Set base RBAC permissions for cluster.

2017-10-10 13:10:39 +02:00
parent 8a904384ef
commit 45845a7ea7
6 changed files with 73 additions and 0 deletions
--- a/yaml/busybox.yml
+++ b/yaml/busybox.yml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: bbox
+  labels:
+    run: bbox
+spec:
+  type: ClusterIP
+  selector:
+   app: busybox
+  ports:
+  - port: 8000
+    targetPort: 8000
+    protocol: TCP
+    name: http
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+   name: busybox
+   namespace: default
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      containers:
+      - image: busybox
+        name: busybox
+        command:
+          - /bin/sh
+          - "-c"
+          - "while true; do echo ping | nc -l -p 8000; done"
+          # - "while true; do sleep 10; done"
+        volumeMounts:
+        - mountPath: /data
+          name: nfs-vol
+        ports:
+        - containerPort: 8000
+      volumes:
+      - name: nfs-vol
+        nfs:
+            path: /data
+            server: git01.itpartner.intern
+            readOnly: false
+
+
--- a/yaml/hello.yml
+++ b/yaml/hello.yml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hello
+  labels:
+    run: hello
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8000
+    targetPort: 8000
+    protocol: TCP
+    name: http
+  selector:
+    app: hello
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+   name: hello
+   namespace: default
+spec:
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: hello
+    spec:
+      containers:
+      - image: crccheck/hello-world
+        name: hello
+        # command:
+        #   - sleep
+        #   - "3600"
+        ports:
+        - containerPort: 8000
+
+
--- a/yaml/kube-rbac.yaml
+++ b/yaml/kube-rbac.yaml
@@ -0,0 +1,73 @@
+#
+# These RBAC permissions enable the cluster to operate, but restrict the default/default Service
+# The 'kube-admin' and 'kube-worker' users have full access
+# The 'kube-system/default' ServiceAccount has full access (used by the default kube-system Pods)
+# The 'default/default' ServiceAccount has no access, and so can only pull public or ECR images
+#
+
+#
+# ClusterRole's
+#
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+    name: full-access
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+  - nonResourceURLs: ["*"]
+    verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+    name: read-access
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["get", "list", "watch"]
+  - nonResourceURLs: ["*"]
+    verbs: ["get", "list", "watch"]
+---
+#
+# ClusterRoleBindings's
+#
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: kube-admin
+subjects:
+  - kind: User
+    name: kube-admin
+roleRef:
+  kind: ClusterRole
+  name: full-access
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: kube-worker
+subjects:
+  - kind: User
+    name: kube-worker
+roleRef:
+  kind: ClusterRole
+  name: full-access
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+  name: system-default-service-account
+subjects:
+  - kind: ServiceAccount
+    namespace: kube-system
+    name: default
+roleRef:
+  kind: ClusterRole
+  name: full-access
+  apiGroup: rbac.authorization.k8s.io
--- a/yaml/traefik-conf.yml
+++ b/yaml/traefik-conf.yml
@@ -0,0 +1,22 @@
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: traefik-conf
+  namespace: kube-system
+data:
+  traefik.toml: |-
+    logLevel = "INFO"
+    defaultEntryPoints = ["http"]
+
+    [kubernetes]
+
+    [entryPoints]
+    [entryPoints.http]
+    address = ":80"
+    # [entryPoints.https]
+    # address = ":443"
+    # [entryPoints.https.tls]
+
+    [web]
+    address = ":8091"
--- a/yaml/traefik-ui.yml
+++ b/yaml/traefik-ui.yml
--- a/yaml/traefik.yml
+++ b/yaml/traefik.yml
@@ -0,0 +1,85 @@
+# ---
+# apiVersion: v1
+# kind: ServiceAccount
+# metadata:
+#   name: traefik-ingress-controller
+#   namespace: kube-system
+---
+kind: DaemonSet
+apiVersion: extensions/v1beta1
+metadata:
+  name: traefik-ingress-controller
+  namespace: kube-system
+  labels:
+    k8s-app: traefik-ingress-lb
+spec:
+  template:
+    metadata:
+      labels:
+        k8s-app: traefik-ingress-lb
+        name: traefik-ingress-lb
+    spec:
+      # serviceAccountName: traefik-ingress-controller
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 60
+      hostNetwork: true
+      volumes:
+      - name: traefik-config
+        configMap:
+          name: traefik-conf
+      containers:
+      - image: traefik
+        name: traefik-ingress-lb
+        resources:
+          limits:
+            cpu: 200m
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        volumeMounts:
+          - mountPath: /etc/traefik
+            name: traefik-config
+        ports:
+        - name: http
+          containerPort: 80
+          hostPort: 80
+        - name: admin
+          containerPort: 8091
+        securityContext:
+          privileged: true
+        args:
+        - --web
+        - --web.address=:8091
+        - --kubernetes
+        - --configfile=/etc/traefik/traefik.toml
+        - --insecureSkipVerify=true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-web-ui
+  namespace: kube-system
+spec:
+  type: NodePort
+  selector:
+    k8s-app: traefik-ingress-lb
+  ports:
+  - name: web
+    port: 8091
+    targetPort: 8091
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: traefik-web-ui
+  namespace: kube-system
+spec:
+  rules:
+  - host: traefik-ui.cluster.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: traefik-web-ui
+          servicePort: web