fix boilerplate
parent
666d8a469c
commit
744417f22f
|
@ -1,28 +1,27 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: dev-namespace-viewer
|
||||
rules:
|
||||
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
|
||||
resources:
|
||||
- "pods"
|
||||
- "pods/log"
|
||||
- "events"
|
||||
- "deployments"
|
||||
- "replicasets"
|
||||
verbs: ["get", "watch", "list"]
|
||||
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
|
||||
resources:
|
||||
- "pods"
|
||||
- "pods/log"
|
||||
- "events"
|
||||
- "deployments"
|
||||
- "replicasets"
|
||||
verbs: ["get", "watch", "list"]
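Review bot: The `extensions` entry in `apiGroups` on the new side of both rules is dead weight: Deployments and ReplicaSets have not been served from `extensions` since Kubernetes 1.16, so only `apps` (and `""` for pods/events) actually grants anything here, and `metrics.k8s.io` serves none of the listed resources either. Because a rule is the cross-product of its `apiGroups` and `resources`, I would shrink this to the pairs that exist, e.g. one rule with `apiGroups: [""]` for `pods`, `pods/log`, `events` and one with `apiGroups: ["apps"]` for `deployments`, `replicasets`, so a reader can see exactly what `dev-namespace-viewer` grants. Worth a comment above `pods/log` as well, since read access to logs is where application secrets most often leak: `# pods/log exposes container stdout/stderr; keep this role namespace-bound via RoleBinding`.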
|
||||
|
|
|
@ -1,18 +1,17 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: constraints.gatekeeper.sh/v1beta1
|
||||
kind: K8sRequiredLabels
|
||||
metadata:
|
||||
|
@ -22,22 +21,22 @@ metadata:
|
|||
spec:
|
||||
enforcementAction: dryrun
|
||||
match:
|
||||
excludedNamespaces:
|
||||
- "kube-system"
|
||||
- "kube-public"
|
||||
- "kube-node-lease"
|
||||
- "resource-group-system"
|
||||
- "config-management-monitoring"
|
||||
- "config-management-system"
|
||||
- "cos-auditd"
|
||||
- "gatekeeper-system"
|
||||
- "kube-node-lease"
|
||||
- "cnrm-system"
|
||||
- "gke-mcs"
|
||||
- "configconnector-operator-system"
|
||||
excludedNamespaces:
|
||||
- "kube-system"
|
||||
- "kube-public"
|
||||
- "kube-node-lease"
|
||||
- "resource-group-system"
|
||||
- "config-management-monitoring"
|
||||
- "config-management-system"
|
||||
- "cos-auditd"
|
||||
- "gatekeeper-system"
|
||||
- "kube-node-lease"
|
||||
- "cnrm-system"
|
||||
- "gke-mcs"
|
||||
- "configconnector-operator-system"
|
||||
kinds:
|
||||
- apiGroups: [""]
|
||||
kinds: ["Namespace"]
|
||||
parameters:
|
||||
labels:
|
||||
- key: "geo"
|
||||
- key: "geo"
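Review bot: `excludedNamespaces` on the new side lists `"kube-node-lease"` twice (third and ninth entries), which the reformat carried over from the old side; it is harmless to Gatekeeper but it is exactly the kind of thing a "fix boilerplate" pass should drop, so remove the second occurrence. Separately, `enforcementAction: dryrun` means this constraint only records violations and never rejects a Namespace that lacks the `geo` label, which is fine for rollout but easy to forget; a one-line comment above it, `# dryrun: violations are audited, not denied — switch to deny once existing namespaces are labelled`, would make the intent explicit. The constraint's `metadata` block begins outside this hunk.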
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
|
@ -44,4 +44,4 @@ metadata:
|
|||
value: 10
|
||||
globalDefault: true
|
||||
# preemptionPolicy: Never
|
||||
description: "This priority class will cause other pods to be preempted."
|
||||
description: "This priority class will cause other pods to be preempted."
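Review bot: `globalDefault: true` on a class whose description says it "will cause other pods to be preempted" means every pod created without a `priorityClassName` is assigned this priority, so the class no longer ranks above ordinary workloads. The object's `metadata.name` is outside this hunk, so I cannot confirm it, but if this is the `high-priority-system` class referenced by the cos-auditd DaemonSet then that DaemonSet gains no scheduling advantage over default pods; presumably `globalDefault: false` (or dropping the field) is what was intended. The commented-out `# preemptionPolicy: Never` reads as an unfinished decision and deserves either removal or a comment saying why it was left in.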
|
||||
|
|
|
@ -1,25 +1,24 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: fluentd-gcp-config-cos-auditd
|
||||
namespace: cos-auditd
|
||||
annotations:
|
||||
kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.'
|
||||
kubernetes.io/description: "ConfigMap for Linux auditd logging daemonset on COS nodes."
|
||||
data:
|
||||
google-fluentd.conf: |-
|
||||
<source>
|
||||
|
@ -51,4 +50,4 @@ data:
|
|||
disable_retry_limit
|
||||
num_threads 2
|
||||
use_grpc true
|
||||
</match>
|
||||
</match>
|
||||
|
|
|
@ -1,25 +1,24 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: cos-auditd-logging
|
||||
namespace: cos-auditd
|
||||
annotations:
|
||||
kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on COS nodes.'
|
||||
kubernetes.io/description: "DaemonSet that enables Linux auditd logging on COS nodes."
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
|
@ -36,93 +35,94 @@ spec:
|
|||
nodeSelector:
|
||||
cloud.google.com/gke-os-distribution: cos
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /
|
||||
name: host
|
||||
- hostPath:
|
||||
path: /var/log
|
||||
name: varlog
|
||||
- hostPath:
|
||||
path: /usr/lib64
|
||||
name: libsystemddir
|
||||
- configMap:
|
||||
defaultMode: 420
|
||||
name: fluentd-gcp-config-cos-auditd
|
||||
name: config-volume
|
||||
- hostPath:
|
||||
path: /
|
||||
name: host
|
||||
- hostPath:
|
||||
path: /var/log
|
||||
name: varlog
|
||||
- hostPath:
|
||||
path: /usr/lib64
|
||||
name: libsystemddir
|
||||
- configMap:
|
||||
defaultMode: 420
|
||||
name: fluentd-gcp-config-cos-auditd
|
||||
name: config-volume
|
||||
initContainers:
|
||||
- name: cos-auditd-setup
|
||||
image: ubuntu
|
||||
command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: host
|
||||
mountPath: /host
|
||||
resources:
|
||||
requests:
|
||||
memory: "10Mi"
|
||||
cpu: "10m"
|
||||
- name: cos-auditd-setup
|
||||
image: ubuntu
|
||||
command:
|
||||
["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: host
|
||||
mountPath: /host
|
||||
resources:
|
||||
requests:
|
||||
memory: "10Mi"
|
||||
cpu: "10m"
|
||||
priorityClassName: high-priority-system
|
||||
containers:
|
||||
- name: fluentd-gcp-cos-auditd
|
||||
env:
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
|
||||
exit 1;
|
||||
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
|
||||
rm -rf /var/log/fluentd-buffers;
|
||||
exit 1;
|
||||
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
|
||||
exit 1;
|
||||
fi;
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 600
|
||||
periodSeconds: 60
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: 500Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 200Mi
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
volumeMounts:
|
||||
- mountPath: /var/log
|
||||
name: varlog
|
||||
- mountPath: /host/lib
|
||||
name: libsystemddir
|
||||
readOnly: true
|
||||
- mountPath: /etc/google-fluentd/google-fluentd.conf
|
||||
subPath: google-fluentd.conf
|
||||
name: config-volume
|
||||
- name: fluentd-gcp-cos-auditd
|
||||
env:
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
|
||||
exit 1;
|
||||
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
|
||||
rm -rf /var/log/fluentd-buffers;
|
||||
exit 1;
|
||||
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
|
||||
exit 1;
|
||||
fi;
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 600
|
||||
periodSeconds: 60
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: 500Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 200Mi
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
volumeMounts:
|
||||
- mountPath: /var/log
|
||||
name: varlog
|
||||
- mountPath: /host/lib
|
||||
name: libsystemddir
|
||||
readOnly: true
|
||||
- mountPath: /etc/google-fluentd/google-fluentd.conf
|
||||
subPath: google-fluentd.conf
|
||||
name: config-volume
|
||||
dnsPolicy: Default
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 30
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node.alpha.kubernetes.io/ismaster
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: sandbox.gke.io/runtime
|
||||
operator: Equal
|
||||
value: gvisor
|
||||
- effect: NoSchedule
|
||||
key: node.alpha.kubernetes.io/ismaster
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: sandbox.gke.io/runtime
|
||||
operator: Equal
|
||||
value: gvisor
|
||||
updateStrategy:
|
||||
rollingUpdate:
|
||||
maxUnavailable: 1
|
||||
type: RollingUpdate
|
||||
type: RollingUpdate
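Review bot: The liveness script on the new side assigns `STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}`, so the stuck threshold always takes the 300 that `LIVENESS_THRESHOLD_SECONDS` was given one statement earlier and the 900 default is unreachable; as a result the "stuck" branch, which runs `rm -rf /var/log/fluentd-buffers` before exiting, fires as soon as the buffer directory is 300 s stale rather than 900 s, discarding buffered audit records that the plain liveness failure would have kept. The line should read `STUCK_THRESHOLD_SECONDS=${STUCK_THRESHOLD_SECONDS:-900}`. The same script text appears in the removed lines, so this predates the commit, but the reformat is the right moment to fix it. Note also that the `cos-auditd-setup` init container runs `privileged: true` with the node root mounted at `/host`; that is required for the `chroot ... systemctl` call it makes, and a comment saying so above `securityContext` would stop the next reviewer from trying to remove it. The enclosing `spec` block starts outside this hunk.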
|
||||
|
|
|
@ -1,19 +1,18 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cos-auditd
|
||||
name: cos-auditd
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
|
|
|
@ -1,18 +1,17 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
|
@ -22,7 +21,7 @@ roleRef:
|
|||
name: dev-namespace-viewer
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: team-a@marzi.gcp-pso-italy.net
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
namespace: team-a
|
||||
- kind: Group
|
||||
name: team-a@marzi.gcp-pso-italy.net
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
namespace: team-a
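Review bot: The `namespace: team-a` field on the `kind: Group` subject on the new side does not scope anything: in RBAC only `ServiceAccount` subjects are namespaced, and a Group subject is matched purely by `name`, so this line is at best ignored by the API server and at worst rejected by validation. What scopes this binding to team-a is the RoleBinding's own `metadata.namespace`, which sits outside this hunk; drop the subject-level `namespace` so the manifest does not suggest otherwise. The `roleRef` block starts before the hunk as well.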
|
||||
|
|
|
@ -1,23 +1,23 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# mono-repo mode: a Repo resource under system/ directory is required
|
||||
# multi-repo mode: a Repo resource under system/ directory is optional
|
||||
|
||||
# For the mono-repo mode, declaring a Repo resource under system/ directory is required.
|
||||
# For the multi-repo mode, declaring a Repo resource under system/ directory is optional.
|
||||
apiVersion: configmanagement.gke.io/v1
|
||||
kind: Repo
|
||||
metadata:
|
||||
name: repo
|
||||
name: repo
|
||||
spec:
|
||||
version: 1.0.0
|
||||
version: 1.0.0
|
||||
|
|