diff --git a/hooks/hook.env.example b/hooks/hook.env.example index e4fc305ba6..106b19625f 100644 --- a/hooks/hook.env.example +++ b/hooks/hook.env.example @@ -6,3 +6,5 @@ CLIENT_ID="changeme" CLIENT_SECRET="changeme" IMAGE_PULL_SECRET="" REGISTRY_DOCKER_CONFIG_JSON="/some/path/to/docker/config.json" +USE_POD_SECURITY_POLICY=false +USE_JOB_POD_REAPER=false diff --git a/hooks/k8s-bootstrap-job-pod-reaper.sh b/hooks/k8s-bootstrap-job-pod-reaper.sh deleted file mode 100755 index cc2e228889..0000000000 --- a/hooks/k8s-bootstrap-job-pod-reaper.sh +++ /dev/null @@ -1,41 +0,0 @@ -#!/bin/bash - -ONDEMAND_USERNAME="$1" -if [ "x${ONDEMAND_USERNAME}" = "x" ]; then - echo "Must specify username" - exit 1 -fi -HOOK_ENV="$2" -if [ "x${HOOK_ENV}" = "x" ]; then - echo "Must specify hook.env path" - exit 1 -fi - -set -e - -# shellcheck disable=SC1090 -source "$HOOK_ENV" - -NAMESPACE="${NAMESPACE_PREFIX}${ONDEMAND_USERNAME}" - -TMPFILE=$(mktemp "/tmp/k8-bootstrap-job-pod-reaper-${ONDEMAND_USERNAME}.XXXXXX") -cat > "$TMPFILE" < "$TMPFILE" envsubst < "${YAML_DIR}/network-policy.yaml" >> "$TMPFILE" envsubst < "${YAML_DIR}/rolebinding.yaml" >> "$TMPFILE" +if $USE_POD_SECURITY_POLICY ; then + PASSWD=$(getent passwd "$ONDEMAND_USERNAME") + if ! [[ "$PASSWD" =~ "${ONDEMAND_USERNAME}:"* ]]; then + echo "level=error msg=\"Unable to perform lookup of user\" user=$ONDEMAND_USERNAME" + exit 1 + fi + UID=$(echo "$PASSWD" | cut -d':' -f3) + GID=$(echo "$PASSWD" | cut -d':' -f4) + export USER_UID=$UID + export USER_GID=$GID + envsubst < "${YAML_DIR}/pod-security-policy.yaml" >> "$TMPFILE" +fi + +if $USE_JOB_POD_REAPER ; then + envsubst < "${YAML_DIR}/job-pod-reaper.yaml" >> "$TMPFILE" +fi + kubectl apply -f "$TMPFILE" rm -f "$TMPFILE" diff --git a/hooks/k8s-bootstrap/job-pod-reaper.yaml b/hooks/k8s-bootstrap/job-pod-reaper.yaml new file mode 100644 index 0000000000..e7170cd028 --- /dev/null +++ b/hooks/k8s-bootstrap/job-pod-reaper.yaml 
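Review bot: `UID=$(echo "$PASSWD" | cut -d':' -f3)` in the new USE_POD_SECURITY_POLICY block assigns to bash's built-in `UID`, which is a read-only integer variable, so the assignment fails with "UID: readonly variable" rather than storing the looked-up id. If the surrounding script runs under `set -e` as the deleted helpers did, the hook aborts there; if it does not, `export USER_UID=$UID` silently exports the uid of the process running the hook, and whatever pod-security-policy.yaml substitutes `$USER_UID` into would describe the hook runner rather than the OnDemand user. The renamed script wrote to `USER_UID`/`USER_GID` directly and that should be kept (`GID` is not reserved, but renaming both keeps them symmetric). Separately, `if $USE_POD_SECURITY_POLICY ; then` executes the variable's value as a command, and on an existing hook.env that lacks the two new keys the empty command succeeds and the branch is taken, so a string comparison with an explicit default is safer. The hunk's own header and the script's `set` options are not visible here, so the `set -e` behaviour is inferred from the deleted helpers.
```shell
if [[ "${USE_POD_SECURITY_POLICY:-false}" == "true" ]]; then
  PASSWD=$(getent passwd "$ONDEMAND_USERNAME")
  # … unchanged: lookup failure check …
  # USER_UID/USER_GID, never UID: bash's UID is a read-only integer variable
  USER_UID=$(cut -d':' -f3 <<<"$PASSWD")
  USER_GID=$(cut -d':' -f4 <<<"$PASSWD")
  export USER_UID USER_GID
  envsubst < "${YAML_DIR}/pod-security-policy.yaml" >> "$TMPFILE"
fi

if [[ "${USE_JOB_POD_REAPER:-false}" == "true" ]]; then
  envsubst < "${YAML_DIR}/job-pod-reaper.yaml" >> "$TMPFILE"
fi
```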
@@ -0,0 +1,15 @@
+---
+# allow job-pod-reaper to see this namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: "$ONDEMAND_USERNAME-job-pod-reaper-rolebinding"
+ namespace: "$NAMESPACE"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: job-pod-reaper
+subjects:
+- kind: ServiceAccount
+ name: job-pod-reaper
+ namespace: job-pod-reaper
diff --git a/hooks/k8s-bootstrap-pod-security-policy.sh b/hooks/k8s-bootstrap/pod-security-policy.yaml
old mode 100755
new mode 100644
similarity index 71%
rename from hooks/k8s-bootstrap-pod-security-policy.sh
rename to hooks/k8s-bootstrap/pod-security-policy.yaml
index 3d1e833b73..b1063d03ed
--- a/hooks/k8s-bootstrap-pod-security-policy.sh
+++ b/hooks/k8s-bootstrap/pod-security-policy.yaml
@@ -1,32 +1,3 @@
-#!/bin/bash
-
-ONDEMAND_USERNAME="$1"
-if [ "x${ONDEMAND_USERNAME}" = "x" ]; then
- echo "Must specify username"
- exit 1
-fi
-HOOK_ENV="$2"
-if [ "x${HOOK_ENV}" = "x" ]; then
- echo "Must specify hook.env path"
- exit 1
-fi
-
-set -e
-
-# shellcheck disable=SC1090
-source "$HOOK_ENV"
-
-TMPFILE=$(mktemp "/tmp/k8-ondemand-bootstrap-${ONDEMAND_USERNAME}.XXXXXX")
-PASSWD=$(getent passwd "$ONDEMAND_USERNAME")
-if ! [[ "$PASSWD" =~ "${ONDEMAND_USERNAME}:"* ]]; then
- echo "level=error msg=\"Unable to perform lookup of user\" user=$ONDEMAND_USERNAME"
- exit 1
-fi
-USER_UID=$(echo "$PASSWD" | cut -d':' -f3)
-USER_GID=$(echo "$PASSWD" | cut -d':' -f4)
-NAMESPACE="${NAMESPACE_PREFIX}${ONDEMAND_USERNAME}"
-
-cat > "$TMPFILE" <
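Review bot: The comment `# allow job-pod-reaper to see this namespace` in job-pod-reaper.yaml understates the grant: a RoleBinding to ClusterRole `job-pod-reaper` gives the `job-pod-reaper` service account every verb that ClusterRole defines inside the user's namespace, and the ClusterRole's rules are not part of this change, so a reader cannot tell from here whether that is read-only. Suggest stating the actual grant, e.g. `# bind ClusterRole job-pod-reaper to the job-pod-reaper service account, scoped to this namespace; the ClusterRole's rules define what it may do here (likely more than "see")`. The bootstrap script applies this file only while USE_JOB_POD_REAPER is true, so flipping the flag back off leaves bindings already created in place; if that is intended it is worth a sentence next to the flag in hook.env.example, otherwise the hook needs a matching delete path.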