Add and enable k3s profile with namespace for jack

https://computingforgeeks.com/restrict-kubernetes-service-account-users-to-a-namespace-with-rbac/
2 years ago · 804ddfa89d
parent 157346f2db
commit 804ddfa89d
5 changed files with 117 additions and 2 deletions
--- a/etc/hiera/nodes/02.ht.cubieserver.de.yaml
+++ b/etc/hiera/nodes/02.ht.cubieserver.de.yaml
@ -43,6 +43,11 @@ profile::wireguard::conf_dir: /etc/wireguard
 profile::swarm::wg_gen_web::wireguard_conf_dir: /etc/wireguard
 profile::swarm::wg_gen_web::version: 8b4038c2

+# https://github.com/k3s-io/k3s/releases/tag/v1.21.1+k3s1
+profile::k3s::version: 'v1.21.1+k3s1'
+profile::k3s::node_labels:
+  - storage=true
+
 profile::ssh_client::authorized_keys:
  'jack@ZenBook 2018-02-27':
    ensure: present
@ -78,8 +83,17 @@ profile::packages::packages:
    ensure: present

 profile::firewall::ignore_purge:
+  # libvirt VM stuff:
  - '-i lxcbr0'
  - '-o lxcbr0'
+  - '-i virbr0'
+  - '-o virbr0'
+  - '-s 192.168.122.0/24'
+  - '-d 192.168.122.0/24'
+  # k3s stuff:
+  - '-j KUBE-*'
+  - '-s 10.42.0.0/16'
+  - '-d 10.42.0.0/16'

 profile::admin_xmpp::xmta_server_url: >
    ENC[PKCS7,MIIBqQYJKoZIhvcNAQcDoIIBmjCCAZYCAQAxggEhMIIBHQIBADAFMAACAQEw
@ -456,8 +470,8 @@ profile::mariadb::backup_dir: '/var/backups/mariadb/'
 # Hetzner DNS servers
 profile::dns::primary_dns_servers:
  - '213.133.100.100'
-  - '213.133.99.99'
-  - '2a01:4f8:0:1::add:9999'
+#  - '213.133.99.99'
+#  - '2a01:4f8:0:1::add:9999'
  - '2a01:4f8:0:1::add:1010'
 # TODO: use local DNS server cache for docker
 # profile::docker::dns: ["127.0.0.53"]
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -56,6 +56,9 @@ node '02.ht.cubieserver.de' {
  # set up notifications upon user login
  contain profile::login_notification

+  # setup k3s cluster
+  contain profile::k3s
+
  # # wireguard VPN server (without config, just setup)
  # contain profile::wireguard
 }
--- a/site/profile/manifests/k3s.pp
+++ b/site/profile/manifests/k3s.pp
@ -0,0 +1,50 @@
+class profile::k3s (
+  String $version = 'stable',
+  Array[String] $node_labels = [],
+  ) {
+
+  exec { 'download k3s installer':
+    command => '/usr/bin/curl -o /opt/k3s-install.sh https://get.k3s.io',
+    creates => '/opt/k3s-install.sh',
+    timeout => 10,
+  }
+
+  file { '/etc/k3s-config.yaml':
+    ensure  => present,
+    content => template('profile/k3s-config.yaml.erb'),
+  }
+
+  exec { 'ensure k3s is installed':
+    path        => '/usr/local/bin:/usr/bin:/bin',
+    provider    => shell,
+    command     => 'bash /opt/k3s-install.sh -c /etc/k3s-config.yaml --no-deploy traefik',
+    environment => ["INSTALL_K3S_VERSION=${version}"],
+    unless      => "k3s --version | grep 'k3s version ${version}'",
+    timeout     => 60,
+  }
+
+  firewall { '100 allow kubernetes control plane traffic from external':
+    dport  => 6443,
+    proto  => tcp,
+    action => accept,
+  }
+
+  # create cluster definitions directory
+  file { '/etc/k8s-applies/':
+    ensure => directory,
+    mode   => '0750',
+  }
+
+  # setup jacks namespace
+  file { '/etc/k8s-applies/jack.yaml':
+    ensure  => present,
+    content => template('profile/k8s/jack.yaml'),
+    require => File['/etc/k8s-applies'],
+  }
+
+  exec { 'apply cluster definitions':
+    command => '/usr/local/bin/k3s kubectl apply -R -f /etc/k8s-applies/ --wait',
+    require => File['/etc/k8s-applies'],
+  }
+
+}
--- a/site/profile/templates/k3s-config.yaml.erb
+++ b/site/profile/templates/k3s-config.yaml.erb
@ -0,0 +1,11 @@
+# This file is managed by Puppet
+---
+disable-cloud-controller: true
+tls-san:
+  - "02.ht.cubieserver.de"
+<% if @node_labels.length != 0 -%>
+node-label:
+<% @node_labels.each do |labels| -%>
+  - '<%= labels %>'
+<% end -%>
+<% end -%>
--- a/site/profile/templates/k8s/jack.yaml
+++ b/site/profile/templates/k8s/jack.yaml
@ -0,0 +1,37 @@
+# This file is managed by Puppet
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jack
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jack-sa
+  namespace: jack
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jack-role
+  namespace: jack
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: jack-rb
+  namespace: jack
+subjects:
+  - kind: ServiceAccount
+    name: jack-sa
+    namespace: jack
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jack-role
+---