├── .DS_Store
├── .github
    └── workflows
    │   └── blank.yml
├── .gitignore
├── .vscode
    ├── configurationCache.log
    ├── dryrun.log
    └── targets.log
├── Bare-Metal
    ├── EquinixMetal
    │   ├── equinixprovider
    │   │   ├── main.tf
    │   │   └── variables.tf
    │   └── requirements.md
    ├── kubeadm-automated
    │   ├── controlPlaneScript.sh
    │   └── workerNodeScript.sh
    ├── kubeadm-cilium
    │   ├── control_plane_setup.sh
    │   ├── install_control_plane.sh
    │   ├── install_worker_node.sh
    │   └── storageClass.yaml
    └── kubeadm
    │   ├── containerd_control_plane.sh
    │   ├── control_plane_setup.sh
    │   ├── flannel.yaml
    │   ├── install_control_plane.sh
    │   ├── install_worker_node.sh
    │   ├── instructions_for_kubeadm
    │       └── kubeadm_on_equinix
    │       │   └── read.md
    │   └── joincommands.md
├── Google
    ├── GKE-Autopilot
    │   ├── main.tf
    │   └── variables.tf
    ├── GKE-Network-Policy-Enabled
    │   ├── main.tf
    │   └── variables.tf
    ├── GKE
    │   ├── main.tf
    │   └── variables.tf
    ├── anthos-bare-metal
    │   └── anthos.md
    ├── anthos-in-the-cloud
    │   ├── docs.md
    │   ├── main.tf
    │   └── variables.tf
    ├── authenticate_to_google
    │   └── instructions.sh
    └── prereqs.md
├── Linode
    ├── Consul
    │   ├── consul.yaml
    │   └── consulservicemesh.sh
    ├── commands.sh
    ├── main.tf
    └── variables.tf
├── alaz.yaml
├── alaz.yaml-e
├── aws
    ├── cloudwatch-agent-container-insights
    │   └── install.sh
    ├── connect-to-eks-cluster.sh
    ├── ecs
    │   ├── cluster
    │   │   └── main.tf
    │   └── workload
    │   │   └── main.tf
    ├── eks-auto-mode
    │   ├── main.tf
    │   ├── roles
    │   │   └── main.tf
    │   └── variables.tf
    ├── eks-bottlerocket
    │   ├── main.tf
    │   └── variables.tf
    ├── eks-fargate
    │   ├── main.tf
    │   └── variables.tf
    ├── eks-private-cluster
    │   ├── main.tf
    │   └── variables.tf
    ├── eks-with-cilium-cni
    │   ├── cilium
    │   │   └── helm.md
    │   ├── main.tf
    │   └── variables.tf
    └── eks
    │   ├── main.tf
    │   └── variables.tf
├── azure
    ├── aks-calico
    │   ├── main.tf
    │   └── variables.tf
    ├── aks-cilium
    │   ├── main.tf
    │   └── variables.tf
    ├── aks-rbac-enabled
    │   ├── main.tf
    │   └── variables.tf
    ├── aks-with-virtual-kubelet
    │   ├── instructions.md
    │   ├── main.tf
    │   └── variables.tf
    └── aks
    │   ├── Wasm
    │       └── wasm.sh
    │   ├── kubernetes_export_sa.sh
    │   ├── main.tf
    │   ├── startcluster.ps1
    │   ├── stopcluster.ps1
    │   ├── tmp
    │       ├── ca.crt
    │       └── k8s-cd-user-devtroncd-conf-31406.conf
    │   └── variables.tf
├── cfg
    ├── ack-1.0
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── etcd.yaml
    │   ├── managedservices.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
    ├── aks-1.0
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── managedservices.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
    ├── cis-1.5
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── etcd.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
    ├── cis-1.6
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── etcd.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
    ├── config.yaml
    ├── eks-1.0
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── managedservices.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
    ├── gke-1.0
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── etcd.yaml
    │   ├── managedservices.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
    ├── rh-0.7
    │   ├── config.yaml
    │   ├── master.yaml
    │   └── node.yaml
    └── rh-1.0
    │   ├── config.yaml
    │   ├── controlplane.yaml
    │   ├── etcd.yaml
    │   ├── master.yaml
    │   ├── node.yaml
