Namespace overhaul (google#161)

* s/kube-system/kctf/system/g

* update gcloud

* move netpol creation back to initializer

* remove check for namespace == chalname

* use chal name in app= instead of namespace

* update Makefile not to touch the namespace

* remove namespace from samples and skeleton

* workflow: delete all challenges before starting a new one

* wait until deployment exists

* Automated commit: update images.

Co-authored-by: Stephen Roettger <[email protected]>

.github/workflows/update-images.yaml

@@ -90,7 +90,7 @@ jobs:
       if: steps.modified.outputs.modified
       uses: google-github-actions/setup-gcloud@master
       with:
-        version: '270.0.0'
+        version: '319.0.0'
         service_account_email: ${{ secrets.GCR_EMAIL }}
         service_account_key: ${{ secrets.GCR_KEY }}
 
@@ -152,7 +152,7 @@ jobs:
     - name: Setup gcloud CLI
       uses: google-github-actions/setup-gcloud@master
       with:
-        version: '270.0.0'
+        version: '319.0.0'
         service_account_email: ${{ secrets.GKE_EMAIL }}
         service_account_key: ${{ secrets.GKE_KEY }}
 
@@ -181,12 +181,23 @@ jobs:
       run: |
         export PATH=$PATH:$PWD/bin
         cd samples
+        for challenge_name in $(kctf-kubectl get challenges -o "jsonpath={.items[*].metadata.name}"); do
+          kctf-kubectl delete "challenge/${challenge_name}"
+        done
         for f in *; do
           if [ ! "$f" == "kctf-conf" ]; then
             pushd $f
               CHALLENGE_NAME="$(yq read challenge.yaml 'metadata.name')"
-              make stop || true
               make start
+              # We want to wait for the deployment to be available, but it
+              # might not have been created yet by the operator.
+              # Ideally, we would expose the condition in the operator but I
+              # don't think that's currently possible.
+              for i in {1..5}; do
+                kctf-kubectl get "deployment/${CHALLENGE_NAME}" && break
+                echo "deployment/${CHALLENGE_NAME} doesn't exist yet, sleeping"
+                sleep 5
+              done
               kctf-kubectl wait --for=condition=available --timeout=5m "deployment/${CHALLENGE_NAME}"
               make stop
             popd

base/Makefile

@@ -42,14 +42,13 @@ export REMOTE_IMAGE:=${REGISTRY}/${PROJECT}/${CHALLENGE_NAME}
 export REMOTE_HEALTHCHECK_IMAGE:=${REGISTRY}/${PROJECT}/${CHALLENGE_NAME}-healthcheck
 
 HEALTHCHECK_ENABLED:=$(shell yq read challenge.yaml 'spec.healthcheck.enabled')
-CHALLENGE_NAMESPACE:=$(shell yq read challenge.yaml 'metadata.namespace')
 
 docker: .gen/challenge-image
 
 start: .deploy
 
 stop: .cluster-config
-	kubectl delete namespace ${CHALLENGE_NAMESPACE}
+	kubectl delete -f challenge.yaml
 
 ip: .cluster-config
 	@LB_IP=""
@@ -65,30 +64,30 @@ status: .cluster-config
 	@echo "Challenge execution status"
 	@echo "This shows you how many instances of the challenges are running."
 	@echo
-	@kubectl get pods -l "app=${CHALLENGE_NAMESPACE}" -o wide
+	@kubectl get pods -l "app=${CHALLENGE_NAME}" -o wide
 	@echo
 	@echo
 	@echo "= DEPLOYMENTS ="
 	@echo
 	@echo "Challenge deployment status"
 	@echo "This shows you if the challenge was deployed to the cluster."
 	@echo
-	@kubectl get deployments -l "app=${CHALLENGE_NAMESPACE}" -o wide
+	@kubectl get deployments -l "app=${CHALLENGE_NAME}" -o wide
 	@echo
 	@echo "= EXTERNAL SERVICES ="
 	@echo
 	@echo "Challenge external status"
 	@echo "This shows you if the challenge is exposed externally."
 	@echo
-	@kubectl get services -l "app=${CHALLENGE_NAMESPACE}" -o wide
-	@kubectl get ingress -l "app=${CHALLENGE_NAMESPACE}" -o wide
+	@kubectl get services -l "app=${CHALLENGE_NAME}" -o wide
+	@kubectl get ingress -l "app=${CHALLENGE_NAME}" -o wide
 	@echo
 
