Merge branch 'develop' into issue_241

Author: ecsmyth

docs/SUMMARY.md

@@ -13,6 +13,9 @@
   - [The `chime-live` Cluster](./operations/chime-live-cluster.md)
   - [Deploy to Heroku](./operations/heroku.md)
   - [Deploy to Your Own Cluster](./operations/byok8s.md)
+  - [Limited Cluster Access for Deployment][1]
 - [Code of Conduct](CODE_OF_CONDUCT.md)
 - [Maintainers](MAINTAINERS.md)
 - [Glossary](GLOSSARY.md)
+
+[1]: ./operations/limited-kubeconfigs/limited-kubeconfigs.md

docs/operations/limited-kubeconfigs/limited-kubeconfigs.md

@@ -0,0 +1,147 @@
+# Creating Kubeconfigs with Limited Permissions
+
+## Create a Role
+
+Kubernetes has two primary resources which represent a set of permissions,
+Roles and ClusterRoles. ClusterRoles apply to resources in all namespaces,
+whereas Roles are limited to a specific namespace. Let's create a Role in the
+chime namespace which will allow read/write access to Deployments and
+read-only access to Pods.
+
+deployer.yaml:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployer
+  namespace: chime
+rules:
+- apiGroups:
+    - apps
+  resources:
+    - deployments
+  verbs:
+    # we are _not_ including 'create' and 'delete'
+    - get
+    - list
+    - watch
+    - update
+    - patch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    # so that we can observe our pods getting created
+    - get
+    - list
+    - watch
+```
+
+## Create a ServiceAccount
+
+One of the subjects which can take on a Role is a ServiceAccount. Let's
+create a ServiceAccount called penn-deployer in the chime namespace:
+
+```
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: penn-deployer
+  namespace: chime
+```
+
+## Create a RoleBinding
+
+We can now give the ServiceAccount the Role that we created earlier using a
+RoleBinding in the chime namespace.
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: penn-deployer:deployer
+  namespace: chime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployer
+subjects:
+  - kind: ServiceAccount
+    name: penn-deployer
+    namespace: chime
+```
+
+## Grabbing the token for the ServiceAccount
+
+Every ServiceAccount gets a token, lets grab it.
+
+```
+k get secrets -n chime
+```
+
+Look for `penn-deployer-token-<hash>`
+
+```
+k get secrets -n chime penn-deployer-token-<hash>
+```
+
+Grab the "token:" base64 encoded token.
+
+*base64 decode this token, which will produce base64*
+
+## Creating a token-based kubeconfig
+
+Now take a look at the Kubeconfig that you are currently using. Does it use a
+token? If so, you can construct a Kubeconfig for this ServiceAccount by copying
+your kubeconfig and replacing the token and user name with this decoded token
+and the user name "penn-deployer".
+
+It will look something like this:
+
+```
+apiVersion: v1
+kind: Config
+preferences: {}
+
+clusters:
+- name: chime-cluster
+  cluster:
+    certificate-authority-data: <ca-cert-base64, same as existing>
+    server: https://<server-hostname>:<server-port>
+
+users:
+- name: penn-deployer
+  user:
+    as-user-extra: {}
+    token: <ServiceAccount token! Be very sure that this is the ServiceAccount token!>
+
+contexts:
+- name: penn-deployer-chime
+  context:
+    cluster: chime-cluster
+    user: penn-deployer
+    namespace: chime
+
+current-context: penn-deployer-chime
+```
+
+## Test out your token-based Kubeconfig
+
+You can now use this ServiceAccount to modify Deployments, and view Pods, but do nothing else.
+
+```
+$ k get pods -A
+Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:chime:penn-deployer" cannot list resource "pods" in API group "" at the cluster scope
+```
+
+```
+$ export KUBECONFIG=new-kubeconfig.yaml
+$ k get pods -n chime
+$ k get deployments -n chime
+# deploy version 0.5.0
+$ k set image deployment/chime -n chime chime=docker.pkg.github.com/codeforphilly/chime/penn-chime:0.5.0 --record
+# observe status of deployment
+$ k get pods -n chime
+```

docs/operations/limited-kubeconfigs/manifests/deployer.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployer
+  namespace: chime
+rules:
+- apiGroups:
+  - apps/v1
+  resources:
+  - deployments
+  verbs:
+  # we are _not_ including 'create' and 'delete'
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    # so that we can observe our pods getting created
+    - get
+    - list
+    - watch

docs/operations/limited-kubeconfigs/manifests/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: penn-deployer:deployer
+  namespace: chime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployer
+subjects:
+  - kind: ServiceAccount
+    name: penn-deployer
+    namespace: chime

docs/operations/limited-kubeconfigs/manifests/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: penn-deployer
+  namespace: chime

k8s-preprod/app.yaml

@@ -0,0 +1,141 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: chime
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: chime
+  namespace: chime
+  labels:
+    app: chime
+spec:
+  replicas: 15
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: chime
+  template:
+    metadata:
+      labels:
+        app: chime
+    spec:
+      containers:
+      - image: docker.pkg.github.com/codeforphilly/chime/penn-chime:0.4.1
+        name: chime
+        ports:
+        - containerPort: 8000
+          name: http
+          protocol: TCP
+      imagePullSecrets:
+      - name: regcred
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: chime
+  namespace: chime
+  labels:
+    app: chime
+spec:
+  selector:
+    app: chime
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8000
+
+---
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: chime
+  namespace: chime
+  labels:
+    app: chime
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+spec:
+  tls:
+  - hosts:
+    - penn-chime.bus.phl.io
+    - penn-chime-alt.bus.phl.io
+    secretName: tls-secret
+  rules:
+  - host: penn-chime.bus.phl.io
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: chime
+          servicePort: 80
+  - host: penn-chime-alt.bus.phl.io
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: chime
+          servicePort: 80
+
+---
+
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: chime-static
+  namespace: chime
+  labels:
+    app: chime
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-buffering: "on"  # Important!
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      location / {
+      sub_filter </head>
+        '<!-- Google Tag Manager -->
+        <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+        new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+        'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+        })(window,document,'script','dataLayer','GTM-KBZ6ZKX');</script>
+        <!-- End Google Tag Manager -->';
+      sub_filter </body>
+        '<!-- Google Tag Manager (noscript) -->
+        <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KBZ6ZKX"
+        height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
+        <!-- End Google Tag Manager (noscript) -->'
+        sub_filter_once on;
+      }
+      proxy_cache static-cache;
+      proxy_cache_valid 404 1m;
+      proxy_cache_valid 200 10m;
+      proxy_cache_use_stale error timeout updating http_404 http_500 http_502 http_503 http_504;
+      proxy_cache_bypass $http_x_purge;
+      proxy_cache_key $proxy_upstream_name$request_uri;
+      proxy_cache_lock on;
+      proxy_cache_use_stale updating;
+      add_header X-Cache-Status $upstream_cache_status;
+spec:
+  rules:
+  - host: penn-chime.bus.phl.io
+    http:
+      paths:
+      - path: /static/
+        backend:
+          serviceName: chime
+          servicePort: 80
+  - host: penn-chime-alt.bus.phl.io
+    http:
+      paths:
+      - path: /static/
+        backend:
+          serviceName: chime
+          servicePort: 80