From b04372638a4515b21e18e6aa85627e45c1f0f420 Mon Sep 17 00:00:00 2001
From: Caleb Warren
Date: Thu, 14 Nov 2024 08:28:18 -0800
Subject: [PATCH 1/2] adding example for hardened linux clusters based on example
---
hardened/README.md | 16 ++++++++++++
hardened/frontend-deployment.yaml | 33 +++++++++++++++++++++++++
hardened/frontend-service.yaml | 14 +++++++++++
hardened/redis-master-deployment.yaml | 35 +++++++++++++++++++++++++++
hardened/redis-master-service.yaml | 16 ++++++++++++
hardened/redis-slave-deployment.yaml | 35 +++++++++++++++++++++++++++
hardened/redis-slave-service.yaml | 15 ++++++++++++
7 files changed, 164 insertions(+)
create mode 100644 hardened/README.md
create mode 100644 hardened/frontend-deployment.yaml
create mode 100644 hardened/frontend-service.yaml
create mode 100644 hardened/redis-master-deployment.yaml
create mode 100644 hardened/redis-master-service.yaml
create mode 100644 hardened/redis-slave-deployment.yaml
create mode 100644 hardened/redis-slave-service.yaml
diff --git a/hardened/README.md b/hardened/README.md
new file mode 100644
index 00000000..bb4c1f94
--- /dev/null
+++ b/hardened/README.md
@@ -0,0 +1,16 @@
+# Hardened Example
+
+This example will deploy the [Kubernetes sample guestbook](https://github.com/kubernetes/examples/tree/master/guestbook/) application, with modifications to securityContext which allow its deployment on a hardened cluster.
+The app will be deployed into the `default` namespace. Note that you must have added the `default` namespace to the PSA to allow deployments to this namespace.
+
+```yaml
+kind: GitRepo
+apiVersion: fleet.cattle.io/v1alpha1
+metadata:
+ name: simple
+ namespace: fleet-local
+spec:
+ repo: https://github.com/rancher/fleet-examples
+ paths:
+ - hardened
+```
diff --git a/hardened/frontend-deployment.yaml b/hardened/frontend-deployment.yaml
new file mode 100644
index 00000000..69b761cc
--- /dev/null
+++ b/hardened/frontend-deployment.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: frontend
+spec:
+ selector:
+ matchLabels:
+ app: guestbook
+ tier: frontend
+ replicas: 3
+ template:
+ metadata:
+ labels:
+ app: guestbook
+ tier: frontend
+ spec:
+ containers:
+ - name: php-redis
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend:v5
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 80
diff --git a/hardened/frontend-service.yaml b/hardened/frontend-service.yaml
new file mode 100644
index 00000000..e488acba
--- /dev/null
+++ b/hardened/frontend-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: frontend
+ labels:
+ app: guestbook
+ tier: frontend
+spec:
+ type: NodePort
+ ports:
+ - port: 80
+ selector:
+ app: guestbook
+ tier: frontend
diff --git a/hardened/redis-master-deployment.yaml b/hardened/redis-master-deployment.yaml
new file mode 100644
index 00000000..fd1ba025
--- /dev/null
+++ b/hardened/redis-master-deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-master
+spec:
+ selector:
+ matchLabels:
+ app: redis
+ role: master
+ tier: backend
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: redis
+ role: master
+ tier: backend
+ spec:
+ containers:
+ - name: master
+ image: redis:7-alpine
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 6379
diff --git a/hardened/redis-master-service.yaml b/hardened/redis-master-service.yaml
new file mode 100644
index 00000000..a484014f
--- /dev/null
+++ b/hardened/redis-master-service.yaml
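Review bot: The php-redis container drops every capability and runs as uid 1000, yet `containerPort: 80` says the web server still listens on a privileged port; unless the gb-frontend:v5 image already binds above 1024 or the node permits unprivileged low ports, the pod will presumably crash-loop rather than start hardened, so verify this before publishing the example or document the port the image actually uses. Upstream kubernetes/examples pairs this v5 frontend with Services named `redis-leader` and `redis-follower`, while this change keeps `redis-master` and `redis-slave`; confirm the image's configured Redis hostnames match the Service names here, otherwise the guestbook will not reach Redis at all. `readOnlyRootFilesystem: true` is the one commonly expected hardening control absent from the securityContext; either add it (with an `emptyDir` for any path the image writes) or add a comment explaining why it is left out. The same gap applies to the redis-master and redis-slave deployment hunks.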
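Review bot: `type: NodePort` publishes the guestbook on a high port of every node's address, which is an unusual default for an example labelled hardened; unless node-level reachability is required, the safer shape is `type: ClusterIP` (the default, so the line can simply be dropped) with an Ingress or port-forward for access. If NodePort is deliberate, make that explicit with a comment such as `# NodePort: reachable on every node IP; prefer ClusterIP + Ingress outside demos`.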
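Review bot: `runAsUser: 1000` does not match the unprivileged `redis` user the official redis image creates and makes owner of its data directory (`/data`), so when the container starts as uid 1000 the periodic RDB snapshot presumably cannot be written; with Redis's default `stop-writes-on-bgsave-error yes` that turns into refused writes (MISCONF) after the first failed save, which would break the guestbook's set path. Either mount an `emptyDir` at `/data` (emptyDir is writable by any uid) or run as the image's own uid, and confirm by checking the container log for a failed background save. The redis-slave deployment hunk has the same mismatch. Placing `securityContext` after `image` here but before it in the frontend hunk is harmless, but aligning the key order across the example would help readers diff the three deployments.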
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-master
+ labels:
+ app: redis
+ role: master
+ tier: backend
+spec:
+ ports:
+ - port: 6379
+ targetPort: 6379
+ selector:
+ app: redis
+ role: master
+ tier: backend
diff --git a/hardened/redis-slave-deployment.yaml b/hardened/redis-slave-deployment.yaml
new file mode 100644
index 00000000..99615a66
--- /dev/null
+++ b/hardened/redis-slave-deployment.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis-slave
+spec:
+ selector:
+ matchLabels:
+ app: redis
+ role: slave
+ tier: backend
+ replicas: 2
+ template:
+ metadata:
+ labels:
+ app: redis
+ role: slave
+ tier: backend
+ spec:
+ containers:
+ - name: slave
+ image: redis:7-alpine
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 6379
diff --git a/hardened/redis-slave-service.yaml b/hardened/redis-slave-service.yaml
new file mode 100644
index 00000000..238fd63f
--- /dev/null
+++ b/hardened/redis-slave-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis-slave
+ labels:
+ app: redis
+ role: slave
+ tier: backend
+spec:
+ ports:
+ - port: 6379
+ selector:
+ app: redis
+ role: slave
+ tier: backend
From 41a92187c1b378a21801701c848ad507992b7371 Mon Sep 17 00:00:00 2001
From: Caleb Warren
Date: Tue, 26 Nov 2024 12:14:38 -0800
Subject: [PATCH 2/2] adding fleet.yaml with namespaceLabels
---
hardened/fleet.yaml | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 hardened/fleet.yaml
diff --git a/hardened/fleet.yaml b/hardened/fleet.yaml
new file mode 100644
index 00000000..7ebb432f
--- /dev/null
+++ b/hardened/fleet.yaml
@@ -0,0 +1,4 @@
+namespace: hardened-fleet-deployments
+
+namespaceLabels:
+ pod-security.kubernetes.io/enforce: baseline
\ No newline at end of file
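Review bot: The slave deployment runs a stock `redis:7-alpine` with no `command`/`args` and no replication settings, so its two replicas are presumably independent empty Redis instances rather than followers of redis-master; any frontend read routed to the `redis-slave` Service would then miss data written to the master. Upstream's guestbook uses a dedicated follower image for this role; the smallest fix here is `args: ["--replicaof", "redis-master", "6379"]` on the container, and the README should say which shape the hardened example uses. The uid/`/data` ownership mismatch raised on the redis-master hunk applies here as well.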
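Review bot: `namespace: hardened-fleet-deployments` contradicts the README added in PATCH 1/2, which still tells readers the app lands in `default` and that `default` must be admitted by PSA; update that paragraph to name this namespace, or readers will label the wrong one. `pod-security.kubernetes.io/enforce: baseline` is looser than what the manifests already appear to satisfy (non-root, no privilege escalation, all capabilities dropped, RuntimeDefault seccomp are the restricted profile's container requirements), so `restricted` would demonstrate the hardening the example claims; if enforce must stay at baseline, adding `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` would at least surface regressions. The file also lacks a trailing newline.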