 logs: .cluster-config
-	kubectl logs -l "app=${CHALLENGE_NAMESPACE}" -c challenge
+	kubectl logs -l "app=${CHALLENGE_NAME}" -c challenge
 
 healthcheck-logs: .cluster-config
-	kubectl logs -l "app=${CHALLENGE_NAMESPACE}" -c healthcheck
+	kubectl logs -l "app=${CHALLENGE_NAME}" -c healthcheck
 
 ssh: .cluster-config
 	kubectl exec deployment/${CHALLENGE_NAME} -c challenge -it -- /bin/bash
@@ -229,9 +228,6 @@ endif
 	@  exit 1
 	@fi
 	kubectl config use-context "kctf_${PROJECT}_${ZONE}_${CLUSTER_NAME}" >&2
-	kubectl config set-context --current --namespace="${CHALLENGE_NAMESPACE}" >&2
-	kubectl create namespace "${CHALLENGE_NAMESPACE}" --dry-run=client -oyaml | kubectl apply -f - >&2
-	kubectl patch ServiceAccount default --patch "automountServiceAccountToken: false" >&2
 	mkdir -p ${CLUSTER_GEN} >&2
 
 .FORCE:

base/challenge-skeleton/challenge.yaml

@@ -2,7 +2,6 @@ apiVersion: kctf.dev/v1alpha1
 kind: Challenge
 metadata:
   name: mychal
-  namespace: mychal
 spec:
   deployed: true
   powDifficultySeconds: 0

base/healthcheck-docker/Dockerfile

@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/kctf-pwntools@sha256:9e2821935175b2e655da422b1232b685c0a6fb8a251d80b87cb2f518ecf5b63e AS pwntools
+FROM gcr.io/kctf-docker/kctf-pwntools@sha256:6234659a6327d4527a4c01546f0f9f8fa27275108b8b0bb1ea0625de302961e5 AS pwntools
 FROM ubuntu:20.04
 
 RUN apt-get update && apt-get -yq --no-install-recommends install cpio openssl python3 && rm -rf /var/lib/apt/lists/*

base/nsjail-docker/Dockerfile

@@ -11,8 +11,8 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/kctf-docker/kctf-chroot@sha256:a43b64aa6e0e8d63ddaff6aa863747d46f15399b5410fedc920bce602f344166 AS chroot
-FROM gcr.io/kctf-docker/kctf-nsjail@sha256:d8677dc181317016fc7c4a965577881d27016a44a27c59b8807140328d80ec78 AS bin
+FROM gcr.io/kctf-docker/kctf-chroot@sha256:666fdbe9d7508e701a7eeb6ed06f02d61b6c62252fef31fdae4d223354a89339 AS chroot
+FROM gcr.io/kctf-docker/kctf-nsjail@sha256:2b448930a0f8145ef3dcb7045ca0773e6137249ec346ad792b0521c97d90a0c0 AS bin
 FROM ubuntu:20.04
 
