Chapter 19 updates

Signed-off-by: Lachlan Evenson <lachlan.evenson@gmail.com>
2024-01-29 21:49:09 -08:00 · 2024-01-29 21:49:09 -08:00 · 2d09842027
commit 2d09842027
parent a35d445fd1
12 changed files with 156 additions and 0 deletions
--- a/19-1-kuard-pod-securitycontext.yaml
+++ b/19-1-kuard-pod-securitycontext.yaml
@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kuard
+spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+  containers:
+    - image: gcr.io/kuar-demo/kuard-amd64:blue
+      name: kuard
+      securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          privileged: false
+      ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
--- a/19-10-kuard-pod.yaml
+++ b/19-10-kuard-pod.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kuard
+  labels:
+    app: kuard
+spec:
+  containers:
+    - image: gcr.io/kuar-demo/kuard-amd64:blue
+      name: kuard
+      ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
--- a/19-11-networkpolicy-default-deny.yaml
+++ b/19-11-networkpolicy-default-deny.yaml
@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
--- a/19-12-networkpolicy-kuard-allow-test-source.yaml
+++ b/19-12-networkpolicy-kuard-allow-test-source.yaml
@ -0,0 +1,13 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: access-kuard
+spec:
+  podSelector:
+    matchLabels:
+      app: kuard
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            run: test-source
--- a/19-2-amicontained-pod.yaml
+++ b/19-2-amicontained-pod.yaml
@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: amicontained
+spec:
+  containers:
+    - image: jess/amicontained:v0.4.9
+      name: amicontained
+      command: [ "/bin/sh", "-c", "--" ]
+      args: [ "amicontained" ]
--- a/19-3-amicontained-pod-securitycontext.yaml
+++ b/19-3-amicontained-pod-securitycontext.yaml
@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: amicontained
+  annotations:
+    container.apparmor.security.beta.kubernetes.io/amicontained: "runtime/default"
+spec:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 1000
+    runAsGroup: 3000
+    fsGroup: 2000
+    seccompProfile:
+      type: RuntimeDefault
+  containers:
+    - image: jess/amicontained:v0.4.9
+      name: amicontained
+      command: [ "/bin/sh", "-c", "--" ]
+      args: [ "amicontained" ]
+      securityContext:
+        capabilities:
+            add: ["SYS_TIME"]
+            drop: ["NET_BIND_SERVICE"]
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        privileged: false
--- a/19-4-baseline-ns.yaml
+++ b/19-4-baseline-ns.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: baseline-ns
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: v1.22
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: v1.22
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: v1.22
--- a/19-5-baseline-ns.yaml
+++ b/19-5-baseline-ns.yaml
@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: baseline-ns
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: v1.22
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/audit-version: v1.22
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/warn-version: v1.22
--- a/19-6-kuard-pod.yaml
+++ b/19-6-kuard-pod.yaml
@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kuard
+  labels:
+    app: kuard
+spec:
+  containers:
+    - image: gcr.io/kuar-demo/kuard-amd64:blue
+      name: kuard
+      ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
--- a/19-7-service-account.yaml
+++ b/19-7-service-account.yaml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+automountServiceAccountToken: false
--- a/19-8-kuard-pod-runtimeclass.yaml
+++ b/19-8-kuard-pod-runtimeclass.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kuard
+  labels:
+    app: kuard
+spec:
+  runtimeClassName: firecracker
+  containers:
+    - image: gcr.io/kuar-demo/kuard-amd64:blue
+      name: kuard
+      ports:
+        - containerPort: 8080
+          name: http
+          protocol: TCP
--- a/19-9-networkpolicy-default-deny.yaml
+++ b/19-9-networkpolicy-default-deny.yaml
@ -0,0 +1,8 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress