implement ns-authz

ns-authz/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: ns-authz
+description: A Helm chart to automatically grant cluster-admin to the default ServiceAccount in every new namespace.
+type: application
+version: 0.1.0
+appVersion: "1.0.0"

ns-authz/README.md

@@ -0,0 +1,35 @@
+# ns-authz Helm Chart
+
+This chart deploys a lightweight namespace watcher that automatically grants the \`cluster-admin\` role to the default ServiceAccount in every new namespace.
+
+## Features
+
+- Automatic Namespace Detection
+- RoleBinding Creation for each new namespace
+- Idempotent operation
+- Minimal logging
+- Self-contained using a lightweight kubectl image
+- Helm-based install/uninstall
+
+## Installation
+
+```bash
+helm install ns-authz ./ns-authz --namespace kube-system
+```
+
+## Uninstallation
+
+```bash
+helm uninstall ns-authz --namespace kube-system
+```
+
+## Verification
+
+1. Create a new namespace:
+   ```bash
+   kubectl create namespace test-ns
+   ```
+2. Check the watcher pod logs:
+   ```bash
+   kubectl logs -l app=ns-authz -n kube-system
+   ```

ns-authz/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ns-authz-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}

ns-authz/templates/configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ns-authz-script
+data:
+  watcher.sh: |-
+{{ (.Files.Get "watcher.sh") | indent 4 }}

ns-authz/templates/deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ns-authz
+  labels:
+    app: ns-authz
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      app: ns-authz
+  template:
+    metadata:
+      labels:
+        app: ns-authz
+    spec:
+      serviceAccountName: {{ .Values.serviceAccount.name }}
+      containers:
+      - name: ns-authz
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        command: ["/bin/sh", "/scripts/watcher.sh"]
+        volumeMounts:
+        - name: script-volume
+          mountPath: /scripts
+      volumes:
+      - name: script-volume
+        configMap:
+          name: ns-authz-script
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}

ns-authz/templates/serviceaccount.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

ns-authz/values.yaml

@@ -0,0 +1,18 @@
+replicaCount: 1
+
+image:
+  repository: bitnami/kubectl
+  tag: latest
+  pullPolicy: IfNotPresent
+
+serviceAccount:
+  name: ns-authz-sa
+  create: true
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

ns-authz/watcher.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+
+ROLEBINDING_NAME="cluster-admin-binding"
+
+echo "starting namespace watcher..."
+
+ensureClusterRoleBinding() {
+    local ns="$1"
+    local sa="$2"
+
+    # Strip off the leading 'namespace/'
+    local nsName="${1#namespace/}"
+    local clusterRoleBindingName="${ROLEBINDING_NAME}-${nsName}-${sa}"
+
+    echo "ensuring CRB '$clusterRoleBindingName'..."
+
+    if kubectl get clusterrolebinding "$clusterRoleBindingName" -o name >/dev/null 2>&1; then
+       echo "CRB already exists, skipping"
+       return
+    fi
+
+    echo "creating CRB '$clusterRoleBindingName'..."
+
+    kubectl create clusterrolebinding "$clusterRoleBindingName" \
+        --clusterrole=cluster-admin \
+        --serviceaccount="${nsName}:${sa}"
+}
+
+kubectl get namespaces --watch -o name | while read ns; do
+    ensureClusterRoleBinding $ns "default"
+    ensureClusterRoleBinding $ns "kurtosis-api"
+done