diff --git a/.github/workflows/apparmor-wf.yml b/.github/workflows/apparmor-wf.yml
new file mode 100644
index 0000000..861d06a
--- /dev/null
+++ b/.github/workflows/apparmor-wf.yml
@@ -0,0 +1,42 @@
+name: "apparmor kind Ubuntu CI workflow"
+
+
+on:
+ push:
+ branches: [ test ]
+ # schedule:
+ # https://crontab.guru/
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ # - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month
+
+
+jobs:
+
+# https://kubernetes.io/docs/tutorials/security/apparmor/
+ seccomp-kind-ubuntu-latest-job:
+ name: "Restrict a Container's Access to Resources with AppArmor job"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: "os fingerprinti ng"
+ run: hostnamectl status
+ # https://kind.sigs.k8s.io/docs/user/quick-start/
+ - name: "Restrict a Container's Access to Resources with AppArmor"
+ run: |
+ curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
+ chmod +x ./kind
+ mv ./kind /usr/local/bin/kind
+ # Default cluster context name is `kind`.
+ kind create cluster
+ kind get clusters
+ kubectl config get-contexts
+ kubectl cluster-info --context kind-kind
+ docker ps
+ # Kubernetes version is at least v1.4 -- Kubernetes support for AppArmor was added in v1.4.
+ # verify the Kubelet version of nodes
+ kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {@.status.nodeInfo.kubeletVersion}\n{end}'
+ # check whether the apparmor module is enabled
+ cat /sys/module/apparmor/parameters/enabled
+ # verify AppArmor support on nodes by checking the node ready condition message
+ kubectl get nodes -o=jsonpath=$'{range .items[*]}{@.metadata.name}: {.status.conditions[?(@.reason=="KubeletReady")].message}\n{end}'
+ 
\ No newline at end of file
diff --git a/.github/workflows/make-kind-wf.yml b/.github/workflows/make-kind-wf.yml
new file mode 100644
index 0000000..a272f24
--- /dev/null
+++ b/.github/workflows/make-kind-wf.yml
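Review bot: The job key `seccomp-kind-ubuntu-latest-job:` in this AppArmor workflow is copied from the seccomp workflow, so the AppArmor job is reported under a seccomp id; rename it to `apparmor-kind-ubuntu-latest-job:`. The install sequence `curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64` / `chmod +x ./kind` / `mv ./kind /usr/local/bin/kind` puts an unverified binary on the PATH, and `curl` lacks `--fail`, so an HTTP error body would be installed and executed as the binary. kind publishes a `.sha256sum` file alongside each release binary; fetching it with `curl -fsSL` and running `sha256sum -c` before the `chmod` pins the download to known content. The same unverified sequence is repeated in psa-cluster-wf.yml, psa-namespace-wf.yml, seccomp-wf.yml, ubuntu-kind-wf.yml and scripts/deploy-kind.sh in this commit. Beyond printing kubelet versions and the apparmor module flag, the step never applies or exercises a profile, so the step name "Restrict a Container's Access to Resources with AppArmor" overstates what the job checks.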
@@ -0,0 +1,27 @@
+name: "make kind CI workflow"
+
+
+on:
+ push:
+ branches: [ test ]
+ # schedule:
+ # https://crontab.guru/
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ # - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month
+
+
+jobs:
+
+
+ ubuntu-latest-kind-job:
+ name: "make kind ubuntu-latest job"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: "os fingerprinting"
+ run: hostnamectl status
+ - name: "deploy kind"
+ run: sudo make deploy-kind
+
+
+ 
\ No newline at end of file
diff --git a/.github/workflows/psa-cluster-wf.yml b/.github/workflows/psa-cluster-wf.yml
new file mode 100644
index 0000000..9dfdb3f
--- /dev/null
+++ b/.github/workflows/psa-cluster-wf.yml
@@ -0,0 +1,39 @@
+name: "Pod Security Standards Cluster Level workflow"
+
+
+on:
+ push:
+ branches: [ test ]
+ # schedule:
+ # https://crontab.guru/
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ # - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month
+
+
+jobs:
+
+# https://kubernetes.io/docs/tutorials/security/cluster-level-pss/
+ psa-cluster-kind-ubuntu-latest-job:
+ name: "Apply Pod Security Standards at the Cluster Level"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: "os fingerprinti ng"
+ run: hostnamectl status
+ # https://kind.sigs.k8s.io/docs/user/quick-start/
+ - name: "Apply Pod Security Standards at the Cluster Level"
+ run: |
+ curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
+ chmod +x ./kind
+ mv ./kind /usr/local/bin/kind
+ # Default cluster context name is `kind`.
+ # kind create cluster
+ # kind get clusters
+ # kubectl config get-contexts
+ # kubectl cluster-info --context kind-kind
+ # Create a cluster with no Pod Security Standards applied:
+ kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.23.0
+ kind get clusters
+ kubectl config get-contexts
+ kubectl cluster-info --context kind-psa-wo-cluster-pss
+ 
\ No newline at end of file
diff --git a/.github/workflows/psa-namespace-wf.yml b/.github/workflows/psa-namespace-wf.yml
new file mode 100644
index 0000000..64a67a2
--- /dev/null
+++ b/.github/workflows/psa-namespace-wf.yml
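Review bot: The run block ends after `kind create cluster --name psa-wo-cluster-pss --image kindest/node:v1.23.0` and `kubectl cluster-info --context kind-psa-wo-cluster-pss`, so despite the job and step names "Apply Pod Security Standards at the Cluster Level" no Pod Security admission configuration is ever applied and nothing asserts that a non-compliant pod is rejected. The comment `# Create a cluster with no Pod Security Standards applied:` shows this is only the tutorial's baseline half; either add the AdmissionConfiguration-based cluster and a rejected-pod check, or rename the step to `"Create a cluster without Pod Security Standards (PSA tutorial baseline)"` so a green run does not read as a passing security check. The node image is pinned by tag only; `kind` accepts an `@sha256:` digest on `--image`, which would make the cluster reproducible.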
@@ -0,0 +1,41 @@
+name: "Pod Security Standards Namespace Level workflow"
+
+
+on:
+ push:
+ branches: [ test ]
+ # schedule:
+ # https://crontab.guru/
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ # - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month
+
+
+jobs:
+
+# https://kubernetes.io/docs/tutorials/security/ns-level-pss/
+ psa-namespace-kind-ubuntu-latest-job:
+ name: "Apply Pod Security Standards at the Namespace Level"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: "os fingerprinti ng"
+ run: hostnamectl status
+ # https://kind.sigs.k8s.io/docs/user/quick-start/
+ - name: "Apply Pod Security Standards at the Cluster Level"
+ run: |
+ curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
+ chmod +x ./kind
+ mv ./kind /usr/local/bin/kind
+ # Default cluster context name is `kind`.
+ # kind create cluster
+ # kind get clusters
+ # kubectl config get-contexts
+ # kubectl cluster-info --context kind-kind
+ # Create a cluster with no Pod Security Standards applied:
+ kind create cluster --name psa-ns-level --image kindest/node:v1.23.0
+ kind get clusters
+ kubectl config get-contexts
+ kubectl cluster-info --context kind-psa-ns-level
+ # kubectl cluster-info --context kind-kind
+ kubectl create ns example
+ 
\ No newline at end of file
diff --git a/.github/workflows/seccomp-wf.yml b/.github/workflows/seccomp-wf.yml
new file mode 100644
index 0000000..06e76b4
--- /dev/null
+++ b/.github/workflows/seccomp-wf.yml
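Review bot: The step `- name: "Apply Pod Security Standards at the Cluster Level"` is mislabeled in this namespace-level workflow and should read `- name: "Apply Pod Security Standards at the Namespace Level"`. The block ends at `kubectl create ns example` without labelling the namespace, so no `pod-security.kubernetes.io/enforce` label is set and the job verifies nothing about namespace-level PSS. Adding `kubectl label --overwrite ns example pod-security.kubernetes.io/enforce=baseline` followed by an attempt to create a pod that the baseline profile must reject would turn this into an actual check rather than a cluster-creation smoke test.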
@@ -0,0 +1,46 @@
+name: "seccomp kind Ubuntu CI workflow"
+
+
+on:
+ push:
+ branches: [ test ]
+ # schedule:
+ # https://crontab.guru/
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ # - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month
+
+
+jobs:
+
+# https://kubernetes.io/docs/tutorials/security/seccomp/
+ seccomp-kind-ubuntu-latest-job:
+ name: "Restrict a Container's Syscalls with seccomp job"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: "os fingerprinti ng"
+ run: hostnamectl status
+ # https://kind.sigs.k8s.io/docs/user/quick-start/
+ - name: "Download example seccomp profiles"
+ run: |
+ curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64
+ chmod +x ./kind
+ mv ./kind /usr/local/bin/kind
+ # Default cluster context name is `kind`.
+ # kind create cluster
+ # kind get clusters
+ # kubectl config get-contexts
+ # kubectl cluster-info --context kind-kind
+ mkdir ./profiles
+ curl -L -o profiles/audit.json https://k8s.io/examples/pods/security/seccomp/profiles/audit.json
+ curl -L -o profiles/violation.json https://k8s.io/examples/pods/security/seccomp/profiles/violation.json
+ curl -L -o profiles/fine-grained.json https://k8s.io/examples/pods/security/seccomp/profiles/fine-grained.json
+ ls profiles
+ curl -L -O https://k8s.io/examples/pods/security/seccomp/kind.yaml
+ kind create cluster --config=kind.yaml
+ kind get clusters
+ kubectl config get-contexts
+ # kubectl cluster-info --context kind-kind
+ docker ps
+
+ 
\ No newline at end of file
diff --git a/.github/workflows/ubuntu-kind-wf.yml b/.github/workflows/ubuntu-kind-wf.yml
index 9a61337..7cb9853 100644
--- a/.github/workflows/ubuntu-kind-wf.yml
+++ b/.github/workflows/ubuntu-kind-wf.yml
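Review bot: The three `curl -L -o profiles/... https://k8s.io/examples/...` downloads and `curl -L -O https://k8s.io/examples/pods/security/seccomp/kind.yaml` all lack `--fail`, so an HTTP error page would be saved as a profile or as the cluster config and `ls profiles` would still pass; `curl -fsSL` makes a bad download fail the step. The fetched `kind.yaml` goes straight into `kind create cluster --config=kind.yaml`, so an unpinned remote document decides the node configuration of the cluster the job builds; vendoring it under `platform/` next to the other kind configs added in this commit, or pinning the URL to a tagged release, keeps the cluster definition under review. As with the PSA workflows, the step downloads the profiles but never runs a pod with a `seccompProfile`, so the seccomp job exercises nothing beyond cluster creation.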
@@ -3,56 +3,103 @@ name: "kind Ubuntu CI workflow" on: push: - branches: [ main ] - schedule: + branches: [ test ] + # schedule: # https://crontab.guru/ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows - - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month + # - cron: '0 0 * * FRI' ##execution of a task in the first minute of the month -jobs: +jobs: - ubuntu-latest-kind-job: - name: "ubuntu-latest kind job" + kind-binary-ubuntu-latest-job: + name: "Installing From Release Binaries ubuntu-latest job" runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: "os fingerprinting" + - name: "os fingerprinti ng" run: hostnamectl status - - name: "deploy kind" - run: sudo make deploy-kind - - name: "create cluster" - run: sudo kind create cluster --config=app/kind-config.yaml - - name: "kubectl cluster-info" - run: sudo kubectl cluster-info --context kind-kind + # https://kind.sigs.k8s.io/docs/user/quick-start/ + - name: "Installing From Release Binaries" + run: | + curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64 + chmod +x ./kind + mv ./kind /usr/local/bin/kind + # Default cluster context name is `kind`. 
+ kind create cluster + kind create cluster --name kind-3 + kind get clusters + #kind is prefixed to the context and cluster names, for example: kind-istio-testing + kubectl config get-contexts + kubectl cluster-info --context kind-kind + kubectl cluster-info --context kind-kind-3 - ubuntu-2004-job: - name: "ubuntu-20.04 minikube job" - runs-on: ubuntu-20.04 + kind-binary-cfg-ubuntu-latest-job: + name: "Installing From Release Binaries with cfg yaml ubuntu-latest job" + runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: "os fingerprinting" - run: hostnamectl status - - name: "deploy kind" - run: sudo make deploy-kind - - name: "create cluster" - run: sudo kind create cluster --config=app/kind-config.yaml - - name: "kubectl cluster-info" - run: sudo kubectl cluster-info --context kind-kind + - name: "os fingerprinti ng" + run: hostnamectl status + # https://kind.sigs.k8s.io/docs/user/quick-start/ + - name: "Installing From Release Binaries with cfg yaml" + run: | + curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64 + chmod +x ./kind + mv ./kind /usr/local/bin/kind + kind create cluster --config platform/kind-example-config.yaml + kind get clusters + # kubectl cluster-info --context kind-kind + # kubectl cluster-info --context kind-kind-2 - ubuntu-1804-job: - name: "ubuntu-18.04 minikube job" - runs-on: ubuntu-18.04 + kind-binary-cfg-multi-controlplane-ubuntu-latest-job: + name: "Installing From Release Binaries with cfg yaml multi controlplane ubuntu-latest job" + runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: "os fingerprinting" - run: hostnamectl status - - name: "deploy kind" - run: sudo make deploy-kind - - name: "create cluster" - run: sudo kind create cluster --config=app/kind-config.yaml - - name: "kubectl cluster-info" - run: sudo kubectl cluster-info --context kind-kind + - name: "os fingerprinti ng" + run: hostnamectl status + - name: "Installing From Release Binaries with cfg yaml multi controlplane" 
+ run: | + curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.11.1/kind-linux-amd64 + chmod +x ./kind + mv ./kind /usr/local/bin/kind + kind create cluster --config platform/kind-example-config.yaml + kind get clusters + # kubectl cluster-info --context kind-kind + # kubectl cluster-info --context kind-kind-2 + # - name: "create cluster" + # run: sudo kind create cluster --config=platform/kind-config.yaml + # - name: "kubectl cluster-info" + # run: sudo kubectl cluster-info --context kind-kind + + # ubuntu-2004-job: + # name: "ubuntu-20.04 minikube job" + # runs-on: ubuntu-20.04 + # steps: + # - uses: actions/checkout@v2 + # - name: "os fingerprinting" + # run: hostnamectl status + # - name: "deploy kind" + # run: sudo make deploy-kind + # - name: "create cluster" + # run: sudo kind create cluster --config=platform/kind-config.yaml + # - name: "kubectl cluster-info" + # run: sudo kubectl cluster-info --context kind-kind + + # ubuntu-1804-job: + # name: "ubuntu-18.04 minikube job" + # runs-on: ubuntu-18.04 + # steps: + # - uses: actions/checkout@v2 + # - name: "os fingerprinting" + # run: hostnamectl status + # - name: "deploy kind" + # run: sudo make deploy-kind + # - name: "create cluster" + # run: sudo kind create cluster --config=platform/kind-config.yaml + # - name: "kubectl cluster-info" + # run: sudo kubectl cluster-info --context kind-kind #deprecated # ubuntu-1604-job: @@ -65,7 +112,7 @@ jobs: # - name: "deploy kind" # run: sudo make deploy-kind # - name: "create cluster" - # run: sudo kind create cluster --config=app/kind-config.yaml + # run: sudo kind create cluster --config=platform/kind-config.yaml # - name: "kubectl cluster-info" # run: sudo kubectl cluster-info --context kind-kind diff --git a/app/baeldung-service.yaml b/app/baeldung-service.yaml new file mode 100644 index 0000000..7a62cea --- /dev/null +++ b/app/baeldung-service.yaml 
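Review bot: The job `kind-binary-cfg-multi-controlplane-ubuntu-latest-job:` runs `kind create cluster --config platform/kind-example-config.yaml`, the same single-control-plane config as the job before it, while this commit adds `platform/multi-controlplane-kind-config.yaml` for exactly this purpose; the line should read `kind create cluster --config platform/multi-controlplane-kind-config.yaml`. The trigger change from `branches: [ main ]` to `branches: [ test ]` with `schedule:` commented out means the workflow no longer runs on the default branch or on a timer, which reads like a temporary debugging state rather than an intended policy. In the two config-based jobs the `kubectl cluster-info --context ...` lines are commented out, so nothing after the create asserts that the control plane is reachable. The `"os fingerprinti ng"` step name replaces previously correct text with a typo in all three jobs. The file continues past this hunk.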
@@ -0,0 +1,41 @@
+freestar
+
+kind: Pod
+apiVersion: v1
+metadata:
+ name: baeldung-app
+ labels:
+ app: baeldung-app
+spec:
+ containers:
+ - name: baeldung-app
+ image: hashicorp/http-echo:0.2.3
+ args:
+ - "-text=Hello World! This is a Baeldung Kubernetes with kind App"
+---
+kind: Service
+apiVersion: v1
+metadata:
+ name: baeldung-service
+spec:
+ selector:
+ app: baeldung-app
+ ports:
+ # Default port used by the image
+ - port: 5678
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: baeldung-ingress
+spec:
+ rules:
+ - http:
+ paths:
+ - pathType: Prefix
+ path: "/baeldung"
+ backend:
+ service:
+ name: baeldung-service
+ port:
+ number: 5678
\ No newline at end of file
diff --git a/app/kind-config.yaml b/platform/kind-config.yaml
similarity index 59%
rename from app/kind-config.yaml
rename to platform/kind-config.yaml
index e23e5d0..06884a8 100644
--- a/app/kind-config.yaml
+++ b/platform/kind-config.yaml
@@ -1,3 +1,4 @@
+# https://raw.githubusercontent.com/kubernetes-sigs/kind/main/site/content/docs/user/kind-example-config.yaml
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
diff --git a/platform/kind-example-config.yaml b/platform/kind-example-config.yaml
new file mode 100644
index 0000000..6af62d7
--- /dev/null
+++ b/platform/kind-example-config.yaml
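Review bot: The first line of the new file is the bare word `freestar`, which looks like an ad-widget artifact pasted in with the tutorial text; a YAML document cannot begin with a plain scalar and then continue with `kind: Pod`, so `kubectl apply -f` on this file will most likely fail to parse the first document. Delete that line and the blank line after it so the file starts at `kind: Pod`. The Pod runs `hashicorp/http-echo:0.2.3` with no `securityContext` and no resource requests or limits; if this manifest is ever applied into a namespace enforced by the PSA workflows in this commit, the `restricted` profile would reject it without `allowPrivilegeEscalation: false`, dropped capabilities and a `seccompProfile`, so adding those now keeps the sample usable as a test subject.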
@@ -0,0 +1,28 @@
+# this config file contains all config fields with comments
+# NOTE: this is not a particularly useful config file
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+# patch the generated kubeadm config with some extra settings
+kubeadmConfigPatches:
+- |
+ apiVersion: kubelet.config.k8s.io/v1beta1
+ kind: KubeletConfiguration
+ evictionHard:
+ nodefs.available: "0%"
+# patch it further using a JSON 6902 patch
+kubeadmConfigPatchesJSON6902:
+- group: kubeadm.k8s.io
+ version: v1beta2
+ kind: ClusterConfiguration
+ patch: |
+ - op: add
+ path: /apiServer/certSANs/-
+ value: my-hostname
+# 1 control plane node and 3 workers
+nodes:
+# the control plane node config
+- role: control-plane
+# the three workers
+- role: worker
+- role: worker
+- role: worker
\ No newline at end of file
diff --git a/platform/multi-controlplane-kind-config.yaml b/platform/multi-controlplane-kind-config.yaml
new file mode 100644
index 0000000..ce9c858
--- /dev/null
+++ b/platform/multi-controlplane-kind-config.yaml
@@ -0,0 +1,31 @@
+# https://raw.githubusercontent.com/kubernetes-sigs/kind/main/site/content/docs/user/kind-example-config.yaml
+# this config file contains all config fields with comments
+# NOTE: this is not a particularly useful config file
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+# patch the generated kubeadm config with some extra settings
+kubeadmConfigPatches:
+- |
+ apiVersion: kubelet.config.k8s.io/v1beta1
+ kind: KubeletConfiguration
+ evictionHard:
+ nodefs.available: "0%"
+# patch it further using a JSON 6902 patch
+kubeadmConfigPatchesJSON6902:
+- group: kubeadm.k8s.io
+ version: v1beta2
+ kind: ClusterConfiguration
+ patch: |
+ - op: add
+ path: /apiServer/certSANs/-
+ value: my-hostname
+# 1 control plane node and 3 workers
+nodes:
+# the control plane node config
+- role: control-plane
+- role: control-plane
+- role: control-plane
+# the three workers
+- role: worker
+- role: worker
+- role: worker
\ No newline at end of file
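Review bot: The file is a verbatim copy of kind's annotated example, and its own header `# NOTE: this is not a particularly useful config file` is accurate: the `kubeadmConfigPatches` entry sets `nodefs.available: "0%"`, which effectively turns off disk-pressure eviction on every node, and the JSON 6902 patch appends the placeholder `my-hostname` to the API server's `certSANs`. Neither setting is needed by the workflow jobs that now pass this file to `kind create cluster --config platform/kind-example-config.yaml`; trimming the file to `kind`, `apiVersion` and the `nodes` list, or adding a comment stating why the patches are wanted, keeps CI clusters from carrying copied tuning nobody asked for. The same two patches are duplicated in platform/multi-controlplane-kind-config.yaml in this commit.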
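Review bot: The comment `# 1 control plane node and 3 workers` above `nodes:` is stale in this file, which lists three `- role: control-plane` entries; change it to `# 3 control plane nodes and 3 workers` and `# the control plane node config` to `# the control plane nodes`. Nothing on the page uses this file: the multi-controlplane job in ubuntu-kind-wf.yml still points at `platform/kind-example-config.yaml`, so this config is dead weight until that job is switched to it.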
diff --git a/scripts/deploy-kind.sh b/scripts/deploy-kind.sh
index 2ea7d44..8418871 100644
--- a/scripts/deploy-kind.sh
+++ b/scripts/deploy-kind.sh
@@ -15,7 +15,53 @@ curl -Lo ./kind https://kind.sigs.k8s.io/dl/v$KIND_VERSION/kind-$(uname)-amd64 chmod +x ./kind mv ./kind /usr/local/bin/kind +# create two clusters +kind create cluster # Default cluster context name is `kind`. +# If the flag --name is not specified, kind will use the default cluster context name kind +kind create cluster --name kind-2 + +kind get clusters #see the list of kind clusters + +#kind is prefixed to the context and cluster names, for example: kind-istio-testing +kubectl config get-contexts + +kubectl cluster-info --context kind-kind +kubectl cluster-info --context kind-kind-2 + +# extract the detailed information about a cluster +kubectl cluster-info dump --context kind-kind +kubectl cluster-info dump --context kind-kind-2 + + + +# Deleting a Cluster +# If the flag --name is not specified, kind will use the default cluster context name kind +kind delete cluster --name kind-2 kind get clusters #see the list of kind clusters -kubectl config get-contexts #kind is prefixed to the context and cluster names, for example: kind-istio-testing -echo "=============================deploy kind=============================================================" \ No newline at end of file +docker ps +kubectl get nodes + +kubectl get namespaces +kubectl --namespace kube-system get pods + +echo "=============================deploy kind=============================================================" +echo "=============================deploy nginx=============================================================" + +# deploy the Kubernetes supported ingress NGINX controller to work as a reverse proxy and load balancer: +kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml + +# Deploying a Service Locally +# use a simple http-echo web server available as a docker image. 
+# https://hub.docker.com/r/hashicorp/http-echo/ + +# deploy service +# cluster integrates with the ingress NGINX controller +kubectl apply -f baeldung-service.yaml +# check the status of the services +kubectl get services + +# test +curl localhost/baeldung + +echo "=============================deploy nginx=============================================================" \ No newline at end of file
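Review bot: `kubectl apply -f baeldung-service.yaml` uses a path relative to the current directory, while this commit adds the manifest at `app/baeldung-service.yaml`; unless the Makefile changes directory first (not visible here), the apply fails and the following `curl localhost/baeldung` never has a backend. The ingress-nginx controller is applied from the moving `main` URL and `curl localhost/baeldung` runs immediately afterwards with no wait for the controller or the echo pod to become ready, so the check is both unpinned and racy; add `kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s` before the curl and pin the manifest URL to a release tag. The curl also needs `--fail` (or a check on the response body) for a non-200 to fail the script, and whether `set -e` is in effect is decided outside this hunk. As far as the hunk shows, the cluster comes from a plain `kind create cluster`, so nothing maps host port 80 into the node and the ingress would not be reachable on localhost without a config that declares port mappings. The script starts before this hunk.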