Remove bootstrapping of namespaces by integrating them into the helmfile workflow #1881

Merged: 1 commit merged into main from ol/remove-bootstrap on Jan 9, 2024

Conversation

@OlleLarsson OlleLarsson commented Nov 23, 2023

Warning

This is a public repository, ensure not to disclose:

  • personal data beyond what is necessary for interacting with this pull request
  • business confidential information, such as customer names

What kind of PR is this?

Required: Mark one of the following that is applicable:

  • kind/feature
  • kind/improvement
  • kind/deprecation
  • kind/documentation
  • kind/clean-up
  • kind/bug
  • kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

  • kind/admin-change
  • kind/dev-change
  • kind/security
  • kind/adr

What does this PR do / why do we need this PR?

This PR removes the bootstrap step used to install namespaces in a
cluster. The step has been integrated into the new helmfile setup and
namespaces are now managed by helm.

Two new releases are added: "admin-namespaces" and
"dev-namespaces", the latter of which is only relevant for wc clusters
and it only includes the "alertmanager" namespace as of now. The
"admin-namespace" includes all admin namespaces except for the "kube-*"
namespaces. The "kube-*" namespaces are not managed by helm nor do they
get any PSA or "owner=operator" labels set. Furthermore those namespaces
are exempted from the OPA-Gatekeeper validating and mutating webhooks!

Note, namespaces are not removed by Helm! If you destroy the
namespace releases the namespace resources will be left behind.

Furthermore, this PR sets the restricted PSA labels on the "thanos"
namespace and the privileged PSA labels on the "falco" namespace in SC.
In order to set the restricted labels on the "thanos" namespace, a seccomp
profile is set and all capabilities are dropped on the thanos components.

Additional information to reviewers

Screenshots

Checklist

  • Proper commit message prefix on all commits
  • Change checks:
    • The change is transparent
    • The change is disruptive
    • The change requires no migration steps
    • The change requires migration steps
  • Metrics checks:
    • The metrics are still exposed and present in Grafana after the change
    • The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
    • The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
  • Logs checks:
    • The logs do not show any errors after the change
  • Network Policy checks:
    • Any changed pod is covered by Network Policies
    • The change does not cause any dropped packages in the NetworkPolicy Dashboard
  • Pod Security Policy checks:
    • Any changed pod is covered by Pod Security Admission
    • Any changed pod is covered by Gatekeeper Pod Security Policies
    • The change does not cause any pods to be blocked by Pod Security Admission or Policies
  • Falco checks:
    • The change does not cause any alerts to be generated by Falco
  • Audit checks:
    • The change does not cause any unnecessary Kubernetes audit events
    • The change requires changes to Kubernetes audit policy
  • Bug checks:
    • The bug fix is covered by regression tests

@simonklb
Contributor

I thought it was worth mentioning because it popped up in my head when reading the title:
If I recall correctly, the reason why we left out namespace creation from Helm before was to prevent an accident that uninstalled the "namespace Helm release" which would cascade delete everything else in the cluster. I assume that with helm.sh/resource-policy: keep this will not be a risk?

@OlleLarsson
Contributor Author

I thought it was worth mentioning because it popped up in my head when reading the title: If I recall correctly, the reason why we left out namespace creation from Helm before was to prevent an accident that uninstalled the "namespace Helm release" which would cascade delete everything else in the cluster. I assume that with helm.sh/resource-policy: keep this will not be a risk?

Good point.

So, the helm resource policy keep could be set on all of the namespaces created by the release and that would, as you say, prevent them from being deleted with helm uninstall.

ATM, the keep resource policy has only been set on the kube* namespaces but for those we are thinking of moving out from this release. So we'd need to either set the owner=operator in some other way or configure gatekeeper in such a way that those namespaces are excluded by default (despite them not having the owner label).
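The discussion above combines three properties a reviewer would want to verify on the rendered output of the new namespace releases: every Helm-managed Namespace carries the three PSA labels plus owner=operator, it carries helm.sh/resource-policy: keep so an accidental helm uninstall does not cascade-delete the namespace, and no kube-* namespace is Helm-managed at all; the PR description additionally requires pods in the restricted "thanos" namespace to set a seccomp profile and drop all capabilities. The following checker is an added example written for this page, not code from the project or its helmfile setup. It works on plain dicts shaped like parsed YAML (what `helm template` would render, after parsing), so it needs no third-party library; the `namespace` helper and all sample manifests are constructed here for illustration, and the restricted-profile check covers only the fields the thanos change touches, not the full PSA restricted profile.

```python
"""Audit rendered Namespace and Pod manifests against the policy described in
the PR thread: PSA labels, owner=operator, helm.sh/resource-policy: keep,
no Helm-managed kube-* namespaces, and key restricted-profile requirements
for pods in a namespace that enforces "restricted".  Manifests are dicts
shaped like parsed YAML; all samples below are constructed for this example."""

PSA_MODES = ("enforce", "audit", "warn")
PSA_LEVELS = {"privileged", "baseline", "restricted"}
KEEP_ANNOTATION = "helm.sh/resource-policy"  # value "keep" survives helm uninstall


def check_namespace(ns: dict) -> list[str]:
    """Return a list of findings for one Namespace manifest (empty means OK)."""
    name = ns["metadata"]["name"]
    labels = ns["metadata"].get("labels") or {}
    annotations = ns["metadata"].get("annotations") or {}
    findings = []
    if name.startswith("kube-"):
        # Per the PR, kube-* namespaces must never be rendered by the release.
        findings.append(f"{name}: kube-* namespaces must not be Helm-managed")
        return findings
    for mode in PSA_MODES:
        if labels.get(f"pod-security.kubernetes.io/{mode}") not in PSA_LEVELS:
            findings.append(f"{name}: missing or invalid PSA label for {mode!r}")
    if labels.get("owner") != "operator":
        findings.append(f"{name}: missing owner=operator label")
    if annotations.get(KEEP_ANNOTATION) != "keep":
        findings.append(f"{name}: missing {KEEP_ANNOTATION}=keep annotation")
    return findings


def check_restricted_pod(pod: dict) -> list[str]:
    """Return findings for a Pod that must satisfy the PSA restricted profile.
    Only seccomp, capabilities, privilege escalation and non-root are checked."""
    name = pod["metadata"]["name"]
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # seccompProfile may be set at pod or container level; container wins.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}/{c['name']}: seccompProfile must be RuntimeDefault or Localhost")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}/{c['name']}: capabilities.drop must include ALL")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{c['name']}: allowPrivilegeEscalation must be false")
        if sc.get("runAsNonRoot") is not True and pod_sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}/{c['name']}: runAsNonRoot must be true")
    return findings


def audit(manifests: list[dict]) -> list[str]:
    """Run both checks over a rendered manifest list; pods are checked against
    the restricted profile only when their namespace enforces it."""
    namespaces = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Namespace"}
    findings = []
    for ns in namespaces.values():
        findings += check_namespace(ns)
    for m in manifests:
        if m["kind"] != "Pod":
            continue
        ns = namespaces.get(m["metadata"].get("namespace", ""), {})
        labels = ns.get("metadata", {}).get("labels") or {}
        if labels.get("pod-security.kubernetes.io/enforce") == "restricted":
            findings += check_restricted_pod(m)
    return findings


def namespace(name: str, level: str, keep: bool = True) -> dict:
    """Hypothetical helper building a Namespace the way the release would render it."""
    labels = {"owner": "operator"}
    labels.update({f"pod-security.kubernetes.io/{m}": level for m in PSA_MODES})
    meta = {"name": name, "labels": labels}
    if keep:
        meta["annotations"] = {KEEP_ANNOTATION: "keep"}
    return {"apiVersion": "v1", "kind": "Namespace", "metadata": meta}


# Constructed samples (not from the project): a compliant restricted thanos
# namespace, a privileged falco namespace, a namespace that forgot the keep
# annotation, a kube-* namespace that should not be rendered, and one
# compliant and one non-compliant thanos pod.
SAMPLE_MANIFESTS = [
    namespace("thanos", "restricted"),
    namespace("falco", "privileged"),
    namespace("monitoring", "baseline", keep=False),
    namespace("kube-system", "privileged"),
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "thanos-query-ok", "namespace": "thanos"},
     "spec": {"securityContext": {"runAsNonRoot": True,
                                  "seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "query", "image": "example/thanos",
                              "securityContext": {"allowPrivilegeEscalation": False,
                                                  "capabilities": {"drop": ["ALL"]}}}]}},
    {"apiVersion": "v1", "kind": "Pod",
     "metadata": {"name": "thanos-query-bad", "namespace": "thanos"},
     "spec": {"containers": [{"name": "query", "image": "example/thanos"}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFESTS):
        print(finding)
```

Run against the constructed samples it reports the missing keep annotation on "monitoring", the Helm-managed "kube-system", and four findings on the non-compliant thanos pod, while the compliant namespaces and pod are silent; the same functions can be fed the parsed output of a real render to catch a namespace that would be cascade-deleted on uninstall before it reaches a cluster.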

Base automatically changed from aarnq/helmfile-modular to main November 23, 2023 10:54
@OlleLarsson OlleLarsson force-pushed the ol/remove-bootstrap branch 6 times, most recently from cfdbf37 to b87dcc9 Compare November 24, 2023 10:29
@@ -1,7 +1,17 @@
validatingWebhookFailurePolicy: Fail
validatingWebhookTimeoutSeconds: {{ .Values.opa.validatingWebhookTimeoutSeconds }}
validatingWebhookExemptNamespacesLabels:
kubernetes.io/metadata.name:
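Review bot: the list of exempted namespaces under `kubernetes.io/metadata.name:` is not visible in this hunk (the header advertises 17 new lines but only the key is shown), so the set of namespaces that bypass the validating webhook cannot be checked here; please enumerate it in the PR description next to the kube-* statement, since a webhook exemption is a policy bypass reviewers should see in full. Keying the exemption on `kubernetes.io/metadata.name` is the right choice, because the control plane sets that label on every namespace and keeps it immutable (GA since Kubernetes 1.22); a short comment in the values file stating that assumption and the minimum cluster version would help future readers.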
Contributor Author

It shouldn't be possible to modify this label of a namespace, so customers shouldn't be able to abuse it.

helmfile.yaml (outdated review thread, resolved)
Comment on lines +14 to +17
labels:
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/warn: privileged
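Review bot: all three PSA modes on lines +15 to +17 are set to privileged, so nothing is recorded when a falco pod would violate a stricter level. If the only requirement is that falco can run its driver, keep enforce at privileged but consider setting audit and warn to baseline (or restricted) so that violations still surface as audit-log annotations and kubectl warnings without blocking the workload; that keeps a record of what the namespace actually needs.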
Contributor Author

Noticed that we didn't set any psa labels on the falco namespace here which I assume that we want to do.

@OlleLarsson OlleLarsson force-pushed the ol/remove-bootstrap branch 5 times, most recently from 80a465a to c5fead4 Compare January 3, 2024 15:26
@OlleLarsson OlleLarsson marked this pull request as ready for review January 3, 2024 15:28
@OlleLarsson
Contributor Author

Still doing some testing but feel free to take a look

@OlleLarsson OlleLarsson changed the title helmify bootstrap Remove bootstrapping of namespaces by integrating them into the helmfile workflow Jan 5, 2024
Contributor

@davidumea davidumea left a comment

LGTM

@OlleLarsson OlleLarsson force-pushed the ol/remove-bootstrap branch 6 times, most recently from f73b829 to 9eede30 Compare January 5, 2024 10:12
Contributor

@viktor-f viktor-f left a comment

Looks good, but I have not tested it.
Just one minor thing.

helmfile.d/values/admin-namespaces-sc.yaml.gotmpl (outdated review thread, resolved)

This commit removes the bootstrap step used to install namespaces in a
cluster. The step has been integrated into the new helmfile setup and
namespaces are now managed by helm.

Two new releases are added: "admin-namespaces" and
"dev-namespaces", the latter of which is only relevant for wc clusters
and it only includes the "alertmanager" namespace as of now. The
"admin-namespace" includes all admin namespaces except for the "kube-*"
namespaces. The "kube-*" namespaces are not managed by helm nor do they
get any PSA or "owner=operator" labels set. Furthermore those namespaces
are exempted from the OPA-Gatekeeper validating and mutating webhooks!

Note, namespaces are not removed by Helm! If you destroy the
namespace releases the namespace resources will be left behind.

Furthermore, this commit sets the restricted PSA labels on the "thanos"
namespace and the privileged PSA labels on the "falco" and
"opensearch-system" namespaces.
In order to set the restricted labels on the "thanos" namespace, a seccomp
profile is set and all capabilities are dropped on the thanos components.
@OlleLarsson OlleLarsson merged commit 852bfa2 into main Jan 9, 2024
9 checks passed
@OlleLarsson OlleLarsson deleted the ol/remove-bootstrap branch January 9, 2024 09:36
Successfully merging this pull request may close these issues.

Remove bootstrap - helmify
6 participants