Demonstrations of secure self-service for Kubernetes Namespaces with Policy as Code
nirmata/demo-namespaces-as-a-service
Self-Service Namespaces with Policy as Code (PaC)

This repository contains a demo of self-service namespaces (aka namespaces-as-a-service) and apps, using ArgoCD for GitOps and Kyverno for Policy as Code (PaC).

The setup runs ArgoCD on its own hub cluster and creates namespaces and applications on a shared cluster. For the demo, we will use kind clusters for both. In a production setup the shared cluster will have auto-scalers for resizing.

Installation

  1. Install kind and create a cluster for ArgoCD:

kind create cluster --name argocd

  2. Install and configure ArgoCD:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
kubectl port-forward svc/argocd-server -n argocd 8080:443

Navigate to: https://127.0.0.1:8080/

Install the argocd CLI and log in, using the admin password printed above in place of <SECRET>:

argocd login localhost:8080 --username admin --password <SECRET>

Update the ArgoCD ConfigMap to track resources based on annotations. This is required to clean up self-service namespaces:

argoproj/argo-cd#7875 (comment)

kubectl -n argocd patch configmap argocd-cm --type merge -p '{"data":{"application.resourceTrackingMethod": "annotation+label"}}'
kubectl -n argocd patch configmap argocd-cm --type merge -p '{"data":{"application.instanceLabelKey": "argocd.argoproj.io/instance"}}'

Install the ArgoCD application sets:

kubectl apply -f config/argocd-cluster/appsets/

  3. Install and configure Kyverno

Install the latest (testing) build of Kyverno; this is not recommended for production:

kubectl create -f https://github.com/kyverno/kyverno/raw/main/config/install-latest-testing.yaml

Install Kyverno policies for the argocd cluster:

kubectl apply -f config/argocd-cluster/roles/
kubectl apply -f config/argocd-cluster/policies/

  4. Create a shared cluster

To allow ArgoCD on the argocd cluster to communicate with the shared cluster, the shared cluster needs to be configured to use an external IP address, i.e. the address of your local machine.

Run this script to create a kind configuration:

./config/shared-cluster/kind/create.sh

Create the kind cluster:

kind create cluster --name shared --config /tmp/kind-config.yaml

Register the kind cluster with ArgoCD:

argocd cluster add kind-shared  -y

  5. Create secure self-service apps and namespaces

When the shared cluster is registered with ArgoCD, a cluster secret is created in the argocd namespace. The Kyverno policy create-cluster-appset.yaml watches for that secret and automatically creates an ApplicationSet, which in turn watches the Git directory https://github.com/nirmata/demo-namespaces-as-a-service/tree/main/kind-shared for new values files containing application requests.

NOTE: If you fork the repository, please update the policy to point to your own location for the Git commits.
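How the trigger and the generated resource fit together, as an added illustration written for this README (it is not the repository's own create-cluster-appset.yaml): a Kyverno generate rule that fires on the ArgoCD cluster Secret and emits the ApplicationSet. The policy name, the Application template fields and the values-file keys (name, namespace, repoURL, targetRevision, path) are assumptions, and applying it needs the generate RBAC from config/argocd-cluster/roles/.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: create-cluster-appset-example   # assumed name, not the repo's policy
spec:
  rules:
  - name: appset-per-registered-cluster
    # Trigger: the cluster Secret that `argocd cluster add` writes into the
    # argocd namespace (ArgoCD labels it secret-type=cluster).
    match:
      any:
      - resources:
          kinds:
          - Secret
          namespaces:
          - argocd
          selector:
            matchLabels:
              argocd.argoproj.io/secret-type: cluster
    generate:
      apiVersion: argoproj.io/v1alpha1
      kind: ApplicationSet
      # decoded data.name = registered cluster name (kind-shared), also the Git dir
      name: "{{ request.object.data.name | base64_decode(@) }}-apps"
      namespace: argocd
      synchronize: true  # ApplicationSet follows the Secret, including deletion
      data:
        spec:
          goTemplate: true
          generators:
          - git:
              repoURL: https://github.com/nirmata/demo-namespaces-as-a-service.git
              revision: main
              files:  # one Application per values file in the cluster directory
              - path: "{{ request.object.data.name | base64_decode(@) }}/*.yaml"
          # '\{{ }}' is passed through to ArgoCD rather than evaluated by Kyverno
          template:
            metadata:
              name: '\{{ .name }}'
            spec:
              project: default
              source:
                repoURL: '\{{ .repoURL }}'
                targetRevision: '\{{ .targetRevision }}'
                path: '\{{ .path }}'
              destination:
                server: "{{ request.object.data.server | base64_decode(@) }}"
                namespace: '\{{ .namespace }}'
              syncPolicy:
                automated: {}
```

With synchronize set, removing the cluster registration (and so the Secret) removes the generated ApplicationSet as well.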

Check in Applications or ApplicationSets to the https://github.com/nirmata/demo-namespaces-as-a-service/tree/main/kind-shared repository directory.

See sample-apps for examples.

Cleanup

To clean up, delete the two kind clusters:

kind delete cluster --name shared
kind delete cluster --name argocd
