Creates a namespace owned by the logged-in user
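---
# OpenUnison Workflow: derive a namespace name from the authenticated user's
# uid, create an admin group for it, add the user to that group, then create
# the Namespace and a RoleBinding granting the group the "admin" ClusterRole.
apiVersion: openunison.tremolo.io/v1
kind: Workflow
metadata:
  name: create-user-namespace
  namespace: openunison
  labels:
    app.kubernetes.io/name: openunison
    app.kubernetes.io/instance: openunison-orchestra
    app.kubernetes.io/component: openunison-workflows
    app.kubernetes.io/part-of: openunison
spec:
  description: JIT - Generate User Namespace
  inList: false
  label: JIT - Generate User Namespace
  orgId: 687da09f-8ec1-48ac-b035-f2f182b9bd1e
  dynamicConfiguration:
    dynamic: false
    className: ""
    params: []
  # tasks is a block scalar: the task list below is stored as a string and
  # parsed as YAML by OpenUnison, so its indentation is relative to this key.
  tasks: |-
    # Map the user's uid to something that can be used
    # as a namespace
    - taskType: customTask
      className: com.tremolosecurity.provisioning.customTasks.JavaScriptTask
      params:
        javaScript: |-
          // Maps the user's uid to a namespace name made of lowercase
          // alphanumerics and '-', stored in the request as "namespaceName".
          // Only System is used below; the other Java.type bindings are unused.
          System = Java.type("java.lang.System");
          DN = Java.type("com.novell.ldap.util.DN");
          Attribute = Java.type("com.tremolosecurity.saml.Attribute");
          SetupGroupMetadataWatch = Java.type("com.tremolosecurity.proxy.filters.SetupGroupMetadataWatch");
          HashMap = Java.type("java.util.HashMap");
          function init(task,params) {
            // nothing to do
          }
          function reInit(task) {
            // do nothing
          }
          function doTask(user,request) {
            uid = user.getAttribs().get("uid").getValues().get(0);
            var namespaceName = "";
            // Alphanumerics pass through; a leading/trailing '-' and every other
            // character are escaped as x-<charCode>-x so the name cannot start
            // or end with '-'. No length check is applied here.
            // NOTE(review): Kubernetes namespace names are limited to 63
            // characters; long or heavily escaped uids (e.g. email-style uids)
            // may be rejected by the CreateK8sObject task below — confirm.
            for (var i=0;i<uid.length;i++) {
              var c = uid.charAt(i);
              if ( ((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || ((c >= '0') && (c <= '9')) ) {
                namespaceName = namespaceName + c;
              } else if (c == '-') {
                if (i == 0 || i == (uid.length - 1)) {
                  namespaceName = namespaceName + 'x-' + c.charCodeAt(0) + '-x';
                } else {
                  namespaceName = namespaceName + c;
                }
              } else {
                namespaceName = namespaceName + 'x-' + c.charCodeAt(0) + '-x';
              }
            }
            // NOTE(review): case is folded after escaping, so uids that differ
            // only in case (e.g. "Bob" and "bob") map to the same namespace and
            // the same admin group. Confirm uids are case-insensitive upstream,
            // otherwise two distinct users could share one namespace.
            namespaceName = "user-ns-" + namespaceName.toLowerCase();
            request.put("namespaceName",namespaceName);
            return true;
          }
    # create the group that will have admin access to the new namespace
    - taskType: customTask
      className: com.tremolosecurity.provisioning.customTasks.AddGroupToStore
      params:
        target: jitdb
        name: k8s-namespace-administrators-k8s-$namespaceName$
        attributes:
          - unison.group.create.sql=INSERT INTO localGroups (name,description) VALUES (?,?)
          - unison.group.create.param.2=View kubernetes namespace $namespaceName$
    # add the admin group to the logged in user
    - taskType: addGroup
      name: k8s-namespace-administrators-k8s-$namespaceName$
    # provision the new group to the user
    - taskType: provision
      sync: false
      target: jitdb
      setPassword: false
      onlyPassedInAttributes: true
      attributes:
        - sub
    # Create the namespace, this is an idempotent operation
    - taskType: customTask
      className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
      params:
        targetName: k8s
        # The name is quoted so a digit-only result is not retyped by the parser
        template: |-
          kind: Namespace
          apiVersion: v1
          metadata:
            name: "$namespaceName$"
            labels:
              name: "$namespaceName$"
        kind: Namespace
        url: /api/v1/namespaces
        srcType: yaml
    # create the RoleBinding, this is an idempotent operation
    # The subject group name must match the group created by AddGroupToStore above.
    - taskType: customTask
      className: com.tremolosecurity.provisioning.tasks.CreateK8sObject
      params:
        targetName: k8s
        template: |-
          kind: RoleBinding
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: admins-binding
            namespace: "$namespaceName$"
          subjects:
            - kind: Group
              name: k8s-namespace-administrators-k8s-$namespaceName$
              apiGroup: rbac.authorization.k8s.io
          roleRef:
            kind: ClusterRole
            name: admin
            apiGroup: rbac.authorization.k8s.io
        kind: RoleBinding
        url: /apis/rbac.authorization.k8s.io/v1/namespaces/$namespaceName$/rolebindings
        srcType: yaml
    # refresh the user's internal authenticated object
    - taskType: resync
      keepExternalAttrs: false
      changeRoot: true
      newRoot: o=Tremolo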