
I've got a cluster with a number of already existing namespaces, and an automation process that creates (and manages) new namespaces using Terraform.

The service account used for TF has been given roles with permissions on all namespaces - as I believe this is the only possible solution (TF needs them to manage namespaces).
But because of that, it is also able to modify (& delete) the namespaces that were created before, outside of the Terraform process - and this is something I'd like to prevent/block.

So here's my question - is it possible to restrict this automation process from modifying already existing namespaces?
The idea for distinguishing between old and new namespaces is simply to add labels to the new ones created by TF, but I am not aware of any mechanism that could then prohibit modifications based on such labels...

*Admission controllers seem remotely suitable, but I'm completely new to that topic and not sure if those can be used for such purposes.

jarobar435
  • Do you want to restrict this automation process in Terraform or somewhere else? – Mikołaj Głodziak Dec 01 '21 at 07:34
  • Terraform is just a tool to process user input in this scenario; it needs to be restricted on the cluster/k8s level. – jarobar435 Dec 01 '21 at 10:03
  • Which version of Kubernetes did you use, and how did you set up the cluster? Did you use a bare-metal installation or some cloud provider? It is important to reproduce your problem. – Mikołaj Głodziak Dec 03 '21 at 14:25
  • I think there might have been a misunderstanding. I don't have a problem to reproduce; I have a working process that I want to secure against improper usage/user input, and hence the question - whether it is possible. To recap and simplify, the scenario is as follows: happy path - the user provides a valid config, then resources (new namespace etc.) are created on the cluster; path I want to prohibit - the user provides an invalid (but working) config or somehow references an already existing namespace -> the existing namespaces could be affected (e.g. a new, unwanted resource added). – jarobar435 Dec 03 '21 at 17:50
  • Did you see [this page](https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors) and [this one](https://istio.io/latest/docs/reference/config/security/authorization-policy/)? Can they help you solve the problem? – Mikołaj Głodziak Dec 08 '21 at 14:14

0 Answers
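The question has no answer on the page, so the following is an added example (not the asker's code, and not something the thread proposes) of the label-based admission check the asker is looking for, written against the built-in ValidatingAdmissionPolicy API (admissionregistration.k8s.io/v1, GA in Kubernetes 1.30; it did not exist when the question was asked). It assumes two things that are not in the question and are purely illustrative: the Terraform service account is `system:serviceaccount:terraform:terraform`, and Terraform labels every namespace it creates with `managed-by=terraform`. The first policy guards the Namespace objects themselves, the second guards everything inside a namespace (the "new, unwanted resource added" case from the comments).

```yaml
# Added example (not from the question): two ValidatingAdmissionPolicies that let the
# Terraform service account touch only the namespaces it created. Assumptions: the
# service account is system:serviceaccount:terraform:terraform and Terraform labels
# every namespace it creates with managed-by=terraform (both names are hypothetical).
---
# Policy 1: the Namespace objects themselves. The check is made against oldObject
# (the namespace as it was before this request), so an UPDATE that adds the label
# to a pre-existing namespace is denied instead of "adopting" it.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: terraform-may-touch-only-managed-namespaces
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE", "DELETE"]
      resources: ["namespaces"]
  matchConditions:
  # Only requests made by the Terraform service account are evaluated; everyone else is unaffected.
  - name: is-terraform-service-account
    expression: "request.userInfo.username == 'system:serviceaccount:terraform:terraform'"
  validations:
  # New namespaces must carry the marker, otherwise Terraform could never manage them again.
  - expression: >-
      request.operation != 'CREATE' ||
      (has(object.metadata.labels) && 'managed-by' in object.metadata.labels &&
       object.metadata.labels['managed-by'] == 'terraform')
    message: "namespaces created by Terraform must be labelled managed-by=terraform"
  # Existing namespaces may be updated or deleted only if the marker was already present.
  - expression: >-
      request.operation == 'CREATE' ||
      (has(oldObject.metadata.labels) && 'managed-by' in oldObject.metadata.labels &&
       oldObject.metadata.labels['managed-by'] == 'terraform')
    message: "Terraform may not modify or delete a namespace it did not create (label managed-by=terraform missing)"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: terraform-may-touch-only-managed-namespaces
spec:
  policyName: terraform-may-touch-only-managed-namespaces
  validationActions: ["Deny"]
---
# Policy 2: everything inside a namespace. The label is read from namespaceObject, the
# namespace as stored in the cluster, which policy 1 prevents Terraform from relabelling.
# Cluster-scoped resources (namespaceObject == null) are left alone here, and Namespace
# objects are excluded because policy 1 already covers them.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: terraform-may-write-only-in-managed-namespaces
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
    - apiGroups: ["*"]
      apiVersions: ["*"]
      operations: ["CREATE", "UPDATE", "DELETE"]
      resources: ["*/*"]
    excludeResourceRules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      operations: ["*"]
      resources: ["namespaces"]
  matchConditions:
  - name: is-terraform-service-account
    expression: "request.userInfo.username == 'system:serviceaccount:terraform:terraform'"
  validations:
  - expression: >-
      namespaceObject == null ||
      (has(namespaceObject.metadata.labels) && 'managed-by' in namespaceObject.metadata.labels &&
       namespaceObject.metadata.labels['managed-by'] == 'terraform')
    message: "Terraform may only create or change resources in namespaces labelled managed-by=terraform"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: terraform-may-write-only-in-managed-namespaces
spec:
  policyName: terraform-may-write-only-in-managed-namespaces
  validationActions: ["Deny"]
```

Three points worth checking before relying on this. First, the namespace rule deliberately inspects `oldObject` rather than using a `namespaceSelector` on the binding: for a request whose object is itself a Namespace, the selector is evaluated against the incoming object's labels (that is the documented behaviour of `matchResources.namespaceSelector`), so a single UPDATE that adds `managed-by=terraform` to an old namespace would slip past a selector-only design. Second, admission policies are only as strong as the RBAC around them: the Terraform service account must not be allowed to create, update or delete `admissionregistration.k8s.io` resources, or it could simply remove the policy. Third, a quick manual check is `kubectl --as=system:serviceaccount:terraform:terraform label namespace kube-system managed-by=terraform`, which should be denied with the policy's message (impersonation needs the `impersonate` verb for the user running it). On clusters older than 1.30 the same two rules have to be implemented in a validating webhook such as Kyverno or OPA Gatekeeper, since the built-in policy API is not available there.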