diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md index fe933d1c..58093fa1 100644 --- a/docs/configuration/10-kubernetes-clusters.md +++ b/docs/configuration/10-kubernetes-clusters.md @@ -43,6 +43,39 @@ set: azimuth_kubernetes_enabled: no ``` +### Tenancy-based Access Controls + +Alternatively, Kubernetes support can be restricted on a per-tenancy basis using the following variables: + +```yaml title="environments/my-site/inventory/group_vars/all/variables.yml" +# List of allowed tenancy IDs +azimuth_capi_operator_cluster_templates_tenancy_allow_list: +# List of denied tenancy IDs +azimuth_capi_operator_cluster_templates_tenancy_deny_list: +# Regex pattern to allow tenancies by name +azimuth_capi_operator_cluster_templates_tenancy_allow_regex: +# Regex pattern to block tenancies by name +azimuth_capi_operator_cluster_templates_tenancy_deny_regex: +``` + +In the event that a given tenancy matches more than one of the above restrictions, +the following priorities are applied: + - IDs are prioritized over Regex pattern matches (e.g. if a tenancy ID is +present in the 'deny' list *and* the tenancies name matches an 'allow' pattern then access is *denied*) +- Deny is prioritized over allow (e.g. if a tenancy ID is present in both 'allow' and 'deny' lists then +access is *denied*) +- The presence of either (or both) of the 'allow' restrictions triggers a deny-by-default policy meaning that +any tenancies not matching one of the 'allow' specifications are denied + +!!! info + + Restricting access to Kubernetes cluster templates automatically applies the same + access restrictions to all [Kubernetes Apps](./11-kubernetes-apps.md). + +Any restrictions which are applied to tenancies where clusters are already deployed will not delete existing clusters. +Instead, new cluster creation will be disabled and the 'update' and 'upgrade' functionality on existing clusters will also +be disabled so that only the 'delete' operation remains available. + ## Kubernetes configuration Kubernetes configuration is very similar for both the diff --git a/docs/configuration/11-kubernetes-apps.md b/docs/configuration/11-kubernetes-apps.md index 2fe6ba4f..b9cd139c 100644 --- a/docs/configuration/11-kubernetes-apps.md +++ b/docs/configuration/11-kubernetes-apps.md @@ -69,6 +69,25 @@ azimuth_capi_operator_app_templates_daskhub_enabled: false azimuth_capi_operator_app_templates_kubeflow_enabled: false ``` +### Tenancy-based Access Controls + +Each app can also be restricted to specific tenancies by setting: + +```yaml title="environments/my-site/inventory/group_vars/all/variables.yml" +# List of allowed tenancy IDs +azimuth_capi_operator_app_templates_{name}_tenancy_allow_list: +# List of denied tenancy IDs +azimuth_capi_operator_app_templates_{name}_tenancy_deny_list: +# Regex pattern to allow tenancies by name +azimuth_capi_operator_app_templates_{name}_tenancy_allow_regex: +# Regex pattern to block tenancies by name +azimuth_capi_operator_app_templates_{name}_tenancy_deny_regex: +``` + +In the case where a tenancy matches multiple restrictions, the same priorities listed in the corresponding +Kubernetes cluster configuration [section](./10-kubernetes-clusters.md#tenancy-based-access-controls) +are applicable. + ## Custom app templates If you have Helm charts that you want to make available as apps, you can define them as follows: diff --git a/docs/configuration/12-caas.md b/docs/configuration/12-caas.md index 8a3cade9..9c173be1 100644 --- a/docs/configuration/12-caas.md +++ b/docs/configuration/12-caas.md @@ -103,6 +103,25 @@ To disable the repo2docker appliance, use the following: azimuth_caas_stackhpc_repo2docker_enabled: no ``` +### Tenancy-based Access Controls + +Each of the StackHPC reference appliances can also be restricted to specific tenancies by setting: + +```yaml title="environments/my-site/inventory/group_vars/all/variables.yml" +# List of allowed tenancy IDs +azimuth_caas_stackhpc_{name}_tenancy_allow_list: +# List of denied tenancy IDs +azimuth_caas_stackhpc_{name}_tenancy_deny_list: +# Regex pattern to allow tenancies by name +azimuth_caas_stackhpc_{name}_tenancy_allow_regex: +# Regex pattern to block tenancies by name +azimuth_caas_stackhpc_{name}_tenancy_deny_regex: +``` + +In the case where a tenancy matches multiple restrictions, the same priorities listed in the corresponding +Kubernetes cluster configuration [section](./10-kubernetes-clusters.md#tenancy-based-access-controls) +are applicable. + ## Custom appliances It is possible to make custom appliances available in the Azimuth interface for users to deploy. diff --git a/requirements.yml b/requirements.yml index f4b59a6f..f1241d2f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,8 @@ --- collections: + - name: ansible.utils + version: 3.1.0 - name: https://github.com/stackhpc/ansible-collection-azimuth-ops.git type: git version: 0.4.2