    │   └── policies.yaml
├── deployment.yaml
├── env0
    └── eks-fargate
    │   └── main.tf
├── get_helm.sh
├── images
    └── k8s.png
├── kube-bench_0.6.2_linux_amd64.tar.gz
├── readme.md
├── value2.yaml
└── values.yaml


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/7b9cb39375efefc90c345a7d07799c945520ed85/.DS_Store


--------------------------------------------------------------------------------
/.github/workflows/blank.yml:
--------------------------------------------------------------------------------
 1 | name: GKE Kubernetes Deployment
 2 | 
 3 | on:
 4 |   workflow_dispatch:
 5 | 
 6 | jobs:
 7 |   build:
 8 |     runs-on: ubuntu-latest
 9 | 
10 |     steps:
11 |       - uses: actions/checkout@v3
12 | 
13 |       - name: Setup Terraform
14 |         uses: hashicorp/setup-terraform@v1
15 | 
16 |       - name: Set up gcloud Cloud SDK environment
17 |         uses: google-github-actions/setup-gcloud@v0.6.0
18 |         with:
19 |           service_account_email:
20 |           service_account_key:
21 |           project_id:
22 | 
23 |       - name: Terraform Init
24 |         working-directory: where_the_gke_code_lives
25 |         run: terraform init
26 |         
27 |       - name: Terraform Format
28 |         working-directory: where_the_gke_code_lives
29 |         run: terraform fmt
30 | 
31 |       - name: Terraform Plan
32 |         working-directory: where_the_gke_code_lives
33 |         run: terraform plan
34 | 
35 |       - name: Terraform Apply
36 |         working-directory: where_the_gke_code_lives
37 |         run: terraform apply -auto-approve
38 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | **aws-orb**
 2 | 
 3 | # Local .terraform directories
 4 | **/.terraform/*
 5 | 
 6 | # .tfstate files
 7 | *.tfstate
 8 | *.tfstate.*
 9 | 
10 | # Crash log files
11 | crash.log
12 | 
13 | # Locks
14 | *lock.hcl
15 | 
16 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
17 | # .tfvars files are managed as part of configuration and so should be included in
18 | # version control.
19 | #
20 | # example.tfvars
21 | 
22 | # Ignore override files as they are usually used to override resources locally and so
23 | # are not checked in
24 | override.tf
25 | override.tf.json
26 | *_override.tf
27 | *_override.tf.json
28 | 
29 | # Include override files you do wish to add to version control using negated pattern
30 | #
31 | # !example_override.tf
32 | 
33 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
34 | # example: *tfplan*
35 | 
36 | *karpenter*


--------------------------------------------------------------------------------
/.vscode/configurationCache.log:
--------------------------------------------------------------------------------
1 | {"buildTargets":[],"launchTargets":[],"customConfigurationProvider":{"workspaceBrowse":{"browsePath":[],"compilerArgs":[]},"fileIndex":[]}}


--------------------------------------------------------------------------------
/.vscode/dryrun.log:
--------------------------------------------------------------------------------
1 | make --dry-run --always-make --keep-going --print-directory
2 | make: Entering directory `/Users/michael/gitrepos/Kubernetes-Quickstart-Environments'
3 | make: Leaving directory `/Users/michael/gitrepos/Kubernetes-Quickstart-Environments'
4 |  
5 | make: *** No targets specified and no makefile found.  Stop.
6 | 
7 | 


--------------------------------------------------------------------------------
/.vscode/targets.log:
--------------------------------------------------------------------------------
  1 | make all --print-data-base --no-builtin-variables --no-builtin-rules --question
  2 | # GNU Make 3.81
  3 | # Copyright (C) 2006  Free Software Foundation, Inc.
  4 | # This is free software; see the source for copying conditions.
  5 | # There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
  6 | # PARTICULAR PURPOSE.
