From da6bf8045426f0461ac29c9dab02494737584adb Mon Sep 17 00:00:00 2001 
From: Rustam Tagaev Date: Fri, 31 Jan 2025 10:49:39 +0300 Subject: [PATCH] [DO-1496] add limits and network-policy (!4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit схлопнул networkpolicy limits и namespace в один файл и назвал его так же как namespace Co-authored-by: Rustam Tagaev Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/4 Reviewed-by: Denis Patrakeev Co-authored-by: Rustam Tagaev Co-committed-by: Rustam Tagaev --- .../namespaces/example/example.yaml | 51 +++++++++++++++++ .../example/super-service/argo-values.yaml | 1 + .../super-service-network-policy.yaml | 52 +++++++++++++++++ .../example/super-service/values.yaml | 1 + .../jenkins-deploy-service-account.yaml | 0 ...lds-namespace.yaml => jenkins-builds.yaml} | 0 .../namespaces/sandbox/sandbox-namespace.yaml | 10 ---- .../sandbox/sandbox-resourcequota.yaml | 13 ----- .../namespaces/sandbox/sandbox.yaml | 24 ++++++++ ...msg-messenger-core-api-network-policy.yaml | 39 +++++++++++++ .../openresty/openresty-network-policy.yaml | 39 +++++++++++++ .../tavro-cloud-dev-namespace.yaml | 10 ---- .../tavro-cloud-dev-resourcequota.yaml | 13 ----- .../tavro-cloud-dev/tavro-cloud-dev.yaml | 56 +++++++++++++++++++ .../vault-infra/vault-infra-namespace.yaml | 10 ---- .../namespaces/vault-infra/vault-infra.yaml | 30 ++++++++++ .../vault-secrets-webhook/values.yaml | 10 +++- 17 files changed, 302 insertions(+), 57 deletions(-) create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/example/example.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/argo-values.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/super-service-network-policy.yaml create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/values.yaml rename clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/{ => .rbac}/jenkins-deploy-service-account.yaml (100%) 
rename clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/{jenkins-builds-namespace.yaml => jenkins-builds.yaml} (100%)
delete mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
delete mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox.yaml
create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/msg-messenger-core-api/msg-messenger-core-api-network-policy.yaml
create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/openresty-network-policy.yaml
delete mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
delete mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev.yaml
delete mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra.yaml
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/example/example.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/example/example.yaml
new file mode 100644
index 0000000..d12a17f
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/example/example.yaml
@@ -0,0 +1,51 @@
+---
+# создаем namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: example
+ labels:
+ name: example
+
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: "nodetype=worker"
+---
+# выделяем лимиты на текущий namespace
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: example
+ namespace: example
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ hard:
+ configmaps: "100"
+ limits.cpu: "16"
+ limits.memory: 32Gi
+ persistentvolumeclaims: "1"
+ pods: "100"
+ replicationcontrollers: "0"
+ requests.cpu: "8"
+ requests.memory: "24Gi"
+ requests.storage: "2Gi"
+ resourcequotas: "1"
+ secrets: "100"
+ services: "100"
+ services.loadbalancers: "0"
+ services.nodeports: "0"
+---
+# запрещаем все для текущего namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: deny-all
+ namespace: example
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress: []
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/argo-values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/argo-values.yaml
new file mode 100644
index 0000000..3da8547
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/argo-values.yaml
@@ -0,0 +1 @@
+# тут будут values для приложений которые развернуты через argo
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/super-service-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/super-service-network-policy.yaml
new file mode 100644
index 0000000..479e243
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/super-service-network-policy.yaml
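Review bot: `deny-all` in example.yaml closes egress entirely (`egress: []`), DNS included, so a service policy copied from this template can only reach destinations by literal IP — super-service-out in the same commit documents its target by hostname, which a pod under this baseline cannot resolve — while tavro-cloud-dev-common in tavro-cloud-dev.yaml already carries a port-53 egress rule; the example should show the same, destination-restricted, DNS rule so both namespaces follow one pattern. `deny-all` is also the only object in the file without the `app.kubernetes.io/managed-by: manual` label that the Namespace and ResourceQuota carry, and the Namespace label block appears to contain a stray blank line between `name: example` and that label. Quantity quoting is mixed (`limits.memory: 32Gi` plain, `requests.memory: "24Gi"` quoted); quote all of them the same way so formatters do not retype them. The node selector `"nodetype=worker"` differs from the `node-role.kubernetes.io/worker=` used by sandbox.yaml and vault-infra.yaml in this commit; confirm the worker nodes carry that label, otherwise pods in this namespace stay Pending.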
@@ -0,0 +1,52 @@
+---
+# разрещаем сервису принимать входящие запросы на порт 8080
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: super-service-in
+ namespace: example
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: super-service
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: super-service-out
+ namespace: example
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: super-service
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ # пример для внутренних ресурсов
+ # разрещаем сервису отправлять запросы на порт 8000 сервиса superman
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: superman
+ ports:
+ - port: 8000
+ protocol: TCP
+ - to:
+ - ipBlock:
+ # пример для внешних ресурсов
+ # тут пишем название домена например test.avroid.tech домен резолвится в 192.168.1.2
+ # для того что бы понимать куда смотрит ip
+ cidr: 192.168.1.2/32
+ ports:
+ - port: 80
+ protocol: TCP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/values.yaml
new file mode 100644
index 0000000..15182ac
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/values.yaml
@@ -0,0 +1 @@
+# тут будут values от helm
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-deploy-service-account.yaml
similarity index 100%
rename from clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml
rename to clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-deploy-service-account.yaml
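Review bot: `super-service-in` admits port 8080 from every source because its ingress rule has `ports:` but no `from:`; in a template meant to be copied this silently grants reach from any namespace (and, depending on the CNI, from outside the cluster) to the pod, which undoes the deny-all baseline in example.yaml. The same shape recurs in `msg-messenger-core-api-in` (msg-messenger-core-api-network-policy.yaml) and `openresty-in` (openresty-network-policy.yaml); for msg-messenger-core-api the only caller visible in this commit is openresty via `openresty-out`, so a podSelector for it is the natural `from:`, while openresty itself presumably needs a namespaceSelector for whatever fronts it, which should be stated in a comment. Two smaller points: the `superman` podSelector without a namespaceSelector only matches pods in the `example` namespace, worth saying in the comment above it, and both comment lines spell `разрешаем` as `разрещаем`.
```yaml
# … unchanged: metadata, podSelector, policyTypes …
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: CALLER_APP_NAME  # placeholder: the pod that should reach 8080
      ports:
        - port: 8080
          protocol: TCP
```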
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds.yaml
similarity index 100%
rename from clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml
rename to clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds.yaml
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
deleted file mode 100644
index 3f24def..0000000
--- a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: sandbox
- labels:
- name: sandbox
- app.kubernetes.io/managed-by: manual
- annotations:
- scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
deleted file mode 100644
index 8ae1bed..0000000
--- a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ResourceQuota
-metadata:
- name: sandbox
- labels:
- app.kubernetes.io/managed-by: manual
-spec:
- hard:
- requests.cpu: "8"
- requests.memory: 24Gi
- limits.cpu: "16"
- limits.memory: 32Gi
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox.yaml
new file mode 100644
index 0000000..d26facd
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: sandbox
+ labels:
+ name: sandbox
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: sandbox
+ namespace: sandbox
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ hard:
+ requests.cpu: "8"
+ requests.memory: 24Gi
+ limits.cpu: "16"
+ limits.memory: 32Gi
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/msg-messenger-core-api/msg-messenger-core-api-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/msg-messenger-core-api/msg-messenger-core-api-network-policy.yaml
new file mode 100644
index 0000000..e42a27d
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/msg-messenger-core-api/msg-messenger-core-api-network-policy.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: msg-messenger-core-api-in
+ namespace: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: msg-messenger-core-api
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8000
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: msg-messenger-core-api-out
+ namespace: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: msg-messenger-core-api
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ # pg-db-test.avroid.tech
+ cidr: 10.2.40.5/32
+ ports:
+ - port: 5432
+ protocol: TCP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/openresty-network-policy.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/openresty-network-policy.yaml
new file mode 100644
index 0000000..773afdb
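Review bot: sandbox.yaml merges the Namespace and ResourceQuota (and correctly adds `namespace: sandbox` to the quota, which the deleted sandbox-resourcequota.yaml lacked) but, unlike example.yaml and tavro-cloud-dev.yaml in this commit, adds no default-deny NetworkPolicy, so pod traffic in sandbox stays unrestricted even though the title promises limits and network policy; a sandbox is where an unreviewed workload is most likely to land, so it is the namespace that most needs the `deny-all` object. The quota also keeps only the four compute keys, without the object-count caps example.yaml sets (`pods`, `secrets`, `services.nodeports: "0"`, `services.loadbalancers: "0"`), so a NodePort or LoadBalancer Service can still be created here. Quantities are mixed-quoted (`requests.cpu: "8"` vs `requests.memory: 24Gi`); quote them uniformly.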
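Review bot: msg-messenger-core-api-network-policy.yaml starts directly with `apiVersion:` while every other file in the commit opens with `---`; add the document-start marker so yamllint and multi-document tooling treat the files alike (openresty-network-policy.yaml has the same omission). The egress rule pins the database by `cidr: 10.2.40.5/32` with `# pg-db-test.avroid.tech` as the only record of what it is, and the policy will keep matching the old address silently if that host moves; expand the comment to say who owns the mapping and when it was checked, e.g. `# pg-db-test.avroid.tech (10.2.40.5) — verified <date>; update this /32 when the DB host changes`, where `<date>` is filled in by the author.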
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/openresty-network-policy.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: openresty-in
+ namespace: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: openresty
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8081
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: openresty-out
+ namespace: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: openresty
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: msg-messenger-core-api
+ ports:
+ - port: 8000
+ protocol: TCP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
deleted file mode 100644
index 2a67ec0..0000000
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: tavro-cloud-dev
- labels:
- name: tavro-cloud-dev
- app.kubernetes.io/managed-by: manual
- annotations:
- scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
deleted file mode 100644
index cb29214..0000000
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ResourceQuota
-metadata:
- name: tavro-cloud-dev
- labels:
- app.kubernetes.io/managed-by: manual
-spec:
- hard:
- requests.cpu: "8"
- requests.memory: 24Gi
- limits.cpu: "16"
- limits.memory: 32Gi
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev.yaml
new file mode 100644
index 0000000..46fc608
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev.yaml
@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tavro-cloud-dev
+ labels:
+ name: tavro-cloud-dev
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: "nodetype=worker"
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: tavro-cloud-dev
+ namespace: tavro-cloud-dev
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ hard:
+ configmaps: "100"
+ limits.cpu: "5"
+ limits.memory: 13Gi
+ persistentvolumeclaims: "1"
+ pods: "100"
+ requests.cpu: "3"
+ requests.memory: "10Gi"
+ requests.storage: "2Gi"
+ resourcequotas: "1"
+ secrets: "100"
+ services: "100"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: tavro-cloud-dev-common
+ namespace: tavro-cloud-dev
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress: []
+ egress:
+ - to:
+ - ipBlock:
+ # vault.avroid.tech
+ cidr: 10.18.3.7/32
+ ports:
+ - port: 443
+ protocol: TCP
+ - ports:
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
deleted file mode 100644
index 911f1cb..0000000
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
+++ /dev/null
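Review bot: In `tavro-cloud-dev-common` the second egress rule (`- ports:` with `port: 53` TCP and UDP) has no `to:`, so every pod in the namespace may talk on port 53 to any address inside or outside the cluster — exactly the channel DNS-tunnelling exfiltration uses and one a default-deny is meant to close; restrict the rule to the cluster DNS pods as below, adjusting the selector to how DNS is labelled in this cluster. Two behaviour changes in what is presented as a file merge are not mentioned in the commit message: the node selector moves from `node-role.kubernetes.io/worker=` (deleted tavro-cloud-dev-namespace.yaml) to `"nodetype=worker"`, and the quota drops from 8/24Gi requests and 16/32Gi limits to 3/10Gi and 5/13Gi — confirm the nodes carry the new label and that current usage fits, since existing pods are not evicted but new ones will be rejected or stay Pending. The common NetworkPolicy also lacks the `app.kubernetes.io/managed-by: manual` label the Namespace and ResourceQuota carry, and `requests.memory: "10Gi"` is quoted while `limits.memory: 13Gi` is not.
```yaml
  egress:
    # … unchanged: the vault.avroid.tech 10.18.3.7/32 port-443 rule …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # adjust to the DNS pods' labels in this cluster
      ports:
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
```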
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: vault-infra
- labels:
- name: vault-infra
- app.kubernetes.io/managed-by: manual
- annotations:
- scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra.yaml
new file mode 100644
index 0000000..d3d5524
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vault-infra
+ labels:
+ name: vault-infra
+ app.kubernetes.io/managed-by: manual
+ annotations:
+ scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: vault-infra
+ namespace: vault-infra
+ labels:
+ app.kubernetes.io/managed-by: manual
+spec:
+ hard:
+ configmaps: "10"
+ limits.cpu: "4"
+ limits.memory: 2Gi
+ persistentvolumeclaims: "1"
+ pods: "10"
+ requests.cpu: "3"
+ requests.memory: 1Gi
+ resourcequotas: "1"
+ secrets: "10"
+ services: "1"
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
index 8daf9f8..34b4f62 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
@@ -1 +1,9 @@
-# helm upgrade -n vault-infra --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
+# helm upgrade -n vault-infra -f values.yaml --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
+
+resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 50m
+ memory: 25Mi
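Review bot: vault-infra.yaml adds the Namespace and a ResourceQuota but no NetworkPolicy, although this namespace hosts the vault-secrets-webhook configured in values.yaml of the same commit and, by its name, the cluster's secret-injection path; example.yaml defines the `deny-all` baseline in this commit and vault-infra is the namespace where that baseline matters most, with an explicit allow for the webhook's admission traffic and its Vault egress on top. The quota caps `services: "1"`, which has to cover every Service the chart and anything else deployed here creates — an exceeded count quota rejects the object at admission, so confirm against the rendered chart before applying. Quoting is mixed once more (`limits.memory: 2Gi` and `requests.memory: 1Gi` plain, the rest quoted).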
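Review bot: `resources.limits.memory: 50Mi` is a hard ceiling on a mutating admission webhook; if the pod is OOM-killed under load, whether pod creation in the namespaces it serves fails closed or silently skips secret injection depends on the webhook's failurePolicy, which this values file does not set and which I cannot see here. Record the sizing basis next to the block, e.g. `# limits sized from observed usage on <date>; failurePolicy left at the chart default`, with `<date>` filled in by the author, and verify the figure against the running pod before relying on it.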