adrien/ansible-role-k8s-traefik
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Work on PodSecurityPolicy
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source
This commit is contained in:
Adrien Reslinger 2020-10-10 00:30:36 +02:00
parent f668bb276c
commit 3bb04bb45c
10 changed files with 132 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

4
templates/2.2/traefik-clusterrole.yml.j2
View file

@ -4,6 +4,10 @@ metadata:
name: traefik-ingress-controller
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['traefik-ingress-controller']
- apiGroups:
- ""
resources:

2
templates/2.3/traefik-clusterrole.yml.j2
View file

@ -1,5 +1,5 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik-ingress-controller

25
templates/traefik-dashboard-insecure.yml.j2
View file

@ -19,21 +19,22 @@ spec:
# only support "Rule".
kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12
middlewares:
{% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist
{% endif %}
- name: https-only
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
- name: api@internal
kind: TraefikService
# - name: traefik-dashboard
# port: 8080
# # (default 1) A weight used by the weighted round-robin strategy (WRR).
# weight: 1
# # (default true) PassHostHeader controls whether to leave the request's Host
# # Header as it was before it reached the proxy, or whether to let the proxy set it
# # to the destination (backend) host.
# passHostHeader: true
# responseForwarding:
# # (default 100ms) Interval between flushes of the buffered response body to the client.
# flushInterval: 100ms

6
templates/traefik-dashboard-svc.yml.j2
View file

@ -12,9 +12,9 @@ spec:
port: 80
protocol: TCP
targetPort: 80
- name: traefik
port: 8080
protocol: TCP
# - name: traefik
# port: 8080
# protocol: TCP
- protocol: TCP
port: 443
name: https

11
templates/traefik-dp.yml.j2
View file

@ -19,6 +19,10 @@ spec:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
# securityContext:
# sysctls:
# - name: kernel.net.ipv4.ip_unprivileged_port_start
# value: "80"
containers:
- name: traefik
image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }}
@ -30,7 +34,9 @@ spec:
- name: {{ traefik_entrypoint.name }}
containerPort: {{ traefik_entrypoint.port }}
protocol: {{ traefik_entrypoint.proto }}
hostPort: {{ traefik_entrypoint.port }}
{% if traefik_entrypoint.hostport is defined %}
hostPort: {{ traefik_entrypoint.hostport }}
{% endif %}
{% endfor %}
readinessProbe:
httpGet:
@ -56,6 +62,9 @@ spec:
- ALL
add:
- NET_BIND_SERVICE
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: true
resources:
limits:
cpu: {{ traefik_cpu_limit }}

42
templates/traefik-dashboard.yml.j2 → templates/traefik-ingressroute.yml.j2
View file

@ -1,7 +1,7 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
name: traefik
namespace: {{ traefik_namespace }}
labels:
app: traefik
@ -13,13 +13,12 @@ spec:
# Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule.
# - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
- match: Host(`traefik.{{ traefik_domain }}`)
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule".
kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12
{% if basic_auth is defined or ingress_whitelist is defined %}
middlewares:
{% if ingress_whitelist is defined %}
@ -30,17 +29,32 @@ spec:
{% endif %}
{% endif %}
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
- name: api@internal
kind: TraefikService
# - name: traefik-dashboard
# port: 8080
# # (default 1) A weight used by the weighted round-robin strategy (WRR).
# weight: 1
# # (default true) PassHostHeader controls whether to leave the request's Host
# # Header as it was before it reached the proxy, or whether to let the proxy set it
# # to the destination (backend) host.
# passHostHeader: true
# responseForwarding:
# # (default 100ms) Interval between flushes of the buffered response body to the client.
# flushInterval: 100ms
- match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
kind: Rule
services:
- name: ping@internal
kind: TraefikService
- match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`)
kind: Rule
services:
- name: prometheus@internal
kind: TraefikService
tls:
{% if traefik_dashboard_certificate is defined %}
secretName: {{ traefik_dashboard_certificate }}

24
templates/traefik-ping.yml.j2
View file

@ -21,17 +21,19 @@ spec:
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 14
services:
- name: traefik-dashboard
port: 8080
# (default 1) A weight used by the weighted round-robin strategy (WRR).
weight: 1
# (default true) PassHostHeader controls whether to leave the request's Host
# Header as it was before it reached the proxy, or whether to let the proxy set it
# to the destination (backend) host.
passHostHeader: true
responseForwarding:
# (default 100ms) Interval between flushes of the buffered response body to the client.
flushInterval: 100ms
- name: ping@internal
kind: TraefikService
# - name: traefik-dashboard
# port: 8080
# # (default 1) A weight used by the weighted round-robin strategy (WRR).
# weight: 1
# # (default true) PassHostHeader controls whether to leave the request's Host
# # Header as it was before it reached the proxy, or whether to let the proxy set it
# # to the destination (backend) host.
# passHostHeader: true
# responseForwarding:
# # (default 100ms) Interval between flushes of the buffered response body to the client.
# flushInterval: 100ms
tls:
secretName: wildcard-cluster
options:

51
templates/traefik-psp.yml.j2 Normal file
View file

@ -0,0 +1,51 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
name: traefik-ingress-controller
spec:
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
privileged: false
allowPrivilegeEscalation: false
# Allow core volume types.
volumes:
- configMap
- downwardAPI
- secret
- emptyDir
- projected
# - persistentVolumeClaim
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
hostPorts:
- max: 65535
min: 1
readOnlyRootFilesystem: true
seLinux:
rule: 'RunAsAny'
hostPorts:
- max: 65535
min: 1
# allowedUnsafeSysctls:
# - kernel.net.ipv4.ip_unprivileged_port_start