fix boilerplate

This commit is contained in:
Ludovico Magnocavallo 2022-06-23 08:52:36 +02:00
parent 666d8a469c
commit 744417f22f
9 changed files with 143 additions and 148 deletions


@ -1,28 +1,27 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dev-namespace-viewer
rules:
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
resources:
- "pods"
- "pods/log"
- "events"
- "deployments"
- "replicasets"
verbs: ["get", "watch", "list"]
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
resources:
- "pods"
- "pods/log"
- "events"
- "deployments"
- "replicasets"
verbs: ["get", "watch", "list"]


@ -1,18 +1,17 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
@ -22,22 +21,22 @@ metadata:
spec:
enforcementAction: dryrun
match:
excludedNamespaces:
- "kube-system"
- "kube-public"
- "kube-node-lease"
- "resource-group-system"
- "config-management-monitoring"
- "config-management-system"
- "cos-auditd"
- "gatekeeper-system"
- "kube-node-lease"
- "cnrm-system"
- "gke-mcs"
- "configconnector-operator-system"
excludedNamespaces:
- "kube-system"
- "kube-public"
- "kube-node-lease"
- "resource-group-system"
- "config-management-monitoring"
- "config-management-system"
- "cos-auditd"
- "gatekeeper-system"
- "kube-node-lease"
- "cnrm-system"
- "gke-mcs"
- "configconnector-operator-system"
kinds:
- apiGroups: [""]
kinds: ["Namespace"]
parameters:
labels:
- key: "geo"
- key: "geo"
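Review bot: The reformatted `excludedNamespaces` list on the new side still carries `"kube-node-lease"` twice (third and ninth entries); Gatekeeper tolerates the duplicate, but it hides whether a different system namespace was meant in the second slot, so drop the second `- "kube-node-lease"` or replace it with the intended one. Since `enforcementAction: dryrun` only reports violations and never blocks a Namespace, a one-line comment above it recording that intent would help the next reader, e.g. `# dryrun: violations are audited, not rejected`. The `metadata:` mapping is cut by the hunk boundary, so its contents are not visible here.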


@ -1,11 +1,11 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -44,4 +44,4 @@ metadata:
value: 10
globalDefault: true
# preemptionPolicy: Never
description: "This priority class will cause other pods to be preempted."
description: "This priority class will cause other pods to be preempted."


@ -1,25 +1,24 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ConfigMap
apiVersion: v1
metadata:
name: fluentd-gcp-config-cos-auditd
namespace: cos-auditd
annotations:
kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.'
kubernetes.io/description: "ConfigMap for Linux auditd logging daemonset on COS nodes."
data:
google-fluentd.conf: |-
<source>
@ -51,4 +50,4 @@ data:
disable_retry_limit
num_threads 2
use_grpc true
</match>
</match>


@ -1,25 +1,24 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: cos-auditd-logging
namespace: cos-auditd
annotations:
kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on COS nodes.'
kubernetes.io/description: "DaemonSet that enables Linux auditd logging on COS nodes."
spec:
selector:
matchLabels:
@ -36,93 +35,94 @@ spec:
nodeSelector:
cloud.google.com/gke-os-distribution: cos
volumes:
- hostPath:
path: /
name: host
- hostPath:
path: /var/log
name: varlog
- hostPath:
path: /usr/lib64
name: libsystemddir
- configMap:
defaultMode: 420
name: fluentd-gcp-config-cos-auditd
name: config-volume
- hostPath:
path: /
name: host
- hostPath:
path: /var/log
name: varlog
- hostPath:
path: /usr/lib64
name: libsystemddir
- configMap:
defaultMode: 420
name: fluentd-gcp-config-cos-auditd
name: config-volume
initContainers:
- name: cos-auditd-setup
image: ubuntu
command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
resources:
requests:
memory: "10Mi"
cpu: "10m"
- name: cos-auditd-setup
image: ubuntu
command:
["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
securityContext:
privileged: true
volumeMounts:
- name: host
mountPath: /host
resources:
requests:
memory: "10Mi"
cpu: "10m"
priorityClassName: high-priority-system
containers:
- name: fluentd-gcp-cos-auditd
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -c
- |
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
exit 1;
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
rm -rf /var/log/fluentd-buffers;
exit 1;
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
exit 1;
fi;
failureThreshold: 3
initialDelaySeconds: 600
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: "1"
memory: 500Mi
requests:
cpu: 100m
memory: 200Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/log
name: varlog
- mountPath: /host/lib
name: libsystemddir
readOnly: true
- mountPath: /etc/google-fluentd/google-fluentd.conf
subPath: google-fluentd.conf
name: config-volume
- name: fluentd-gcp-cos-auditd
env:
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- /bin/sh
- -c
- |
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
exit 1;
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
rm -rf /var/log/fluentd-buffers;
exit 1;
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
exit 1;
fi;
failureThreshold: 3
initialDelaySeconds: 600
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: "1"
memory: 500Mi
requests:
cpu: 100m
memory: 200Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/log
name: varlog
- mountPath: /host/lib
name: libsystemddir
readOnly: true
- mountPath: /etc/google-fluentd/google-fluentd.conf
subPath: google-fluentd.conf
name: config-volume
dnsPolicy: Default
restartPolicy: Always
terminationGracePeriodSeconds: 30
tolerations:
- effect: NoSchedule
key: node.alpha.kubernetes.io/ismaster
- effect: NoExecute
operator: Exists
- effect: NoSchedule
key: sandbox.gke.io/runtime
operator: Equal
value: gvisor
- effect: NoSchedule
key: node.alpha.kubernetes.io/ismaster
- effect: NoExecute
operator: Exists
- effect: NoSchedule
key: sandbox.gke.io/runtime
operator: Equal
value: gvisor
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
type: RollingUpdate
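Review bot: The re-indented liveness probe script assigns `STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}`, reading the variable just set on the same line, so the stuck check always uses the liveness value and the 900-second default is dead code; it should read `STUCK_THRESHOLD_SECONDS=${STUCK_THRESHOLD_SECONDS:-900}`. The `cos-auditd-setup` init container also runs with `privileged: true` and the host root mounted at `/host` from the unpinned `image: ubuntu`, so the exact code executing that privileged chroot step changes whenever the mutable tag moves; pinning it, e.g. `image: ubuntu:<pinned-tag-or-digest>`, keeps the node setup reproducible and auditable. The DaemonSet `spec:` begins in the first hunk of this section and `template:`/`matchLabels:` content lies outside the visible lines.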


@ -1,19 +1,18 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Namespace
metadata:
name: cos-auditd
name: cos-auditd


@ -1,11 +1,11 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.


@ -1,18 +1,17 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
@ -22,7 +21,7 @@ roleRef:
name: dev-namespace-viewer
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: team-a@marzi.gcp-pso-italy.net
apiGroup: rbac.authorization.k8s.io
namespace: team-a
- kind: Group
name: team-a@marzi.gcp-pso-italy.net
apiGroup: rbac.authorization.k8s.io
namespace: team-a


@ -1,23 +1,23 @@
# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# mono-repo mode: a Repo resource under system/ directory is required
# multi-repo mode: a Repo resource under system/ directory is optional
# For the mono-repo mode, declaring a Repo resource under system/ directory is required.
# For the multi-repo mode, declaring a Repo resource under system/ directory is optional.
apiVersion: configmanagement.gke.io/v1
kind: Repo
metadata:
name: repo
name: repo
spec:
version: 1.0.0
version: 1.0.0