  7 | 
  8 | # This program built for i386-apple-darwin11.3.0
  9 |  
 10 | make: *** No rule to make target `all'.  Stop.
 11 | 
 12 | 
 13 | # Make data base, printed on Wed Aug 24 13:51:01 2022
 14 | 
 15 | # Variables
 16 | 
 17 | # automatic
 18 | <D = $(patsubst %/,%,$(dir $<))
 19 | # automatic
 20 | ?F = $(notdir $?)
 21 | # automatic
 22 | ?D = $(patsubst %/,%,$(dir $?))
 23 | # automatic
 24 | @D = $(patsubst %/,%,$(dir $@))
 25 | # automatic
 26 | @F = $(notdir $@)
 27 | # makefile
 28 | CURDIR := /Users/michael/gitrepos/Kubernetes-Quickstart-Environments
 29 | # makefile
 30 | SHELL = /bin/sh
 31 | # environment
 32 | VSCODE_NLS_CONFIG = {"locale":"en-us","availableLanguages":{},"_languagePackSupport":true}
 33 | # environment
 34 | _ = /usr/bin/make
 35 | # environment
 36 | sonobuoy = /Users/michael/sonobuoyapp/sonobuoy
 37 | # makefile
 38 | MAKEFILE_LIST := 
 39 | # environment
 40 | __CFBundleIdentifier = com.microsoft.VSCode
 41 | # environment
 42 | INFOPATH = /opt/homebrew/share/info:
 43 | # environment
 44 | VSCODE_CWD = /
 45 | # environment
 46 | PATH = /opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/usr/local/go/bin:/usr/local/share/dotnet:~/.dotnet/tools:/Library/Frameworks/Mono.framework/Versions/Current/Commands
 47 | # environment
 48 | LSCOLORS = Gxfxcxdxbxegedabagacad
 49 | # environment
 50 | ELECTRON_RUN_AS_NODE = 1
 51 | # default
 52 | .FEATURES := target-specific order-only second-expansion else-if archives jobserver check-symlink
 53 | # environment
 54 | SSH_AUTH_SOCK = /private/tmp/com.apple.launchd.fPw2EfskpR/Listeners
 55 | # automatic
 56 | %F = $(notdir $%)
 57 | # environment
 58 | PWD = /Users/michael/gitrepos/Kubernetes-Quickstart-Environments
 59 | # environment
 60 | HOMEBREW_CELLAR = /opt/homebrew/Cellar
 61 | # environment
 62 | ORIGINAL_XDG_CURRENT_DESKTOP = undefined
 63 | # environment
 64 | MANPATH = /opt/homebrew/share/man::
 65 | # environment
 66 | VSCODE_AMD_ENTRYPOINT = vs/workbench/api/node/extensionHostProcess
 67 | # environment
 68 | HOME = /Users/michael
 69 | # default
 70 | MAKEFILEPATH = $(shell /usr/bin/xcode-select -print-path 2>/dev/null || echo /Developer)/Makefiles
 71 | # environment
 72 | VSCODE_CODE_CACHE_PATH = /Users/michael/Library/Application Support/Code/CachedData/6d9b74a70ca9c7733b29f0456fd8195364076dda
 73 | # environment
 74 | LOGNAME = michael
 75 | # environment
 76 | APPLICATION_INSIGHTS_NO_DIAGNOSTIC_CHANNEL = 1
 77 | # environment
 78 | ZSH = /Users/michael/.oh-my-zsh
 79 | # environment
 80 | VSCODE_HANDLES_UNCAUGHT_ERRORS = true
 81 | # automatic
 82 | ^D = $(patsubst %/,%,$(dir $^))
 83 | # environment
 84 | XPC_FLAGS = 0x0
 85 | # default
 86 | MAKE = $(MAKE_COMMAND)
 87 | # default
 88 | MAKECMDGOALS := all
 89 | # environment
 90 | SHLVL = 1
 91 | # default
 92 | MAKE_VERSION := 3.81
 93 | # environment
 94 | USER = michael
 95 | # makefile
 96 | .DEFAULT_GOAL := 
 97 | # environment
 98 | LESS = -R
 99 | # automatic
100 | %D = $(patsubst %/,%,$(dir $%))
101 | # default
