
toolforge: introduce some logic to backfill maintain-kubeuser resources (like per-tool kyverno policies)
Open, Medium, Public

Description

In the context of T279110: [infra] Replace PodSecurityPolicy in Toolforge Kubernetes, we need to create some mechanism that can backfill existing tools with the new kyverno policies. Otherwise, maintain-kubeusers will only create them for new accounts.

Since this is a problem we have had in the past, and will have every time we change the maintain-kubeusers resources, we could make such a mechanism generic.

See also:

Event Timeline

aborrero triaged this task as Medium priority. Mon, May 6, 2:11 PM
aborrero created this task.
aborrero moved this task from Backlog to Next on the User-aborrero board.
aborrero moved this task from Backlog to Ready to be worked on on the Toolforge board.

We can have maintain-kubeusers inject a couple of labels into all resources:

  • app.kubernetes.io/managed-by: maintain-kubeusers
  • toolforge.org/maintain-kubeusers-git-id: 5bf5e0447b258c3925d248509c5f9c250d2d85d3

Both a missing namespace and a namespace with the wrong git-id are triggers for maintain-kubeusers to operate.

This means that when we deploy a new version of maintain-kubeusers, it will loop at least once over all tool account namespaces to:

  • query for all namespaced objects that match the first label, but not the second, which is an indication of a resource that needs to be refreshed/recreated.
  • add maybe-missing resources (new with this git-id)
  • remove maybe-leftover resources (no longer tracked in this git-id)
  • refresh the git-id in the namespace resource.
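As an added example (not maintain-kubeusers' own code, and not taken from the merge request linked below): a pure-Python model of the reconcile pass sketched in the comment above. Namespaces and namespaced objects are plain dataclasses instead of Kubernetes API calls, so it runs offline. The git ids, tool names and the `tool-pod-policy` kyverno Policy name in the sample cluster are constructed, and the `desired` map stands in for whatever set of per-tool resources a given maintain-kubeusers version creates.

```python
from dataclasses import dataclass, field

# Label keys as proposed in the comment above. The git id values, tool names
# and object names used in demo() are constructed for this example.
MANAGED_BY = "app.kubernetes.io/managed-by"
GIT_ID = "toolforge.org/maintain-kubeusers-git-id"
OWNER = "maintain-kubeusers"


@dataclass
class Obj:
    """Stand-in for a namespaced Kubernetes object: kind, name, metadata.labels."""
    kind: str
    name: str
    labels: dict


@dataclass
class Namespace:
    """Stand-in for a Namespace plus the namespaced objects it contains."""
    labels: dict
    objects: list = field(default_factory=list)


def needs_reconcile(ns, git_id):
    """Trigger: the namespace's git-id label is missing or differs from ours."""
    return ns.labels.get(GIT_ID) != git_id


def managed_objects(ns):
    """Only objects carrying our managed-by label are ours to update or delete;
    objects the tool created itself in its namespace are never touched."""
    return {(o.kind, o.name): o for o in ns.objects if o.labels.get(MANAGED_BY) == OWNER}


def stale_objects(ns, git_id):
    """Managed objects with an old (or no) git-id label: refresh candidates."""
    return [o for o in managed_objects(ns).values() if o.labels.get(GIT_ID) != git_id]


def reconcile_namespace(ns, desired, git_id):
    """desired maps (kind, name) -> extra labels the current code wants on it.
    Returns the list of (action, (kind, name)) performed. Existing objects are
    updated in place, so a policy never disappears between a delete and a
    re-create; the namespace git-id is written last, so an interrupted run
    is simply retried on the next pass."""
    actions = []
    managed = managed_objects(ns)
    for key, labels in desired.items():
        tagged = {**labels, MANAGED_BY: OWNER, GIT_ID: git_id}
        if key in managed:
            managed[key].labels = tagged
            actions.append(("update", key))
        else:
            ns.objects.append(Obj(key[0], key[1], tagged))
            actions.append(("create", key))
    # Leftovers: tagged by us, but no longer part of what this git-id deploys.
    for key, obj in managed.items():
        if key not in desired:
            ns.objects.remove(obj)
            actions.append(("delete", key))
    ns.labels[GIT_ID] = git_id
    return actions


def reconcile_all(cluster, tools, desired, git_id):
    """One pass over every tool account: create a missing namespace, then
    reconcile every namespace whose git-id label is not ours."""
    report = {}
    for tool in tools:
        ns = cluster.get(tool)
        if ns is None:
            ns = cluster[tool] = Namespace(labels={MANAGED_BY: OWNER})
            report[tool] = [("create-namespace", tool)]
        else:
            report[tool] = []
        if needs_reconcile(ns, git_id):
            report[tool] += reconcile_namespace(ns, desired, git_id)
    return report


def demo():
    """Constructed sample cluster: a new maintain-kubeusers commit NEW replaces OLD."""
    OLD, NEW = "aaaa1111", "bbbb2222"  # constructed git ids
    cluster = {
        # processed by the previous version: one object to refresh, one to prune
        "tool-foo": Namespace(
            labels={MANAGED_BY: OWNER, GIT_ID: OLD},
            objects=[
                Obj("NetworkPolicy", "default", {MANAGED_BY: OWNER, GIT_ID: OLD}),
                Obj("RoleBinding", "legacy-psp", {MANAGED_BY: OWNER, GIT_ID: OLD}),
                Obj("ConfigMap", "user-settings", {}),  # the tool's own object
            ],
        ),
        # already at NEW: must be skipped entirely
        "tool-bar": Namespace(
            labels={MANAGED_BY: OWNER, GIT_ID: NEW},
            objects=[Obj("NetworkPolicy", "default", {MANAGED_BY: OWNER, GIT_ID: NEW})],
        ),
    }
    desired = {
        ("NetworkPolicy", "default"): {},
        ("Policy", "tool-pod-policy"): {},  # hypothetical per-tool kyverno Policy
    }
    tools = ["tool-foo", "tool-bar", "tool-baz"]  # tool-baz has no namespace yet
    report = reconcile_all(cluster, tools, desired, NEW)
    return cluster, report


if __name__ == "__main__":
    for tool, actions in demo()[1].items():
        print(tool, actions)
```

Two details matter for this kind of backfill: pruning is restricted to objects that carry the managed-by label, so a tool's own ConfigMaps or Secrets in the namespace can never be removed as "leftovers", and the namespace's git-id label is only written after every object has been created, updated or deleted, so a crash mid-namespace leaves it flagged for the next run rather than silently half-migrated.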

The basic idea sounds good to me. Using the Git hash means that all tools will be processed on the first boot after every maintain-kubeusers commit, which is fine as long as the processing code is written correctly.

There is currently a ConfigMap in each namespace used to track certificate expiration and quota versions already, can we re-use that instead of introducing a new mechanism (namespace label) for tracking per-tool state?

Working on a resource abstraction that would allow storing the state of each resource in the ConfigMap.

Code here: https://gitlab.wikimedia.org/repos/cloud/toolforge/maintain-kubeusers/-/merge_requests/23