 RUN apt-get update \

kctf-operator/deploy/operator.yaml

@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: kctf-operator
-  namespace: kube-system
+  namespace: kctf-system
 spec:
   replicas: 1
   selector:
@@ -17,7 +17,7 @@ spec:
       containers:
         - name: kctf-operator
           # TODO: Replace this with the built image name
-          image: gcr.io/kctf-docker/kctf-operator@sha256:553b73da0829dd0c8e3a12a5a1465360728d1d6092c5d9de3b0f451668ff4e2d
+          image: gcr.io/kctf-docker/kctf-operator@sha256:360c1db9d3b4cdaa75063cc8bc926e6970f8f84416c3e17af09483afea11b3c3
           command:
           - kctf-operator
           imagePullPolicy: Always

kctf-operator/deploy/rbac.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kctf-operator
-  namespace: kube-system
+  namespace: kctf-system
 
 ---
 
@@ -13,7 +13,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
   name: kctf-operator
-  namespace: kube-system
+  namespace: kctf-system
 roleRef:
   kind: ClusterRole
   name: kctf-operator

kctf-operator/pkg/controller/challenge/challenge_controller.go

@@ -9,21 +9,18 @@ import (
 	"github.com/google/kctf/pkg/controller/challenge/autoscaling"
 	"github.com/google/kctf/pkg/controller/challenge/deployment"
 	"github.com/google/kctf/pkg/controller/challenge/dns"
-	"github.com/google/kctf/pkg/controller/challenge/network-policy"
 	"github.com/google/kctf/pkg/controller/challenge/pow"
 	"github.com/google/kctf/pkg/controller/challenge/secrets"
 	"github.com/google/kctf/pkg/controller/challenge/service"
 	"github.com/google/kctf/pkg/controller/challenge/set"
 	"github.com/google/kctf/pkg/controller/challenge/status"
 	"github.com/google/kctf/pkg/controller/challenge/volumes"
-	"github.com/prometheus/common/log"
 	appsv1 "k8s.io/api/apps/v1"
 	autoscalingv1 "k8s.io/api/autoscaling/v1"
 	corev1 "k8s.io/api/core/v1"
 	netv1beta1 "k8s.io/api/networking/v1beta1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
@@ -109,20 +106,6 @@ func (r *ReconcileChallenge) Reconcile(request reconcile.Request) (reconcile.Res
 		return reconcile.Result{}, err
 	}
 
-	// Checks if namespace is acceptable and if not, it deletes the challenge
-	if !isNamespaceAcceptable(request.NamespacedName) {
-		reqLogger.Info("Can't accept namespace different from name of the challenge. Please change namespace.",
-			request.Name, " with namespace ", request.Namespace)
-		reqLogger.Info("Deleting challenge")
-		err = r.client.Delete(ctx, challenge)
-		if err != nil {
-			status.Update(false, err, challenge, r.client,
-				r.log, ctx)
-			log.Error(err, "Failed to delete challenge")
-		}
-		return reconcile.Result{}, err
-	}
-
 	// Set default values not configured by kubebuilder
 	set.DefaultValues(challenge, r.scheme)
 
@@ -165,20 +148,11 @@ func (r *ReconcileChallenge) fetchChallenge(challenge *kctfv1alpha1.Challenge,
 	return false, nil
 }
 
-// Function that returns if the chosen namespace is acceptable or no to prevent errors
-func isNamespaceAcceptable(namespacedName types.NamespacedName) bool {
-	if namespacedName.Name != namespacedName.Namespace ||
-		namespacedName.Namespace == "default" || namespacedName.Namespace == "kube-system" {
-		return false
-	}
-	return true
-}
-
 func updateConfigurations(challenge *kctfv1alpha1.Challenge, cl client.Client, scheme *runtime.Scheme,
 	log logr.Logger, ctx context.Context) (bool, error) {
 	// We check if there's an error in each update
 	updateFunctions := []func(challenge *kctfv1alpha1.Challenge, client client.Client, scheme *runtime.Scheme,
-		log logr.Logger, ctx context.Context) (bool, error){network.Update, volumes.Update,
+		log logr.Logger, ctx context.Context) (bool, error){volumes.Update,
 		pow.Update, secrets.Update, deployment.Update, service.Update, dns.Update,
 		autoscaling.Update}