From 600cf7b3fc0f912fb474380214f6c21b35d6e536 Mon Sep 17 00:00:00 2001 
From: Denis Mishin
Date: Fri, 25 Oct 2024 18:36:06 -0400
Subject: [PATCH 1/3] zero: add kustomize
---
 zero/kustomize/.gitignore | 1 +
 zero/kustomize/README.md | 43 +++++++++++++++++++
 zero/kustomize/deployment/base.yaml | 16 +++++++
 zero/kustomize/deployment/env.yaml | 29 +++++++++++++
 zero/kustomize/deployment/image.yaml | 12 ++++++
 zero/kustomize/deployment/kustomization.yaml | 10 +++++
 zero/kustomize/deployment/no-root.yaml | 22 ++++++++++
 zero/kustomize/deployment/ports.yaml | 19 ++++++++
 .../deployment/readonly-root-fs.yaml | 11 +++++
 zero/kustomize/deployment/resources.yaml | 16 +++++++
 zero/kustomize/deployment/volumes.yaml | 34 +++++++++++++++
 zero/kustomize/kustomization.yaml | 8 ++++
 zero/kustomize/namespace.yaml | 4 ++
 zero/kustomize/pomerium-secret.yaml.example | 8 ++++
 zero/kustomize/rbac/kustomization.yaml | 6 +++
 zero/kustomize/rbac/role.yaml | 14 ++++++
 zero/kustomize/rbac/role_binding.yaml | 11 +++++
 zero/kustomize/rbac/service_account.yaml | 4 ++
 zero/kustomize/service/kustomization.yaml | 2 +
 zero/kustomize/service/proxy.yaml | 16 +++++++
 20 files changed, 286 insertions(+)
 create mode 100644 zero/kustomize/.gitignore
 create mode 100644 zero/kustomize/README.md
 create mode 100644 zero/kustomize/deployment/base.yaml
 create mode 100644 zero/kustomize/deployment/env.yaml
 create mode 100644 zero/kustomize/deployment/image.yaml
 create mode 100644 zero/kustomize/deployment/kustomization.yaml
 create mode 100644 zero/kustomize/deployment/no-root.yaml
 create mode 100644 zero/kustomize/deployment/ports.yaml
 create mode 100644 zero/kustomize/deployment/readonly-root-fs.yaml
 create mode 100644 zero/kustomize/deployment/resources.yaml
 create mode 100644 zero/kustomize/deployment/volumes.yaml
 create mode 100644 zero/kustomize/kustomization.yaml
 create mode 100644 zero/kustomize/namespace.yaml
 create mode 100644 zero/kustomize/pomerium-secret.yaml.example
 create mode 100644 zero/kustomize/rbac/kustomization.yaml
 create mode 100644 zero/kustomize/rbac/role.yaml
 create mode 100644 zero/kustomize/rbac/role_binding.yaml
 create mode 100644 zero/kustomize/rbac/service_account.yaml
 create mode 100644 zero/kustomize/service/kustomization.yaml
 create mode 100644 zero/kustomize/service/proxy.yaml
diff --git a/zero/kustomize/.gitignore b/zero/kustomize/.gitignore
new file mode 100644
index 0000000..b2ca117
--- /dev/null
+++ b/zero/kustomize/.gitignore
@@ -0,0 +1 @@
+pomerium-secret.yaml
diff --git a/zero/kustomize/README.md b/zero/kustomize/README.md
new file mode 100644
index 0000000..f944acc
--- /dev/null
+++ b/zero/kustomize/README.md
@@ -0,0 +1,43 @@
+# Installing Pomerium Zero
+
+Visit https://console.pomerium.app and register for an account.
+
+# Install base pomerium zero
+
+```shell
+kubectl apply -k https://github.com/pomerium/pomerium/k8s/zero?ref=main
+```
+
+(that would install an evergreen `main`)
+
+# Create a secret with Pomerium Zero token to complete your installation
+
+```yaml filename="pomerium-secret.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pomerium
+ namespace: pomerium-zero
+type: Opaque
+stringData:
+ pomerium_zero_token:
+```
+
+```shell
+kubectl apply -f pomerium-secret.yaml
+```
+
+Now your Pomerium deployment should be up and running.
+
+# Update Pomerium cluster configuration
+
+1. The externally available address of your Pomerium Cluster should be set to the value assigned by your Load Balancer:
+
+```shell
+kubectl get svc/pomerium-proxy -n pomerium-zero -o=jsonpath='{.status.loadBalancer.ingress[0].ip}'
+```
+
+2. Because container is configured to run as non-root, the following should be adjusted:
+
+- http redirect address set to `:8080`
+- server address set to `:8443`
diff --git a/zero/kustomize/deployment/base.yaml b/zero/kustomize/deployment/base.yaml
new file mode 100644
index 0000000..7395ab7
--- /dev/null
+++ b/zero/kustomize/deployment/base.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: pomerium-zero
+ template:
+ spec:
+ automountServiceAccountToken: true
+ serviceAccountName: pomerium-zero
+ containers:
+ - name: pomerium
+ terminationGracePeriodSeconds: 10
diff --git a/zero/kustomize/deployment/env.yaml b/zero/kustomize/deployment/env.yaml
new file mode 100644
index 0000000..6cb28d7
--- /dev/null
+++ b/zero/kustomize/deployment/env.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ env:
+ - name: POMERIUM_ZERO_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: pomerium
+ key: pomerium_zero_token
+ optional: false
+ - name: POMERIUM_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: BOOTSTRAP_CONFIG_FILE
+ value: "/var/run/secrets/pomerium/bootstrap.dat"
+ - name: BOOTSTRAP_CONFIG_WRITEBACK_URI
+ value: "secret://$(POMERIUM_NAMESPACE)/pomerium/bootstrap"
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
diff --git a/zero/kustomize/deployment/image.yaml b/zero/kustomize/deployment/image.yaml
new file mode 100644
index 0000000..93eab78
--- /dev/null
+++ b/zero/kustomize/deployment/image.yaml
@@ -0,0 +1,12 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ replicas: 1
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ image: pomerium/pomerium:v0.27.2
+ imagePullPolicy: IfNotFound
diff --git a/zero/kustomize/deployment/kustomization.yaml b/zero/kustomize/deployment/kustomization.yaml
new file mode 100644
index 0000000..daa4b2a
--- /dev/null
+++ b/zero/kustomize/deployment/kustomization.yaml
@@ -0,0 +1,10 @@
+resources:
+ - base.yaml
+patchesStrategicMerge:
+ - env.yaml
+ - image.yaml
+ - ports.yaml
+ - resources.yaml
+ - no-root.yaml
+ - readonly-root-fs.yaml
+ - volumes.yaml
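Review bot: `spec.selector.matchLabels` names `app.kubernetes.io/name: pomerium-zero`, but `spec.template` has no `metadata.labels`, so the selector only matches the template because the top-level kustomization's `commonLabels` injects that label into both sides; built on its own (`kubectl kustomize deployment/`) the Deployment would be rejected for a selector that does not match its template. Either add `metadata: labels: app.kubernetes.io/name: pomerium-zero` under `template`, or drop the explicit `matchLabels` and let `commonLabels` own both, so the base is valid without the parent. `automountServiceAccountToken: true` is the cluster default; a comment such as `# explicit: the token is presumably needed for the secret:// bootstrap writeback configured in env.yaml` would record why it is spelled out, since the Role in this commit only grants patch on that one Secret.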
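Review bot: `replicas: 1` is repeated here although base.yaml already sets it; a strategic-merge patch should carry only the fields it changes, otherwise the two files can silently disagree the next time one is edited — drop it from this patch. The image is pinned by tag only; for the component that holds the cluster's Zero token and the bootstrap config, pinning by digest (`image: pomerium/pomerium:v0.27.2@sha256:<digest-placeholder>`) makes the rollout reproducible and immune to a tag being re-pointed.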
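Review bot: `patchesStrategicMerge` is deprecated in kustomize v5 (and the kubectl releases that bundle it) in favour of `patches`, so every build of this directory will print a deprecation warning until the list is rewritten as `patches:` with `- path:` entries. The file also lacks the `apiVersion: kustomize.config.k8s.io/v1beta1` / `kind: Kustomization` header that rbac/kustomization.yaml carries, and rbac/kustomization.yaml indents its sequence flush while this file, the top-level kustomization.yaml and service/kustomization.yaml indent theirs; the four files should share one header and one sequence style.

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - base.yaml
patches:
  - path: env.yaml
  - path: image.yaml
  - path: ports.yaml
  - path: resources.yaml
  - path: no-root.yaml
  - path: readonly-root-fs.yaml
  - path: volumes.yaml
```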
diff --git a/zero/kustomize/deployment/no-root.yaml b/zero/kustomize/deployment/no-root.yaml
new file mode 100644
index 0000000..b708193
--- /dev/null
+++ b/zero/kustomize/deployment/no-root.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ securityContext:
+ fsGroup: 1000
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 1000
+ sysctls:
+ - name: net.ipv4.ip_unprivileged_port_start
+ value: "80"
+ containers:
+ - name: pomerium
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/zero/kustomize/deployment/ports.yaml b/zero/kustomize/deployment/ports.yaml
new file mode 100644
index 0000000..547e777
--- /dev/null
+++ b/zero/kustomize/deployment/ports.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ ports:
+ - containerPort: 443
+ name: https
+ protocol: TCP
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ - name: metrics
+ containerPort: 9090
+ protocol: TCP
diff --git a/zero/kustomize/deployment/readonly-root-fs.yaml b/zero/kustomize/deployment/readonly-root-fs.yaml
new file mode 100644
index 0000000..7159c9e
--- /dev/null
+++ b/zero/kustomize/deployment/readonly-root-fs.yaml
@@ -0,0 +1,11 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/zero/kustomize/deployment/resources.yaml b/zero/kustomize/deployment/resources.yaml
new file mode 100644
index 0000000..21a6ee6
--- /dev/null
+++ b/zero/kustomize/deployment/resources.yaml
@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ containers:
+ - name: pomerium
+ resources:
+ limits:
+ cpu: 5000m
+ memory: 1Gi
+ requests:
+ cpu: 300m
+ memory: 200Mi
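Review bot: The pod `securityContext` stops one field short of the Pod Security `restricted` profile that this patch together with readonly-root-fs.yaml is clearly aiming for (`runAsNonRoot`, `drop: [ALL]`, `allowPrivilegeEscalation: false`, read-only root): there is no `seccompProfile`, so a namespace enforcing `restricted` would reject the pod. Add `seccompProfile:` / `  type: RuntimeDefault` under the pod-level `securityContext`, next to `runAsNonRoot: true`. The `net.ipv4.ip_unprivileged_port_start` sysctl is on the kubelet's safe list on current Kubernetes releases, but on a cluster that does not allow it the pod is rejected with a sysctl-forbidden status rather than failing at bind time; a comment on that entry, e.g. `# lets UID 1000 bind 80/443 directly; without it the listeners must move to unprivileged ports`, would make the dependency between this file, ports.yaml and the README visible.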
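Review bot: The container ports declared here (80 and 443, which service/proxy.yaml targets by the names `http` and `https`) contradict the README added in this same commit, which tells users to set the http redirect address to `:8080` and the server address to `:8443` because the container runs as non-root. With the `net.ipv4.ip_unprivileged_port_start=80` sysctl in no-root.yaml, listening on 80/443 as UID 1000 is what these manifests actually rely on, so anyone following the README would leave the Service pointing at ports nothing listens on. Either correct the README to say the default listeners already work, or change the two `containerPort` values to 8080/8443 here and keep the named `targetPort`s in the Service so it follows. The three entries also order their keys differently (`containerPort` first for https, `name` first for the others); one order reads better.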
diff --git a/zero/kustomize/deployment/volumes.yaml b/zero/kustomize/deployment/volumes.yaml
new file mode 100644
index 0000000..1547567
--- /dev/null
+++ b/zero/kustomize/deployment/volumes.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pomerium
+spec:
+ template:
+ spec:
+ nodeSelector:
+ kubernetes.io/os: linux
+ containers:
+ - name: pomerium
+ env:
+ - name: TMPDIR
+ value: "/tmp/pomerium"
+ - name: XDG_CACHE_HOME
+ value: "/tmp/pomerium/cache"
+ - name: XDG_DATA_HOME
+ value: "/tmp/pomerium/cache"
+ volumeMounts:
+ - mountPath: "/tmp/pomerium"
+ name: tmp
+ - mountPath: "/var/run/secrets/pomerium"
+ name: bootstrap
+ readOnly: true
+ volumes:
+ - name: tmp
+ emptyDir: {}
+ - name: bootstrap
+ secret:
+ optional: true
+ secretName: pomerium
+ items:
+ - key: bootstrap
+ path: bootstrap.dat
diff --git a/zero/kustomize/kustomization.yaml b/zero/kustomize/kustomization.yaml
new file mode 100644
index 0000000..60afd7e
--- /dev/null
+++ b/zero/kustomize/kustomization.yaml
@@ -0,0 +1,8 @@
+namespace: pomerium-zero
+commonLabels:
+ app.kubernetes.io/name: pomerium-zero
+resources:
+ - namespace.yaml
+ - ./rbac
+ - ./deployment
+ - ./service
diff --git a/zero/kustomize/namespace.yaml b/zero/kustomize/namespace.yaml
new file mode 100644
index 0000000..2fd27e4
--- /dev/null
+++ b/zero/kustomize/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pomerium-zero
diff --git a/zero/kustomize/pomerium-secret.yaml.example b/zero/kustomize/pomerium-secret.yaml.example
new file mode 100644
index 0000000..abe06f1
--- /dev/null
+++ b/zero/kustomize/pomerium-secret.yaml.example
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: pomerium
+ namespace: pomerium-zero
+type: Opaque
+stringData:
+ pomerium_zero_token: YOUR_TOKEN_HERE
diff --git a/zero/kustomize/rbac/kustomization.yaml b/zero/kustomize/rbac/kustomization.yaml
new file mode 100644
index 0000000..6da23f4
--- /dev/null
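Review bot: `nodeSelector: kubernetes.io/os: linux` is scheduling configuration, not a volume, and a reader looking for it will check base.yaml first; move it there (base.yaml is applied before the patches, so the rendered output does not change). `XDG_CACHE_HOME` and `XDG_DATA_HOME` both point at `/tmp/pomerium/cache` — presumably intentional since either way the target is the same emptyDir, but if data and cache were meant to be separate, `/tmp/pomerium/data` for the latter is the fix. A comment above `TMPDIR`, e.g. `# root filesystem is read-only (readonly-root-fs.yaml); all writable paths are redirected into the tmp emptyDir`, would make the coupling between the two patches explicit.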
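Review bot: `commonLabels` is deprecated in kustomize v5 in favour of `labels`, and because it is also written into `spec.selector.matchLabels`, which is immutable on a Deployment, the label can never be renamed without deleting and recreating the Deployment; writing it as `labels:` / `  - pairs: {app.kubernetes.io/name: pomerium-zero}` / `    includeSelectors: true` keeps the current behaviour on supported tooling. The file should also carry the same `apiVersion`/`kind` header as rbac/kustomization.yaml. The README in this commit points `kubectl apply -k` at `github.com/pomerium/pomerium/k8s/zero` while these files live under `zero/kustomize`; if that is not a separately published path, the documented URL will not resolve to this kustomization.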
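Review bot: The Namespace is created bare, so every hardening in deployment/no-root.yaml and readonly-root-fs.yaml remains opt-in per manifest; labelling it for Pod Security Admission turns that into an enforced invariant, and a later patch that drops `runAsNonRoot` or adds a capability is rejected instead of silently deployed. Add under `metadata`: `labels:` / `  pod-security.kubernetes.io/enforce: restricted` / `  pod-security.kubernetes.io/warn: restricted`. Note that `restricted` also requires a `seccompProfile`, which the no-root.yaml securityContext does not yet set, so the two changes belong together.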
+++ b/zero/kustomize/rbac/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- role.yaml
+- role_binding.yaml
+- service_account.yaml
diff --git a/zero/kustomize/rbac/role.yaml b/zero/kustomize/rbac/role.yaml
new file mode 100644
index 0000000..25a7bd6
--- /dev/null
+++ b/zero/kustomize/rbac/role.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: pomerium-zero
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - patch
+ resourceNames:
+ - pomerium
diff --git a/zero/kustomize/rbac/role_binding.yaml b/zero/kustomize/rbac/role_binding.yaml
new file mode 100644
index 0000000..6f6bc3a
--- /dev/null
+++ b/zero/kustomize/rbac/role_binding.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pomerium-zero
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: pomerium-zero
+subjects:
+ - kind: ServiceAccount
+ name: pomerium-zero
diff --git a/zero/kustomize/rbac/service_account.yaml b/zero/kustomize/rbac/service_account.yaml
new file mode 100644
index 0000000..6ad2603
--- /dev/null
+++ b/zero/kustomize/rbac/service_account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: pomerium-zero
diff --git a/zero/kustomize/service/kustomization.yaml b/zero/kustomize/service/kustomization.yaml
new file mode 100644
index 0000000..a9e08b9
--- /dev/null
+++ b/zero/kustomize/service/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+ - proxy.yaml
diff --git a/zero/kustomize/service/proxy.yaml b/zero/kustomize/service/proxy.yaml
new file mode 100644
index 0000000..5d4275a
--- /dev/null
+++ b/zero/kustomize/service/proxy.yaml
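Review bot: The `ServiceAccount` subject on the last two lines has no `namespace`; a RoleBinding subject of kind ServiceAccount needs one, and this manifest is only usable because kustomize's namespace transformer fills `subjects[].namespace` for ServiceAccount subjects when the top-level `namespace: pomerium-zero` is applied. Applied outside kustomize it would likely be rejected by the apiserver, or — if a tool defaulted the field — bind a same-named ServiceAccount in another namespace to the Secret-patching Role. Stating `namespace: pomerium-zero` explicitly after `name: pomerium-zero`, as the README's Secret example already does, removes the dependency; otherwise a comment such as `# namespace is injected by the parent kustomization` should record it.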
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: pomerium-proxy
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - port: 443
+ targetPort: https
+ protocol: TCP
+ name: https
+ - name: http
+ targetPort: http
+ protocol: TCP
+ port: 80
From 8e71afd1a513ca51827aca8a5da06ea59b4882b6 Mon Sep 17 00:00:00 2001
From: Denis Mishin
Date: Thu, 31 Oct 2024 10:53:44 -0400
Subject: [PATCH 2/3] imagePullPolicy
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
---
 zero/kustomize/deployment/image.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zero/kustomize/deployment/image.yaml b/zero/kustomize/deployment/image.yaml
index 93eab78..900bc15 100644
--- a/zero/kustomize/deployment/image.yaml
+++ b/zero/kustomize/deployment/image.yaml
@@ -9,4 +9,4 @@ spec:
 containers:
 - name: pomerium
 image: pomerium/pomerium:v0.27.2
- imagePullPolicy: IfNotFound
+ imagePullPolicy: IfNotPresent
From 8a524b9ee6895b73003928ef0af5292b7335055a Mon Sep 17 00:00:00 2001
From: Denis Mishin
Date: Thu, 31 Oct 2024 10:54:12 -0400
Subject: [PATCH 3/3] emptyDir limit
Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
---
 zero/kustomize/deployment/volumes.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/zero/kustomize/deployment/volumes.yaml b/zero/kustomize/deployment/volumes.yaml
index 1547567..08d5041 100644
--- a/zero/kustomize/deployment/volumes.yaml
+++ b/zero/kustomize/deployment/volumes.yaml
@@ -24,7 +24,8 @@ spec:
 readOnly: true
 volumes:
 - name: tmp
- emptyDir: {}
+ emptyDir:
+ sizeLimit: 500Mi
 - name: bootstrap
 secret:
 optional: true
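Review bot: The two port entries order their keys differently (`port`/`targetPort`/`protocol`/`name` for https, `name`/`targetPort`/`protocol`/`port` for http), mirroring the same inconsistency in deployment/ports.yaml; use one order for the list. `externalTrafficPolicy: Local` preserves the client source address, which matters for an access proxy's logs and policy decisions, but combined with `replicas: 1` the load balancer only has the single node hosting the pod as a healthy backend, so a rolling update can briefly leave no healthy target; a comment next to the field recording that trade-off would help whoever first sees errors during a rollout. Plain-HTTP port 80 is exposed on the LoadBalancer; that is expected for the redirect listener the README describes, but a comment saying so would stop a reader from assuming it serves the application unencrypted.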