From 232cd4de5d77035bf35ed696e1045838eac5314d Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 28 Sep 2024 18:55:34 +0200
Subject: [PATCH 1/2] Update traefik role
---
defaults/main.yml | 4 +-
tasks/main.yml | 7 ++-
templates/default-network-dns-policy.yaml.j2 | 46 ++++++++++++++++++++
templates/traefik-helm-value.yaml.j2 | 12 +++-
templates/traefik-ingressroute.yml.j2 | 2 +-
5 files changed, 64 insertions(+), 7 deletions(-)
create mode 100644 templates/default-network-dns-policy.yaml.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index fad378a..bf17a26 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,6 @@
my_context: kubernetes
-traefik_version: "3.0.4"
-traefik_helm_chart_version: "28.0.0"
+traefik_version: "3.1.4"
+traefik_helm_chart_version: "31.1.1"
cluster_domain: "local"
traefik_namespace: "traefik"
traefik_service_type: LoadBalancer
diff --git a/tasks/main.yml b/tasks/main.yml
index d103949..07f176b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -106,6 +106,9 @@
kubernetes.core.helm_repository:
name: traefik
repo_url: "https://helm.traefik.io/traefik"
+# - name: show templating results
+# ansible.builtin.debug:
+# msg: "{{ lookup('ansible.builtin.template', 'traefik-helm-value.yaml.j2') }}"
- name: Deploy latest version of Traefik
kubernetes.core.helm:
context: "{{ my_context }}"
@@ -113,6 +116,7 @@
chart_ref: traefik/traefik
chart_version: "{{ traefik_helm_chart_version }}"
release_namespace: "{{ traefik_namespace }}"
+ create_namespace: true
values: "{{ lookup('template', 'traefik-helm-value.yaml.j2') | from_yaml }}"
- name: Install traefik configuration
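Review bot: The commented-out `show templating results` task in the @@ -106 hunk is dead code in tasks/main.yml, and if it is ever uncommented it prints the fully rendered Helm values at normal verbosity, so anything sensitive rendered into traefik-helm-value.yaml.j2 would land in the job log. If the task is worth keeping, keep it live and gate it instead: add `verbosity: 2` under `ansible.builtin.debug:` so the output only appears with `-vv`; otherwise drop the three lines. The `create_namespace: true` added in the @@ -113 hunk is fine on its own, but it creates the namespace with no labels, which matters for the `namespaceSelector` in the new default-network-dns-policy.yaml.j2 template.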
@@ -122,8 +126,9 @@
namespace: '{{ traefik_namespace }}'
# merge_type: merge
apply: true
- resource_definition: "{{ lookup('template', item) | from_yaml }}"
+ resource_definition: "{{ lookup('template', item) | from_yaml_all }}"
with_items:
+ - default-network-dns-policy.yaml.j2
# - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}"
- traefik-certificate.yml.j2
- traefik-cm.yml.j2
diff --git a/templates/default-network-dns-policy.yaml.j2 b/templates/default-network-dns-policy.yaml.j2
new file mode 100644
index 0000000..185500e
--- /dev/null
+++ b/templates/default-network-dns-policy.yaml.j2
@@ -0,0 +1,46 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: intra-namespace
+spec:
+ podSelector: {}
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: {{ traefik_namespace }}
+
+#---
+#apiVersion: networking.k8s.io/v1
+#kind: NetworkPolicy
+#metadata:
+# name: allow-dns-access
+#spec:
+# podSelector:
+# matchLabels: {}
+# policyTypes:
+# - Egress
+# egress:
+# - to:
+# - namespaceSelector:
+# matchLabels:
+# kubernetes.io/metadata.name: kube-system
+# podSelector:
+# matchLabels:
+# k8s-app: kube-dns
+# ports:
+# - protocol: UDP
+# port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-all-traefik-v121-ingress
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: traefik
+ ingress:
+ - {}
+ policyTypes:
+ - Ingress
diff --git a/templates/traefik-helm-value.yaml.j2 b/templates/traefik-helm-value.yaml.j2
index ee066b4..c1d6b71 100644
--- a/templates/traefik-helm-value.yaml.j2
+++ b/templates/traefik-helm-value.yaml.j2
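Review bot: `from_yaml_all` yields an iterator of documents rather than a list, and any template that renders an empty document (a trailing `---`, or a Jinja branch that emits nothing between separators) contributes a `None` entry that `kubernetes.core.k8s` is unlikely to accept as a resource. The usual spelling is `resource_definition: "{{ lookup('template', item) | from_yaml_all | list }}"`, which materialises the documents up front so a bad template fails at templating time instead of part-way through the loop. The task's own `name`, `context` and the rest of `with_items` are outside the hunk.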
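Review bot: The `intra-namespace` policy's `namespaceSelector` matches on a `name` label, which Kubernetes does not set automatically — the automatic namespace label is `kubernetes.io/metadata.name`, the key the commented-out `allow-dns-access` block below it already uses. Because `create_namespace: true` in tasks/main.yml creates the namespace without labels, the selector matches nothing unless the role labels the namespace elsewhere, and a policy with an empty `podSelector` and a non-matching `from` then denies all ingress to every pod in the namespace that the second policy does not cover. Use `kubernetes.io/metadata.name: "{{ traefik_namespace }}"` (quoted, so an empty or boolean-looking value does not change the YAML type). Separately, `allow-all-traefik-v121-ingress` admits traffic from any source on every container port, including whatever API/dashboard or metrics entrypoints the chart exposes; if those are not meant to be reachable from outside the namespace, list only the public entrypoint ports under `ports:` in that rule, and give the policy a name that says what it does (the `v121` suffix looks copied from elsewhere).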
@@ -140,11 +140,10 @@ metrics:
# severity: warning
# annotations:
# summary: "Traefik Down"
-# description: "{{ $labels.pod }} on {{ $labels.nodename }} is down"
+# description: "{% raw %}{{ $labels.pod }} on {{ $labels.nodename }} is down{% endraw %}"
experimental:
- plugins:
- enabled: true
{% if traefik_ondemand is defined %}
+ plugins:
sablier:
moduleName: "github.com/acouvreur/sablier"
version: "v1.7.0"
@@ -155,3 +154,10 @@ experimental:
hub:
enabled: true
{% endif %}
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/templates/traefik-ingressroute.yml.j2 b/templates/traefik-ingressroute.yml.j2
index 22000cc..93c07e5 100644
--- a/templates/traefik-ingressroute.yml.j2
+++ b/templates/traefik-ingressroute.yml.j2
@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: traefik
From 24d977621bbd0d1dbbc10676f0522e62bd100e1e Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sat, 28 Sep 2024 18:55:56 +0200
Subject: [PATCH 2/2] Add forgotten file
---
templates/traefik-ondemand-plugin.yml.j2 | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/templates/traefik-ondemand-plugin.yml.j2 b/templates/traefik-ondemand-plugin.yml.j2
index 59c28ad..0a0aba5 100644
--- a/templates/traefik-ondemand-plugin.yml.j2
+++ b/templates/traefik-ondemand-plugin.yml.j2
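Review bot: Moving `plugins:` inside `{% if traefik_ondemand is defined %}` leaves `experimental:` with no children when the variable is undefined, unless the lines between this hunk and the next (old lines 151–154, not shown) put something else under it. An empty `experimental:` comes out of `from_yaml` as `experimental: null`, and Helm treats a null user value as an instruction to delete the chart's default `experimental` map, so the chart's own defaults for that section are dropped rather than kept, and any chart template that reads `.Values.experimental.*` may fail on a nil map. Either move the `experimental:` key inside the conditional together with `plugins:`, or give it an unconditional child such as `plugins: {}` before the `{% if %}` so the conditional only adds entries.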
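Review bot: The new top-level `securityContext` is the container-level block; whether the pod-level `podSecurityContext` (`runAsNonRoot`/`runAsUser`) is set elsewhere in this template or left to the chart's defaults cannot be seen from the hunk, and it is worth confirming so the Traefik pod gets the same non-root treatment that patch 2 gives the sablier pod. With `readOnlyRootFilesystem: true` and plugins declared under `experimental.plugins`, Traefik also needs a writable plugin directory at start-up; check the rendered Deployment for that mount now that the plugin block is conditional, rather than assuming the chart provides it. A one-line comment above the block, `# container securityContext; pod-level runAs* is expected from the chart's podSecurityContext`, would record which layer this is meant to cover.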
@@ -19,9 +19,21 @@ spec:
containers:
- name: sablier
image: acouvreur/sablier:1.7.0
- args: ["start", "--provider.name=kubernetes"]
+ args: ["start", "--provider.name=kubernetes", "--storage.file=/dev/shm/state.json"]
ports:
- - containerPort: 10000
+ - containerPort: 10000
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ readOnlyRootFilesystem: true
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+# --configFile=path/to/myconfigfile.yml
---
apiVersion: v1
kind: Service
@@ -39,7 +51,6 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: sablier
- namespace: {{ traefik_namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
@@ -87,7 +98,7 @@ subjects:
name: sablier
namespace: {{ traefik_namespace }}
#---
-#apiVersion: traefik.containo.us/v1alpha1
+#apiVersion: traefik.io/v1alpha1
#kind: Middleware
#metadata:
# name: ondemand
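Review bot: The @@ -19 hunk adds two `securityContext:` keys back to back and the collapsed diff does not show their indentation; if the second one (`runAsGroup`/`runAsNonRoot`/`runAsUser`) lands at the same level as the first instead of under the pod `spec`, they are duplicate mapping keys, most YAML loaders keep only the last one, and the `drop: [ALL]` / `readOnlyRootFilesystem` / seccomp block is silently discarded — `runAsNonRoot` and friends are valid at both levels, so the API server would not reject the result. Please verify the rendered manifest shows one `securityContext` under the container and one under `spec`. `--storage.file=/dev/shm/state.json` works around the read-only root by writing sablier's state into the container's shared-memory tmpfs, which is small by default and is lost on restart; an explicit `emptyDir` volume states the intent and can be sized deliberately, as sketched below (the mount path is illustrative). The enclosing Deployment starts above the hunk.
```yaml
      - name: sablier
        image: acouvreur/sablier:1.7.0
        args: ["start", "--provider.name=kubernetes", "--storage.file=/var/lib/sablier/state.json"]
        # … unchanged: ports, container securityContext …
        volumeMounts:
          - name: sablier-state
            mountPath: /var/lib/sablier  # illustrative path
      volumes:
        - name: sablier-state
          emptyDir: {}
      # … unchanged: pod securityContext …
```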