ spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ network.openshift.io/policy-group: ingress
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - objectTemplate: |
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-openshift-monitoring
+ namespace: {{ .Name }}
+ spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ network.openshift.io/policy-group: monitoring
+ podSelector: {}
+ policyTypes:
+ - Ingress
diff --git a/infrastructure/namespace-configuration/subscription.yaml b/infrastructure/namespace-configuration/subscription.yaml
new file mode 100644
index 000000000..43216076b
--- /dev/null
+++ b/infrastructure/namespace-configuration/subscription.yaml
@@ -0,0 +1,10 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: namespace-configuration-operator
+ namespace: namespace-configuration-operator
+spec:
+ channel: alpha
+ name: namespace-configuration-operator
+ source: community-operators
+ sourceNamespace: openshift-marketplace
diff --git a/infrastructure/postgres/kustomization.yaml b/infrastructure/postgres/kustomization.yaml
index 4a2392914..dd7e5f88d 100644
--- a/infrastructure/postgres/kustomization.yaml
+++ b/infrastructure/postgres/kustomization.yaml
@@ -4,3 +4,4 @@ namespace: zalando-postgres
resources:
- namespace.yaml
- release.yaml
+ - user-namespace-network-policy.yaml
diff --git a/infrastructure/postgres/user-namespace-network-policy.yaml b/infrastructure/postgres/user-namespace-network-policy.yaml
new file mode 100644
index 000000000..fa2530518
--- /dev/null
+++ b/infrastructure/postgres/user-namespace-network-policy.yaml
@@ -0,0 +1,25 @@
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: NamespaceConfig
+metadata:
+ name: user-namespaces-network-policy-zalando-postgres
+spec:
+ annotationSelector:
+ matchExpressions:
+ - operator: Exists
+ key: "openshift.io/requester"
+ templates:
+ - objectTemplate: |
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-from-zalando-postgres
+ namespace: {{ .Name }}
+ spec:
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: zalando-postgres
+ podSelector: {}
+ policyTypes:
+ - Ingress
--
GitLab