

Unified bootstrap script with everything in one script, opt-in portio…
…ns are handled by hook.env. Reduces duplicate scripting logic and ensures fewer executions of kubectl
treydock committed Mar 19, 2021
1 parent 2372299 commit 719859b
Showing 5 changed files with 34 additions and 77 deletions.
2 changes: 2 additions & 0 deletions hooks/hook.env.example
Expand Up @@ -6,3 +6,5 @@ CLIENT_ID="changeme"
CLIENT_SECRET="changeme"
IMAGE_PULL_SECRET=""
REGISTRY_DOCKER_CONFIG_JSON="/some/path/to/docker/config.json"
USE_POD_SECURITY_POLICY=false
USE_JOB_POD_REAPER=false
41 changes: 0 additions & 41 deletions hooks/k8s-bootstrap-job-pod-reaper.sh

This file was deleted.

17 changes: 17 additions & 0 deletions hooks/k8s-bootstrap-ondemand.sh
Expand Up @@ -29,6 +29,23 @@ envsubst < "${YAML_DIR}/namespace.yaml" > "$TMPFILE"
envsubst < "${YAML_DIR}/network-policy.yaml" >> "$TMPFILE"
envsubst < "${YAML_DIR}/rolebinding.yaml" >> "$TMPFILE"

if $USE_POD_SECURITY_POLICY ; then
PASSWD=$(getent passwd "$ONDEMAND_USERNAME")
if ! [[ "$PASSWD" =~ "${ONDEMAND_USERNAME}:"* ]]; then
echo "level=error msg=\"Unable to perform lookup of user\" user=$ONDEMAND_USERNAME"
exit 1
fi
UID=$(echo "$PASSWD" | cut -d':' -f3)
GID=$(echo "$PASSWD" | cut -d':' -f4)
export USER_UID=$UID
export USER_GID=$GID
envsubst < "${YAML_DIR}/pod-security-policy.yaml" >> "$TMPFILE"
fi

if $USE_JOB_POD_REAPER ; then
envsubst < "${YAML_DIR}/job-pod-reaper.yaml" >> "$TMPFILE"
fi

kubectl apply -f "$TMPFILE"
rm -f "$TMPFILE"

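Review bot: `UID=$(echo "$PASSWD" | cut -d':' -f3)` inside the USE_POD_SECURITY_POLICY branch assigns to bash's read-only `UID` variable, so the assignment fails with "UID: readonly variable" and, if the script runs under `set -e` (its header is outside this hunk), likely aborts; without `set -e` the following `export USER_UID=$UID` exports the uid of the account running the hook rather than the looked-up user's, which is the value the generated pod-security-policy.yaml restricts pods to. The removed hooks/k8s-bootstrap-pod-security-policy.sh assigned `USER_UID`/`USER_GID` directly, and that form should be kept here: `USER_UID=$(cut -d':' -f3 <<<"$PASSWD")`, `USER_GID=$(cut -d':' -f4 <<<"$PASSWD")`, `export USER_UID USER_GID`. Separately, `if $USE_POD_SECURITY_POLICY ; then` (and the `if $USE_JOB_POD_REAPER` test below it) executes the variable's value as a command, so a hook.env written before this commit that leaves the variable unset expands to an empty command whose status is 0 (unless `set -u` is in effect), enabling the branch instead of skipping it; `if [[ "${USE_POD_SECURITY_POLICY:-false}" == "true" ]]; then` keeps the opt-in default and stops non-boolean values from being run as commands.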
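--- /dev/null
+++ b/hooks/k8s-bootstrap/job-pod-reaper.yaml
@@ -0,0 +1,15 @@
+---
+# allow job-pod-reaper to see this namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: "$ONDEMAND_USERNAME-job-pod-reaper-rolebinding"
+namespace: "$NAMESPACE"
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: job-pod-reaper
+subjects:
+- kind: ServiceAccount
+name: job-pod-reaper
+namespace: job-pod-reaper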
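Review bot: The header comment `# allow job-pod-reaper to see this namespace` does not state the precondition this manifest relies on: the ClusterRole `job-pod-reaper` named in roleRef and the ServiceAccount `job-pod-reaper` in namespace `job-pod-reaper` must already exist, since nothing in this commit creates them and the API server accepts a RoleBinding whose roleRef names a missing ClusterRole without error, leaving the binding inert. I would extend the comment to something like `# requires the cluster-wide job-pod-reaper ClusterRole and its ServiceAccount (job-pod-reaper/job-pod-reaper) to exist; applied only when USE_JOB_POD_REAPER=true in hook.env`. Noting what the ClusterRole grants (it is defined elsewhere) would also let reviewers judge what access each user namespace hands over.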
36 changes: 0 additions & 36 deletions hooks/k8s-bootstrap-pod-security-policy.sh → hooks/k8s-bootstrap/pod-security-policy.yaml
100755 → 100644
@@ -1,32 +1,3 @@
#!/bin/bash

ONDEMAND_USERNAME="$1"
if [ "x${ONDEMAND_USERNAME}" = "x" ]; then
echo "Must specify username"
exit 1
fi
HOOK_ENV="$2"
if [ "x${HOOK_ENV}" = "x" ]; then
echo "Must specify hook.env path"
exit 1
fi

set -e

# shellcheck disable=SC1090
source "$HOOK_ENV"

TMPFILE=$(mktemp "/tmp/k8-ondemand-bootstrap-${ONDEMAND_USERNAME}.XXXXXX")
PASSWD=$(getent passwd "$ONDEMAND_USERNAME")
if ! [[ "$PASSWD" =~ "${ONDEMAND_USERNAME}:"* ]]; then
echo "level=error msg=\"Unable to perform lookup of user\" user=$ONDEMAND_USERNAME"
exit 1
fi
USER_UID=$(echo "$PASSWD" | cut -d':' -f3)
USER_GID=$(echo "$PASSWD" | cut -d':' -f4)
NAMESPACE="${NAMESPACE_PREFIX}${ONDEMAND_USERNAME}"

cat > "$TMPFILE" <<EOF
---
# the pod security policy such that you can only run pods as a single uid/gid pair
apiVersion: policy/v1beta1
Expand Down Expand Up @@ -103,10 +74,3 @@ subjects:
kind: User
name: "$ONDEMAND_USERNAME"
namespace: "$NAMESPACE"
EOF


export PATH=/usr/local/bin:/bin:$PATH
kubectl apply -f "$TMPFILE"

rm -f "$TMPFILE"
