bsctl
7ca087cac5
feat: update event messages
2021-06-15 21:42:39 +02:00
Dario Tranchitella
accd9ca038
feat: emitting events for policies violations
2021-06-15 21:42:39 +02:00
Dario Tranchitella
630e802708
feat: image PullPolicy webhook enforcer
2021-06-14 10:53:55 +02:00
Dario Tranchitella
9c8b0377dc
feat: emitting events for Tenant operations
2021-06-06 22:18:51 +02:00
Dario Tranchitella
7c1592e739
chore(license): switching over SPDX license header (#280)
2021-06-03 19:46:20 +02:00
Dario Tranchitella
3570b02427
feat!: using CapsuleConfiguration CRD with reload at runtime
2021-05-31 16:15:44 +02:00
Dario Tranchitella
0481822555
feat: enforcing Pod Priority Class
2021-05-29 00:31:17 +02:00
Maksim Fedotov
ef6eea62dc
fix: wrong order of checks in validating-external-service-ips webhook
2021-05-27 19:27:43 +02:00
Maksim Fedotov
3c9895e498
feat: use multiple groups as capsule-user-group
2021-05-25 14:46:05 +02:00
Maksim Fedotov
e6da507d10
feat: block use of NodePort Services
2021-05-19 16:44:08 +02:00
Dario Tranchitella
c22cb6cc88
refactor: moving to admission/v1 for Kubernetes +1.16
2021-05-14 13:55:51 +02:00
Ludovico Russo
c2cede6287
refactor: better name variables in pkg/webhook/utils
2021-05-04 17:49:13 +02:00
Ludovico Russo
36c90d485e
refactor: better name variables in pkg/webhook/tenantprefix
2021-05-04 17:49:13 +02:00
Ludovico Russo
34c958371b
refactor: better name variables in pkg/webhook/tenant
2021-05-04 17:49:13 +02:00
Ludovico Russo
e5f17d1e0d
refactor: better name variables in pkg/webhook/services
2021-05-04 17:49:13 +02:00
Ludovico Russo
e1b203727d
refactor: better name variables in pkg/webhook/registry
2021-05-04 17:49:13 +02:00
Ludovico Russo
cec8cc0573
refactor: better name variables in pkg/webhook/pvc
2021-05-04 17:49:13 +02:00
Ludovico Russo
7ca9fe0c63
refactor: better name variables in pkg/webhook/ownerreference
2021-05-04 17:49:13 +02:00
Ludovico Russo
b87a6c022f
refactor: better name variables in pkg/webhook/namespacequota
2021-05-04 17:49:13 +02:00
Ludovico Russo
01b75a5094
refactor: better name variables in pkg/webhook/ingress
2021-05-04 17:49:13 +02:00
Ludovico Russo
2c6dcf0dd7
refactor: better name variables in pkg/webhook
2021-05-04 17:49:13 +02:00
Dario Tranchitella
5ecabaad3e
refactor: ignoring requests from kube-system ServiceAccount resources
2021-03-17 11:43:11 +01:00
Dario Tranchitella
4119a69e02
fix: hostname collision between different Tenant namespaces
2021-03-06 20:50:55 +01:00
Dario Tranchitella
dfb7a5e227
feat: allowing Tenants with collided Ingress hostnames
...
A new flag (`--allow-tenant-ingress-hostnames-collision`) is added,
defaulted to false: when toggled, Capsule will not check if each
declared hostname in `.spec.IngressHostnames.allowed` is already in use
on any other Tenant.
2021-03-06 16:58:44 +01:00
Dario Tranchitella
7fef4e5237
bug: type-switching on Ingress webhook for hostname collision
2021-03-06 15:06:18 +01:00
Dario Tranchitella
4fbede0989
feat: Ingress hostnames collision check
...
Disabled by default to avoid breaking changes for upcoming release,
although minor will be enabled by default.
Using the new `--allow-ingress-hostname-collision` flag Capsule can
ignore the Ingress hostnames collision allowing the Cluster
Administrator to put in place a non-opinionated hostnames allocation.
2021-03-05 22:50:35 +01:00
Erin Corson
2ea36db5d6
fix(typo): fixing typo in several webhook error messages (#212)
...
Co-authored-by: Erin Corson <ecorson@vmware.com>
2021-03-04 08:24:11 +01:00
Dario Tranchitella
16906db309
Validating Tenant also on UPDATE (#191)
2021-01-21 07:11:59 +01:00
Dario Tranchitella
51f5bec5a6
Fixing the IngressClass return logic breaking Hostnames check (#185)
2021-01-15 09:45:09 +01:00
Dario Tranchitella
d2700556dd
Adding linters and aligning code (#169)
...
