From 2d09842027d44af1b4d492f7d6c65d4e01fbfae5 Mon Sep 17 00:00:00 2001
From: Lachlan Evenson
Date: Mon, 29 Jan 2024 21:49:09 -0800
Subject: [PATCH] Chapter 19 updates
Signed-off-by: Lachlan Evenson
---
 19-1-kuard-pod-securitycontext.yaml | 21 +++++++++++++++
 19-10-kuard-pod.yaml | 14 ++++++++++
 19-11-networkpolicy-default-deny.yaml | 8 ++++++
 ...networkpolicy-kuard-allow-test-source.yaml | 13 ++++++++++
 19-2-amicontained-pod.yaml | 10 +++++++
 19-3-amicontained-pod-securitycontext.yaml | 26 +++++++++++++++++++
 19-4-baseline-ns.yaml | 11 ++++++++
 19-5-baseline-ns.yaml | 11 ++++++++
 19-6-kuard-pod.yaml | 14 ++++++++++
 19-7-service-account.yaml | 5 ++++
 19-8-kuard-pod-runtimeclass.yaml | 15 +++++++++++
 19-9-networkpolicy-default-deny.yaml | 8 ++++++
 12 files changed, 156 insertions(+)
 create mode 100644 19-1-kuard-pod-securitycontext.yaml
 create mode 100644 19-10-kuard-pod.yaml
 create mode 100644 19-11-networkpolicy-default-deny.yaml
 create mode 100644 19-12-networkpolicy-kuard-allow-test-source.yaml
 create mode 100644 19-2-amicontained-pod.yaml
 create mode 100644 19-3-amicontained-pod-securitycontext.yaml
 create mode 100644 19-4-baseline-ns.yaml
 create mode 100644 19-5-baseline-ns.yaml
 create mode 100644 19-6-kuard-pod.yaml
 create mode 100644 19-7-service-account.yaml
 create mode 100644 19-8-kuard-pod-runtimeclass.yaml
 create mode 100644 19-9-networkpolicy-default-deny.yaml
diff --git a/19-1-kuard-pod-securitycontext.yaml b/19-1-kuard-pod-securitycontext.yaml
new file mode 100644
index 0000000..fce9adb
--- /dev/null
+++ b/19-1-kuard-pod-securitycontext.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kuard
+spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ containers:
+ - image: gcr.io/kuar-demo/kuard-amd64:blue
+ name: kuard
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
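Review bot: The container in 19-1-kuard-pod-securitycontext.yaml still runs with the runtime's default capability set and no seccomp profile, so this manifest would be rejected by a namespace enforcing the `restricted` Pod Security Standard even though it sets `runAsNonRoot`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. Adding `capabilities: {drop: ["ALL"]}` under the container `securityContext` and `seccompProfile: {type: RuntimeDefault}` under the pod `securityContext` (the 19-3 example in this same patch already sets the seccomp profile) closes that gap. With `readOnlyRootFilesystem: true`, any path the process writes to needs an `emptyDir` volume — presumably kuard needs none, but that is worth confirming before readers copy the manifest.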
diff --git a/19-10-kuard-pod.yaml b/19-10-kuard-pod.yaml
new file mode 100644
index 0000000..77f5ae9
--- /dev/null
+++ b/19-10-kuard-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kuard
+ labels:
+ app: kuard
+spec:
+ containers:
+ - image: gcr.io/kuar-demo/kuard-amd64:blue
+ name: kuard
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
diff --git a/19-11-networkpolicy-default-deny.yaml b/19-11-networkpolicy-default-deny.yaml
new file mode 100644
index 0000000..1a97947
--- /dev/null
+++ b/19-11-networkpolicy-default-deny.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
diff --git a/19-12-networkpolicy-kuard-allow-test-source.yaml b/19-12-networkpolicy-kuard-allow-test-source.yaml
new file mode 100644
index 0000000..8930a13
--- /dev/null
+++ b/19-12-networkpolicy-kuard-allow-test-source.yaml
@@ -0,0 +1,13 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: access-kuard
+spec:
+ podSelector:
+ matchLabels:
+ app: kuard
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ run: test-source
diff --git a/19-2-amicontained-pod.yaml b/19-2-amicontained-pod.yaml
new file mode 100644
index 0000000..0535dc5
--- /dev/null
+++ b/19-2-amicontained-pod.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: amicontained
+spec:
+ containers:
+ - image: jess/amicontained:v0.4.9
+ name: amicontained
+ command: [ "/bin/sh", "-c", "--" ]
+ args: [ "amicontained" ]
diff --git a/19-3-amicontained-pod-securitycontext.yaml b/19-3-amicontained-pod-securitycontext.yaml
new file mode 100644
index 0000000..18a8276
--- /dev/null
+++ b/19-3-amicontained-pod-securitycontext.yaml
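Review bot: `policyTypes: [Ingress]` in 19-11-networkpolicy-default-deny.yaml isolates inbound traffic only; a compromised pod in the namespace can still reach any destination, including the API server and other cluster services, because egress is left unrestricted. If the chapter's intent is a true default-deny baseline, the list should also contain `- Egress`, paired with an explicit DNS egress allow so name resolution keeps working. The name `default-deny-ingress` is accurate for what the object does, so if the narrower scope is deliberate a comment such as `# ingress only — egress from these pods remains open` would stop readers from copying it as a full deny-all.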
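Review bot: The `from` selector in 19-12-networkpolicy-kuard-allow-test-source.yaml trusts a label, not an identity: any principal able to create or relabel pods in this namespace can set `run: test-source` and reach kuard. That is acceptable for a demo but deserves a comment, e.g. `# labels are not an authn boundary — anyone who can create pods here can wear this label`. Without a `namespaceSelector` the match is confined to pods in the same namespace, which is the safer default and should stay as is. Minor style: this file lists `kind` before `apiVersion`, the reverse of every other manifest in the patch.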
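Review bot: `image: jess/amicontained:v0.4.9` in 19-2-amicontained-pod.yaml pins a mutable tag from a third-party registry repository, and this pod intentionally carries no securityContext, so whatever that tag resolves to at pull time runs as root with the runtime's default capabilities. For a security chapter, pinning by digest (`jess/amicontained@sha256:<digest>`) with a comment explaining why would make the example reproducible and immune to a re-tagged image; I have not resolved the digest here, so it needs to be looked up before the change is made. The `/bin/sh -c -- amicontained` wrapper presumably exists to override the image's entrypoint — a one-line comment stating that would help readers who wonder why the binary is not invoked directly.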
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: amicontained
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/amicontained: "runtime/default"
+spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - image: jess/amicontained:v0.4.9
+ name: amicontained
+ command: [ "/bin/sh", "-c", "--" ]
+ args: [ "amicontained" ]
+ securityContext:
+ capabilities:
+ add: ["SYS_TIME"]
+ drop: ["NET_BIND_SERVICE"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ privileged: false
diff --git a/19-4-baseline-ns.yaml b/19-4-baseline-ns.yaml
new file mode 100644
index 0000000..6767d14
--- /dev/null
+++ b/19-4-baseline-ns.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: baseline-ns
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce-version: v1.22
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: v1.22
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: v1.22
diff --git a/19-5-baseline-ns.yaml b/19-5-baseline-ns.yaml
new file mode 100644
index 0000000..6767d14
--- /dev/null
+++ b/19-5-baseline-ns.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: baseline-ns
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce-version: v1.22
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/audit-version: v1.22
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/warn-version: v1.22
diff --git a/19-6-kuard-pod.yaml b/19-6-kuard-pod.yaml
new file mode 100644
index 0000000..77f5ae9
--- /dev/null
+++ b/19-6-kuard-pod.yaml
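Review bot: `add: ["SYS_TIME"]` together with `drop: ["NET_BIND_SERVICE"]` in 19-3-amicontained-pod-securitycontext.yaml widens privilege relative to the runtime default rather than narrowing it — CAP_SYS_TIME permits setting the system clock — and the `restricted` Pod Security Standard requires `drop: ["ALL"]` while allowing only `NET_BIND_SERVICE` to be added back, the exact inverse of this manifest. If the point is to make the capability change visible in amicontained's output, a comment like `# demo only: a restricted-profile pod uses drop: ["ALL"] and adds nothing` would keep readers from treating this as a hardened template; otherwise use `drop: ["ALL"]` with no `add`. The `container.apparmor.security.beta.kubernetes.io/amicontained` annotation is the legacy mechanism; later Kubernetes releases expose the same setting as a `securityContext.appArmorProfile` field, so a note on which versions the annotation applies to is warranted.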
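Review bot: 19-5-baseline-ns.yaml is byte-for-byte identical to 19-4-baseline-ns.yaml (both carry blob `6767d14` and the same `name: baseline-ns`), so applying the second file changes nothing on the cluster. Presumably this listing was meant to differ — for example raising `pod-security.kubernetes.io/enforce` to `restricted`, or using a distinct namespace name — so that the chapter's second step demonstrates an observable change; worth checking against the text. The three `*-version: v1.22` pins are sensible for reproducibility but mean policy checks introduced in later releases are never applied; if that is deliberate, a comment saying so would help.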
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kuard
+ labels:
+ app: kuard
+spec:
+ containers:
+ - image: gcr.io/kuar-demo/kuard-amd64:blue
+ name: kuard
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
diff --git a/19-7-service-account.yaml b/19-7-service-account.yaml
new file mode 100644
index 0000000..fdf7895
--- /dev/null
+++ b/19-7-service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: default
+automountServiceAccountToken: false
diff --git a/19-8-kuard-pod-runtimeclass.yaml b/19-8-kuard-pod-runtimeclass.yaml
new file mode 100644
index 0000000..78b4933
--- /dev/null
+++ b/19-8-kuard-pod-runtimeclass.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: kuard
+ labels:
+ app: kuard
+spec:
+ runtimeClassName: firecracker
+ containers:
+ - image: gcr.io/kuar-demo/kuard-amd64:blue
+ name: kuard
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
diff --git a/19-9-networkpolicy-default-deny.yaml b/19-9-networkpolicy-default-deny.yaml
new file mode 100644
index 0000000..1a97947
--- /dev/null
+++ b/19-9-networkpolicy-default-deny.yaml
@@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-ingress
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
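Review bot: `automountServiceAccountToken: false` on the `default` ServiceAccount in 19-7-service-account.yaml is a default, not an enforcement: a pod spec that sets `automountServiceAccountToken: true` overrides it, and pods already running keep their mounted tokens until they are recreated. The manifest also omits `metadata.namespace`, so `kubectl apply` patches the default ServiceAccount of whichever namespace the current context points at — an explicit namespace, or a comment warning about it, would avoid surprising readers. A comment such as `# pods can opt back in via spec.automountServiceAccountToken: true; use admission policy to enforce` would set expectations correctly.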
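Review bot: `runtimeClassName: firecracker` in 19-8-kuard-pod-runtimeclass.yaml references a RuntimeClass object that this patch does not create; on a cluster without it the pod will not start (with the default admission plugins it is rejected at admission), so the example needs either the RuntimeClass manifest or a comment naming the prerequisite and the node-side handler it assumes. Note also that this pod drops every hardening setting shown in 19-1 (no `runAsNonRoot`, no `allowPrivilegeEscalation: false`, no `readOnlyRootFilesystem`); a sandboxed runtime complements the pod securityContext rather than replacing it, and a one-line comment saying so would keep readers from treating the two as alternatives.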
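Review bot: A NetworkPolicy like the one in 19-9-networkpolicy-default-deny.yaml is enforced only by a CNI plugin that implements the API; on a cluster whose network plugin ignores NetworkPolicy the object is accepted by the API server and silently does nothing, so the chapter should have readers verify enforcement (for example a request from an unlabelled pod that is expected to time out) rather than trust the object's presence. This file is also identical to 19-11-networkpolicy-default-deny.yaml (blob `1a97947`); if one is a re-listing for narrative flow that is fine, otherwise one of the two could be dropped to avoid drift.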