Compare commits
15 Commits
28334c15a3
...
main
| Author | SHA1 | Date |
|---|---|---|
| | 76a89520e1 | |
| | 6ab4467a25 | |
| | 9aeea7b830 | |
| | 23ea92636e | |
| | 1384b3ab50 | |
| | 3d6b022cad | |
| | 46807f93d9 | |
| | a62e3aba2f | |
| | 77ef9348f9 | |
| | 0cf4f155de | |
| | a95fad4423 | |
| | 06307b4047 | |
| | 6569a6c33b | |
| | 04f351706c | |
| | 314c75d8df | |
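--- /dev/null
+++ b/templates/NetworkPolicy.yaml
@@ -0,0 +1,75 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dragonfly
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      app: memelord-raiko-redis
+  policyTypes:
+    - Ingress
+  ingress:
+    # App -> Redis
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko
+      ports:
+        - protocol: TCP
+          port: 6379
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord-raiko-redis
+      ports:
+        - protocol: TCP
+          port: 6379
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: postgres
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      cnpg.io/cluster: memelord-raiko-database
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: memelord
+        - podSelector: # Primary-secondary replication!
+            matchLabels:
+              cnpg.io/cluster: memelord-raiko-database
+      ports:
+        - protocol: TCP
+          port: 5432
+    - ports: # Probes do work now!
+        - protocol: TCP
+          port: 8000
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: memelord
+  namespace: memelord-raiko
+spec:
+  podSelector:
+    matchLabels:
+      app: memelord
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+      ports:
+        - protocol: TCP
+          port: 8000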
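Review bot: The Redis policy (`name: dragonfly`) admits ingress from pods labelled `app: memelord-raiko`, while the postgres policy admits `app: memelord` and the memelord policy selects its own pods with `app: memelord`; if the application pods carry `app: memelord`, as the third document suggests, the Redis rule matches nothing and the app is cut off from port 6379 (and if they carry `app: memelord-raiko`, the postgres rule is the dead one instead). Pick one label value and use it in all three documents. The postgres policy's second ingress rule (`- ports:` with port 8000, commented "Probes do work now!") has no `from`, so it admits any source in the cluster to port 8000 of the database pods, not only the kubelet; if that is intended, say so in the comment, otherwise narrow it with an `ipBlock` covering the node network. The namespace is hard-coded as `namespace: memelord-raiko` in all three documents while the other hunk in this commit parameterises names with `{{ .Release.Name }}`; `{{ .Release.Namespace }}` would keep the chart installable elsewhere.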
@@ -175,3 +175,22 @@ spec:
|
||||
number: 80
|
||||
tls:
|
||||
- secretName: {{ .Release.Name }}-tls
|
||||
---
|
||||
apiVersion: codemowers.cloud/v1beta1
|
||||
kind: OIDCClient
|
||||
metadata:
|
||||
name: {{ .Release.Name }}
|
||||
spec:
|
||||
displayName: Memelord Raiko
|
||||
uri: https://{{ .Values.hostname }}/oidc/authenticate/
|
||||
redirectUris:
|
||||
- https://{{ .Values.hostname }}/oidc/callback/
|
||||
grantTypes:
|
||||
- authorization_code
|
||||
- refresh_token
|
||||
responseTypes:
|
||||
- code
|
||||
availableScopes:
|
||||
- openid
|
||||
- profile
|
||||
pkce: false
|
||||
|
||||
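Review bot: `pkce: false` on the new OIDCClient switches PKCE off for the `authorization_code` grant declared a few lines above it; unless the application's OIDC library cannot send a code verifier, this should be `pkce: true`, so that an authorization code observed in transit cannot be redeemed without the verifier. The file this hunk belongs to is not named on the page, and the Ingress definition whose `tls:` section it extends starts outside the hunk. `uri:` and the `redirectUris` entry interpolate `{{ .Values.hostname }}` into unquoted scalars; quoting them, `- "https://{{ .Values.hostname }}/oidc/callback/"`, keeps the rendered YAML valid if the value ever contains a YAML-significant character.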
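--- /dev/null
+++ b/templates/kyverno.yaml
@@ -0,0 +1,54 @@
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: add-default-securitycontext
+#   namespace: memelord-raiko
+# spec:
+#   rules:
+#     - name: add-default-securitycontext
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       mutate:
+#         patchStrategicMerge:
+#           spec:
+#             securityContext:
+#               +(runAsNonRoot): true
+#               +(runAsUser): 1000
+#               +(runAsGroup): 3000
+#               +(fsGroup): 2000
+#
+# ---
+# apiVersion: kyverno.io/v1
+# kind: Policy
+# metadata:
+#   name: require-run-as-non-root-user
+#   namespace: memelord-raiko
+# spec:
+#   validationFailureAction: Enforce
+#   background: false
+#   rules:
+#     - name: run-as-non-root-user
+#       match:
+#         any:
+#           - resources:
+#               kinds:
+#                 - Pod
+#       validate:
+#         message: Running as root is not allowed. The fields spec.securityContext.runAsUser, spec.containers[*].securityContext.runAsUser, spec.initContainers[*].securityContext.runAsUser, and spec.ephemeralContainers[*].securityContext.runAsUser must be unset or set to a number greater than zero.
+#         pattern:
+#           spec:
+#             "=(securityContext)":
+#               "=(runAsUser)": ">0"
+#             "=(ephemeralContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             "=(initContainers)":
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"
+#             containers:
+#               - "=(securityContext)":
+#                   "=(runAsUser)": ">0"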
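Review bot: Every line of templates/kyverno.yaml is commented out, so the chart renders nothing from this file and neither the `add-default-securitycontext` mutation nor the `require-run-as-non-root-user` validation is applied; a reader skimming the templates directory would assume a non-root guarantee that does not exist. Either drop the file or put one comment at its top stating why it is disabled and what must change before it is enabled, for example `# Disabled: <reason>; re-enable once <condition>` with the placeholders filled in. Note also that the validation pattern uses `=()` conditional anchors throughout, so a pod with no `runAsUser` anywhere passes it (the message text says as much); a root-only image is stopped only by the mutate rule's `+(runAsNonRoot): true`, which means the two policies must be enabled together to mean anything. As in the NetworkPolicy file, `namespace: memelord-raiko` is hard-coded where the rest of the chart uses Release values.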