Security Templates
Security Templates can either be Helm charts or plain Kubernetes manifests which are instantiated in spaces automatically as part of the space creation settings of an account.
Security Templates
Create Security Templates
Loft provides 2 default templates which will be added to each connected cluster:
loft-limit-range
for an example of a LimitRangeloft-network-policy
for an example of a NetworkPolicy
You can edit these templates if you want to or you can create your own templates as shown below.
- UI
- kubectl
Create file template.yaml
:
apiVersion: config.kiosk.sh/v1alpha1
kind: Template
metadata:
creationTimestamp: "2020-06-02T19:30:48Z"
generation: 1
name: network-isolation
resourceVersion: "705504"
selfLink: /apis/config.kiosk.sh/v1alpha1/templates/network-isolation
uid: efc3e5c0-7f35-4f83-8987-6258bfd33dec
resources:
manifests:
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-allow-same-namespace
spec:
ingress:
- from:
- podSelector: {}
podSelector: {}
policyTypes:
- Ingress
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-allow-internet-access
labels:
# You can also use template parameters such as ${namespace} or ${account}
created-in-namespace: ${namespace}
spec:
ingress:
- {}
podSelector:
matchLabels:
isolation.loft.sh/allow-internet-access: "true"
policyTypes:
- Ingress
Create the template using kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl create -f template.yaml
Enforce Security Templates
One of the most popular use cases for templates is to ensure cluster security and enforce isolation among users and spaces. However, creating a Template per se does nothing at all if you do not enforce the template.
You can enforce that certain templates are always applied to namespaces when they are being created by adding these templates as part of the "Space Creation Settings" of an account. See the examples below for instructions.
- UI
- kubectl
Create file template.yaml
:
apiVersion: config.kiosk.sh/v1alpha1
kind: Template
metadata:
creationTimestamp: "2020-06-02T19:30:48Z"
generation: 1
name: network-isolation
resourceVersion: "705504"
selfLink: /apis/config.kiosk.sh/v1alpha1/templates/network-isolation
uid: efc3e5c0-7f35-4f83-8987-6258bfd33dec
resources:
manifests:
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-deny-all
spec:
podSelector: {}
policyTypes:
- Ingress
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-allow-same-namespace
spec:
ingress:
- from:
- podSelector: {}
podSelector: {}
policyTypes:
- Ingress
- apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: ingress-allow-internet-access
spec:
ingress:
- {}
podSelector:
matchLabels:
isolation.loft.sh/allow-internet-access: "true"
policyTypes:
- Ingress
Create the template using kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl create -f template.yaml
Enforced templates are part of the "Space Creation Settings" which means that they are only looked at during the creation of new spaces. Changing the enforced templates will not be reflected in existing space nor will template instances be removed when a template is removed from the list of enforced templates.
Delete Security Templates
- UI
- kubectl
Delete a template using kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl delete template [TEMPLATE_NAME]
Deleting a template will not automatically delete the template instances nor will it automatically delete the Kubernetes objects or Helm charts created by the template instance. To delete the Kubernetes objects or Helm charts created by the template, remove the manifests and Helm chart definition from the template and wait until the controller has synchonized the changes to the template instances.
Deleting a template will not automatically delete the template from the list of enforced templates in any cluster account.
Security Template Instances
After enforcing a template for a certain account, Loft will instantiate the template in every new space that is being created with this account. These instances of a template can be tracked with the Loft CRD TemplateInstance.
To list all TemplateInstances in a certain namespace, run the following command:
kubectl get templateinstance -n [NAMESPACE]
Template instances keep track of the Helm charts and manifests they are creating. When the underlying template changes, the instance will automatically update the Helm chart or the modified manifests to keep everything in sync with the template.
Instantiate Security Templates
Of course, you can also manually instantiate a template by creating a TemplateInstance using kubectl
. By default, users will not be permitted to create/update/delete TemplateInstances but you can change this using standard Kubernetes RBAC.
Create file template-instance.yaml
:
apiVersion: config.kiosk.sh/v1alpha1
kind: TemplateInstance
metadata:
name: network-isolation-instance
namespace: some-namespace
spec:
sync: true
template: network-isolation
Create TemplateInstance using kubectl
:
kubectl apply -f template-instance.yaml
Delete Instances
Deleting template instances is only possible via kubectl
:
# IMPORTANT: Make sure to switch to the context of the connected cluster!
kubectl delete templateinstance -n [NAMESPACE] [TEMPLATE_INSTANCE_NAME]
Security Template Parameters
Template parameters are a way to allow template instances to change certain parts of a template. Currently, they can only be configured in the Loft UI via the Show Yaml
button or via kubectl
directly. Furthermore, there are several predefined parameters that can be used within a template, to change the deployed resources based on which namespace they got deployed in.
Parameters can be defined in the parameters
section of a template:
apiVersion: config.kiosk.sh/v1alpha1
kind: Template
metadata:
name: space-restrictions
# This section defines parameters that can be used for this template
# Can be used in resources.manifests and resources.helm.values
parameters:
# Name of the parameter
- name: DEFAULT_CPU_LIMIT
# The default value of the parameter
value: "1"
- name: DEFAULT_CPU_REQUESTS
value: "0.5"
# If a parameter is required the template instance will need to set it
# required: true
# Make sure only values are entered for this parameter
validation: "^[0-9]*\\.?[0-9]+$"
resources:
manifests:
- apiVersion: v1
kind: LimitRange
metadata:
name: space-limit-range
annotations:
# Parameters can also be used inside a string
# with ${namespace.metadata.annotations.myAnnotation}
example-parameter: "Hello from ${namespace} - ${WILL_NOT_BE_REPLACED}"
spec:
limits:
- default:
# Use the DEFAULT_CPU_LIMIT parameter here and
# parse it as json, which renders the "1" as 1.
cpu: "${{DEFAULT_CPU_LIMIT}}"
defaultRequest:
cpu: "${{DEFAULT_CPU_REQUESTS}}"
type: Container
The available predefined parameters that can be used without specifying them in the parameters
section are:
${namespace}
: Kubernetes name of the namespace / space the template got deployed in${account}
: Kubernetes name of the account that owns the namespace where the template got deployed in. Fails if the namespace is not owned by an account${namespace.metadata.annotations.MYANNOTATION}
: Value of the annotation on a namespace. If the annotation does not exist, instantiation of the template will fail.${namespace.metadata.labels.MYLABEL}
: Value of the label on a namespace. If the label does not exist, instantiation of the template will fail.${account.metadata.annotations.MYANNOTATION}
: Value of the annotation on the account that owns the namespace. If the annotation does not exist, instantiation of the template will fail.${account.metadata.labels.MYLABEL}
: Value of the label on the account that owns the namespace. If the label does not exist, instantiation of the template will fail.
Sync Security Template <> Instance
Template instances keep track of the Helm charts and manifests they are creating. When the underlying template changes, the instance will automatically update the Helm chart or the modified manifests to keep everything in sync with the template.