* Adding linters and aligning code
* Aligning ingressHostnames to AllowedListSpec
2021-01-13 23:49:11 +01:00
Paolo Carta
89c66de7c6
Implementing allowed Ingress hostnames (#162)
...
Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
2021-01-13 22:18:09 +01:00
Dario Tranchitella
98e441f1e9
Enforcing Service external IPs (#161)
2020-12-11 19:17:46 +01:00
Dario Tranchitella
007bdff512
Only owner Tenant specification key is mandatory (#153)
...
* Only Tenant owner specification key is mandatory
* Increasing default timeout to avoid e2e flakiness on GH Actions
* Ensuring also empty Namespace annotations and labels
2020-12-11 15:47:29 +01:00
Dario Tranchitella
5aed7a01d5
Enforcing container registry via list or regex (#142)
...
Adding also NamespaceSelector to specific webhooks in order to decrease
the chance of breaking other critical Namespaces in case of Capsule
failures.
2020-11-24 00:40:40 +01:00
Dario Tranchitella
d3bc9f4870
Provide a more meaningful error message when not admitted Storage/Ingress Classes are used (#141)
...
* Providing further details on non allowed Storage Classes
* Providing further details on non allowed Ingress Classes
2020-11-17 23:44:08 +01:00
Maxim Fedotov
078588acb5
migrating service webhook to controller p1 (#130)
...
migrating service webhook to controller p2
migrating service webhook to controller p3. add tests
Using an abstract reconciler to avoid copy/paste code
update tests. remove service_labels webhook. fix bug in sync labels\endpoint func
apply review notes
disable EndpointSlicesLabelsReconciler for kubernetes versions <=1.16
Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>
2020-11-10 19:43:30 +03:00
Dario Tranchitella
2c54d91306
Enforcing back tenant selection using closest match (#129)
2020-11-05 11:20:48 +01:00
Dario Tranchitella
e764b976aa
Allowing dash on Tenant namespace (#118)
...
* Allowing dashes in the Tenant name as DNS RFC-1123
* Allowing force tenant prefix with Namespaces with dash
2020-10-31 19:43:46 +01:00
Maxim Fedotov
7ae1c0ae32
issues/115. fix endpoint creation for services with selectors when servicesMetadata is specified for tenant (#116)
...
apply review notes
Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>
2020-10-31 15:10:08 +03:00
Dario Tranchitella
39d6638669
Duplicated code, can be easily removed (#119)
2020-10-31 12:50:51 +01:00
Dario Tranchitella
ee6e3aa0df
Using matrix strategy for e2e on multiple k8s versions (#111)
...
* Using matrix strategy for e2e on multiple k8s versions
* EndpointSlice version support according to Kubernetes release
* Utility helper for testing various Kubernetes versions
2020-10-29 09:39:22 +01:00
Dario Tranchitella
a7f7c00558
Supporting ingresses.networking.k8s.io/v1 (#110)
...
* Updating to controller-runtime v0.7.0-alpha.4 and k8s 0.19.3
* Implementing ingresses.networking.k8s.io/v1
* Aligning to latest zap signatures
2020-10-23 21:19:14 +02:00
Dario Tranchitella
b0310cd42f
Handling all the events from Storage and Ingress classes (#108)
2020-10-17 14:40:07 +02:00
Maxim Fedotov
d0028d483b
Fix null pointer exception in Ingress validating webhook (#94)
...
Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>
2020-09-15 11:54:52 +02:00
Maxim Fedotov
875650f185
Regexp support for Ingress and Storage classes (#89)
...
Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>
2020-09-15 11:08:14 +02:00
Maxim Fedotov
303fc4d69c
Support Groups as Subject Kind for Tenant Namespace RoleBindings created by Capsule (#71)
...
Modified CRD to support Owner struct.
Added Tenant name validation webhook.
Rewrote owner_reference hook logic.
Updated and added new e2e tests.
Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>
2020-09-10 17:02:22 +02:00
Dario Tranchitella
f4c41985d8
Using pointers and internal handler for Namespace OwnerReferences (#86)
...
* Using pointers and internal handler for Namespace OwnerReferences
* Missing go fmt
2020-09-10 15:27:27 +02:00
Maxim Fedotov
e8362f739f
Add Service labelling and annotating webhook (#84)
...
Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>
2020-09-10 11:56:51 +02:00
Dario Tranchitella
a4b0c0fe27
Using HTTP handlers as closures (#82)
...
* Using HTTP handlers as closures
* Avoiding variable shadowing
* Optimizing Ingress webhook
* Missing license header
2020-09-09 13:33:25 +02:00
Maxim Fedotov
a99153cbe7
Add protected-namespace-regex (#73)
2020-09-02 12:43:02 +02:00