[DO-1496] add limits and network-policy (!4)

схлопнул networkpolicy limits и namespace в один файл и назвал его так же как namespace

Co-authored-by: Rustam Tagaev <rustam.tagaev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/4
Reviewed-by: Denis Patrakeev <denis.patrakeev@avroid.team>
Co-authored-by: Rustam Tagaev <rustam.tagaev@avroid.team>
Co-committed-by: Rustam Tagaev <rustam.tagaev@avroid.team>

clusters/k8s-avroid-office.prod.local/namespaces/example/example.yaml

@@ -0,0 +1,51 @@
+---
+# создаем namespace
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: example
+  labels:
+    name: example
+
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: "nodetype=worker"
+---
+# выделяем лимиты на текущий namespace
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: example
+  namespace: example
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  hard:
+    configmaps:             "100"
+    limits.cpu:             "16"
+    limits.memory:          32Gi
+    persistentvolumeclaims: "1"
+    pods:                   "100"
+    replicationcontrollers: "0"
+    requests.cpu:           "8"
+    requests.memory:        "24Gi"
+    requests.storage:       "2Gi"
+    resourcequotas:         "1"
+    secrets:                "100"
+    services:               "100"
+    services.loadbalancers: "0"
+    services.nodeports:     "0"
+---
+# запрещаем все для текущего namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-all
+  namespace: example
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress: []
+  egress: []

clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/argo-values.yaml

@@ -0,0 +1 @@
+# тут будут values для приложений которые развернуты через argo

clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/super-service-network-policy.yaml

@@ -0,0 +1,52 @@
+---
+# разрещаем сервису принимать входящие запросы на порт 8080
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: super-service-in
+  namespace: example
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: super-service
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 8080
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: super-service-out
+  namespace: example
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: super-service
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        # пример для внутренних ресурсов
+        # разрещаем сервису отправлять запросы на порт 8000 сервиса superman
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: superman
+      ports:
+        - port: 8000
+          protocol: TCP
+    - to:
+        - ipBlock:
+            # пример для внешних ресурсов
+            # тут пишем название домена например test.avroid.tech домен резолвится в 192.168.1.2
+            # для того что бы понимать куда смотрит ip
+            cidr: 192.168.1.2/32
+      ports:
+        - port: 80
+          protocol: TCP

clusters/k8s-avroid-office.prod.local/namespaces/example/super-service/values.yaml

@@ -0,0 +1 @@
+# тут будут values от helm

clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: sandbox
-  labels:
-    name: sandbox
-    app.kubernetes.io/managed-by: manual
-  annotations:
-    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=

clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: sandbox
-  labels:
-    app.kubernetes.io/managed-by: manual
-spec:
-  hard:
-    requests.cpu: "8"
-    requests.memory: 24Gi
-    limits.cpu: "16"
-    limits.memory: 32Gi

clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sandbox
+  labels:
+    name: sandbox
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: sandbox
+  namespace: sandbox
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  hard:
+    requests.cpu: "8"
+    requests.memory: 24Gi
+    limits.cpu: "16"
+    limits.memory: 32Gi

clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/msg-messenger-core-api/msg-messenger-core-api-network-policy.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: msg-messenger-core-api-in
+  namespace: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: msg-messenger-core-api
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 8000
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: msg-messenger-core-api-out
+  namespace: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: msg-messenger-core-api
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            # pg-db-test.avroid.tech
+            cidr: 10.2.40.5/32
+      ports:
+        - port: 5432
+          protocol: TCP

clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/openresty-network-policy.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: openresty-in
+  namespace: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: openresty
+  policyTypes:
+    - Ingress
+  ingress:
+    - ports:
+        - port: 8081
+          protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: openresty-out
+  namespace: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: openresty
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: msg-messenger-core-api
+      ports:
+        - port: 8000
+          protocol: TCP

clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: tavro-cloud-dev
-  labels:
-    name: tavro-cloud-dev
-    app.kubernetes.io/managed-by: manual
-  annotations:
-    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=

clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: v1
-kind: ResourceQuota
-metadata:
-  name: tavro-cloud-dev
-  labels:
-    app.kubernetes.io/managed-by: manual
-spec:
-  hard:
-    requests.cpu: "8"
-    requests.memory: 24Gi
-    limits.cpu: "16"
-    limits.memory: 32Gi

clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tavro-cloud-dev
+  labels:
+    name: tavro-cloud-dev
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: "nodetype=worker"
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: tavro-cloud-dev
+  namespace: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  hard:
+    configmaps: "100"
+    limits.cpu: "5"
+    limits.memory: 13Gi
+    persistentvolumeclaims: "1"
+    pods: "100"
+    requests.cpu: "3"
+    requests.memory: "10Gi"
+    requests.storage: "2Gi"
+    resourcequotas: "1"
+    secrets: "100"
+    services: "100"
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: tavro-cloud-dev-common
+  namespace: tavro-cloud-dev
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress: []
+  egress:
+    - to:
+        - ipBlock:
+            # vault.avroid.tech
+            cidr: 10.18.3.7/32
+      ports:
+        - port: 443
+          protocol: TCP
+    - ports:
+        - port: 53
+          protocol: TCP
+        - port: 53
+          protocol: UDP

clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: vault-infra
-  labels:
-    name: vault-infra
-    app.kubernetes.io/managed-by: manual
-  annotations:
-    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=

clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-infra
+  labels:
+    name: vault-infra
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: vault-infra
+  namespace: vault-infra
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  hard:
+    configmaps: "10"
+    limits.cpu: "4"
+    limits.memory: 2Gi
+    persistentvolumeclaims: "1"
+    pods: "10"
+    requests.cpu: "3"
+    requests.memory: 1Gi
+    resourcequotas: "1"
+    secrets: "10"
+    services: "1"

clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml

@@ -1 +1,9 @@
-# helm upgrade -n vault-infra --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
+# helm upgrade -n vault-infra -f values.yaml --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 50Mi
+  requests:
+    cpu: 50m
+    memory: 25Mi