From a059fd6b17ea6504566af90f73ada013c914c240 Mon Sep 17 00:00:00 2001 From: sd109 Date: Mon, 19 Feb 2024 17:07:58 +0000 Subject: [PATCH 1/5] First draft of documentation for ACLs --- docs/configuration/10-kubernetes-clusters.md | 30 ++++++++++++++++++++ docs/configuration/11-kubernetes-apps.md | 19 +++++++++++++ docs/configuration/12-caas.md | 19 +++++++++++++ 3 files changed, 68 insertions(+) diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md index fe933d1c..5bd0aed3 100644 --- a/docs/configuration/10-kubernetes-clusters.md +++ b/docs/configuration/10-kubernetes-clusters.md 
@@ -43,6 +43,36 @@ set: azimuth_kubernetes_enabled: no ``` +### Tenancy-based Access Controls + +Alternatively, Kubernetes support can be restricted on a per-tenancy basis using the following variables: + +```yaml title="environments/my-site/inventory/group_vars/all/variables.yml" +# List of allowed tenancy IDs +azimuth_capi_operator_cluster_templates_tenancy_allow_list: +# List of denied tenancy IDs +azimuth_capi_operator_cluster_templates_tenancy_deny_list: +# Regex pattern to allow tenancies by name +azimuth_capi_operator_cluster_templates_tenancy_allow_regex: +# Regex pattern to block tenancies by name +azimuth_capi_operator_cluster_templates_tenancy_deny_regex: +``` + +In the event that a given tenancy matches more than one of the above restrictions, +the following priorities are applied: + - IDs are prioritized over Regex pattern matches (e.g. if a tenancy ID is +present in the 'deny' list *and* the tenancies name matches an 'allow' pattern then access is *denied*) +- Deny is prioritized over allow (e.g. if a tenancy ID is present in both 'allow' and 'deny' lists then +access is *denied*) +- The presence of either (or both) of the 'allow' restrictions are defined then a deny-by-default policy is enacted so that +any tenancies not matching the one of the 'allow' specifications are denied + +!!! info + + Restricting access to Kubernetes cluster templates automatically applies the same + access restrictions to all [Kubernetes Apps](./11-kubernetes-apps.md). + + ## Kubernetes configuration Kubernetes configuration is very similar for both the diff --git a/docs/configuration/11-kubernetes-apps.md b/docs/configuration/11-kubernetes-apps.md index 2fe6ba4f..b9cd139c 100644 --- a/docs/configuration/11-kubernetes-apps.md +++ b/docs/configuration/11-kubernetes-apps.md 
@@ -69,6 +69,25 @@ azimuth_capi_operator_app_templates_daskhub_enabled: false azimuth_capi_operator_app_templates_kubeflow_enabled: false ``` +### Tenancy-based Access Controls + +Each app can also be restricted to specific tenancies by setting: + +```yaml title="environments/my-site/inventory/group_vars/all/variables.yml" +# List of allowed tenancy IDs +azimuth_capi_operator_app_templates_{name}_tenancy_allow_list: +# List of denied tenancy IDs +azimuth_capi_operator_app_templates_{name}_tenancy_deny_list: +# Regex pattern to allow tenancies by name +azimuth_capi_operator_app_templates_{name}_tenancy_allow_regex: +# Regex pattern to block tenancies by name +azimuth_capi_operator_app_templates_{name}_tenancy_deny_regex: +``` + +In the case where a tenancy matches multiple restrictions, the same priorities listed in the corresponding +Kubernetes cluster configuration [section](./10-kubernetes-clusters.md#tenancy-based-access-controls) +are applicable. + ## Custom app templates If you have Helm charts that you want to make available as apps, you can define them as follows: diff --git a/docs/configuration/12-caas.md b/docs/configuration/12-caas.md index 8a3cade9..9c173be1 100644 --- a/docs/configuration/12-caas.md +++ b/docs/configuration/12-caas.md 
@@ -103,6 +103,25 @@ To disable the repo2docker appliance, use the following: azimuth_caas_stackhpc_repo2docker_enabled: no ``` +### Tenancy-based Access Controls + +Each of the StackHPC reference appliances can also be restricted to specific tenancies by setting: + +```yaml title="environments/my-site/inventory/group_vars/all/variables.yml" +# List of allowed tenancy IDs +azimuth_caas_stackhpc_{name}_tenancy_allow_list: +# List of denied tenancy IDs +azimuth_caas_stackhpc_{name}_tenancy_deny_list: +# Regex pattern to allow tenancies by name +azimuth_caas_stackhpc_{name}_tenancy_allow_regex: +# Regex pattern to block tenancies by name +azimuth_caas_stackhpc_{name}_tenancy_deny_regex: +``` + +In the case where a tenancy matches multiple restrictions, the same priorities listed in the corresponding +Kubernetes cluster configuration [section](./10-kubernetes-clusters.md#tenancy-based-access-controls) +are applicable. + ## Custom appliances It is possible to make custom appliances available in the Azimuth interface for users to deploy. From 49822aec43841927b62715c793c8203d3693eeb6 Mon Sep 17 00:00:00 2001 From: sd109 Date: Tue, 20 Feb 2024 10:37:54 +0000 Subject: [PATCH 2/5] Add ansible.utils collection --- requirements.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/requirements.yml b/requirements.yml index f4b59a6f..f1241d2f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,8 @@ --- collections: + - name: ansible.utils + version: 3.1.0 - name: https://github.com/stackhpc/ansible-collection-azimuth-ops.git type: git version: 0.4.2 From 1e4434d85d83c060f78c31b1bc44068ce54a351b Mon Sep 17 00:00:00 2001 From: sd109 Date: Tue, 20 Feb 2024 11:24:34 +0000 Subject: [PATCH 3/5] Add note about applying restrictions to existing clusters --- docs/configuration/10-kubernetes-clusters.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md index 5bd0aed3..580d031a 100644 --- a/docs/configuration/10-kubernetes-clusters.md +++ b/docs/configuration/10-kubernetes-clusters.md @@ -72,6 +72,9 @@ any tenancies not matching the one of the 'allow' specifications are denied Restricting access to Kubernetes cluster templates automatically applies the same access restrictions to all [Kubernetes Apps](./11-kubernetes-apps.md). +Any restrictions which are applied to tenancies where clusters are already deployed will not delete existing clusters. +Instead, new cluster creation will be disabled and the 'update' and 'upgrade' functionality on existing clusters will also +be disabled so that only the 'delete' operation remains available. ## Kubernetes configuration From 459ddeff85bb661d12959c24a8c4777833f3adff Mon Sep 17 00:00:00 2001 From: sd109 Date: Mon, 4 Mar 2024 14:14:13 +0000 Subject: [PATCH 4/5] Fix wording --- docs/configuration/10-kubernetes-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md index 580d031a..a9d6bb91 100644 --- a/docs/configuration/10-kubernetes-clusters.md +++ b/docs/configuration/10-kubernetes-clusters.md @@ -64,7 +64,7 @@ the following priorities are applied: present in the 'deny' list *and* the tenancies name matches an 'allow' pattern then access is *denied*) - Deny is prioritized over allow (e.g. if a tenancy ID is present in both 'allow' and 'deny' lists then access is *denied*) -- The presence of either (or both) of the 'allow' restrictions are defined then a deny-by-default policy is enacted so that +- The presence of either (or both) of the 'allow' restrictions triggers a deny-by-default policy meaning that any tenancies not matching the one of the 'allow' specifications are denied !!! info From 4e2598ed3df474002fe9c18c682299332380e8ed Mon Sep 17 00:00:00 2001 
From: sd109 Date: Mon, 4 Mar 2024 14:14:46 +0000 Subject: [PATCH 5/5] Remove word --- docs/configuration/10-kubernetes-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/10-kubernetes-clusters.md b/docs/configuration/10-kubernetes-clusters.md index a9d6bb91..58093fa1 100644 --- a/docs/configuration/10-kubernetes-clusters.md +++ b/docs/configuration/10-kubernetes-clusters.md @@ -65,7 +65,7 @@ present in the 'deny' list *and* the tenancies name matches an 'allow' pattern t - Deny is prioritized over allow (e.g. if a tenancy ID is present in both 'allow' and 'deny' lists then access is *denied*) - The presence of either (or both) of the 'allow' restrictions triggers a deny-by-default policy meaning that -any tenancies not matching the one of the 'allow' specifications are denied +any tenancies not matching one of the 'allow' specifications are denied !!! info
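Review bot: the priority list in the PATCH 1 hunk for 10-kubernetes-clusters.md is hard to follow and its Markdown is inconsistent: the first bullet is indented by one space (` - IDs are prioritized over Regex pattern matches`) while the other two are not, and there is no blank line between "the following priorities are applied:" and the list, so some renderers will fold the first bullet into the paragraph. Suggest de-indenting the first bullet, adding the blank line, and correcting "the tenancies name" to "the tenancy's name". The hunk should also state what the regex is matched against and how: the comments say "Regex pattern to allow tenancies by name" but not whether a pattern must match the whole name or only a substring; an unanchored pattern such as `prod` would also match a tenancy named `nonprod`, so operators should be told to anchor patterns when a full match is intended. Finally, the YAML example lists all four variables with empty values, which a reader may copy verbatim; showing one list and one pattern with clearly marked example values would make the expected types (list versus string) explicit.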
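Review bot: `{name}` in the variable names of the 11-kubernetes-apps.md hunk is never defined; the context lines show `azimuth_capi_operator_app_templates_daskhub_enabled` and `azimuth_capi_operator_app_templates_kubeflow_enabled`, so one sentence stating that `{name}` is the same app identifier used in those `_enabled` variables (e.g. `daskhub`) would remove the ambiguity. The hunk should also say how a per-app restriction combines with the cluster-template restriction, since the clusters page states that the cluster-template restriction is inherited by all apps: if a tenancy is denied at the cluster-template level but listed in an app's allow list, operators need to know which takes effect so they can reason about the resulting policy.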
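Review bot: the 12-caas.md hunk has the same gap: `{name}` in `azimuth_caas_stackhpc_{name}_tenancy_allow_list` is not explained, and the context shows `azimuth_caas_stackhpc_repo2docker_enabled`, so state that `{name}` is the appliance identifier used in those `_enabled` variables (e.g. `repo2docker`). The note on already-deployed resources added in PATCH 3 is documented only for Kubernetes clusters; if restricting an appliance has the same effect on existing appliance instances (creation and update disabled, delete still available) that should be said here as well, and if the behaviour differs, the difference is worth calling out.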
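Review bot: the requirements.yml hunk pins `ansible.utils` at `version: 3.1.0` without saying what it is used for, and none of the documentation hunks in this series mention it; the commit message or a comment beside the entry should name the filter or module that depends on the collection, otherwise a later cleanup could drop it. The exact pin itself is consistent with the existing `version: 0.4.2` entry, so no change is needed there.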
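Review bot: the paragraph added after the `!!! info` admonition in the PATCH 3 hunk is security-relevant enough to deserve its own admonition (a `!!! warning` block, matching the document's existing admonition style) rather than a plain paragraph: operators need to notice that applying a deny does not remove existing clusters and that users in a denied tenancy keep the 'delete' operation. It would also help to state whether existing clusters keep running with their current configuration until deleted, since "update" and "upgrade" being disabled means they will no longer receive changes applied through Azimuth.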
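Review bot: PATCH 4 and PATCH 5 only reword one bullet introduced in PATCH 1 (`- The presence of either (or both) of the 'allow' restrictions triggers a deny-by-default policy meaning that` followed by `any tenancies not matching one of the 'allow' specifications are denied`); squashing them into PATCH 1 would keep the series bisectable and leave the final wording in a single commit. The resulting sentence still reads awkwardly; suggest "If either 'allow' restriction is set, access is denied by default and only tenancies matching one of the 'allow' specifications are permitted."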