Chapter 19 updates

Signed-off-by: Lachlan Evenson <lachlan.evenson@gmail.com>
2024-01-29 21:49:09 -08:00 · 2024-01-29 21:49:09 -08:00 · 2d09842027
commit 2d09842027
parent a35d445fd1
12 changed files with 156 additions and 0 deletions
--- a/19-1-kuard-pod-securitycontext.yaml
+++ b/19-1-kuard-pod-securitycontext.yaml
@ -0,0 +1,21 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: kuard
 spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
    - image: gcr.io/kuar-demo/kuard-amd64:blue
      name: kuard
      securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          privileged: false
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
--- a/19-10-kuard-pod.yaml
+++ b/19-10-kuard-pod.yaml
@ -0,0 +1,14 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: kuard
  labels:
    app: kuard
 spec:
  containers:
    - image: gcr.io/kuar-demo/kuard-amd64:blue
      name: kuard
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
--- a/19-11-networkpolicy-default-deny.yaml
+++ b/19-11-networkpolicy-default-deny.yaml
@ -0,0 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: default-deny-ingress
 spec:
  podSelector: {}
  policyTypes:
  - Ingress
--- a/19-12-networkpolicy-kuard-allow-test-source.yaml
+++ b/19-12-networkpolicy-kuard-allow-test-source.yaml
@ -0,0 +1,13 @@
 kind: NetworkPolicy
 apiVersion: networking.k8s.io/v1
 metadata:
  name: access-kuard
 spec:
  podSelector:
    matchLabels:
      app: kuard
  ingress:
    - from:
      - podSelector:
          matchLabels:
            run: test-source
--- a/19-2-amicontained-pod.yaml
+++ b/19-2-amicontained-pod.yaml
@ -0,0 +1,10 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: amicontained
 spec:
  containers:
    - image: jess/amicontained:v0.4.9
      name: amicontained
      command: [ "/bin/sh", "-c", "--" ]
      args: [ "amicontained" ]
--- a/19-3-amicontained-pod-securitycontext.yaml
+++ b/19-3-amicontained-pod-securitycontext.yaml
@ -0,0 +1,26 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: amicontained
  annotations:
    container.apparmor.security.beta.kubernetes.io/amicontained: "runtime/default"
 spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - image: jess/amicontained:v0.4.9
      name: amicontained
      command: [ "/bin/sh", "-c", "--" ]
      args: [ "amicontained" ]
      securityContext:
        capabilities:
            add: ["SYS_TIME"]
            drop: ["NET_BIND_SERVICE"]
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        privileged: false
--- a/19-4-baseline-ns.yaml
+++ b/19-4-baseline-ns.yaml
@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.22
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.22
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.22
--- a/19-5-baseline-ns.yaml
+++ b/19-5-baseline-ns.yaml
@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: baseline-ns
  labels:
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: v1.22
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.22
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.22
--- a/19-6-kuard-pod.yaml
+++ b/19-6-kuard-pod.yaml
@ -0,0 +1,14 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: kuard
  labels:
    app: kuard
 spec:
  containers:
    - image: gcr.io/kuar-demo/kuard-amd64:blue
      name: kuard
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
--- a/19-7-service-account.yaml
+++ b/19-7-service-account.yaml
@ -0,0 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: default
 automountServiceAccountToken: false
--- a/19-8-kuard-pod-runtimeclass.yaml
+++ b/19-8-kuard-pod-runtimeclass.yaml
@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Pod
 metadata:
  name: kuard
  labels:
    app: kuard
 spec:
  runtimeClassName: firecracker
  containers:
    - image: gcr.io/kuar-demo/kuard-amd64:blue
      name: kuard
      ports:
        - containerPort: 8080
          name: http
          protocol: TCP
--- a/19-9-networkpolicy-default-deny.yaml
+++ b/19-9-networkpolicy-default-deny.yaml
@ -0,0 +1,8 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: default-deny-ingress
 spec:
  podSelector: {}
  policyTypes:
  - Ingress