feat: Initial commit

vicenteherrera · Feb 17, 2023 · a49514a · a49514a
1 parent 92922ad
commit a49514a
Show file tree

Hide file tree

Showing 79 changed files with 11,888 additions and 1 deletion.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.vscode
+.envrc
diff --git a/README.md b/README.md
@@ -1,2 +1,63 @@
 # starter-k8s
-A starter project to learn and test Kubernetes concepts
+
+This repo has files to quickstart a Kubernetes project or experiment with Kubernetes
+
+## Usage
+
+```bash
+# Create a cluster in minikube, start it, and deploy several platform charts on it
+make
+
+# Create a cluster in minikube
+make start
+
+# Create a cluster in EKS
+make start CLUSTER_TYPE="eks"
+
+# Deploy Prometheus, Grafana, Alertmanager, Gatekeeper (and custom templates & constraints),
+# Falco, Robusta, Vault, cert-manager
+make helmfile_sync
+
+# Delete minikube cluster
+make delete
+
+# Delete eks cluster
+make delete CLUSTER_TYPE="eks"
+
+# Follow Kubernetes audit log
+make audit_log
+
+# Open proxy connection to Grafana
+make proxy_grafana
+
+# Install microservices demo
+make install_demo
+```
+
+Check more targets at `makefile`.
+
+## Directories
+
+ + clusters: files to create and configure different cluster types
+ + charts: files to deploy and configure several Helm charts
+ + exercises: files to run commands to practice different Kubernetes concepts
+
+## Configuration
+
+### Alertmanager (Opsgenie, Mailtrap)
+
+**Alertmanager** takes Prometheus rules firing and sends an alert to a receiver application.
+
+To use **Opsgenie** with Alertmanager, copy `sample.envrc` to `.envrc`, and set your API key and team id in that file. Then load its values into environment before deploying charts, with `source .envrc` or using [direnv](https://direnv.net/).
+
+To use **Mailtrap** as an alternative, edit `./charts/prometheus/am-mailtrap.yaml` with your user and password, and edit `./charts/helmfile-observability`, switch commenting these lines so they look like this:
+```
+    - ./prometheus/am-mailtrap.yaml
+    # - ./prometheus/am-opsgenie.yaml
+```
+
+If you don't want to configure any alert receiver, comment both lines, and everything under the `set:` directive of `promstack` chart.
+
+### Robusta
+
+Generate your Robusta configuration and set relevant values on `.envrc` as previously, or comment out the whole robusta chart block on `./charts/helmfile-observability.yaml`
diff --git a/charts/falco/falco_rule_gatekeeper_ac.yaml b/charts/falco/falco_rule_gatekeeper_ac.yaml
@@ -0,0 +1,11 @@
+- rule: Admission Controller Block
+  desc: >
+     Detected an admission controller blocking a deployment
+  condition: kevt and jevt.value[/responseStatus/status]="Failure" and jevt.value[/responseStatus/reason]="Forbidden"
+  output: >
+    Admission controller blocked deployment 
+    (user=%ka.user.name verb=%ka.verb message=jevt.value[/responseObject/message] sourceIps=jevt.value[/sourceIPs])
+  priority: WARNING
+  source: k8s_audit
+  tags: [k8s]
+
diff --git a/charts/falco/values.yaml b/charts/falco/values.yaml
@@ -0,0 +1,9 @@
+auditLog:
+  enabled: true
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    memory: 256Mi
+    cpu: 50m
diff --git a/charts/gatekeeper/chart-constraints/.helmignore b/charts/gatekeeper/chart-constraints/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gatekeeper/chart-constraints/Chart.yaml b/charts/gatekeeper/chart-constraints/Chart.yaml
@@ -0,0 +1,29 @@
+apiVersion: v2
+name: chart-constraints
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+# dependencies:
+# - name: chart-constraint-templates
+#   version: "0.1.0"
+#   repository: "file://../chart-constraint-templates"
diff --git a/charts/gatekeeper/chart-constraints/templates/NOTES.txt b/charts/gatekeeper/chart-constraints/templates/NOTES.txt
diff --git a/charts/gatekeeper/chart-constraints/templates/_helpers.tpl b/charts/gatekeeper/chart-constraints/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart-policies.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart-policies.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart-policies.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart-policies.labels" -}}
+helm.sh/chart: {{ include "chart-policies.chart" . }}
+{{ include "chart-policies.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart-policies.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart-policies.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart-policies.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "chart-policies.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/gatekeeper/chart-constraints/templates/c-label.yaml b/charts/gatekeeper/chart-constraints/templates/c-label.yaml
@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: ns-must-have-gk
+spec:
+  match:
+    kinds:
+      - apiGroups: ["apps"]
+        kinds: ["Deployment"]
+    scope: "Namespaced"
+    namespaces:
+      - "tennant"
+  parameters:
+    labels: 
+    - {{ .Values.constraint.label }}
diff --git a/charts/gatekeeper/chart-constraints/templates/c-privileged-container.yaml b/charts/gatekeeper/chart-constraints/templates/c-privileged-container.yaml
@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: PrivilegedContainers
+metadata:
+  name: privileged-container
+spec:
+  enforcementAction: deny
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces:
+      - "tennant"
+
diff --git a/charts/gatekeeper/chart-constraints/templates/tests/test-connection.yaml b/charts/gatekeeper/chart-constraints/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "chart-policies.fullname" . }}-test-connection"
+  labels:
+    {{- include "chart-policies.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "chart-policies.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
diff --git a/charts/gatekeeper/chart-constraints/values.yaml b/charts/gatekeeper/chart-constraints/values.yaml
@@ -0,0 +1,79 @@
+# Default values for chart-policies.
+
+replicaCount: 1
+
+image:
+  repository: nginx
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: false
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
+#------------------------------------------------------------------------------------------------------------------
+
+constraint:
+  label: gatekeeper
diff --git a/charts/gatekeeper/chart-templates/.helmignore b/charts/gatekeeper/chart-templates/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/gatekeeper/chart-templates/Chart.yaml b/charts/gatekeeper/chart-templates/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: chart-constraint-templates
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
diff --git a/charts/gatekeeper/chart-templates/templates/NOTES.txt b/charts/gatekeeper/chart-templates/templates/NOTES.txt