
Add a kubebash service, for running kubectl operations on the isidro …
…cluster, via the isidro chatbot
ndebuhr committed Jul 7, 2022
1 parent 7102361 commit c4a9ede
Showing 12 changed files with 268 additions and 35 deletions.
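--- /dev/null
+++ b/chart/templates/kubebash.yaml
@@ -0,0 +1,81 @@
+{{ if eq .Values.kubebash.enabled true }}
+apiVersion: v1
+kind: Service
+metadata:
+name: kubebash
+labels:
+app: kubebash
+spec:
+type: ClusterIP
+ports:
+- name: http
+port: 80
+targetPort: 9000
+selector:
+app: kubebash
+---
+kind: ServiceExport
+apiVersion: net.gke.io/v1
+metadata:
+name: kubebash
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: kubebash
+labels:
+app: kubebash
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: kubebash
+template:
+metadata:
+labels:
+app: kubebash
+sidecar.istio.io/inject: "true"
+istio.io/rev: "asm-managed-rapid"
+spec:
+serviceAccountName: kubebash-microservice
+containers:
+- name: kubebash
+image: {{ .Values.kubebash.image.repository }}:{{ .Values.kubebash.image.tag }}
+imagePullPolicy: Always
+env:
+- name: RESPONDER_HOST
+value: responder.{{ .Release.Namespace }}.svc.clusterset.local
+restartPolicy: Always
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+name: kubebash
+spec:
+podSelector:
+matchLabels:
+app: kubebash
+policyTypes:
+- Ingress
+- Egress
+ingress:
+- from:
+# GCP Health Check IPs
+- ipBlock:
+cidr: 35.191.0.0/16
+- ipBlock:
+cidr: 130.211.0.0/22
+# RFC1918 (overkill, but enables multi-cluster and multi-region)
+- ipBlock:
+cidr: 10.0.0.0/8
+- ipBlock:
+cidr: 172.16.0.0/12
+- ipBlock:
+cidr: 192.168.0.0/16
+# In-cluster services (failover for non-RFC1918 topologies)
+- podSelector:
+matchLabels:
+app: orchestration
+egress:
+- {}
+{{ end }}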
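Review bot: The NetworkPolicy ingress rule at the end of this file admits every RFC1918 address plus the GCP health-check ranges on every port, and the `hooks.yaml` added in the same commit carries no `trigger-rule`, so any workload or node that can route to port 9000 can post a `command` that `pass.sh` hands to `sh -c` under the `kubebash-microservice` ServiceAccount. The pod is already labelled `sidecar.istio.io/inject: "true"`, so an Istio AuthorizationPolicy allowing only the orchestration workload's principal would gate the endpoint independently of source CIDR; short of that, add `ports:` with `- port: 9000` / `protocol: TCP` to the ingress rule and replace the three RFC1918 `ipBlock` entries with a `namespaceSelector`/`podSelector` pair for the orchestration workload. The comment `# RFC1918 (overkill, but enables multi-cluster and multi-region)` already admits the breadth; it should also state that this rule is the only thing standing between the network and a remote shell, so nobody widens it further without noticing.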
10 changes: 6 additions & 4 deletions chart/templates/orchestration.yaml
Expand Up @@ -49,16 +49,18 @@ spec:
value: "isidro"
- name: GREETING
value: {{ .Values.orchestration.greeting }}
- name: RESPONDER_HOST
value: responder.{{ .Release.Namespace }}.svc.clusterset.local
- name: KEYWORDS_HOST
value: keywords.{{ .Release.Namespace }}.svc.clusterset.local
- name: KUBEBASH_HOST
value: kubebash.{{ .Release.Namespace }}.svc.clusterset.local
- name: POLICY_AGENT_HOST
value: policy-agent.{{ .Release.Namespace }}.svc.clusterset.local
- name: TASKS_HOST
value: tasks.{{ .Release.Namespace }}.svc.clusterset.local
- name: REPEATER_HOST
value: repeater.{{ .Release.Namespace }}.svc.clusterset.local
- name: RESPONDER_HOST
value: responder.{{ .Release.Namespace }}.svc.clusterset.local
- name: TASKS_HOST
value: tasks.{{ .Release.Namespace }}.svc.clusterset.local
restartPolicy: Always
---
apiVersion: monitoring.googleapis.com/v1alpha1
30 changes: 26 additions & 4 deletions chart/templates/policy-agent.yaml
Expand Up @@ -88,14 +88,14 @@ spec:
volumes:
- name: actions-rego
configMap:
name: policy-agent-sympathetic-actions-rego-v3
name: policy-agent-sympathetic-actions-rego-v4
defaultMode: 0444
restartPolicy: Always
---
apiVersion: v1
kind: ConfigMap
metadata:
name: policy-agent-sympathetic-actions-rego-v3
name: policy-agent-sympathetic-actions-rego-v4
data:
routing.rego: |
package isidro.routing
Expand Down Expand Up @@ -161,6 +161,17 @@ data:
"keywords": [
"issue", "bug", "feature", "request", "broken", "outage", "problem", "incident"
]
},
{
"action": {
"confirmation message": "Self-destruction would make me a lot cheaper, easier to manage, and more secure. However, I cannot self terminate. You must provide a confirmation to trigger the shutdown. Please respond with a \"yes\" (or similar).",
"async": false,
"category": "kubebash",
"command": `kubectl scale deployment deployer-github deployer-github-workers gatekeeper keywords orchestration policy-agent-succinct policy-agent-sympathetic repeater responder tasks kubebash --replicas 0 -n isidro`,
"initialization message": "![self-destruction](https://thumbs.gfycat.com/WatchfulEnviousGemsbok-max-1mb.gif)",
"tie break priority": 3,
},
"keywords": ["destruct", "destruction"]
}
]
Expand Down Expand Up @@ -205,14 +216,14 @@ spec:
volumes:
- name: actions-rego
configMap:
name: policy-agent-succinct-actions-rego-v3
name: policy-agent-succinct-actions-rego-v4
defaultMode: 0444
restartPolicy: Always
---
apiVersion: v1
kind: ConfigMap
metadata:
name: policy-agent-succinct-actions-rego-v3
name: policy-agent-succinct-actions-rego-v4
data:
routing.rego: |
package isidro.routing
Expand Down Expand Up @@ -278,6 +289,17 @@ data:
"keywords": [
"issue", "bug", "feature", "request", "broken", "outage", "problem", "incident"
]
},
{
"action": {
"confirmation message": "Would you like me to self-destruct?",
"async": false,
"category": "kubebash",
"command": `kubectl scale deployment deployer-github deployer-github-workers gatekeeper keywords orchestration policy-agent-succinct policy-agent-sympathetic repeater responder tasks kubebash --replicas 0 -n isidro`,
"initialization message": "![self-destruction](https://thumbs.gfycat.com/WatchfulEnviousGemsbok-max-1mb.gif)",
"tie break priority": 3,
},
"keywords": ["destruct", "destruction"]
}
]
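Review bot: The self-destruct action added to the sympathetic rego hardcodes `-n isidro` in its `kubectl scale` command, while the rest of the chart addresses the release through `{{ .Release.Namespace }}` (the `*_HOST` values in orchestration.yaml, the ServiceAccount subject in service-account.yaml); a release installed under any other namespace would aim the command at the wrong namespace, and any namespace-scoped RBAC for kubebash must agree with this literal. Since the ConfigMap is itself a Helm template, write `-n {{ .Release.Namespace }}` in the backtick string, or have kubebash supply the namespace. The same line appears in the succinct rego in the later hunk; the two copies differ only in the `confirmation message`. The command also scales `kubebash` itself to zero in the same call, so the pod issuing it is terminated as a consequence — the API request is sent before the pod stops, so it likely completes, but a comment on that ordering dependence would help the next editor.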
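--- a/chart/templates/service-account.yaml
+++ b/chart/templates/service-account.yaml
@@ -11,4 +11,25 @@ kind: ServiceAccount
 metadata:
 name: db-client-microservice
 annotations:
-iam.gke.io/gcp-service-account: isidro-db-client-microservices@{{ .Values.project }}.iam.gserviceaccount.com
+iam.gke.io/gcp-service-account: isidro-db-client-microservices@{{ .Values.project }}.iam.gserviceaccount.com
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: kubebash-microservice
+annotations:
+iam.gke.io/gcp-service-account: isidro-kubebash-microservices@{{ .Values.project }}.iam.gserviceaccount.com
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: kubebash-execution
+subjects:
+- kind: ServiceAccount
+name: kubebash-microservice
+namespace: {{ .Release.Namespace }}
+apiGroup: ""
+roleRef:
+kind: ClusterRole
+name: edit
+apiGroup: rbac.authorization.k8s.io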
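Review bot: The ClusterRoleBinding at the end of this hunk grants `kubebash-microservice` the built-in `edit` ClusterRole in every namespace, while the only commands this commit routes to it (the policy-agent rego) are `kubectl scale deployment ... -n isidro`. `edit` also covers reading Secrets and `pods/exec`, which matters here because `pass.sh` runs an arbitrary shell line rather than a fixed kubectl subcommand; a namespaced RoleBinding to a Role limited to `deployments` and `deployments/scale` covers the documented use and keeps Secrets, exec and other namespaces out of reach of whatever the chat pipeline sends. The ServiceAccount subject with `apiGroup: ""` is correct and can stay as is.

```yaml
# … unchanged: ServiceAccount kubebash-microservice …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubebash-execution
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "deployments/scale"]
    verbs: ["get", "list", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubebash-execution
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: kubebash-microservice
    namespace: {{ .Release.Namespace }}
    apiGroup: ""
roleRef:
  kind: Role
  name: kubebash-execution
  apiGroup: rbac.authorization.k8s.io
```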
34 changes: 20 additions & 14 deletions chart/values.yaml
Expand Up @@ -5,32 +5,32 @@ zones:
- us-central1-b
- us-central1-f

deployer:
github:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/deployer/github
tag: latest
token: "1234567890"

gatekeeper:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/gatekeeper
tag: latest

repeater:
keywords:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/repeater
repository: us.gcr.io/PROJECT/isidro/keywords
tag: latest

responder:
kubebash:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/responder
repository: us.gcr.io/PROJECT/isidro/kubebash
tag: latest

deployer:
github:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/deployer/github
tag: latest
token: "1234567890"

orchestration:
enabled: true
greeting: "Hello!"
Expand All @@ -44,10 +44,16 @@ policyAgent:
repository: openpolicyagent/opa
tag: 0.33.1

keywords:
repeater:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/keywords
repository: us.gcr.io/PROJECT/isidro/repeater
tag: latest

responder:
enabled: true
image:
repository: us.gcr.io/PROJECT/isidro/responder
tag: latest

tasks:
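Review bot: `kubebash.enabled: true` in the first hunk switches on, by default, a service whose ServiceAccount this commit binds to the cluster-wide `edit` role and whose hook runs request payloads through `sh -c`; that is a much larger blast radius than the other `enabled: true` defaults in this file and should be opt-in. Set `enabled: false` here and put a comment above the key stating what enabling it grants, e.g. `# Enabling kubebash deploys a chat-driven kubectl runner bound to cluster-wide edit rights; enable deliberately`. The `tag: latest` plus `imagePullPolicy: Always` pairing matches the existing services, so I would not change it in this commit.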
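--- /dev/null
+++ b/kubebash/.dockerignore
@@ -0,0 +1 @@
+Dockerfile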
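--- /dev/null
+++ b/kubebash/Dockerfile
@@ -0,0 +1,19 @@
+FROM almir/webhook:2.8.0
+
+# apk install system prerequisite packages
+RUN apk add --no-cache curl
+
+# install kubectl, kubeadm, and kubelet
+RUN RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)" && \
+curl -L --remote-name-all "https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}" && \
+install kubeadm /usr/local/bin/ && \
+install kubelet /usr/local/bin/ && \
+install kubectl /usr/local/bin/ && \
+rm kubeadm kubelet kubectl
+
+ADD hooks.yaml /etc/webhook/hooks.yaml
+ADD pass.sh /var/webhook/pass.sh
+
+EXPOSE 9000
+
+ENTRYPOINT webhook -verbose -hooks /etc/webhook/hooks.yaml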
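Review bot: The `RUN` block resolves `stable.txt` at build time and installs the downloaded binaries with no checksum check, so two builds of the same commit can ship different kubectl versions and a tampered or truncated download would be installed silently. Pin the release through a build `ARG` and verify `kubectl` against the `.sha256` file Kubernetes publishes alongside it before `install`; `kubeadm` and `kubelet` are never used by a webhook container that only runs `kubectl`, so dropping them removes two downloads and shrinks the image. The shell-form `ENTRYPOINT webhook -verbose ...` also runs under `/bin/sh -c`, so `webhook` is not PID 1 and does not receive SIGTERM directly; the exec form below fixes that, and `-verbose` should be documented as logging request payloads (i.e. every command) to the container log.

```dockerfile
FROM almir/webhook:2.8.0
# … unchanged: apk add curl …
# placeholder: pin to a release you have tested, e.g. vX.Y.Z
ARG KUBECTL_VERSION=vX.Y.Z
RUN curl -fsSL --remote-name-all \
      "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/{kubectl,kubectl.sha256}" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
    install kubectl /usr/local/bin/ && \
    rm kubectl kubectl.sha256
# … unchanged: ADD hooks.yaml / pass.sh, EXPOSE 9000 …
ENTRYPOINT ["webhook", "-verbose", "-hooks", "/etc/webhook/hooks.yaml"]
```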
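--- /dev/null
+++ b/kubebash/hooks.yaml
@@ -0,0 +1,6 @@
+- id: kubebash
+execute-command: "/var/webhook/pass.sh"
+command-working-directory: "/var/webhook"
+pass-arguments-to-command:
+- source: payload
+name: command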
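Review bot: The hook defines no `trigger-rule`, so webhook runs `pass.sh` for every POST that reaches port 9000 and the only gate on a payload that ends up in `sh -c` is network reachability. webhook supports a `trigger-rule` with a `match` that compares an HMAC of the request body against a secret (`payload-hmac-sha256`; older releases call it `payload-hash-sha256` — check which name 2.8.0 accepts), which lets orchestration sign its requests with a key mounted from a Kubernetes Secret rather than stored in chart values. Add that rule here, and add a comment above `pass-arguments-to-command` stating that `command` is passed to the script as a single shell line, so this file cannot constrain its shape.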
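--- /dev/null
+++ b/kubebash/pass.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env sh
+set -x
+sh -c "$1"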
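Review bot: `sh -c "$1"` hands the `command` payload field to a shell verbatim, so this container is a general remote-command endpoint rather than a kubectl runner, and `set -x` echoes each command line to the log, including anything a caller embeds in it. Every command this commit defines starts with `kubectl`, so the script could `exec kubectl "$@"` and let the hook pass arguments individually, which means shell metacharacters in the payload are never interpreted here; merely checking that the first word is `kubectl` would not achieve that while `sh -c` remains. The exit status of `sh -c` propagates only because it is the last statement; a comment such as `# exit status of the command is the hook's exit status` would keep a future edit from breaking that.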