Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Documentation and default config for tenancy-based platform access controls #105

Closed
wants to merge 5 commits into from
Closed

Documentation and default config for tenancy-based platform access controls #105

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a059fd6
First draft of documentation for ACLs
Feb 19, 2024
49822ae
Add ansible.utils collection
Feb 20, 2024
1e4434d
Add note about applying restrictions to existing clusters
Feb 20, 2024
459ddef
Fix wording
Mar 4, 2024
4e2598e
Remove word
Mar 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions docs/configuration/10-kubernetes-clusters.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,39 @@ set:
azimuth_kubernetes_enabled: no
```

### Tenancy-based Access Controls

Alternatively, Kubernetes support can be restricted on a per-tenancy basis using the following variables:

```yaml title="environments/my-site/inventory/group_vars/all/variables.yml"
# List of allowed tenancy IDs
azimuth_capi_operator_cluster_templates_tenancy_allow_list:
# List of denied tenancy IDs
azimuth_capi_operator_cluster_templates_tenancy_deny_list:
# Regex pattern to allow tenancies by name
azimuth_capi_operator_cluster_templates_tenancy_allow_regex:
# Regex pattern to block tenancies by name
azimuth_capi_operator_cluster_templates_tenancy_deny_regex:
```

In the event that a given tenancy matches more than one of the above restrictions,
the following priorities are applied:
- IDs are prioritized over Regex pattern matches (e.g. if a tenancy ID is
present in the 'deny' list *and* the tenancies name matches an 'allow' pattern then access is *denied*)
- Deny is prioritized over allow (e.g. if a tenancy ID is present in both 'allow' and 'deny' lists then
access is *denied*)
- The presence of either (or both) of the 'allow' restrictions triggers a deny-by-default policy meaning that
any tenancies not matching one of the 'allow' specifications are denied

!!! info

Restricting access to Kubernetes cluster templates automatically applies the same
access restrictions to all [Kubernetes Apps](./11-kubernetes-apps.md).

Any restrictions which are applied to tenancies where clusters are already deployed will not delete existing clusters.
Instead, new cluster creation will be disabled and the 'update' and 'upgrade' functionality on existing clusters will also
be disabled so that only the 'delete' operation remains available.

## Kubernetes configuration

Kubernetes configuration is very similar for both the
Expand Down
19 changes: 19 additions & 0 deletions docs/configuration/11-kubernetes-apps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,25 @@ azimuth_capi_operator_app_templates_daskhub_enabled: false
azimuth_capi_operator_app_templates_kubeflow_enabled: false
```

### Tenancy-based Access Controls

Each app can also be restricted to specific tenancies by setting:

```yaml title="environments/my-site/inventory/group_vars/all/variables.yml"
# List of allowed tenancy IDs
azimuth_capi_operator_app_templates_{name}_tenancy_allow_list:
# List of denied tenancy IDs
azimuth_capi_operator_app_templates_{name}_tenancy_deny_list:
# Regex pattern to allow tenancies by name
azimuth_capi_operator_app_templates_{name}_tenancy_allow_regex:
# Regex pattern to block tenancies by name
azimuth_capi_operator_app_templates_{name}_tenancy_deny_regex:
```

In the case where a tenancy matches multiple restrictions, the same priorities listed in the corresponding
Kubernetes cluster configuration [section](./10-kubernetes-clusters.md#tenancy-based-access-controls)
are applicable.

## Custom app templates

If you have Helm charts that you want to make available as apps, you can define them as follows:
Expand Down
19 changes: 19 additions & 0 deletions docs/configuration/12-caas.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,25 @@ To disable the repo2docker appliance, use the following:
azimuth_caas_stackhpc_repo2docker_enabled: no
```

### Tenancy-based Access Controls

Each of the StackHPC reference appliances can also be restricted to specific tenancies by setting:

```yaml title="environments/my-site/inventory/group_vars/all/variables.yml"
# List of allowed tenancy IDs
azimuth_caas_stackhpc_{name}_tenancy_allow_list:
# List of denied tenancy IDs
azimuth_caas_stackhpc_{name}_tenancy_deny_list:
# Regex pattern to allow tenancies by name
azimuth_caas_stackhpc_{name}_tenancy_allow_regex:
# Regex pattern to block tenancies by name
azimuth_caas_stackhpc_{name}_tenancy_deny_regex:
```

In the case where a tenancy matches multiple restrictions, the same priorities listed in the corresponding
Kubernetes cluster configuration [section](./10-kubernetes-clusters.md#tenancy-based-access-controls)
are applicable.

## Custom appliances

It is possible to make custom appliances available in the Azimuth interface for users to deploy.
Expand Down
2 changes: 2 additions & 0 deletions requirements.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
---

collections:
- name: ansible.utils
version: 3.1.0
- name: https://github.com/stackhpc/ansible-collection-azimuth-ops.git
type: git
version: 0.4.2
Expand Down
Loading