Page MenuHomePhabricator
Create Task
Maniphest T133999

Provision a .kube/config file for all tools
Closed, ResolvedPublic
Actions

Description

All tools should have a .kube/config file and a namespace created for them. This should happen automatically on new tool creation. The config file would set the path to the kube master as well as credentials to access it. This allows people to use kubectl if they want to, but primary use case will be the 'webservice' command which will read this file as well.

It should probably be only readable by the tool since there's no reason for them to modify it.

Details

SubjectRepoBranchLines +/-
tools: Provision accounts for all toolsoperations/puppetproduction+385 -37
Customize query in gerrit

Related Objects
Search...

Event Timeline

yuvipanda created this task.Apr 29 2016, 7:12 PM
yuvipanda added a subtask: T133515: Write a k8s admission controller to enforce that all containers running come from our private repository.
yuvipanda added a comment.May 9 2016, 11:44 AM

Small python script that does the following:

  1. Look at all tool users in LDAP
  2. Check if there's an entry in token auth for all of them
  3. For the users that do not have an token auth entry:
    1. Add an entry with an autogenerated password
    2. Create a namespace with proper RunAsUser annotation
    3. Add an entry to abac.json allowing the user access to this namespace
    4. Write a .kube/config file in the user's homedir, readable by them but not writeable
  4. If there were any changes in (3), then restart kube-apiserver.

In the long run, we should replace it with perhaps a CA based authentication setup, but that is a while off.

yuvipanda closed subtask T133515: Write a k8s admission controller to enforce that all containers running come from our private repository as Resolved.May 13 2016, 1:59 AM
valhallasw moved this task from Backlog to Ready to be worked on on the Toolforge board.May 27 2016, 1:17 PM
gerritbot subscribed.Jun 30 2016, 7:06 PM

Change 296747 had a related patch set uploaded (by Yuvipanda):
tools: Provision accounts for all tools

https://gerrit.wikimedia.org/r/296747

gerritbot added a project: Patch-For-Review.Jun 30 2016, 7:06 PM
yuvipanda mentioned this in rOPUPc17b3126edc6: tools: Provision accounts for all tools.Jun 30 2016, 7:08 PM
yuvipanda mentioned this in rOPUP2de57a5cf158: tools: Provision accounts for all tools.Jun 30 2016, 8:36 PM
yuvipanda mentioned this in rOPUPe94f52294161: tools: Provision accounts for all tools.Jul 4 2016, 2:53 PM
yuvipanda mentioned this in rOPUP557a506fce72: tools: Provision accounts for all tools.Jul 4 2016, 3:01 PM
yuvipanda mentioned this in rOPUPf645060f9f72: tools: Provision accounts for all tools.Jul 4 2016, 3:52 PM
yuvipanda mentioned this in rOPUPff2186db8b68: tools: Provision accounts for all tools.Jul 4 2016, 4:38 PM
yuvipanda mentioned this in rOPUP6d3849c2fcb4: tools: Provision accounts for all tools.Jul 4 2016, 4:49 PM
yuvipanda mentioned this in rOPUPddf623af5899: tools: Provision accounts for all tools.Jul 4 2016, 5:01 PM
yuvipanda mentioned this in rOPUP58a5a965eb3f: tools: Provision accounts for all tools.Jul 4 2016, 5:22 PM
yuvipanda mentioned this in rOPUPe453842cca12: tools: Provision accounts for all tools.
yuvipanda mentioned this in rOPUPe147a4078eaa: tools: Provision accounts for all tools.Jul 4 2016, 5:30 PM
yuvipanda mentioned this in rOPUP9096dbcf178a: tools: Provision accounts for all tools.Jul 4 2016, 5:34 PM
yuvipanda mentioned this in rOPUPdf258abf627e: tools: Provision accounts for all tools.
yuvipanda mentioned this in rOPUPd00069e7c863: tools: Provision accounts for all tools.Jul 4 2016, 5:46 PM
yuvipanda mentioned this in rOPUP1a0384c4fd7f: tools: Provision accounts for all tools.Jul 4 2016, 5:54 PM
yuvipanda mentioned this in T112824: Kubernetes Beta Signup List.Jul 5 2016, 12:25 PM
yuvipanda mentioned this in rOPUP820913532558: tools: Provision accounts for all tools.Jul 5 2016, 2:45 PM
yuvipanda mentioned this in rOPUP3597827e26e2: tools: Provision accounts for all tools.Jul 5 2016, 4:07 PM
yuvipanda mentioned this in rOPUP060317367936: tools: Provision accounts for all tools.Jul 5 2016, 6:01 PM
yuvipanda mentioned this in rOPUP86152524d042: tools: Provision accounts for all tools.Jul 5 2016, 7:01 PM
yuvipanda mentioned this in rOPUPc9bf96612acf: tools: Provision accounts for all tools.Jul 6 2016, 2:45 PM
gerritbot added a comment.Jul 6 2016, 5:18 PM

Change 296747 merged by Yuvipanda:
tools: Provision accounts for all tools

https://gerrit.wikimedia.org/r/296747

yuvipanda mentioned this in rOPUPdbf1605d6984: tools: Provision accounts for all tools.Jul 6 2016, 5:23 PM
yuvipanda closed this task as Resolved.Jul 6 2016, 5:31 PM
yuvipanda claimed this task.

Done too!

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL