diff --git a/10-1-kuard-deployment.yaml b/10-1-kuard-deployment.yaml new file mode 100644 index 0000000..701f695 --- /dev/null +++ b/10-1-kuard-deployment.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuard + labels: + run: kuard +spec: + selector: + matchLabels: + run: kuard + replicas: 1 + template: + metadata: + labels: + run: kuard + spec: + containers: + - name: kuard + image: gcr.io/kuar-demo/kuard-amd64:blue diff --git a/9-1-fluentd.yaml b/11-1-fluentd.yaml similarity index 100% rename from 9-1-fluentd.yaml rename to 11-1-fluentd.yaml diff --git a/9-2-nginx-fast-storage.yaml b/11-2-nginx-fast-storage.yaml similarity index 95% rename from 9-2-nginx-fast-storage.yaml rename to 11-2-nginx-fast-storage.yaml index 8e66746..6f58b63 100644 --- a/9-2-nginx-fast-storage.yaml +++ b/11-2-nginx-fast-storage.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: "DaemonSet" +kind: DaemonSet metadata: labels: app: nginx diff --git a/10-1-job-oneshot.yaml b/12-1-job-oneshot.yaml similarity index 70% rename from 10-1-job-oneshot.yaml rename to 12-1-job-oneshot.yaml index 063ba65..3e62b73 100644 --- a/10-1-job-oneshot.yaml +++ b/12-1-job-oneshot.yaml @@ -2,18 +2,15 @@ apiVersion: batch/v1 kind: Job metadata: name: oneshot - labels: - chapter: jobs spec: template: - metadata: - labels: - chapter: jobs spec: containers: - name: kuard - image: gcr.io/kuar-demo/kuard-amd64:1 + image: gcr.io/kuar-demo/kuard-amd64:blue imagePullPolicy: Always + command: + - "/kuard" args: - "--keygen-enable" - "--keygen-exit-on-complete" diff --git a/10-2-job-oneshot-failure1.yaml b/12-2-job-oneshot-failure1.yaml similarity index 82% rename from 10-2-job-oneshot-failure1.yaml rename to 12-2-job-oneshot-failure1.yaml index 88af786..48b428a 100644 --- a/10-2-job-oneshot-failure1.yaml +++ b/12-2-job-oneshot-failure1.yaml 
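Review bot: The new Deployment in 10-1-kuard-deployment.yaml references its only container by a mutable tag (`image: gcr.io/kuar-demo/kuard-amd64:blue`) and sets no `imagePullPolicy`, so a node that already cached a different `blue` keeps running it (the default for a non-`latest` tag is IfNotPresent) and nothing ties the manifest to specific image content. Pinning by digest, e.g. `image: gcr.io/kuar-demo/kuard-amd64:blue@sha256:<digest-placeholder>`, makes the rollout reproducible; the same remark applies to every `:1` → `:blue` hunk in this commit (12-1 through 12-7, 13-2 through 13-4, 5-1 through 5-3) and to the `:green` tag in 9-1-kuard-rs.yaml. The pod template also carries no `securityContext` or `resources`, which the chapter-19 files and 9-1 add separately; if this Deployment is meant as the baseline that later chapters harden, a one-line comment saying so would help a reader who copies it on its own.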
@@ -12,8 +12,10 @@ spec: spec: containers: - name: kuard - image: gcr.io/kuar-demo/kuard-amd64:1 + image: gcr.io/kuar-demo/kuard-amd64:blue imagePullPolicy: Always + command: + - "/kuard" args: - "--keygen-enable" - "--keygen-exit-on-complete" diff --git a/10-3-job-parallel.yaml b/12-3-job-parallel.yaml similarity index 83% rename from 10-3-job-parallel.yaml rename to 12-3-job-parallel.yaml index c8ef106..1e78fe8 100644 --- a/10-3-job-parallel.yaml +++ b/12-3-job-parallel.yaml @@ -14,8 +14,10 @@ spec: spec: containers: - name: kuard - image: gcr.io/kuar-demo/kuard-amd64:1 + image: gcr.io/kuar-demo/kuard-amd64:blue imagePullPolicy: Always + command: + - "/kuard" args: - "--keygen-enable" - "--keygen-exit-on-complete" diff --git a/10-4-rs-queue.yaml b/12-4-rs-queue.yaml similarity index 89% rename from 10-4-rs-queue.yaml rename to 12-4-rs-queue.yaml index 28c9363..6e6bc94 100644 --- a/10-4-rs-queue.yaml +++ b/12-4-rs-queue.yaml @@ -22,5 +22,5 @@ spec: spec: containers: - name: queue - image: "gcr.io/kuar-demo/kuard-amd64:1" + image: "gcr.io/kuar-demo/kuard-amd64:blue" imagePullPolicy: Always diff --git a/10-5-service-queue.yaml b/12-5-service-queue.yaml similarity index 100% rename from 10-5-service-queue.yaml rename to 12-5-service-queue.yaml diff --git a/10-6-load-queue.sh b/12-6-load-queue.sh old mode 100644 new mode 100755 similarity index 100% rename from 10-6-load-queue.sh rename to 12-6-load-queue.sh diff --git a/10-7-job-consumers.yaml b/12-7-job-consumers.yaml similarity index 86% rename from 10-7-job-consumers.yaml rename to 12-7-job-consumers.yaml index 9832fb5..00865bf 100644 --- a/10-7-job-consumers.yaml +++ b/12-7-job-consumers.yaml @@ -17,8 +17,10 @@ spec: spec: containers: - name: worker - image: "gcr.io/kuar-demo/kuard-amd64:1" + image: "gcr.io/kuar-demo/kuard-amd64:blue" imagePullPolicy: Always + command: + - "/kuard" args: - "--keygen-enable" - "--keygen-exit-on-complete" 
diff --git a/11-1-simple-config.txt b/13-1-my-config.txt similarity index 100% rename from 11-1-simple-config.txt rename to 13-1-my-config.txt diff --git a/11-2-kuard-config.yaml b/13-2-kuard-config.yaml similarity index 70% rename from 11-2-kuard-config.yaml rename to 13-2-kuard-config.yaml index efeb6be..5edb44b 100644 --- a/11-2-kuard-config.yaml +++ b/13-2-kuard-config.yaml @@ -5,23 +5,27 @@ metadata: spec: containers: - name: test-container - image: gcr.io/kuar-demo/kuard-amd64:1 + image: gcr.io/kuar-demo/kuard-amd64:blue imagePullPolicy: Always command: - "/kuard" - "$(EXTRA_PARAM)" env: + # An example of an environment variable used inside the container - name: ANOTHER_PARAM valueFrom: configMapKeyRef: name: my-config key: another-param + # An example of an environment variable passed to the command to start + # the container (above). - name: EXTRA_PARAM valueFrom: configMapKeyRef: name: my-config key: extra-param volumeMounts: + # Mounting the ConfigMap as a set of files - name: config-volume mountPath: /config volumes: diff --git a/11-3-kuard-secret.yaml b/13-3-kuard-secret.yaml similarity index 86% rename from 11-3-kuard-secret.yaml rename to 13-3-kuard-secret.yaml index 3b1e41d..bf064d6 100644 --- a/11-3-kuard-secret.yaml +++ b/13-3-kuard-secret.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: kuard-tls - image: gcr.io/kuar-demo/kuard-amd64:1 + image: gcr.io/kuar-demo/kuard-amd64:blue imagePullPolicy: Always volumeMounts: - name: tls-certs diff --git a/11-4-kuard-secret-ips.yaml b/13-4-kuard-secret-ips.yaml similarity index 88% rename from 11-4-kuard-secret-ips.yaml rename to 13-4-kuard-secret-ips.yaml index ae4c6da..ed1aff2 100644 --- a/11-4-kuard-secret-ips.yaml +++ b/13-4-kuard-secret-ips.yaml @@ -5,7 +5,7 @@ metadata: spec: containers: - name: kuard-tls - image: gcr.io/kuar-demo/kuard-amd64:1 + image: gcr.io/kuar-demo/kuard-amd64:blue imagePullPolicy: Always volumeMounts: - name: tls-certs 
diff --git a/14-1-parse.yaml b/14-1-parse.yaml deleted file mode 100644 index ceec9c1..0000000 --- a/14-1-parse.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: parse-server -spec: - replicas: 1 - selector: - matchLabels: - run: parse-server - template: - metadata: - labels: - run: parse-server - spec: - containers: - - name: parse-server - image: ${DOCKER_USER}/parse-server - env: - - name: PARSE_SERVER_DATABASE_URI - value: "mongodb://mongo-0.mongo:27017,\ - mongo-1.mongo:27017,mongo-2.mongo\ - :27017/dev?replicaSet=rs0" - - name: PARSE_SERVER_APP_ID - value: "my-app-id" - - name: PARSE_SERVER_MASTER_KEY - value: "my-master-key" diff --git a/14-10-redis.yaml b/14-10-redis.yaml deleted file mode 100644 index 1a17b3e..0000000 --- a/14-10-redis.yaml +++ /dev/null @@ -1,40 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: redis -spec: - replicas: 3 - serviceName: redis - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - spec: - containers: - - command: [sh, -c, source /redis-config/init.sh ] - image: redis:3.2.7-alpine - name: redis - ports: - - containerPort: 6379 - name: redis - volumeMounts: - - mountPath: /redis-config - name: config - - mountPath: /redis-data - name: data - - command: [sh, -c, source /redis-config/sentinel.sh] - image: redis:3.2.7-alpine - name: sentinel - volumeMounts: - - mountPath: /redis-config - name: config - volumes: - - configMap: - defaultMode: 420 - name: redis-config - name: config - - emptyDir: - name: data diff --git a/14-2-parse-service.yaml b/14-2-parse-service.yaml deleted file mode 100644 index 2a6a29d..0000000 --- a/14-2-parse-service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: parse-server - namespace: default -spec: - ports: - - port: 1337 - protocol: TCP - targetPort: 1337 - selector: - run: parse-server 
diff --git a/14-3-ghost-config.js b/14-3-ghost-config.js deleted file mode 100644 index 71675ba..0000000 --- a/14-3-ghost-config.js +++ /dev/null @@ -1,25 +0,0 @@ -var path = require('path'), - config; - -config = { - development: { - url: 'http://localhost:2368', - database: { - client: 'sqlite3', - connection: { - filename: path.join(process.env.GHOST_CONTENT, - '/data/ghost-dev.db') - }, - debug: false - }, - server: { - host: '0.0.0.0', - port: '2368' - }, - paths: { - contentPath: path.join(process.env.GHOST_CONTENT, '/') - } - } -}; - -module.exports = config; diff --git a/14-4-ghost.yaml b/14-4-ghost.yaml deleted file mode 100644 index 02b9596..0000000 --- a/14-4-ghost.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ghost -spec: - replicas: 1 - selector: - matchLabels: - run: ghost - template: - metadata: - labels: - run: ghost - spec: - containers: - - image: ghost - name: ghost - command: - - sh - - -c - - cp /ghost-config/ghost-config.js /var/lib/ghost/config.js - && docker-entrypoint.sh node current/index.js - volumeMounts: - - mountPath: /ghost-config - name: config - volumes: - - name: config - configMap: - defaultMode: 420 - name: ghost-config diff --git a/14-4-master.conf b/14-4-master.conf deleted file mode 100644 index 1924460..0000000 --- a/14-4-master.conf +++ /dev/null @@ -1,4 +0,0 @@ -bind 0.0.0.0 -port 6379 - -dir /redis-data diff --git a/14-5-slave.conf b/14-5-slave.conf deleted file mode 100644 index 87e300d..0000000 --- a/14-5-slave.conf +++ /dev/null @@ -1,6 +0,0 @@ -bind 0.0.0.0 -port 6379 - -dir . - -slaveof redis-0.redis 6379 diff --git a/14-6-sentinel.conf b/14-6-sentinel.conf deleted file mode 100644 index 10e4598..0000000 --- a/14-6-sentinel.conf +++ /dev/null @@ -1,7 +0,0 @@ -bind 0.0.0.0 -port 26379 - -sentinel monitor redis redis-0.redis 6379 2 -sentinel parallel-syncs redis 1 -sentinel down-after-milliseconds redis 10000 -sentinel failover-timeout redis 20000 
diff --git a/14-7-init.sh b/14-7-init.sh deleted file mode 100644 index 738071a..0000000 --- a/14-7-init.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash -if [[ ${HOSTNAME} == 'redis-0' ]]; then - redis-server /redis-config/master.conf -else - redis-server /redis-config/slave.conf -fi diff --git a/14-8-sentinel.sh b/14-8-sentinel.sh deleted file mode 100644 index 026f6e9..0000000 --- a/14-8-sentinel.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash -while ! ping -c 1 redis-0.redis; do - echo 'Waiting for server' - sleep 1 -done - -redis-sentinel /redis-config/sentinel.conf - diff --git a/14-9-redis-service.yaml b/14-9-redis-service.yaml deleted file mode 100644 index 9f24a8c..0000000 --- a/14-9-redis-service.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: redis -spec: - ports: - - port: 6379 - name: peer - clusterIP: None - selector: - app: redis diff --git a/13-1-dns-service.yaml b/16-1-dns-service.yaml similarity index 100% rename from 13-1-dns-service.yaml rename to 16-1-dns-service.yaml diff --git a/13-10-mongo-simple.yaml b/16-10-mongo-simple.yaml similarity index 100% rename from 13-10-mongo-simple.yaml rename to 16-10-mongo-simple.yaml diff --git a/13-11-mongo-service.yaml b/16-11-mongo-service.yaml similarity index 100% rename from 13-11-mongo-service.yaml rename to 16-11-mongo-service.yaml diff --git a/13-12-mongo-configmap.yaml b/16-12-mongo-configmap.yaml similarity index 100% rename from 13-12-mongo-configmap.yaml rename to 16-12-mongo-configmap.yaml diff --git a/13-13-mongo.yaml b/16-13-mongo.yaml similarity index 100% rename from 13-13-mongo.yaml rename to 16-13-mongo.yaml diff --git a/13-2-external-ip-service.yaml b/16-2-external-ip-service.yaml similarity index 100% rename from 13-2-external-ip-service.yaml rename to 16-2-external-ip-service.yaml 
diff --git a/13-3-external-ip-endpoints.yaml b/16-3-external-ip-endpoints.yaml similarity index 100% rename from 13-3-external-ip-endpoints.yaml rename to 16-3-external-ip-endpoints.yaml diff --git a/13-4-nfs-volume.yaml b/16-4-nfs-volume.yaml similarity index 100% rename from 13-4-nfs-volume.yaml rename to 16-4-nfs-volume.yaml diff --git a/13-5-nfs-volume-claim.yaml b/16-5-nfs-volume-claim.yaml similarity index 100% rename from 13-5-nfs-volume-claim.yaml rename to 16-5-nfs-volume-claim.yaml diff --git a/13-6-mysql-replicaset.yaml b/16-6-mysql-replicaset.yaml similarity index 100% rename from 13-6-mysql-replicaset.yaml rename to 16-6-mysql-replicaset.yaml diff --git a/13-7-mysql-service.yaml b/16-7-mysql-service.yaml similarity index 100% rename from 13-7-mysql-service.yaml rename to 16-7-mysql-service.yaml diff --git a/13-8-storageclass.yaml b/16-8-storageclass.yaml similarity index 100% rename from 13-8-storageclass.yaml rename to 16-8-storageclass.yaml diff --git a/13-9-dynamic-volume-claim.yaml b/16-9-dynamic-volume-claim.yaml similarity index 100% rename from 13-9-dynamic-volume-claim.yaml rename to 16-9-dynamic-volume-claim.yaml diff --git a/19-1-kuard-pod-securitycontext.yaml b/19-1-kuard-pod-securitycontext.yaml new file mode 100644 index 0000000..fce9adb --- /dev/null +++ b/19-1-kuard-pod-securitycontext.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard +spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-10-kuard-pod.yaml b/19-10-kuard-pod.yaml new file mode 100644 index 0000000..77f5ae9 --- /dev/null +++ b/19-10-kuard-pod.yaml 
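Review bot: The container `securityContext` in 19-1-kuard-pod-securitycontext.yaml sets `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `privileged` but neither drops capabilities nor sets a seccomp profile, so this pod still does not satisfy the Restricted Pod Security Standard that 19-4-baseline-ns.yaml in this same commit turns on in `audit`/`warn` mode. The restricted profile requires `capabilities: {drop: ["ALL"]}` on every container and `seccompProfile: {type: RuntimeDefault}` at pod or container level (the later 19-3 example already sets the seccomp half). Adding both under the container `securityContext` would let the example apply without warnings in that namespace; if the omission is deliberate to keep the listing short, a comment saying so would stop readers from treating this as a complete hardening baseline.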
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard + labels: + app: kuard +spec: + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-11-networkpolicy-default-deny.yaml b/19-11-networkpolicy-default-deny.yaml new file mode 100644 index 0000000..1a97947 --- /dev/null +++ b/19-11-networkpolicy-default-deny.yaml @@ -0,0 +1,8 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress +spec: + podSelector: {} + policyTypes: + - Ingress diff --git a/19-12-networkpolicy-kuard-allow-test-source.yaml b/19-12-networkpolicy-kuard-allow-test-source.yaml new file mode 100644 index 0000000..8930a13 --- /dev/null +++ b/19-12-networkpolicy-kuard-allow-test-source.yaml @@ -0,0 +1,13 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: access-kuard +spec: + podSelector: + matchLabels: + app: kuard + ingress: + - from: + - podSelector: + matchLabels: + run: test-source diff --git a/19-2-amicontained-pod.yaml b/19-2-amicontained-pod.yaml new file mode 100644 index 0000000..0535dc5 --- /dev/null +++ b/19-2-amicontained-pod.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Pod +metadata: + name: amicontained +spec: + containers: + - image: jess/amicontained:v0.4.9 + name: amicontained + command: [ "/bin/sh", "-c", "--" ] + args: [ "amicontained" ] diff --git a/19-3-amicontained-pod-securitycontext.yaml b/19-3-amicontained-pod-securitycontext.yaml new file mode 100644 index 0000000..18a8276 --- /dev/null +++ b/19-3-amicontained-pod-securitycontext.yaml 
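Review bot: The ingress rule in 19-12-networkpolicy-kuard-allow-test-source.yaml has no `ports` entry and uses a bare `podSelector`, so it admits traffic from `run: test-source` pods in the policy's own namespace on every port, not only the `8080` the kuard container exposes. If the example only needs HTTP, adding `ports:` / `- port: 8080` under the rule narrows the hole punched in the default-deny policy; either way a comment stating that the selector is namespace-local and port-unrestricted would document the intent.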
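Review bot: `image: jess/amicontained:v0.4.9` in 19-2-amicontained-pod.yaml is an unqualified reference, so which registry it resolves to is decided by the node's container runtime configuration (typically Docker Hub, but not guaranteed) rather than by the manifest. Writing it as `image: docker.io/jess/amicontained:v0.4.9` makes the source explicit and is also the form a repo-prefix admission policy such as the chapter-20 K8sAllowedRepos template matches on; 19-3-amicontained-pod-securitycontext.yaml carries the same reference.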
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Pod +metadata: + name: amicontained + annotations: + container.apparmor.security.beta.kubernetes.io/amicontained: "runtime/default" +spec: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 3000 + fsGroup: 2000 + seccompProfile: + type: RuntimeDefault + containers: + - image: jess/amicontained:v0.4.9 + name: amicontained + command: [ "/bin/sh", "-c", "--" ] + args: [ "amicontained" ] + securityContext: + capabilities: + add: ["SYS_TIME"] + drop: ["NET_BIND_SERVICE"] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + privileged: false diff --git a/19-4-baseline-ns.yaml b/19-4-baseline-ns.yaml new file mode 100644 index 0000000..6767d14 --- /dev/null +++ b/19-4-baseline-ns.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: baseline-ns + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: v1.22 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: v1.22 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: v1.22 diff --git a/19-5-baseline-ns.yaml b/19-5-baseline-ns.yaml new file mode 100644 index 0000000..6767d14 --- /dev/null +++ b/19-5-baseline-ns.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: baseline-ns + labels: + pod-security.kubernetes.io/enforce: baseline + pod-security.kubernetes.io/enforce-version: v1.22 + pod-security.kubernetes.io/audit: restricted + pod-security.kubernetes.io/audit-version: v1.22 + pod-security.kubernetes.io/warn: restricted + pod-security.kubernetes.io/warn-version: v1.22 diff --git a/19-6-kuard-pod.yaml b/19-6-kuard-pod.yaml new file mode 100644 index 0000000..77f5ae9 --- /dev/null +++ b/19-6-kuard-pod.yaml 
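Review bot: The container `securityContext` in 19-3-amicontained-pod-securitycontext.yaml adds `SYS_TIME` and drops only `NET_BIND_SERVICE`, so the container keeps the runtime's whole default capability set plus one more; the usual hardening shape is `drop: ["ALL"]` followed by adding back only what is needed, and the Restricted profile permits adding nothing but `NET_BIND_SERVICE`. Because the pod also runs as UID 1000, the added capability presumably is not in the process's effective set without file or ambient capabilities — worth confirming against the runtime before relying on it. If the pair is intentionally illustrative, a comment above `capabilities:` saying it demonstrates the add/drop syntax rather than a recommended setting would keep it from being copied as-is.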
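Review bot: 19-5-baseline-ns.yaml is byte-identical to 19-4-baseline-ns.yaml (both are added with blob id 6767d14) down to `name: baseline-ns`, so applying the second file is a no-op and a reader cannot tell which example each file illustrates; the same duplication appears for 19-6/19-10-kuard-pod.yaml (77f5ae9) and 19-9/19-11-networkpolicy-default-deny.yaml (1a97947). If 19-5 was meant to be the contrasting namespace (for instance `enforce: restricted`), it needs a different `name:` and label values; if the repetition is deliberate so that each book listing has its own file, a one-line comment in the duplicates pointing at the canonical copy would keep them from drifting apart.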
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard + labels: + app: kuard +spec: + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-7-service-account.yaml b/19-7-service-account.yaml new file mode 100644 index 0000000..fdf7895 --- /dev/null +++ b/19-7-service-account.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: default +automountServiceAccountToken: false diff --git a/19-8-kuard-pod-runtimeclass.yaml b/19-8-kuard-pod-runtimeclass.yaml new file mode 100644 index 0000000..78b4933 --- /dev/null +++ b/19-8-kuard-pod-runtimeclass.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard + labels: + app: kuard +spec: + runtimeClassName: firecracker + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/19-9-networkpolicy-default-deny.yaml b/19-9-networkpolicy-default-deny.yaml new file mode 100644 index 0000000..1a97947 --- /dev/null +++ b/19-9-networkpolicy-default-deny.yaml @@ -0,0 +1,8 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress +spec: + podSelector: {} + policyTypes: + - Ingress diff --git a/20-1-allowedrepos-constraint-template.yaml b/20-1-allowedrepos-constraint-template.yaml new file mode 100644 index 0000000..aecff62 --- /dev/null +++ b/20-1-allowedrepos-constraint-template.yaml 
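Review bot: The ServiceAccount in 19-7-service-account.yaml is named `default` with no `metadata.namespace`, so `kubectl apply` patches the default account of whichever namespace the current context points at, and the setting is only a default: a pod can still set `automountServiceAccountToken: true` in its own spec and override the account-level `false`. Adding an explicit `namespace:` and a comment such as `# a pod-level automountServiceAccountToken overrides this value` would make both facts visible in the example.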
@@ -0,0 +1,42 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sallowedrepos + annotations: + description: Requires container images to begin with a repo string from a + specified list. +spec: + crd: + spec: + names: + kind: K8sAllowedRepos + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + repos: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sallowedrepos + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + not strings.any_prefix_match(container.image, input.parameters.repos) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + not strings.any_prefix_match(container.image, input.parameters.repos) + msg := sprintf("initContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.ephemeralContainers[_] + not strings.any_prefix_match(container.image, input.parameters.repos) + msg := sprintf("ephemeralContainer <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } diff --git a/20-2-allowedrepos-constraint.yaml b/20-2-allowedrepos-constraint.yaml new file mode 100644 index 0000000..0d89d94 --- /dev/null +++ b/20-2-allowedrepos-constraint.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sAllowedRepos +metadata: + name: repo-is-kuar-demo +spec: + enforcementAction: deny + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + namespaces: + - "default" + parameters: + repos: + - "gcr.io/kuar-demo/" 
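Review bot: The three `violation` rules in 20-1-allowedrepos-constraint-template.yaml use `strings.any_prefix_match` on the raw image string, so a `repos` entry without a trailing slash (`gcr.io/kuar-demo`) would also accept `gcr.io/kuar-demo-other/...`; the constraint in 20-2 happens to use `gcr.io/kuar-demo/`, but nothing in the template or its `openAPIV3Schema` enforces the slash. A comment on the schema such as `# plain prefix match — entries should end with "/"`, or a `pattern:` on the array items, would make that explicit. Note also that `repos` is not marked `required`; with it absent, `input.parameters.repos` should be undefined, the `not` clause then holds, and every container is reported — a fail-closed default worth stating in the `description` annotation.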
diff --git a/20-3-compliant-pod.yaml b/20-3-compliant-pod.yaml new file mode 100644 index 0000000..f7795da --- /dev/null +++ b/20-3-compliant-pod.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Pod +metadata: + name: kuard +spec: + containers: + - image: gcr.io/kuar-demo/kuard-amd64:blue + name: kuard + ports: + - containerPort: 8080 + name: http + protocol: TCP diff --git a/20-4-noncompliant-pod.yaml b/20-4-noncompliant-pod.yaml new file mode 100644 index 0000000..c6712cc --- /dev/null +++ b/20-4-noncompliant-pod.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Pod +metadata: + name: nginx-noncompliant +spec: + containers: + - name: nginx + image: nginx diff --git a/20-5-allowedrepos-constraint-dryrun.yaml b/20-5-allowedrepos-constraint-dryrun.yaml new file mode 100644 index 0000000..3e13d2b --- /dev/null +++ b/20-5-allowedrepos-constraint-dryrun.yaml @@ -0,0 +1,15 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sAllowedRepos +metadata: + name: repo-is-kuar-demo +spec: + enforcementAction: dryrun + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + namespaces: + - "default" + parameters: + repos: + - "gcr.io/kuar-demo/" diff --git a/20-6-imagepullpolicyalways-mutation.yaml b/20-6-imagepullpolicyalways-mutation.yaml new file mode 100644 index 0000000..5cfbe6b --- /dev/null +++ b/20-6-imagepullpolicyalways-mutation.yaml @@ -0,0 +1,19 @@ +apiVersion: mutations.gatekeeper.sh/v1alpha1 +kind: Assign +metadata: + name: demo-image-pull-policy +spec: + applyTo: + - groups: [""] + kinds: ["Pod"] + versions: ["v1"] + match: + scope: Namespaced + kinds: + - apiGroups: ["*"] + kinds: ["Pod"] + excludedNamespaces: ["system"] + location: "spec.containers[name:*].imagePullPolicy" + parameters: + assign: + value: Always diff --git a/20-7-config-sync.yaml b/20-7-config-sync.yaml new file mode 100644 index 0000000..ff2c7ed --- /dev/null +++ b/20-7-config-sync.yaml 
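Review bot: `excludedNamespaces: ["system"]` in 20-6-imagepullpolicyalways-mutation.yaml names a namespace that does not exist in a stock cluster; if the intent is to leave system workloads alone it presumably should read `excludedNamespaces: ["kube-system"]` (Gatekeeper's matcher also accepts a `kube-*` glob), otherwise the mutation rewrites pods in `kube-system` too. The `location` covers only `spec.containers[name:*].imagePullPolicy`, so init and ephemeral containers keep their own policy; either document that limitation or add a second Assign for `spec.initContainers[name:*].imagePullPolicy`.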
@@ -0,0 +1,14 @@ +apiVersion: config.gatekeeper.sh/v1alpha1 +kind: Config +metadata: + name: config + namespace: "gatekeeper-system" +spec: + sync: + syncOnly: + - group: "" + version: "v1" + kind: "Namespace" + - group: "" + version: "v1" + kind: "Pod" diff --git a/20-8-uniqueingresshost-constraint-template.yaml b/20-8-uniqueingresshost-constraint-template.yaml new file mode 100644 index 0000000..a724faf --- /dev/null +++ b/20-8-uniqueingresshost-constraint-template.yaml @@ -0,0 +1,31 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8suniqueingresshost + annotations: + description: Requires all Ingress hosts to be unique. +spec: + crd: + spec: + names: + kind: K8sUniqueIngressHost + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8suniqueingresshost + + identical(obj, review) { + obj.metadata.namespace == review.object.metadata.namespace + obj.metadata.name == review.object.metadata.name + } + + violation[{"msg": msg}] { + input.review.kind.kind == "Ingress" + regex.match("^(extensions|networking.k8s.io)$", input.review.kind.group) + host := input.review.object.spec.rules[_].host + other := data.inventory.namespace[_][otherapiversion]["Ingress"][name] + regex.match("^(extensions|networking.k8s.io)/.+$", otherapiversion) + other.spec.rules[_].host == host + not identical(other, input.review) + msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host]) + } diff --git a/5-1-kuard-pod.yaml b/5-1-kuard-pod.yaml index b1dc580..1e15dd8 100644 --- a/5-1-kuard-pod.yaml +++ b/5-1-kuard-pod.yaml @@ -4,7 +4,7 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:1 + - image: gcr.io/kuar-demo/kuard-amd64:blue name: kuard ports: - containerPort: 8080 diff --git a/5-2-kuard-pod-health.yaml b/5-2-kuard-pod-health.yaml index f85c949..59efb02 100644 --- a/5-2-kuard-pod-health.yaml +++ b/5-2-kuard-pod-health.yaml 
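Review bot: The `syncOnly` list in 20-7-config-sync.yaml replicates only `Namespace` and `Pod` into `data.inventory`, but the rule in 20-8-uniqueingresshost-constraint-template.yaml from this same commit reads `data.inventory.namespace[_][otherapiversion]["Ingress"][name]`, so with this Config the lookup is always empty and the uniqueness check can never report a conflict. Adding `- group: "networking.k8s.io"` / `version: "v1"` / `kind: "Ingress"` to `syncOnly` (plus the legacy `extensions` group if the template's regex is meant to cover it) is needed for 20-8 to function, and a comment in 20-8 naming that dependency would help anyone applying the template on its own.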
@@ -4,7 +4,7 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:1 + - image: gcr.io/kuar-demo/kuard-amd64:blue name: kuard livenessProbe: httpGet: diff --git a/5-3-kaurd-pod-resreq.yaml b/5-3-kaurd-pod-resreq.yaml index 8f7e5b3..efb95d7 100644 --- a/5-3-kaurd-pod-resreq.yaml +++ b/5-3-kaurd-pod-resreq.yaml @@ -4,7 +4,7 @@ metadata: name: kuard spec: containers: - - image: gcr.io/kuar-demo/kuard-amd64:1 + - image: gcr.io/kuar-demo/kuard-amd64:blue name: kuard resources: requests: diff --git a/8-1-simple-ingress.yaml b/8-1-simple-ingress.yaml new file mode 100644 index 0000000..23464f8 --- /dev/null +++ b/8-1-simple-ingress.yaml @@ -0,0 +1,10 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: simple-ingress +spec: + defaultBackend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-2-host-ingress.yaml b/8-2-host-ingress.yaml new file mode 100644 index 0000000..fb6120a --- /dev/null +++ b/8-2-host-ingress.yaml @@ -0,0 +1,21 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: host-ingress +spec: + defaultBackend: + service: + name: be-default + port: + number: 8080 + rules: + - host: alpaca.example.com + http: + paths: + - pathType: Prefix + path: / + backend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-3-path-ingress.yaml b/8-3-path-ingress.yaml new file mode 100644 index 0000000..8a41a44 --- /dev/null +++ b/8-3-path-ingress.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: path-ingress +spec: + rules: + - host: bandicoot.example.com + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: bandicoot + port: + number: 8080 + - pathType: Prefix + path: "/a/" + backend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-4-tls-secret.yaml b/8-4-tls-secret.yaml new file mode 100644 index 0000000..684fc34 --- /dev/null +++ b/8-4-tls-secret.yaml 
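Review bot: None of the new Ingress objects (8-1-simple-ingress.yaml, 8-2, 8-3 and 8-5) sets `spec.ingressClassName`, so under `networking.k8s.io/v1` they are only reconciled if the cluster has an IngressClass marked as default; on a cluster with several controllers, or none marked default, they are silently ignored. Adding `ingressClassName: <class-placeholder>` under `spec:`, or a comment stating that a default IngressClass is assumed, would spare readers a confusing debugging session.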
@@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + name: tls-secret-name +type: kubernetes.io/tls +data: + tls.crt: + tls.key: diff --git a/8-5-tls-ingress.yaml b/8-5-tls-ingress.yaml new file mode 100644 index 0000000..4573092 --- /dev/null +++ b/8-5-tls-ingress.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: tls-ingress +spec: + tls: + - hosts: + - alpaca.example.com + secretName: tls-secret-name + rules: + - host: alpaca.example.com + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: alpaca + port: + number: 8080 diff --git a/8-1-kuard-rs.yaml b/9-1-kuard-rs.yaml similarity index 67% rename from 8-1-kuard-rs.yaml rename to 9-1-kuard-rs.yaml index 0cad32d..c9d8474 100644 --- a/8-1-kuard-rs.yaml +++ b/9-1-kuard-rs.yaml @@ -5,9 +5,6 @@ metadata: app: kuard version: "2" name: kuard - labels: - app: kuard - version: "2" spec: replicas: 1 selector: @@ -22,4 +19,8 @@ spec: spec: containers: - name: kuard - image: "gcr.io/kuar-demo/kuard-amd64:2" + image: "gcr.io/kuar-demo/kuard-amd64:green" + resources: + requests: + cpu: "500m" + memory: "128Mi"
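Review bot: In 8-4-tls-secret.yaml the bare `tls.crt:` and `tls.key:` entries parse as null rather than as the base64-encoded PEM a `kubernetes.io/tls` Secret expects, so the file cannot be used as written, and `creationTimestamp: null` is left-over `--dry-run -o yaml` output that does not belong in a hand-written example. Replacing the empty values with quoted, clearly marked placeholders (`tls.crt: "<base64-encoded PEM certificate>"`, `tls.key: "<base64-encoded PEM private key>"`) and a comment that the values are base64 and that real key material should be injected from a secret store rather than committed alongside the manifest would make the template usable.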
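Review bot: The `resources` block added to 9-1-kuard-rs.yaml declares `requests` only, so the container has no CPU or memory `limits`: it is scheduled against the request but can grow until the node itself comes under pressure. If the example is meant to show resource management, pairing the request with `limits:` / `memory: "128Mi"` (and a CPU limit if desired) bounds the pod; if requests-only is intentional, a comment above `resources:` saying so would help.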