From 9733394788ad7dba7ce3ee62d0e27cd8ab5ece41 Mon Sep 17 00:00:00 2001
From: bobjwalker
Date: Mon, 16 Oct 2023 15:23:45 -0500
Subject: [PATCH] Simplified RBAC, changed from Load Balancer to Ingress + IP

---
k8s/create-dev-service-account-token.yaml | 8 ---
k8s/create-namespace.yaml | 4 ++
k8s/create-prod-service-account-token.yaml | 8 ---
... => create-service-account-and-token.yaml} | 28 +++++----
k8s/create-staging-namespace-and-role.yaml | 63 -------------------
k8s/create-staging-service-account-token.yaml | 8 ---
k8s/create-test-namespace-and-role.yaml | 62 ------------------
k8s/create-test-service-account-token.yaml | 8 ---
k8s/trident-app.yaml | 29 +++++++-
src/Trident.sln | 9 +--
10 files changed, 46 insertions(+), 181 deletions(-)
delete mode 100644 k8s/create-dev-service-account-token.yaml
create mode 100644 k8s/create-namespace.yaml
delete mode 100644 k8s/create-prod-service-account-token.yaml
rename k8s/{create-prod-namespace-and-role.yaml => create-service-account-and-token.yaml} (67%)
delete mode 100644 k8s/create-staging-namespace-and-role.yaml
delete mode 100644 k8s/create-staging-service-account-token.yaml
delete mode 100644 k8s/create-test-namespace-and-role.yaml
delete mode 100644 k8s/create-test-service-account-token.yaml

diff --git a/k8s/create-dev-service-account-token.yaml b/k8s/create-dev-service-account-token.yaml
deleted file mode 100644
index 7bc79b9..0000000
--- a/k8s/create-dev-service-account-token.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: octopus-dev-token
- namespace: dev
- annotations:
- kubernetes.io/service-account.name: octopus-dev
-type: kubernetes.io/service-account-token
\ No newline at end of file
diff --git a/k8s/create-namespace.yaml b/k8s/create-namespace.yaml
new file mode 100644
index 0000000..6afbd99
--- /dev/null
+++ b/k8s/create-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: testing
\ No newline at end of file
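Review bot: The namespace this new file creates, `testing`, is not referenced anywhere else in the commit: the ServiceAccount, token Secret and ClusterRoleBinding subject in create-service-account-and-token.yaml all say `namespace: default`, and the Service and Ingress in trident-app.yaml carry no namespace at all. If the workload is meant to land in `testing`, those manifests need `namespace: testing` in their metadata; otherwise this file provisions an empty namespace nothing uses. Documenting the intent at the top of the file would settle it, e.g. `# target namespace for the trident workload; keep in sync with trident-app.yaml`. The file also ends without a trailing newline (`\ No newline at end of file`).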
diff --git a/k8s/create-prod-service-account-token.yaml b/k8s/create-prod-service-account-token.yaml deleted file mode 100644 index b39e776..0000000 --- a/k8s/create-prod-service-account-token.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: octopus-prod-token - namespace: prod - annotations: - kubernetes.io/service-account.name: octopus-prod -type: kubernetes.io/service-account-token \ No newline at end of file diff --git a/k8s/create-prod-namespace-and-role.yaml b/k8s/create-service-account-and-token.yaml similarity index 67% rename from k8s/create-prod-namespace-and-role.yaml rename to k8s/create-service-account-and-token.yaml index c26502d..d081e08 100644 --- a/k8s/create-prod-namespace-and-role.yaml +++ b/k8s/create-service-account-and-token.yaml @@ -1,19 +1,23 @@ apiVersion: v1 -kind: Namespace +kind: ServiceAccount metadata: - name: prod + name: octopus-svc-account + namespace: default --- apiVersion: v1 -kind: ServiceAccount +kind: Secret metadata: - name: octopus-prod - namespace: prod + name: octopus-svc-account-token + namespace: default + annotations: + kubernetes.io/service-account.name: octopus-svc-account +type: kubernetes.io/service-account-token --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: octopus-prod-role - namespace: prod + name: octopus-svc-account-role + namespace: default rules: - apiGroups: - "" @@ -23,7 +27,7 @@ rules: - extensions - policy - rbac.authorization.k8s.io - - secret + - secrets resources: - pods - componentstatuses 
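Review bot: In the `@@ -23,7 +27,7 @@` hunk of create-service-account-and-token.yaml, changing `- secret` to `- secrets` under `apiGroups` grants nothing: `secrets` is a resource of the core API group (`""`), not an API group, so the entry is ignored exactly as `secret` was, and access to Secrets is already conferred by `""` in `apiGroups` together with `secrets` under `resources` (visible in the deleted staging/test siblings and presumably present in this file's resource list below the hunk). Drop the line, or if it is kept on purpose add a comment saying why. In the first hunk, `namespace: default` under the ClusterRole's `metadata` is likewise ignored because ClusterRole is cluster-scoped; leaving it in suggests a namespace restriction that does not exist, so either remove it or switch to a namespaced `Role` if that restriction is what is wanted. The `rules:` list continues beyond both hunks.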
@@ -52,12 +56,12 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: octopus-prod-role-binding + name: octopus-namespace-role-binding subjects: -- namespace: prod +- namespace: default kind: ServiceAccount - name: octopus-prod + name: octopus-svc-account roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: octopus-prod-role \ No newline at end of file + name: octopus-svc-account-role \ No newline at end of file diff --git a/k8s/create-staging-namespace-and-role.yaml b/k8s/create-staging-namespace-and-role.yaml deleted file mode 100644 index e986f55..0000000 --- a/k8s/create-staging-namespace-and-role.yaml +++ /dev/null @@ -1,63 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: staging ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: octopus-staging - namespace: staging ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: octopus-staging-role - namespace: staging -rules: - - apiGroups: - - "" - - apps - - autoscaling - - batch - - extensions - - policy - - rbac.authorization.k8s.io - - secret - resources: - - pods - - componentstatuses - - configmaps - - daemonsets - - deployments - - events - - endpoints - - horizontalpodautoscalers - - ingress - - jobs - - limitranges - - namespaces - - nodes - - pods - - persistentvolumes - - persistentvolumeclaims - - resourcequotas - - replicasets - - replicationcontrollers - - serviceaccounts - - services - - secrets - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: octopus-staging-role-binding -subjects: -- namespace: staging - kind: ServiceAccount - name: octopus-staging -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: octopus-staging-role \ No newline at end of file 
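Review bot: The ClusterRoleBinding in this hunk keeps the consolidated `octopus-svc-account` cluster-wide: `namespace: default` on the subject only says where the ServiceAccount lives, not where it may act, and the ClusterRole it references (whose rules, judging by the deleted staging/test copies, allow create/update/patch/delete on secrets, serviceaccounts, namespaces and nodes) applies to every namespace. Collapsing four accounts into one therefore simplifies the manifests but does not reduce privilege; if the account only needs to deploy into one namespace, a `RoleBinding` in that namespace referencing the same ClusterRole confines it without editing the rules. The `kubernetes.io/service-account-token` Secret created earlier in this file is a non-expiring credential, which is worth stating next to it, e.g. `# long-lived token: rotate if exposed; prefer a short-lived TokenRequest token where the consumer supports it`. On naming, the binding is `octopus-namespace-role-binding` while the account and role are `octopus-svc-account*`; `name: octopus-svc-account-role-binding` keeps the family consistent.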
diff --git a/k8s/create-staging-service-account-token.yaml b/k8s/create-staging-service-account-token.yaml deleted file mode 100644 index 8ff4367..0000000 --- a/k8s/create-staging-service-account-token.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: octopus-staging-token - namespace: staging - annotations: - kubernetes.io/service-account.name: octopus-staging -type: kubernetes.io/service-account-token \ No newline at end of file diff --git a/k8s/create-test-namespace-and-role.yaml b/k8s/create-test-namespace-and-role.yaml deleted file mode 100644 index 02166b0..0000000 --- a/k8s/create-test-namespace-and-role.yaml +++ /dev/null @@ -1,62 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: test ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: octopus-test - namespace: test ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: octopus-test-role - namespace: test -rules: - - apiGroups: - - "" - - apps - - autoscaling - - batch - - extensions - - policy - - rbac.authorization.k8s.io - resources: - - pods - - componentstatuses - - configmaps - - daemonsets - - deployments - - events - - endpoints - - horizontalpodautoscalers - - ingress - - jobs - - limitranges - - namespaces - - nodes - - pods - - persistentvolumes - - persistentvolumeclaims - - resourcequotas - - replicasets - - replicationcontrollers - - serviceaccounts - - services - - secrets - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: octopus-test-role-binding -subjects: -- namespace: test - kind: ServiceAccount - name: octopus-test -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: octopus-test-role \ No newline at end of file diff --git a/k8s/create-test-service-account-token.yaml b/k8s/create-test-service-account-token.yaml deleted file mode 100644 index f8fc4b8..0000000 
--- a/k8s/create-test-service-account-token.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: octopus-test-token - namespace: test - annotations: - kubernetes.io/service-account.name: octopus-test -type: kubernetes.io/service-account-token \ No newline at end of file diff --git a/k8s/trident-app.yaml b/k8s/trident-app.yaml index a434dfb..68682ea 100644 --- a/k8s/trident-app.yaml +++ b/k8s/trident-app.yaml @@ -37,13 +37,32 @@ spec: apiVersion: v1 kind: Service metadata: - name: trident-loadbalancer-service + name: trident-app-cluster-ip-service spec: + type: ClusterIP selector: component: trident-web ports: - - port: 5000 - targetPort: 5000 - name: http-port - type: LoadBalancer + - port: 6800 + targetPort: 5000 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: trident-ingress-nginx + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 +spec: + rules: + - host: trident.local + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: trident-app-cluster-ip-service + port: + number: 6800 + \ No newline at end of file diff --git a/src/Trident.sln b/src/Trident.sln index 77ddde9..d7fa480 100644 --- a/src/Trident.sln +++ b/src/Trident.sln 
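Review bot: The Ingress added in the trident-app.yaml hunk sets `nginx.ingress.kubernetes.io/rewrite-target: /$1` but its only rule is `path: /` with `pathType: Prefix`, which has no capture group, so `$1` has nothing to expand to and ingress-nginx rewrites every request under `trident.local/...` to `/`, breaking any path below the root. Either remove the annotation (a `Prefix` path of `/` needs no rewrite) or, if a rewrite is really intended, use a regex path such as `path: /(.*)` together with `nginx.ingress.kubernetes.io/use-regex: "true"`. The Ingress also has no `spec.ingressClassName`, so which controller honours it depends on the cluster's default class; `ingressClassName: nginx` makes the nginx-specific annotation meaningful. There is no `tls:` stanza, so `trident.local` is served over plain HTTP, which should at least be documented as a dev-only setup. The final added line is whitespace-only and the file still ends without a newline.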
@@ -8,13 +8,8 @@ EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "K8s", "K8s", "{742F9EEC-0930-416A-9EC0-AEB915E0B2F0}" ProjectSection(SolutionItems) = preProject ..\k8s\create-dev-namespace-and-role.yaml = ..\k8s\create-dev-namespace-and-role.yaml - ..\k8s\create-dev-service-account-token.yaml = ..\k8s\create-dev-service-account-token.yaml - ..\k8s\create-prod-namespace-and-role.yaml = ..\k8s\create-prod-namespace-and-role.yaml - ..\k8s\create-prod-service-account-token.yaml = ..\k8s\create-prod-service-account-token.yaml - ..\k8s\create-staging-namespace-and-role.yaml = ..\k8s\create-staging-namespace-and-role.yaml - ..\k8s\create-staging-service-account-token.yaml = ..\k8s\create-staging-service-account-token.yaml - ..\k8s\create-test-namespace-and-role.yaml = ..\k8s\create-test-namespace-and-role.yaml - ..\k8s\create-test-service-account-token.yaml = ..\k8s\create-test-service-account-token.yaml + ..\k8s\create-namespace.yaml = ..\k8s\create-namespace.yaml + ..\k8s\create-service-account-and-token.yaml = ..\k8s\create-service-account-and-token.yaml ..\k8s\trident-app.yaml = ..\k8s\trident-app.yaml EndProjectSection EndProject
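Review bot: `..\k8s\create-dev-namespace-and-role.yaml` stays listed as a context line, and the diffstat shows that file untouched, so after this commit the repository still carries a dev Namespace/ServiceAccount/ClusterRole set (presumably mirroring the deleted staging/test files) next to the new `octopus-svc-account`. If the single account is meant to replace the per-environment ones, the dev manifest should be removed in the same change, otherwise a second privileged identity remains provisioned whose token file (`create-dev-service-account-token.yaml`) this commit deletes. If it is kept deliberately, a short note in the commit description explaining why would help the next reader. The ProjectSection continues outside the hunk.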