manifests/gatekeeper

Gatekeeper and Kubeflow

Gatekeeper is a validating webhook for Kubernetes that enforces CRD-based access control policies. In Kubeflow, we use Gatekeeper to restrict controllers to their own namespaces. The details can be found here.

Installation

1. Follow the instructions here to install Gatekeeper controller.

2. Apply the constraint template in this directory:

kubectl apply -f constraint-template.yaml

Configuration

1. In order to configure contraints for your controllers, edit the ns-required-annotations.yaml file.

    # Fill in the service account name
    usernames: ["system:serviceaccount:(NAMESPACE):(SERVICEACCOUNT)"]
    # Replace with your own labels
    annotations: ["kubeflow-admins", "kubeflow-users"]

• Under usernames, enter the names of the service accounts used to deploy Kubeflow resources.
• Under annotations, enter your own label names.

2. Deploy the constraint:

kubectl apply -f ns-required-annotations.yaml

Usage

The constraint is now enabled. You can test that the constraint is working by creating a namespace without the required labels:

apiVersion: v1
kind: Namespace
metadata:
  name: kubeflow

Then try to create any resource under this namespace using one of the restricted users' credentials. This should result in an access violation:

Missing labels for user SERVICEACCOUNT namespace kubeflow: Required one of labels: ["kubeflow-admins", "kubeflow-users"] Actual labels: None

Now add the required labels to the namespace:

apiVersion: v1
kind: Namespace
metadata:
  name: kubeflow
  annotations:
    category: kubeflow-admins

Then try to create the same source again, and it should work.