Traefik 2.3 et PSP fonctionnent #1

Merged
adrien merged 3 commits from WIP into master 2020-11-03 23:33:05 +00:00
10 changed files with 132 additions and 50 deletions


@ -11,9 +11,9 @@ traefik_namespace: "traefik"
traefik_cpu_limit: 500m traefik_cpu_limit: 500m
traefik_memory_limit: 300Mi traefik_memory_limit: 300Mi
traefik_entrypoints: traefik_entrypoints:
- { name: "http", port: 80, proto: "TCP" } - { name: "http", port: 8000, proto: "TCP", hostport: 80 }
- { name: "https", port: 443, proto: "TCP", tls: true } - { name: "https", port: 4443, proto: "TCP", hostport: 443, tls: true }
- { name: "traefik", port: 8080, proto: "TCP" } # - { name: "traefik", port: 8080, proto: "TCP" }
basic_auth: false basic_auth: false
#traefik_dashboard_certificate: wildcard-cluster #traefik_dashboard_certificate: wildcard-cluster
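Review bot: The `traefik` entrypoint on 8080 is commented out rather than deleted, and nothing in this hunk says what still depends on that port; the DaemonSet template's `readinessProbe.httpGet` (its `port` is outside the hunk there) is the obvious candidate, so confirm it follows the new entrypoint list or keep the entrypoint. If 8080 is meant to go, remove the line instead of leaving dead config. The new `hostport` key is optional in the template (it is only rendered when `traefik_entrypoint.hostport is defined`), which the defaults file should state, e.g. `# hostport: optional — when set, the entrypoint is also bound on the node at this port`.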


@ -49,7 +49,7 @@
k8s_info: k8s_info:
context: "{{ my_context }}" context: "{{ my_context }}"
api_version: v1 api_version: v1
kind: Deployment kind: DaemonSet
name: traefik name: traefik
namespace: '{{ traefik_namespace }}' namespace: '{{ traefik_namespace }}'
field_selectors: field_selectors:
@ -82,18 +82,19 @@
resource_definition: "{{ lookup('template', item) | from_yaml }}" resource_definition: "{{ lookup('template', item) | from_yaml }}"
with_items: with_items:
- "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}" - "{{ lookup('vars', 'traefik_' + traefik_version | regex_replace('[.]','_') + '_list') }}"
- traefik-psp.yml.j2
- traefik-cm.yml.j2 - traefik-cm.yml.j2
- traefik-sa.yml.j2 - traefik-sa.yml.j2
- traefik-dp.yml.j2 - traefik-dp.yml.j2
- traefik-svc.yml.j2 # - traefik-svc.yml.j2
- traefik-dashboard-svc.yml.j2 # - traefik-dashboard-svc.yml.j2
- traefik-middleware-httpsredirect.yml.j2 - traefik-middleware-httpsredirect.yml.j2
- traefik-middleware-basicauth.yml.j2 - traefik-middleware-basicauth.yml.j2
- traefik-middleware-headers.yml.j2 - traefik-middleware-headers.yml.j2
- traefik-tls-options.yml.j2 - traefik-tls-options.yml.j2
- traefik-dashboard.yml.j2 - traefik-ingressroute.yml.j2
- traefik-dashboard-insecure.yml.j2 - traefik-dashboard-insecure.yml.j2
- traefik-ping.yml.j2 # - traefik-ping.yml.j2
- name: Define state of ipwhitelist middleware to present - name: Define state of ipwhitelist middleware to present
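Review bot: Changing the `k8s_info` lookup from `Deployment` to `DaemonSet` does not remove a `traefik` Deployment left behind by an earlier run of this role; its pods already bound `hostPort` 80/443 under the old template, so the new DaemonSet pods may be unschedulable on any node where such a pod still runs. The same holds for the Service, dashboard Service and ping templates that are now commented out at lines 38–39 and 46, and for the IngressRoute renamed from `traefik-dashboard` to `traefik` elsewhere in this commit: with `state: present` the old objects stay in the cluster, so an explicit `state: absent` task for them would make the upgrade deterministic. The PSP template is correctly listed before the DaemonSet template, since the policy must exist before the pods are admitted. The task that owns this loop starts above the hunk.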


@ -4,6 +4,10 @@ metadata:
name: traefik-ingress-controller name: traefik-ingress-controller
rules: rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['traefik-ingress-controller']
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
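Review bot: The new PSP rule is written in flow style (`apiGroups: ['policy']`, `verbs: ['use']`) while the rule directly below it uses block sequences, so the file now mixes both styles; rewrite the new rule as block lists for consistency. The grant itself is correctly narrowed with `resourceNames` to the `traefik-ingress-controller` policy, which matches the `metadata.name` of the new PodSecurityPolicy template. The rules list continues past the end of the hunk.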


@ -1,5 +1,5 @@
kind: ClusterRole kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1
metadata: metadata:
name: traefik-ingress-controller name: traefik-ingress-controller
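Review bot: This file and the previous one both define a ClusterRole named `traefik-ingress-controller`, yet only the previous one gained the `podsecuritypolicies`/`use` rule and only this one had `apiVersion` moved to `rbac.authorization.k8s.io/v1`. If these are per-version variants selected through the `traefik_<version>_list` lookup in the tasks file, the variant without the PSP rule leaves the service account unable to use the policy and its pods will be rejected at admission; both files should receive both changes. Only the ClusterRole header is visible in the hunk.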


@ -19,21 +19,22 @@ spec:
# only support "Rule". # only support "Rule".
kind: Rule kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching. # (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12
middlewares: middlewares:
{% if ingress_whitelist is defined %} {% if ingress_whitelist is defined %}
- name: traefik-ipwhitelist - name: traefik-ipwhitelist
{% endif %} {% endif %}
- name: https-only - name: https-only
services: services:
- name: traefik-dashboard - name: api@internal
port: 8080 kind: TraefikService
# (default 1) A weight used by the weighted round-robin strategy (WRR). # - name: traefik-dashboard
weight: 1 # port: 8080
# (default true) PassHostHeader controls whether to leave the request's Host # # (default 1) A weight used by the weighted round-robin strategy (WRR).
# Header as it was before it reached the proxy, or whether to let the proxy set it # weight: 1
# to the destination (backend) host. # # (default true) PassHostHeader controls whether to leave the request's Host
passHostHeader: true # # Header as it was before it reached the proxy, or whether to let the proxy set it
responseForwarding: # # to the destination (backend) host.
# (default 100ms) Interval between flushes of the buffered response body to the client. # passHostHeader: true
flushInterval: 100ms # responseForwarding:
# # (default 100ms) Interval between flushes of the buffered response body to the client.
# flushInterval: 100ms
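Review bot: The route now serves `api@internal` (the Traefik API and dashboard, which expose the complete running configuration) with only the optional `traefik-ipwhitelist` and the `https-only` redirect as middlewares, so whenever `ingress_whitelist` is undefined the API is reachable by anyone who can resolve the host. This template appears to be rendered unconditionally by the task list (`traefik-dashboard-insecure.yml.j2`), so it should be gated behind a variable or carry the basic-auth middleware as well. The eleven commented-out lines of the former `traefik-dashboard` service are dead config and should be deleted rather than kept. The IngressRoute's `metadata` and `tls` sections lie outside the hunk.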


@ -12,9 +12,9 @@ spec:
port: 80 port: 80
protocol: TCP protocol: TCP
targetPort: 80 targetPort: 80
- name: traefik # - name: traefik
port: 8080 # port: 8080
protocol: TCP # protocol: TCP
- protocol: TCP - protocol: TCP
port: 443 port: 443
name: https name: https
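Review bot: The `traefik` port is commented out instead of removed, and the `http` entry still has `targetPort: 80` although the container's http entrypoint now listens on 8000 per the new defaults, so if this Service is ever applied again it would forward to a closed port. Since the task list no longer renders this template, the cleaner change is to delete the file (and remove the existing Service object with a `state: absent` task) rather than keep a stale template. The Service's `metadata` is above the hunk.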


@ -19,6 +19,10 @@ spec:
app: traefik app: traefik
spec: spec:
serviceAccountName: traefik-ingress-controller serviceAccountName: traefik-ingress-controller
# securityContext:
# sysctls:
# - name: kernel.net.ipv4.ip_unprivileged_port_start
# value: "80"
containers: containers:
- name: traefik - name: traefik
image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }} image: traefik:{{ lookup('vars', 'traefik_version_' + traefik_version | regex_replace('\.','_')) }}
@ -30,7 +34,9 @@ spec:
- name: {{ traefik_entrypoint.name }} - name: {{ traefik_entrypoint.name }}
containerPort: {{ traefik_entrypoint.port }} containerPort: {{ traefik_entrypoint.port }}
protocol: {{ traefik_entrypoint.proto }} protocol: {{ traefik_entrypoint.proto }}
hostPort: {{ traefik_entrypoint.port }} {% if traefik_entrypoint.hostport is defined %}
hostPort: {{ traefik_entrypoint.hostport }}
{% endif %}
{% endfor %} {% endfor %}
readinessProbe: readinessProbe:
httpGet: httpGet:
@ -56,6 +62,9 @@ spec:
- ALL - ALL
add: add:
- NET_BIND_SERVICE - NET_BIND_SERVICE
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: true
resources: resources:
limits: limits:
cpu: {{ traefik_cpu_limit }} cpu: {{ traefik_cpu_limit }}
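Review bot: `allowPrivilegeEscalation: true` in the container's securityContext contradicts the new PodSecurityPolicy at the end of this page, which sets `allowPrivilegeEscalation: false`, so the PSP admission controller will reject the DaemonSet's pods; the intended line is `allowPrivilegeEscalation: false`. With the entrypoints moved to 8000/4443 and node exposure handled by `hostPort`, the container no longer binds a privileged port, so the `NET_BIND_SERVICE` add is probably unnecessary too (and with a non-root `runAsUser: 1000` an added capability is generally not in the process's effective set unless the binary carries file capabilities). The policy also requires `readOnlyRootFilesystem: true`; that field is not visible in this hunk, so confirm the securityContext sets it. The commented-out `sysctls` block is dead config and should be removed. The container spec continues outside the hunk.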


@ -1,7 +1,7 @@
apiVersion: traefik.containo.us/v1alpha1 apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: traefik-dashboard name: traefik
namespace: {{ traefik_namespace }} namespace: {{ traefik_namespace }}
labels: labels:
app: traefik app: traefik
@ -13,13 +13,12 @@ spec:
# Match is the rule corresponding to an underlying router. # Match is the rule corresponding to an underlying router.
# Later on, match could be the simple form of a path prefix, e.g. just "/bar", # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
# but for now we only support a traefik style matching rule. # but for now we only support a traefik style matching rule.
# - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
- match: Host(`traefik.{{ traefik_domain }}`) - match: Host(`traefik.{{ traefik_domain }}`)
# kind could eventually be one of "Rule", "Path", "Host", "Method", "Header", # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
# "Parameter", etc, to support simpler forms of rule matching, but for now we # "Parameter", etc, to support simpler forms of rule matching, but for now we
# only support "Rule". # only support "Rule".
kind: Rule kind: Rule
# (optional) Priority disambiguates rules of the same length, for route matching.
priority: 12
{% if basic_auth is defined or ingress_whitelist is defined %} {% if basic_auth is defined or ingress_whitelist is defined %}
middlewares: middlewares:
{% if ingress_whitelist is defined %} {% if ingress_whitelist is defined %}
@ -30,17 +29,32 @@ spec:
{% endif %} {% endif %}
{% endif %} {% endif %}
services: services:
- name: traefik-dashboard - name: api@internal
port: 8080 kind: TraefikService
# (default 1) A weight used by the weighted round-robin strategy (WRR). # - name: traefik-dashboard
weight: 1 # port: 8080
# (default true) PassHostHeader controls whether to leave the request's Host # # (default 1) A weight used by the weighted round-robin strategy (WRR).
# Header as it was before it reached the proxy, or whether to let the proxy set it # weight: 1
# to the destination (backend) host. # # (default true) PassHostHeader controls whether to leave the request's Host
passHostHeader: true # # Header as it was before it reached the proxy, or whether to let the proxy set it
responseForwarding: # # to the destination (backend) host.
# (default 100ms) Interval between flushes of the buffered response body to the client. # passHostHeader: true
flushInterval: 100ms # responseForwarding:
# # (default 100ms) Interval between flushes of the buffered response body to the client.
# flushInterval: 100ms
- match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/ping`)
kind: Rule
services:
- name: ping@internal
kind: TraefikService
- match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`)
kind: Rule
services:
- name: prometheus@internal
kind: TraefikService
tls: tls:
{% if traefik_dashboard_certificate is defined %} {% if traefik_dashboard_certificate is defined %}
secretName: {{ traefik_dashboard_certificate }} secretName: {{ traefik_dashboard_certificate }}
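Review bot: The two routes added for `/ping` and `/metrics` carry no `middlewares`, so unlike the dashboard route above them they bypass the optional IP whitelist, basic-auth and https-only redirect and expose `prometheus@internal` to anyone who reaches the host; the conditional `middlewares` block should be repeated on the `/metrics` route at least, or the metrics route dropped in favour of a cluster-internal scrape. Dropping `priority: 12` from the dashboard route is fine only if no other route on this host relies on ordering (the separate ping template still sets `priority: 14`). Renaming the object from `traefik-dashboard` to `traefik` leaves the old IngressRoute in the cluster unless a task deletes it. The `tls` block at the end applies to all three routes.
```yaml
  - match: Host(`traefik.{{ traefik_domain }}`) && PathPrefix(`/metrics`)
    kind: Rule
{% if basic_auth is defined or ingress_whitelist is defined %}
    middlewares:
{% if ingress_whitelist is defined %}
      - name: traefik-ipwhitelist
{% endif %}
# … unchanged: basic-auth middleware entry, as on the dashboard route above …
{% endif %}
    services:
      - name: prometheus@internal
        kind: TraefikService
```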


@ -21,17 +21,19 @@ spec:
# (optional) Priority disambiguates rules of the same length, for route matching. # (optional) Priority disambiguates rules of the same length, for route matching.
priority: 14 priority: 14
services: services:
- name: traefik-dashboard - name: ping@internal
port: 8080 kind: TraefikService
# (default 1) A weight used by the weighted round-robin strategy (WRR). # - name: traefik-dashboard
weight: 1 # port: 8080
# (default true) PassHostHeader controls whether to leave the request's Host # # (default 1) A weight used by the weighted round-robin strategy (WRR).
# Header as it was before it reached the proxy, or whether to let the proxy set it # weight: 1
# to the destination (backend) host. # # (default true) PassHostHeader controls whether to leave the request's Host
passHostHeader: true # # Header as it was before it reached the proxy, or whether to let the proxy set it
responseForwarding: # # to the destination (backend) host.
# (default 100ms) Interval between flushes of the buffered response body to the client. # passHostHeader: true
flushInterval: 100ms # responseForwarding:
# # (default 100ms) Interval between flushes of the buffered response body to the client.
# flushInterval: 100ms
tls: tls:
secretName: wildcard-cluster secretName: wildcard-cluster
options: options:
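Review bot: This template is no longer in the task list (line 46 comments out `traefik-ping.yml.j2`), and the same `/ping` route to `ping@internal` is now defined inside the main IngressRoute, so the edit here has no effect; delete the file, commented-out `traefik-dashboard` service lines included, rather than maintain two copies. If it is kept deliberately, note that it still hard-codes `secretName: wildcard-cluster` whereas the main IngressRoute derives it from `traefik_dashboard_certificate`. The route's `match` is above the hunk.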

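--- /dev/null
+++ b/NEW_FILE_PATH_NOT_SHOWN
@@ -0,0 +1,51 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+annotations:
+seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
+seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+name: traefik-ingress-controller
+spec:
+requiredDropCapabilities:
+- ALL
+allowedCapabilities:
+- NET_BIND_SERVICE
+privileged: false
+allowPrivilegeEscalation: false
+# Allow core volume types.
+volumes:
+- configMap
+- downwardAPI
+- secret
+- emptyDir
+- projected
+# - persistentVolumeClaim
+hostNetwork: false
+hostIPC: false
+hostPID: false
+runAsUser:
+# Require the container to run without root privileges.
+rule: 'MustRunAsNonRoot'
+supplementalGroups:
+rule: 'MustRunAs'
+ranges:
+# Forbid adding the root group.
+- min: 1
+max: 65535
+fsGroup:
+rule: 'MustRunAs'
+ranges:
+# Forbid adding the root group.
+- min: 1
+max: 65535
+hostPorts:
+- max: 65535
+min: 1
+readOnlyRootFilesystem: true
+seLinux:
+rule: 'RunAsAny'
+hostPorts:
+- max: 65535
+min: 1
+# allowedUnsafeSysctls:
+# - kernel.net.ipv4.ip_unprivileged_port_start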
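Review bot: `hostPorts` is declared twice under `spec` (once after `fsGroup`, once after `seLinux`); duplicate mapping keys are invalid in YAML 1.2 and most loaders silently keep the last one, so remove one of the two entries. Allowing the full `1-65535` host-port range is broader than the DaemonSet needs — it only binds the `hostport` values of the entrypoints (80 and 443 by default) — so a range limited to those ports keeps the policy tight. The `seccomp.security.alpha.kubernetes.io/*` annotations are the legacy form of seccomp enforcement, and `policy/v1beta1` PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; a comment naming the cluster version this targets, e.g. `# PSP: deprecated in 1.21, removed in 1.25 — migrate to Pod Security Admission`, would save the next maintainer a surprise.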