Name: k8s-namespace-guard
Owner: Yahoo Inc.
Description: K8s - Admission controller for guarding namespace
Created: 2017-11-01 16:54:42.0
Updated: 2018-05-16 09:50:29.0
Pushed: 2017-11-10 17:54:49.0
Size: 12
Language: Go
k8s-namespace-guard provides an admission control policy that safeguards against accidental deletion of cluster namespaces.
This is implemented as an External Admission Webhook with the k8s-namespace-guard service running as a deployment on each cluster.
The webhook is configured to send admission review requests for DELETE operations on namespace
resources to the k8s-namespace-guard service.
The k8s-namespace-guard service listens on an HTTPS port. On receiving such a request, it lists the workload resources defined under that namespace.
The DELETE operation is allowed to proceed only when the namespace does NOT contain such workload resources.
The following resources are currently checked for existence:
The k8s-namespace-guard policy implementation requires that the resources listed above be deleted from the namespace before the namespace itself can be removed.
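The decision described above, sketched as an added example (not the project's own code): it decodes the review request, denies a namespace DELETE while workloads remain, and fails closed if the lookup errors. The admission.k8s.io/v1 JSON field names, the `Respond` function and the `count` lookup are assumptions; `admitAll` mirrors the flag documented on this page, and the HTTPS listener is omitted.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the AdmissionReview JSON; admission.k8s.io/v1 field names are assumed.
type Request struct {
	UID       string `json:"uid"`
	Operation string `json:"operation"`
	Name      string `json:"name"` // name of the namespace being deleted
}
type Response struct {
	UID     string            `json:"uid"`
	Allowed bool              `json:"allowed"`
	Status  map[string]string `json:"status,omitempty"`
}
type Review struct {
	APIVersion string    `json:"apiVersion"`
	Kind       string    `json:"kind"`
	Request    *Request  `json:"request,omitempty"`
	Response   *Response `json:"response,omitempty"`
}

// Respond turns the AdmissionReview the apiserver POSTs into the reply body.
// count is a hypothetical lookup of workload resources left in the namespace.
func Respond(body []byte, count func(ns string) (int, error), admitAll bool) ([]byte, error) {
	var rv Review
	if err := json.Unmarshal(body, &rv); err != nil || rv.Request == nil {
		return nil, fmt.Errorf("malformed or empty AdmissionReview (decode error: %v)", err)
	}
	resp := &Response{UID: rv.Request.UID, Allowed: true}
	if !admitAll && rv.Request.Operation == "DELETE" {
		if n, err := count(rv.Request.Name); err != nil { // fail closed on lookup errors
			resp.Allowed, resp.Status = false, map[string]string{"message": "workload lookup failed: " + err.Error()}
		} else if n > 0 {
			resp.Allowed, resp.Status = false, map[string]string{"message": fmt.Sprintf("namespace %q still has %d workload resources", rv.Request.Name, n)}
		}
	}
	rv.Request, rv.Response = nil, resp
	return json.Marshal(rv)
}

func main() {
	in := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"constructed-uid","operation":"DELETE","name":"team-a"}}`
	out, err := Respond([]byte(in), func(string) (int, error) { return 3, nil }, false) // constructed: 3 workloads remain
	fmt.Println(string(out), err)
}
```

Whether a webhook that cannot be reached blocks or admits the deletion is decided by the webhook registration on the apiserver, not by this handler.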
go build -i -o k8s-namespace-guard
env GOOS=linux GOARCH=amd64 go build -i -o k8s-namespace-guard
./k8s-namespace-guard
gofmt -w *.go
E:
admitAll bool True to admit all namespace deletions without validation. (default false)
certFile string The cert file for the https server. (default "/var/lib/kubernetes/kubernetes.pem")
clientAuth bool True to verify client cert/auth during TLS handshake. (default false)
clientCAFile string The cluster root CA that signs the apiserver cert (default "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
keyFile string The key file for the https server. (default "/var/lib/kubernetes/kubernetes-key.pem")
logFile string Log file name and full path. (default "/var/log/nslifecycle.log")
logLevel string The log level. (default "info")
port string Server port. (default "443")
Copyright 2017 Yahoo Holdings Inc. Licensed under the terms of the 3-Clause BSD License.