chore: migrated from internal repo

!1 nofusscomputing/infrastructure/config!28
2023-10-27 21:47:03 +09:30
parent e45190fab4
commit 93b63308ef
30 changed files with 7326 additions and 0 deletions


@ -0,0 +1,51 @@
# ---
# apiVersion: kyverno.io/v1
# kind: ClusterPolicy
# metadata:
# name: add-networkpolicy
# labels:
# <<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
# annotations:
# ansible.kubernetes.io/path: {{ item }}
# policies.kyverno.io/title: Add Network Policy
# policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
# policies.kyverno.io/subject: NetworkPolicy
# policies.kyverno.io/minversion: 1.6.0
# policies.kyverno.io/description: >-
# By default, Kubernetes allows communications across all Pods within a cluster.
# The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
# communications. A default NetworkPolicy should be configured for each Namespace to
# default deny all ingress and egress traffic to the Pods in the Namespace. Application
# teams can then configure additional NetworkPolicy resources to allow desired traffic
# to application Pods from select sources. This policy will create a new NetworkPolicy resource
# named `default-deny` which will deny all traffic anytime a new Namespace is created.
# spec:
# rules:
# - name: default-deny
# match:
# any:
# - resources:
# kinds:
# - Namespace
# exclude:
# any:
# - resources:
# namespaces:
# - kube-metrics
# - kube-policy
# - kube-system
# - default
# generate:
# apiVersion: networking.k8s.io/v1
# kind: NetworkPolicy
# name: default-deny
# namespace: "{{'{{request.object.metadata.name}}'}}"
# synchronize: true
# data:
# spec:
# # select all pods in the namespace
# podSelector: {}
# # deny all traffic
# policyTypes:
# - Ingress
# - Egress
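Review bot: Every line of this file is commented out, so no `add-networkpolicy` ClusterPolicy is applied and the `default-deny` NetworkPolicy that the description says is generated for each new Namespace does not exist in the cluster; the same holds for the `add-networkpolicy-dns` file in the next section and the `kube-metrics` NetworkPolicy file at the end of this page. Committing the policies in this state makes the repository suggest a default-deny posture that the cluster does not actually have. If they are parked on purpose (for example until the CNI supports NetworkPolicy), a header such as `# Disabled: <reason> — TODO re-enable when <condition>` at the top of each file would record that; otherwise uncomment them or leave them out of the migration.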


@ -0,0 +1,60 @@
# ---
# apiVersion: kyverno.io/v1
# kind: ClusterPolicy
# metadata:
# name: add-networkpolicy-dns
# labels:
# <<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
# annotations:
# ansible.kubernetes.io/path: {{ item }}
# policies.kyverno.io/title: Add Network Policy for DNS
# policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
# policies.kyverno.io/subject: NetworkPolicy
# kyverno.io/kyverno-version: 1.6.2
# policies.kyverno.io/minversion: 1.6.0
# kyverno.io/kubernetes-version: "1.23"
# policies.kyverno.io/description: >-
# By default, Kubernetes allows communications across all Pods within a cluster.
# The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
# communications. A default NetworkPolicy should be configured for each Namespace to
# default deny all ingress and egress traffic to the Pods in the Namespace. Application
# teams can then configure additional NetworkPolicy resources to allow desired traffic
# to application Pods from select sources. This policy will create a new NetworkPolicy resource
# named `default-deny` which will deny all traffic anytime a new Namespace is created.
# spec:
# generateExistingOnPolicyUpdate: true
# rules:
# - name: add-netpol-dns
# match:
# any:
# - resources:
# kinds:
# - Namespace
# exclude:
# any:
# - resources:
# namespaces:
# - kube-metrics
# - kube-policy
# - kube-system
# - default
# generate:
# apiVersion: networking.k8s.io/v1
# kind: NetworkPolicy
# name: allow-dns
# namespace: "{{'{{request.object.metadata.name}}'}}"
# synchronize: true
# data:
# spec:
# podSelector:
# matchLabels: {}
# policyTypes:
# - Egress
# egress:
# - to:
# - namespaceSelector:
# matchLabels:
# name: kube-system
# ports:
# - protocol: UDP
# port: 53


@ -0,0 +1,48 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-mutable-tag
labels:
<<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
annotations:
ansible.kubernetes.io/path: {{ item }}
policies.kyverno.io/title: Disallow mutable Tag
policies.kyverno.io/category: Best Practices
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The ':latest', ':master' and ':dev(elopment)' tags are mutable and can lead to unexpected errors if the
image changes. A best practice is to use an immutable tag that maps to
a specific version of an application Pod. This policy validates that the image
specifies a tag and that it is not called `latest` `master` or`dev(elopment)`.
spec:
#failurePolicy: Fail
validationFailureAction: Audit
background: true
rules:
- name: require-image-tag
match:
any:
- resources:
kinds:
- Pod
validate:
message: "An image tag is required."
pattern:
spec:
containers:
- image: "*:*"
- name: validate-image-tag
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Using a mutable image tag e.g. 'latest', 'master' or 'dev[elopment]' is not allowed."
pattern:
spec:
containers:
- image: "!*:[latest|master|dev|development]"
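Review bot: The pattern `"!*:[latest|master|dev|development]"` in the `validate-image-tag` rule relies on bracket alternation, which I don't believe Kyverno's pattern grammar supports (it documents only the `*` and `?` wildcards plus the `|`/`&` value operators) — please check against the Kyverno 1.6 docs, because if the brackets are taken literally the negated pattern matches every image and the rule never flags anything. The upstream form `image: "!*:latest"` is known to work; covering several tags likely needs one such rule per tag or a `deny.conditions` check on the parsed tag, and a `kyverno test` case with an `nginx:latest` Pod would pin the behaviour either way. Note also that `validationFailureAction: Audit` (with `#failurePolicy: Fail` commented out) only records violations in PolicyReports and does not block admission, as does the `disallow-default-namespace` file in the next section; if Audit is the intended rollout stage, a comment saying so would help. Finally, `ansible.kubernetes.io/path: {{ item }}` is an unquoted templated scalar; `ansible.kubernetes.io/path: "{{ item }}"` guards against a rendered path being re-typed by the YAML parser.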


@ -0,0 +1,52 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: disallow-default-namespace
labels:
<<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
annotations:
pod-policies.kyverno.io/autogen-controllers: none
policies.kyverno.io/title: Disallow Default Namespace
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/category: Multi-Tenancy
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Kubernetes Namespaces are an optional feature that provide a way to segment and
isolate cluster resources across multiple applications and users. As a best
practice, workloads should be isolated with Namespaces. Namespaces should be required
and the default (empty) Namespace should not be used. This policy validates that Pods
specify a Namespace name other than `default`. Rule auto-generation is disabled here
due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
object and not at the Pod template level.
spec:
#failurePolicy: Fail
validationFailureAction: Audit
background: true
rules:
- name: validate-namespace
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Using 'default' namespace is not allowed."
pattern:
metadata:
namespace: "!default"
- name: validate-podcontroller-namespace
match:
any:
- resources:
kinds:
- DaemonSet
- Deployment
- Job
- StatefulSet
validate:
message: "Using 'default' namespace is not allowed for pod controllers."
pattern:
metadata:
namespace: "!default"
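Review bot: This policy omits the `ansible.kubernetes.io/path: {{ item }}` annotation that the sibling `disallow-mutable-tag` policy carries under `metadata.annotations`, so the rendered resource cannot be traced back to its template the way the others can. Adding `ansible.kubernetes.io/path: "{{ item }}"` alongside `pod-policies.kyverno.io/autogen-controllers: none` keeps the policy set consistent.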


@ -0,0 +1,48 @@
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: spread-pods
labels:
<<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
annotations:
policies.kyverno.io/title: Spread Pods Across Nodes
policies.kyverno.io/category: Sample
policies.kyverno.io/subject: Deployment, Pod
policies.kyverno.io/minversion: 1.6.0
policies.kyverno.io/description: >-
Deployments to a Kubernetes cluster with multiple availability zones often need to
distribute those replicas to align with those zones to ensure site-level failures
do not impact availability. This policy matches Deployments with the label
`distributed=required` and mutates them to spread Pods across zones.
spec:
generateExistingOnPolicyUpdate: true
background: true
rules:
- name: spread-pods-across-nodes
# Matches any Deployment with the label `distributed=required`
match:
any:
- resources:
kinds:
- Deployment
- StatefulSet
preconditions:
all:
- key: "{{ '{{ request.object.spec.replicas }}' }}"
operator: GreaterThanOrEquals
value: 2
# Mutates the incoming Deployment.
mutate:
patchStrategicMerge:
spec:
template:
spec:
# Adds the topologySpreadConstraints field if non-existent in the request.
+(topologySpreadConstraints):
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/name: "{% raw %} '{{ request.object.metadata.labels.\"app.kubernetes.io/name\" }}' {% endraw %}"
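Review bot: The `labelSelector.matchLabels` value `"{% raw %} '{{ request.object.metadata.labels.\"app.kubernetes.io/name\" }}' {% endraw %}"` keeps its single quotes and surrounding spaces after Jinja rendering, because `{% raw %}` passes them through unchanged (unlike the `"{{ '…' }}"` form used for the precondition key above, where the quotes are Jinja delimiters); after Kyverno substitutes the variable the selector value would be ` 'name' `, which is not a valid label value. I believe `app.kubernetes.io/name: "{% raw %}{{ request.object.metadata.labels.\"app.kubernetes.io/name\" }}{% endraw %}"` yields the intended string — worth confirming by rendering the template and running `kyverno apply` against a sample Deployment. The comment `# Matches any Deployment with the label distributed=required` and the description say the same, but the `match` block selects every Deployment and StatefulSet with `replicas >= 2`; either the match needs a `selector` for that label or the comment and description should be updated. Likewise the description says Pods are spread across zones while `topologyKey: kubernetes.io/hostname` spreads them across nodes (matching the title and rule name); align the wording or the key.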


@ -0,0 +1,38 @@
# apiVersion: networking.k8s.io/v1
# kind: NetworkPolicy
# metadata:
# name: kube-metrics
# namespace: kube-metrics
# labels:
# app.kubernetes.io/name: kube-metrics
# # app.kubernetes.io/instance: { .Release.Name }}
# # app.kubernetes.io/version: { .Chart.Version | quote }}
# # app.kubernetes.io/managed-by: { .Release.Service }}
# app.kubernetes.io/component: loki
# app.kubernetes.io/part-of: metrics
# spec:
# egress:
# - to:
# #- podSelector:
# - namespaceSelector:
# matchLabels:
# kubernetes.io/metadata.name: "default"
# ports:
# - port: 443
# protocol: TCP
# # ingress:
# # - from:
# # #- podSelector:
# # - namespaceSelector:
# # matchLabels:
# # #app.kubernetes.io/name: prometheus
# # #app.kubernetes.io/instance: k8s
# # #app.kubernetes.io/managed-by: prometheus-operator
# # app.kubernetes.io/name: grafana-agent
# # #app.kubernetes.io/part-of: kube-prometheus
# # #app: grafana
# policyTypes:
# - Egress
# #- Ingress