Squashing relevant changes from fast-dev-gke-marzi
Co-authored-by: Daniel Marzini <dmarzi@google.com>
parent
d28dfc40b0
commit
110d94067d
|
@ -0,0 +1,3 @@
|
||||||
|
The cluster/ directory contains configs that apply to entire clusters, rather than to namespaces. By default, any config in the cluster/ directory applies to every cluster enrolled in Config Sync. You can limit which clusters a config can affect by using a ClusterSelector.
|
||||||
|
|
||||||
|
Doc ref: https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo#cluster
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: dev-namespace-viewer
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
|
||||||
|
resources:
|
||||||
|
- "pods"
|
||||||
|
- "pods/log"
|
||||||
|
- "events"
|
||||||
|
- "deployments"
|
||||||
|
- "replicasets"
|
||||||
|
verbs: ["get", "watch", "list"]
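Review bot: The rule grants `pods/log` read in every namespace, and log output routinely carries tokens and personal data, so the role is broader than the "viewer" name suggests; either drop `pods/log` from this ClusterRole or add a comment above `rules:` stating that log read is intentional for the dev clusters. Separately, `"extensions"` in `apiGroups` is a legacy group: `deployments` and `replicasets` have been served only from `apps` since Kubernetes 1.16, so the entry can be removed, leaving `- apiGroups: ["", "metrics.k8s.io", "apps"]`.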
|
|
@ -0,0 +1,43 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
apiVersion: constraints.gatekeeper.sh/v1beta1
|
||||||
|
kind: K8sRequiredLabels
|
||||||
|
metadata:
|
||||||
|
name: ns-must-have-geo
|
||||||
|
annotations:
|
||||||
|
configsync.gke.io/cluster-name-selector: gke-1
|
||||||
|
spec:
|
||||||
|
enforcementAction: dryrun
|
||||||
|
match:
|
||||||
|
excludedNamespaces:
|
||||||
|
- "kube-system"
|
||||||
|
- "kube-public"
|
||||||
|
- "kube-node-lease"
|
||||||
|
- "resource-group-system"
|
||||||
|
- "config-management-monitoring"
|
||||||
|
- "config-management-system"
|
||||||
|
- "cos-auditd"
|
||||||
|
- "gatekeeper-system"
|
||||||
|
- "kube-node-lease"
|
||||||
|
- "cnrm-system"
|
||||||
|
- "gke-mcs"
|
||||||
|
- "configconnector-operator-system"
|
||||||
|
kinds:
|
||||||
|
- apiGroups: [""]
|
||||||
|
kinds: ["Namespace"]
|
||||||
|
parameters:
|
||||||
|
labels:
|
||||||
|
- key: "geo"
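Review bot: `- "kube-node-lease"` appears twice in `excludedNamespaces`; the second entry is redundant and should be dropped. The constraint only checks that the `geo` key exists, so any value satisfies it; if the label is meant to carry a region, add an `allowedRegex` to the `labels` entry, e.g. `- key: "geo"` followed by `allowedRegex: "^[a-z]+-[a-z]+[0-9]+$"` (constructed pattern, adjust to your naming). With `enforcementAction: dryrun` violations are only reported, so a comment above `spec:` saying whether `deny` is planned once existing namespaces are labeled would help the next reader.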
|
|
@ -0,0 +1,47 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: high-priority-system
|
||||||
|
value: 1000000
|
||||||
|
globalDefault: false
|
||||||
|
description: "This priority class will cause other pods to be preempted."
|
||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: high-priority
|
||||||
|
value: 1000
|
||||||
|
globalDefault: false
|
||||||
|
description: "This priority class will cause other pods to be preempted."
|
||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: mid-priority
|
||||||
|
value: 100
|
||||||
|
globalDefault: false
|
||||||
|
# preemptionPolicy: Never
|
||||||
|
description: "This priority class will cause other pods to be preempted."
|
||||||
|
---
|
||||||
|
apiVersion: scheduling.k8s.io/v1
|
||||||
|
kind: PriorityClass
|
||||||
|
metadata:
|
||||||
|
name: low-priority
|
||||||
|
value: 10
|
||||||
|
globalDefault: true
|
||||||
|
# preemptionPolicy: Never
|
||||||
|
description: "This priority class will cause other pods to be preempted."
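Review bot: The `description` is copied verbatim across all four classes, including `low-priority`, whose `value: 10` and `globalDefault: true` make it the class most likely to be preempted rather than to preempt; the text on each class should describe that class, e.g. `description: "Default class for workloads without an explicit priority; may be preempted by higher classes."` for `low-priority`. The commented `# preemptionPolicy: Never` on the mid and low classes leaves it unclear whether preemption by these classes is wanted; either set the field or replace the comment with the reason it is left at the default.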
|
|
@ -0,0 +1,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
The namespaces/ directory contains configs for namespaces and namespace-scoped objects.
|
||||||
|
|
||||||
|
The structure within namespaces/ is the mechanism that drives namespace inheritance. You can limit which namespaces can inherit a config, by using a NamespaceSelector.
|
||||||
|
|
||||||
|
Doc ref: https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo#namespaces
|
|
@ -0,0 +1,54 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
kind: ConfigMap
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: fluentd-gcp-config-cos-auditd
|
||||||
|
namespace: cos-auditd
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.'
|
||||||
|
data:
|
||||||
|
google-fluentd.conf: |-
|
||||||
|
<source>
|
||||||
|
@type systemd
|
||||||
|
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
|
||||||
|
pos_file /var/log/gcp-journald-audit.pos
|
||||||
|
read_from_head true
|
||||||
|
tag linux-auditd
|
||||||
|
</source>
|
||||||
|
|
||||||
|
# Do not collect fluentd's own logs to avoid infinite loops.
|
||||||
|
<match fluent.**>
|
||||||
|
@type null
|
||||||
|
</match>
|
||||||
|
|
||||||
|
<match **>
|
||||||
|
@type google_cloud
|
||||||
|
|
||||||
|
enable_monitoring false
|
||||||
|
split_logs_by_tag false
|
||||||
|
detect_subservice false
|
||||||
|
buffer_type file
|
||||||
|
buffer_path /var/log/fluentd-buffers/system.audit.buffer
|
||||||
|
buffer_queue_full_action block
|
||||||
|
buffer_chunk_limit 512k
|
||||||
|
buffer_queue_limit 2
|
||||||
|
flush_interval 5s
|
||||||
|
max_retry_wait 30
|
||||||
|
disable_retry_limit
|
||||||
|
num_threads 2
|
||||||
|
use_grpc true
|
||||||
|
</match>
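Review bot: The output buffer is sized at `buffer_chunk_limit 512k` with `buffer_queue_limit 2`, and `buffer_queue_full_action block` stalls the systemd input when it fills, so a Cloud Logging outage longer than a few flush cycles pauses audit collection rather than dropping it; that is a defensible choice for audit data, but it deserves a comment inside the block scalar, e.g. `# Block rather than drop: audit events must not be lost; backlog stays in journald.`. `disable_retry_limit` together with `max_retry_wait 30` means retries continue indefinitely, which is consistent with that intent. If this file is derived from the GKE cos-auditd example, saying so in the `kubernetes.io/description` annotation lets future upgrades be diffed against upstream.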
|
|
@ -0,0 +1,128 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: DaemonSet
|
||||||
|
metadata:
|
||||||
|
name: cos-auditd-logging
|
||||||
|
namespace: cos-auditd
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on COS nodes.'
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
name: cos-auditd-logging
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
annotations:
|
||||||
|
scheduler.alpha.kubernetes.io/critical-pod: ""
|
||||||
|
labels:
|
||||||
|
name: cos-auditd-logging
|
||||||
|
spec:
|
||||||
|
hostNetwork: true
|
||||||
|
hostPID: true
|
||||||
|
nodeSelector:
|
||||||
|
cloud.google.com/gke-os-distribution: cos
|
||||||
|
volumes:
|
||||||
|
- hostPath:
|
||||||
|
path: /
|
||||||
|
name: host
|
||||||
|
- hostPath:
|
||||||
|
path: /var/log
|
||||||
|
name: varlog
|
||||||
|
- hostPath:
|
||||||
|
path: /usr/lib64
|
||||||
|
name: libsystemddir
|
||||||
|
- configMap:
|
||||||
|
defaultMode: 420
|
||||||
|
name: fluentd-gcp-config-cos-auditd
|
||||||
|
name: config-volume
|
||||||
|
initContainers:
|
||||||
|
- name: cos-auditd-setup
|
||||||
|
image: ubuntu
|
||||||
|
command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
|
||||||
|
securityContext:
|
||||||
|
privileged: true
|
||||||
|
volumeMounts:
|
||||||
|
- name: host
|
||||||
|
mountPath: /host
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: "10Mi"
|
||||||
|
cpu: "10m"
|
||||||
|
priorityClassName: high-priority-system
|
||||||
|
containers:
|
||||||
|
- name: fluentd-gcp-cos-auditd
|
||||||
|
env:
|
||||||
|
- name: NODE_NAME
|
||||||
|
valueFrom:
|
||||||
|
fieldRef:
|
||||||
|
apiVersion: v1
|
||||||
|
fieldPath: spec.nodeName
|
||||||
|
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
livenessProbe:
|
||||||
|
exec:
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
|
||||||
|
exit 1;
|
||||||
|
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
|
||||||
|
rm -rf /var/log/fluentd-buffers;
|
||||||
|
exit 1;
|
||||||
|
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
|
||||||
|
exit 1;
|
||||||
|
fi;
|
||||||
|
failureThreshold: 3
|
||||||
|
initialDelaySeconds: 600
|
||||||
|
periodSeconds: 60
|
||||||
|
successThreshold: 1
|
||||||
|
timeoutSeconds: 1
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 500Mi
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 200Mi
|
||||||
|
terminationMessagePath: /dev/termination-log
|
||||||
|
terminationMessagePolicy: File
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /var/log
|
||||||
|
name: varlog
|
||||||
|
- mountPath: /host/lib
|
||||||
|
name: libsystemddir
|
||||||
|
readOnly: true
|
||||||
|
- mountPath: /etc/google-fluentd/google-fluentd.conf
|
||||||
|
subPath: google-fluentd.conf
|
||||||
|
name: config-volume
|
||||||
|
dnsPolicy: Default
|
||||||
|
restartPolicy: Always
|
||||||
|
terminationGracePeriodSeconds: 30
|
||||||
|
tolerations:
|
||||||
|
- effect: NoSchedule
|
||||||
|
key: node.alpha.kubernetes.io/ismaster
|
||||||
|
- effect: NoExecute
|
||||||
|
operator: Exists
|
||||||
|
- effect: NoSchedule
|
||||||
|
key: sandbox.gke.io/runtime
|
||||||
|
operator: Equal
|
||||||
|
value: gvisor
|
||||||
|
updateStrategy:
|
||||||
|
rollingUpdate:
|
||||||
|
maxUnavailable: 1
|
||||||
|
type: RollingUpdate
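Review bot: The init container at `- name: cos-auditd-setup` runs `privileged: true` with the node root filesystem mounted at `/host` and executes `chroot /host systemctl start cloud-audit-setup`, but its image is the floating `image: ubuntu` tag with no digest, so whatever the registry serves for that tag at scheduling time runs as root on every COS node; pin it, e.g. `image: ubuntu@sha256:<DIGEST>` (placeholder), and consider the same for the `stackdriver-logging-agent` image. In the liveness script, `STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}` reads the wrong variable; it should be `STUCK_THRESHOLD_SECONDS=${STUCK_THRESHOLD_SECONDS:-900}`, otherwise setting `LIVENESS_THRESHOLD_SECONDS` silently changes the stuck threshold too. That same script deletes `/var/log/fluentd-buffers` when no buffer file has been touched for the stuck threshold, which discards unshipped audit events; a comment above `livenessProbe:` should state that trade-off. The `scheduler.alpha.kubernetes.io/critical-pod: ""` annotation is no longer honored by the scheduler and `priorityClassName: high-priority-system` already covers it, so the annotation can go.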
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: cos-auditd
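Review bot: This namespace will host the `cos-auditd-logging` DaemonSet from the same commit, which needs `hostPID`, `hostNetwork` and a privileged init container, so if Pod Security Admission is enforced cluster-wide it should carry an explicit exemption label, e.g. `pod-security.kubernetes.io/enforce: privileged` under `metadata.labels`, with a comment naming the DaemonSet as the reason. Without that, whether the workload is admitted depends on the cluster default, which this manifest does not record.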
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# LimitRange Reference: https://kubernetes.io/docs/concepts/policy/limit-range/
|
||||||
|
apiVersion: v1
|
||||||
|
kind: LimitRange
|
||||||
|
metadata:
|
||||||
|
name: default-limits
|
||||||
|
spec:
|
||||||
|
limits:
|
||||||
|
- type: Container
|
||||||
|
default:
|
||||||
|
cpu: "1"
|
||||||
|
memory: 512Mi
|
||||||
|
defaultRequest:
|
||||||
|
memory: 256Mi
|
||||||
|
cpu: "0.5"
|
||||||
|
max:
|
||||||
|
cpu: "2"
|
||||||
|
memory: 1Gi
|
||||||
|
- type: PersistentVolumeClaim
|
||||||
|
max:
|
||||||
|
storage: 2Gi
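Review bot: The range sets `default` and `max` but no `min`, so a container can request arbitrarily small CPU and memory, which the `max`/`default` values do not guard against; if that is intended, a comment above `limits:` saying so would save the next reader from adding one. The `default` block lists `cpu` before `memory` while `defaultRequest` lists `memory` first; keep the order identical across the two blocks for diffability. The object has no `metadata.namespace`, so it presumably relies on the directory it sits in for placement under the hierarchical repo format, which is worth a one-line comment next to `name: default-limits`.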
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# apiVersion: networking.k8s.io/v1
|
||||||
|
# kind: NetworkPolicy
|
||||||
|
# metadata:
|
||||||
|
# name: default-deny-egress
|
||||||
|
# spec:
|
||||||
|
# podSelector: {}
|
||||||
|
# policyTypes:
|
||||||
|
# - Egress
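Review bot: The entire `default-deny-egress` policy is shipped commented out with no note explaining why, so the namespace inherits no egress restriction and a reader cannot tell whether this is temporary. The `gke-clusters.tf` hunk in this commit sets `enable_dataplane_v2 = true`, which enforces NetworkPolicy without the `network_policy_config` add-on, so the policy can likely be enabled as is; if it is being held back, replace the bare commented block with a comment such as `# Disabled until team egress destinations are inventoried; see <TRACKING-ISSUE>` (placeholder). An ingress default-deny is also absent, which matters more for a multitenant namespace than egress.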
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: team-a
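Review bot: `team-a` carries no `geo` label, while the `K8sRequiredLabels` constraint added in this commit requires one on every Namespace not in its exclusion list and `team-b` sets `geo: "europe-west1"`; on the selected cluster this namespace will be reported as a violation (only audited today because the constraint uses `dryrun`, denied if that changes). Add `labels:` with `geo: "<REGION>"` (placeholder) under `metadata`, matching the team-b manifest.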
|
|
@ -0,0 +1,30 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# This Namespace is configured with RepoSync
|
||||||
|
# Doc ref: https://cloud.google.com/anthos-config-management/docs/how-to/namespace-repositories#namespace-root
|
||||||
|
|
||||||
|
apiVersion: configsync.gke.io/v1beta1
|
||||||
|
kind: RepoSync
|
||||||
|
metadata:
|
||||||
|
name: repo-sync
|
||||||
|
namespace: team-a
|
||||||
|
spec:
|
||||||
|
sourceFormat: unstructured
|
||||||
|
git:
|
||||||
|
repo: "https://github.com/danielmarzini/configsync-application-example"
|
||||||
|
branch: main
|
||||||
|
revision: HEAD
|
||||||
|
dir: "configsync/team-a"
|
||||||
|
auth: none
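Review bot: The sync source is a personal GitHub repository, `danielmarzini/configsync-application-example`, followed at `branch: main` with `revision: HEAD` and `auth: none`, so whoever can push to that branch controls what the reconciler applies; with the `syncs-repo` RoleBinding in this commit granting `ns-reconciler-team-a` the `edit` ClusterRole, a push there is equivalent to `edit` in `team-a`. Pin `revision` to a tag or commit SHA rather than `HEAD`, and move the repository under the organization's control (or parametrize it) before this leaves the dev stage. `auth: none` is fine only for a public repository; a comment stating that the repository is intentionally public and read-only for the cluster would document the trust boundary.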
|
|
@ -0,0 +1,35 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# ResourceQuota Reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/
|
||||||
|
kind: ResourceQuota
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
namespace: team-a
|
||||||
|
name: pvc
|
||||||
|
spec:
|
||||||
|
hard:
|
||||||
|
persistentvolumeclaims: "3"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ResourceQuota
|
||||||
|
metadata:
|
||||||
|
namespace: team-a
|
||||||
|
name: mem-cpu-store
|
||||||
|
spec:
|
||||||
|
hard:
|
||||||
|
requests.cpu: "1"
|
||||||
|
requests.memory: 1Gi
|
||||||
|
limits.cpu: "2"
|
||||||
|
limits.memory: 2Gi
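Review bot: The two documents order `kind`/`apiVersion` differently (`kind` first in `pvc`, `apiVersion` first in `mem-cpu-store`); pick one order for the file. If the `default-limits` LimitRange from this commit applies to team-a, its `max.memory: 1Gi` equals `requests.memory: 1Gi` here, so a single container at the per-container maximum consumes the whole namespace request quota, and `requests.cpu: "1"` leaves room for only two containers at the `defaultRequest` of `"0.5"` CPU; if that is the intended envelope, a comment above `hard:` stating so would help, otherwise revisit the numbers. The names `pvc` and `mem-cpu-store` are a little opaque; `storage` and `compute` would read better.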
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: namespace-viewer
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: dev-namespace-viewer
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: team-a@marzi.gcp-pso-italy.net
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
namespace: team-a
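Review bot: `namespace: team-a` on the `Group` subject is not meaningful: the RBAC API reserves `subjects[].namespace` for `ServiceAccount` subjects and documents that a non-empty value on a `User` or `Group` should be treated as an error, so the line should be removed and, if the binding's own namespace needs to be explicit, set under `metadata` instead. The subject is a hard-coded group in a personal test domain, `team-a@marzi.gcp-pso-italy.net`; this stage already exposes `authenticator_security_group` and `cluster_viewer_users` as variables, so the group should come from configuration rather than be committed into the repo. A comment above `roleRef:` noting that `dev-namespace-viewer` includes `pods/log` read would tell the grantee what they are actually getting.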
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
# ROOT_REPO/namespaces/NAMESPACE/sync-rolebinding.yaml
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: syncs-repo
|
||||||
|
namespace: team-a
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: ns-reconciler-team-a
|
||||||
|
namespace: config-management-system
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: edit
|
||||||
|
apiGroup: rbac.authorization.k8s.io
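Review bot: `roleRef` binds the `team-a` reconciler to the built-in `edit` ClusterRole, which includes reading and writing Secrets and creating Pods that run as any ServiceAccount in the namespace; that is more than a config-sync reconciler usually needs and turns repository write access into full namespace control. If the team repository only carries workload manifests, a namespaced Role listing the synced kinds (Deployments, Services, ConfigMaps, and so on) is a tighter fit; if `edit` is deliberate, say so in a comment above `roleRef:`. The subject name `ns-reconciler-team-a` follows the Config Sync reconciler naming convention and must stay in step with the RepoSync namespace; a comment tying the two together would prevent a silent break on rename.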
|
|
@ -0,0 +1,44 @@
|
||||||
|
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
namespace: team-b
|
||||||
|
name: whereami
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: whereami
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: whereami
|
||||||
|
version: v1
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: whereami
|
||||||
|
image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.7
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: "0.5"
|
||||||
|
memory: 128Mi
|
||||||
|
requests:
|
||||||
|
cpu: "0.5"
|
||||||
|
memory: 128Mi
|
||||||
|
ports:
|
||||||
|
- name: http
|
||||||
|
containerPort: 8080
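Review bot: The `whereami` container declares no `securityContext`, so it runs with the image's default user, privilege escalation allowed, a writable root filesystem and the full default capability set; for a sample workload in a multitenant namespace I would add a restrictive context (below) and a `seccompProfile`, verifying first that the image tolerates a non-root user and a read-only root filesystem. The image is pinned by tag (`v1.2.7`) but not by digest; adding `@sha256:<DIGEST>` (placeholder) makes the deployment reproducible. `namespace: team-b` is explicit here while the team-a objects leave it to the directory; either is fine but the repo should pick one.
```yaml
      containers:
        - name: whereami
          image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.7
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: resources, ports …
```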
|
|
@ -0,0 +1,20 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: team-b
|
||||||
|
labels:
|
||||||
|
geo: "europe-west1"
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Copyright 2022 Google LLC
|
||||||
|
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
# For the mono-repo mode, declaring a Repo resource under system/ directory is required.
|
||||||
|
# For the multi-repo mode, declaring a Repo resource under system/ directory is optional.
|
||||||
|
apiVersion: configmanagement.gke.io/v1
|
||||||
|
kind: Repo
|
||||||
|
metadata:
|
||||||
|
name: repo
|
||||||
|
spec:
|
||||||
|
version: 1.0.0
|
|
@ -63,6 +63,9 @@ everything else is in RBAC (second part of this stage)
|
||||||
|
|
||||||
## Addresses for ILBs
|
## Addresses for ILBs
|
||||||
|
|
||||||
|
### Private Cluster
|
||||||
|
WARNING: do not use run this stage with GKE-HUB and private clusters enabled from a machine outside the clusters network
|
||||||
|
|
||||||
## Filestore
|
## Filestore
|
||||||
|
|
||||||
- later
|
- later
|
||||||
|
|
|
@ -43,6 +43,7 @@ module "gke-cluster" {
|
||||||
horizontal_pod_autoscaling = true
|
horizontal_pod_autoscaling = true
|
||||||
config_connector_config = true
|
config_connector_config = true
|
||||||
kalm_config = false
|
kalm_config = false
|
||||||
|
gcp_filestore_csi_driver_config = false
|
||||||
# enable only if enable_dataplane_v2 is changed to false below
|
# enable only if enable_dataplane_v2 is changed to false below
|
||||||
network_policy_config = false
|
network_policy_config = false
|
||||||
istio_config = {
|
istio_config = {
|
||||||
|
@ -51,15 +52,15 @@ module "gke-cluster" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
# change these here for all clusters if absolutely needed
|
# change these here for all clusters if absolutely needed
|
||||||
# authenticator_security_group = var.authenticator_security_group
|
authenticator_security_group = var.authenticator_security_group
|
||||||
enable_dataplane_v2 = true
|
enable_dataplane_v2 = true
|
||||||
enable_l4_ilb_subsetting = false
|
enable_l4_ilb_subsetting = false
|
||||||
enable_intranode_visibility = true
|
enable_intranode_visibility = true
|
||||||
enable_shielded_nodes = true
|
enable_shielded_nodes = true
|
||||||
workload_identity = true
|
workload_identity = true
|
||||||
private_cluster_config = {
|
private_cluster_config = {
|
||||||
enable_private_nodes = true
|
enable_private_nodes = true
|
||||||
enable_private_endpoint = true
|
enable_private_endpoint = false
|
||||||
master_ipv4_cidr_block = each.value.net.master_range
|
master_ipv4_cidr_block = each.value.net.master_range
|
||||||
master_global_access = true
|
master_global_access = true
|
||||||
}
|
}
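Review bot: `enable_private_endpoint` is flipped from `true` to `false` as a hard-coded value in the module call, which exposes the control plane's public endpoint on every cluster this stage creates; the only thing gating it afterwards is `master_authorized_ranges`, whose default in the `variables.tf` hunk of this commit is a set of RFC 1918 ranges. If the motivation is the README warning about running the stage from outside the cluster network, make the switch a variable with `false` only as the dev-stage default, e.g. `enable_private_endpoint = var.private_endpoint` (name illustrative), and leave the hardened value as the module default rather than editing it for all clusters. The first hunk also uncomments `authenticator_security_group = var.authenticator_security_group`, which is fine, but the comment above it, `change these here for all clusters if absolutely needed`, now reads as if it applies to that line too.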
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
/**
|
||||||
|
* Copyright 2022 Google LLC
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
module "gke-hub" {
|
||||||
|
source = "../../../../modules/gke-hub"
|
||||||
|
project_id = module.gke-project-0.project_id
|
||||||
|
features = {
|
||||||
|
configmanagement = true
|
||||||
|
mc_ingress = true
|
||||||
|
mc_servicediscovery = true
|
||||||
|
}
|
||||||
|
member_clusters = {
|
||||||
|
for cluster_id in keys(var.clusters) :
|
||||||
|
cluster_id => module.gke-cluster[cluster_id].id
|
||||||
|
}
|
||||||
|
member_features = {
|
||||||
|
configmanagement = {
|
||||||
|
binauthz = false
|
||||||
|
config_sync = {
|
||||||
|
gcp_service_account_email = null
|
||||||
|
https_proxy = null
|
||||||
|
policy_dir = "fast/stages/03-gke-multitenant/config"
|
||||||
|
secret_type = "none"
|
||||||
|
source_format = "hierarchy"
|
||||||
|
sync_branch = "fast-dev-gke-marzi"
|
||||||
|
sync_repo = "https://github.com/GoogleCloudPlatform/cloud-foundation-fabric"
|
||||||
|
sync_rev = null
|
||||||
|
}
|
||||||
|
hierarchy_controller = null
|
||||||
|
policy_controller = {
|
||||||
|
exemptable_namespaces = [
|
||||||
|
"asm-system",
|
||||||
|
"config-management-system",
|
||||||
|
"config-management-monitoring",
|
||||||
|
"gatekeeper-system",
|
||||||
|
"kube-system",
|
||||||
|
"cos-auditd"
|
||||||
|
]
|
||||||
|
log_denies_enabled = true
|
||||||
|
referential_rules_enabled = false
|
||||||
|
template_library_installed = true
|
||||||
|
}
|
||||||
|
version = "1.10.2"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
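Review bot: The root Config Sync source is hard-coded to `sync_branch = "fast-dev-gke-marzi"` with `sync_rev = null` and `secret_type = "none"`, so every enrolled cluster's root reconciler follows a personal feature branch of a public repository at its moving tip; the branch shares its name with this squash commit and will presumably disappear once merged, at which point sync breaks, and until then anyone who can push to it controls cluster-scoped config. Move `sync_repo`, `sync_branch`, `sync_rev` and `policy_dir` into variables, with the main branch and a pinned revision as defaults, rather than literals in the module block. `binauthz = false` and `referential_rules_enabled = false` are reasonable for a dev stage but deserve a one-line comment each, since both are security posture choices a later reader may not recognise as deliberate.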
|
|
@ -35,7 +35,9 @@ module "gke-project-0" {
|
||||||
"gkehub.googleapis.com",
|
"gkehub.googleapis.com",
|
||||||
"stackdriver.googleapis.com",
|
"stackdriver.googleapis.com",
|
||||||
"container.googleapis.com",
|
"container.googleapis.com",
|
||||||
# "trafficdirector.googleapis.com"
|
"multiclusterservicediscovery.googleapis.com",
|
||||||
|
"multiclusteringress.googleapis.com",
|
||||||
|
"trafficdirector.googleapis.com"
|
||||||
]
|
]
|
||||||
# add here any other service ids and keys for robot accounts which are needed
|
# add here any other service ids and keys for robot accounts which are needed
|
||||||
# service_encryption_key_ids = {
|
# service_encryption_key_ids = {
|
||||||
|
@ -66,6 +68,9 @@ module "gke-project-0" {
|
||||||
# values = ["projects/fl01-prod-iac-core-0"]
|
# values = ["projects/fl01-prod-iac-core-0"]
|
||||||
# }
|
# }
|
||||||
# }
|
# }
|
||||||
|
iam = {
|
||||||
|
"roles/container.clusterViewer" = var.cluster_viewer_users
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "gke-dataset-resource-usage" {
|
module "gke-dataset-resource-usage" {
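Review bot: The new `iam = { "roles/container.clusterViewer" = var.cluster_viewer_users }` block is the authoritative form of the project module's IAM input, so it replaces any existing members of that role rather than adding to them; if the stage only wants to add viewers on top of bindings managed elsewhere, `iam_additive` is the right input, and either way a comment stating which is intended belongs above the block. The variable is typed `list(any)` in the `variables.tf` hunk; it should be `list(string)` with the description noting that entries are IAM member strings (`user:`, `group:`, `serviceAccount:` prefixes). The first hunk uncomments `trafficdirector.googleapis.com` and adds the multi-cluster APIs without a comment on why Traffic Director is now needed.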
|
||||||
|
|
|
@ -18,11 +18,11 @@
|
||||||
# 1 project, m clusters
|
# 1 project, m clusters
|
||||||
# cloud dns for gke?
|
# cloud dns for gke?
|
||||||
|
|
||||||
# variable "authenticator_security_group" {
|
variable "authenticator_security_group" {
|
||||||
# description = "Optional group used for Groups for GKE."
|
description = "Optional group used for Groups for GKE."
|
||||||
# type = string
|
type = string
|
||||||
# default = null
|
default = null
|
||||||
# }
|
}
|
||||||
|
|
||||||
variable "billing_account" {
|
variable "billing_account" {
|
||||||
# tfdoc:variable:source 00-bootstrap
|
# tfdoc:variable:source 00-bootstrap
|
||||||
|
@ -36,14 +36,15 @@ variable "billing_account" {
|
||||||
variable "cluster_defaults" {
|
variable "cluster_defaults" {
|
||||||
description = "Default values for optional cluster configurations."
|
description = "Default values for optional cluster configurations."
|
||||||
type = object({
|
type = object({
|
||||||
cloudrun_config = bool
|
cloudrun_config = bool
|
||||||
database_encryption_key = string
|
database_encryption_key = string
|
||||||
enable_binary_authorization = bool
|
enable_binary_authorization = bool
|
||||||
master_authorized_ranges = map(string)
|
master_authorized_ranges = map(string)
|
||||||
max_pods_per_node = number
|
max_pods_per_node = number
|
||||||
pod_security_policy = bool
|
pod_security_policy = bool
|
||||||
release_channel = string
|
release_channel = string
|
||||||
vertical_pod_autoscaling = bool
|
vertical_pod_autoscaling = bool
|
||||||
|
gcp_filestore_csi_driver_config = bool
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
# TODO: review defaults
|
# TODO: review defaults
|
||||||
|
@ -55,10 +56,11 @@ variable "cluster_defaults" {
|
||||||
rfc1918_2 = "172.16.0.0/12"
|
rfc1918_2 = "172.16.0.0/12"
|
||||||
rfc1918_3 = "192.168.0.0/16"
|
rfc1918_3 = "192.168.0.0/16"
|
||||||
}
|
}
|
||||||
max_pods_per_node = 110
|
max_pods_per_node = 110
|
||||||
pod_security_policy = false
|
pod_security_policy = false
|
||||||
release_channel = "STABLE"
|
release_channel = "STABLE"
|
||||||
vertical_pod_autoscaling = false
|
vertical_pod_autoscaling = false
|
||||||
|
gcp_filestore_csi_driver_config = false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -82,18 +84,25 @@ variable "clusters" {
|
||||||
subnet = string
|
subnet = string
|
||||||
})
|
})
|
||||||
overrides = object({
|
overrides = object({
|
||||||
cloudrun_config = bool
|
cloudrun_config = bool
|
||||||
database_encryption_key = string
|
database_encryption_key = string
|
||||||
enable_binary_authorization = bool
|
enable_binary_authorization = bool
|
||||||
master_authorized_ranges = map(string)
|
master_authorized_ranges = map(string)
|
||||||
max_pods_per_node = number
|
max_pods_per_node = number
|
||||||
pod_security_policy = bool
|
pod_security_policy = bool
|
||||||
release_channel = string
|
release_channel = string
|
||||||
vertical_pod_autoscaling = bool
|
vertical_pod_autoscaling = bool
|
||||||
|
gcp_filestore_csi_driver_config = bool
|
||||||
})
|
})
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
variable "cluster_viewer_users" {
|
||||||
|
description = "list of users to be granted as container.clusterViewer"
|
||||||
|
type = list(any)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
variable "dns_domain" {
|
variable "dns_domain" {
|
||||||
description = "Domain name used for clusters, prefix by each cluster name. Leave null to disable Cloud DNS for GKE."
|
description = "Domain name used for clusters, prefix by each cluster name. Leave null to disable Cloud DNS for GKE."
|
||||||
type = string
|
type = string
|
||||||
|
|
|
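Review bot: `cluster_viewer_users` is declared as `type = list(any)` with a description that says "users", but it is bound directly to `roles/container.clusterViewer` in the project IAM map added earlier in this commit, so its elements are IAM principal strings that need a `user:`/`group:`/`serviceAccount:` prefix and `list(any)` gives no plan-time check on them. I would tighten it to `type = list(string)` and spell out the contract: `description = "IAM principals (e.g. 'user:name@example.com', 'group:...') granted roles/container.clusterViewer on the project."`. Because the binding appears to be project-level rather than per cluster, it presumably grants viewer on every cluster in the project; if that is the intent, saying so in the description avoids surprises. The `gcp_filestore_csi_driver_config` attribute is added consistently to both `cluster_defaults` and `clusters[*].overrides`, which looks right.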
@ -40,7 +40,7 @@ resource "google_gke_hub_feature" "configmanagement" {
|
||||||
|
|
||||||
resource "google_gke_hub_feature" "mci" {
|
resource "google_gke_hub_feature" "mci" {
|
||||||
provider = google-beta
|
provider = google-beta
|
||||||
for_each = var.features.mc_ingress ? var.member_clusters : {}
|
for_each = var.features.mc_ingress ? try(var.member_clusters[0], {}) : {}
|
||||||
project = var.project_id
|
project = var.project_id
|
||||||
name = "multiclusteringress"
|
name = "multiclusteringress"
|
||||||
location = "global"
|
location = "global"
|
||||||
|
@ -67,6 +67,12 @@ resource "google_gke_hub_feature_membership" "feature_member" {
|
||||||
feature = google_gke_hub_feature.configmanagement["1"].name
|
feature = google_gke_hub_feature.configmanagement["1"].name
|
||||||
membership = google_gke_hub_membership.membership[each.key].membership_id
|
membership = google_gke_hub_membership.membership[each.key].membership_id
|
||||||
|
|
||||||
|
depends_on = [
|
||||||
|
google_gke_hub_feature.configmanagement,
|
||||||
|
google_gke_hub_feature.mci,
|
||||||
|
google_gke_hub_feature.mcs,
|
||||||
|
]
|
||||||
|
|
||||||
dynamic "configmanagement" {
|
dynamic "configmanagement" {
|
||||||
for_each = (
|
for_each = (
|
||||||
try(var.member_features.configmanagement, null) != null
|
try(var.member_features.configmanagement, null) != null
|
||||||
|
|
|
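Review bot: `try(var.member_clusters[0], {})` in the `mci` feature's `for_each` is unlikely to select anything: the `feature_member` hunk in the same file indexes `google_gke_hub_membership.membership[each.key]`, which suggests `var.member_clusters` is a map, and `[0]` on a map is a lookup of the key `"0"`, so `try` falls back to `{}` and `multiclusteringress` is silently never created even when `mc_ingress` is true; if it were a list instead, `[0]` would yield a single object, which `for_each` rejects. If the goal is to enable MCI once with the first cluster as config membership, select by key explicitly, e.g. `for_each = var.features.mc_ingress ? { for k, v in var.member_clusters : k => v if k == try(sort(keys(var.member_clusters))[0], null) } : {}`, with a comment stating why only one membership is used. The new `depends_on` list also references `google_gke_hub_feature.mcs`, which is not in this diff; confirm that resource exists in this file. The `mci` resource body continues outside the hunk.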
@ -84,7 +84,7 @@ resource "google_container_node_pool" "nodepool" {
|
||||||
location = var.location
|
location = var.location
|
||||||
name = var.name
|
name = var.name
|
||||||
|
|
||||||
initial_node_count = var.initial_node_count
|
initial_node_count = var.node_count == null ? var.initial_node_count : null // (dmarzi) TOFIX
|
||||||
max_pods_per_node = var.max_pods_per_node
|
max_pods_per_node = var.max_pods_per_node
|
||||||
node_count = var.autoscaling_config == null ? var.node_count : null
|
node_count = var.autoscaling_config == null ? var.node_count : null
|
||||||
node_locations = var.node_locations
|
node_locations = var.node_locations
|
||||||
|
|
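Review bot: The guard added on the `initial_node_count` line uses a different predicate from the `node_count` line two below it, so when `var.autoscaling_config` is set and `var.node_count` is also given, both attributes resolve to `null` and the pool is left with neither a static size nor an initial size. The two lines should be driven by the same condition, e.g. `initial_node_count = var.autoscaling_config == null && var.node_count != null ? null : var.initial_node_count`, so the initial size is dropped only when a static `node_count` will actually be applied. The `// (dmarzi) TOFIX` trailer should be resolved before merge or turned into a `# TODO:` comment that states the open question; Terraform convention is `#` for comments. The resource body continues outside the hunk.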