adrien/ansible-role-k8s-dashboard
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add NetworkPolicies

Browse source
This commit is contained in:
Adrien Reslinger 2020-05-01 01:32:18 +02:00
parent 07283a2243
commit 63318b11b9
4 changed files with 39 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

19
files/NetworkPolicies/allow-from-namespaces.yaml Normal file
View file

@ -0,0 +1,19 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-from-namespaces
namespace: kubernetes-dashboard
spec:
podSelector: {}
ingress:
- from:
- podSelector: {}
- from:
- namespaceSelector:
matchLabels:
namespace: tools
podSelector:
matchLabels:
app: traefik
policyTypes:
- Ingress

10
files/NetworkPolicies/default-deny-all.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: kubernetes-dashboard
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress

5
tasks/main.yml
View file

@ -4,9 +4,12 @@
k8s: k8s:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
merge_type: merge
resource_definition: "{{ lookup('file', item) | from_yaml }}" resource_definition: "{{ lookup('file', item) | from_yaml }}"
with_items: with_items:
- "kubernetes-dashboard-Namespace.yaml" - "kubernetes-dashboard-Namespace.yaml"
- NetworkPolicies/default-deny-all.yaml
- NetworkPolicies/allow-from-namespaces.yaml
- "kubernetes-dashboard-ServiceAccount.yaml" - "kubernetes-dashboard-ServiceAccount.yaml"
- "kubernetes-dashboard-Service.yaml" - "kubernetes-dashboard-Service.yaml"
- "kubernetes-dashboard-certs-Secret.yaml" - "kubernetes-dashboard-certs-Secret.yaml"
@ -35,6 +38,7 @@
k8s: k8s:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
merge_type: merge
definition: definition:
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: Middleware kind: Middleware
@ -53,6 +57,7 @@
k8s: k8s:
state: present state: present
context: "{{ my_context }}" context: "{{ my_context }}"
merge_type: merge
resource_definition: "{{ lookup('template', item) | from_yaml }}" resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items: with_items:
- dashboard-ingress.yaml - dashboard-ingress.yaml

10
templates/dashboard-ingress.yaml
View file

@ -1,4 +1,4 @@
{% if traefik_version | regex_search('(1.)') %} {% if traefik_version | regex_search('(^1.)') %}
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
@ -25,7 +25,7 @@ spec:
serviceName: kubernetes-dashboard serviceName: kubernetes-dashboard
servicePort: 443 servicePort: 443
{% else %} {% else %}
{% if traefik_version | regex_search('(2.)') %} {% if traefik_version | regex_search('(^2.)') %}
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
@ -43,11 +43,11 @@ spec:
middlewares: middlewares:
{% if ingress_whitelist is defined %} {% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist - name: traefik-ipwhitelist
namespace: tools namespace: traefik
{% endif %} {% endif %}
{% if basic_auth is defined %} {% if basic_auth is defined %}
- name: basic-auth - name: basic-auth
namespace: tools namespace: traefik
{% endif %} {% endif %}
- name: kubernetes-dashboard-auth - name: kubernetes-dashboard-auth
services: services:
@ -60,7 +60,7 @@ spec:
tls: tls:
options: options:
name: default name: default
namespace: tools namespace: traefik
secretName: wildcard-cluster secretName: wildcard-cluster
{% endif %} {% endif %}
{% endif %} {% endif %}