102 | MAKE_COMMAND := /Library/Developer/CommandLineTools/usr/bin/make
103 | # default
104 | .VARIABLES := 
105 | # environment
106 | TMPDIR = /var/folders/c7/m_mq7b7d6t37zt5fg7gg4hb80000gn/T/
107 | # automatic
108 | *F = $(notdir $*)
109 | # environment
110 | VSCODE_IPC_HOOK = /Users/michael/Library/Application Support/Code/1.70.1-main.sock
111 | # environment
112 | MallocNanoZone = 0
113 | # makefile
114 | MAKEFLAGS = Rrqp
115 | # environment
116 | MFLAGS = -Rrqp
117 | # automatic
118 | *D = $(patsubst %/,%,$(dir $*))
119 | # environment
120 | XPC_SERVICE_NAME = application.com.microsoft.VSCode.25155684.25155690
121 | # environment
122 | HOMEBREW_PREFIX = /opt/homebrew
123 | # automatic
124 | +D = $(patsubst %/,%,$(dir $+))
125 | # automatic
126 | +F = $(notdir $+)
127 | # environment
128 | HOMEBREW_REPOSITORY = /opt/homebrew
129 | # environment
130 | __CF_USER_TEXT_ENCODING = 0x1F5:0x0:0x0
131 | # environment
132 | COMMAND_MODE = unix2003
133 | # default
134 | MAKEFILES := 
135 | # automatic
136 | <F = $(notdir $<)
137 | # environment
138 | PAGER = less
139 | # environment
140 | LC_ALL = C
141 | # automatic
142 | ^F = $(notdir $^)
143 | # default
144 | SUFFIXES := 
145 | # default
146 | .INCLUDE_DIRS = /usr/local/include
147 |  
148 | # environment
149 | MAKELEVEL := 0
150 | # environment
151 | LANG = C
152 | # environment
153 | VSCODE_PID = 93451
154 | # variable set hash-table stats:
155 | # Load=68/1024=7%, Rehash=0, Collisions=1/89=1%
156 | 
157 | # Pattern-specific Variable Values
158 | 
159 | # No pattern-specific variable values.
160 | 
161 | # Directories
162 | 
163 | # . (device 16777232, inode 14333764): 15 files, no impossibilities.
164 | 
165 | # 15 files, no impossibilities in 1 directories.
166 | 
167 | # Implicit Rules
168 | 
169 | # No implicit rules.
170 | 
171 | # Files
172 | 
173 | # Not a target:
174 | all:
175 | #  Command-line target.
176 | #  Implicit rule search has been done.
177 | #  File does not exist.
178 | #  File has not been updated.
179 | # variable set hash-table stats:
180 | # Load=0/32=0%, Rehash=0, Collisions=0/0=0%
181 | 
182 | # Not a target:
183 | .SUFFIXES:
184 | #  Implicit rule search has not been done.
185 | #  Modification time never checked.
186 | #  File has not been updated.
187 | 
188 | # Not a target:
189 | Makefile:
190 | #  A default, MAKEFILES, or -include/sinclude makefile.
191 | #  Implicit rule search has been done.
192 | #  File does not exist.
193 | #  File has been updated.
194 | #  Failed to be updated.
195 | # variable set hash-table stats:
196 | # Load=0/32=0%, Rehash=0, Collisions=0/0=0%
197 | 
198 | # Not a target:
199 | makefile:
200 | #  A default, MAKEFILES, or -include/sinclude makefile.
201 | #  Implicit rule search has been done.
202 | #  File does not exist.
203 | #  File has been updated.
204 | #  Failed to be updated.
205 | # variable set hash-table stats:
206 | # Load=0/32=0%, Rehash=0, Collisions=0/0=0%
207 | 
208 | # Not a target:
209 | .DEFAULT:
210 | #  Implicit rule search has not been done.
211 | #  Modification time never checked.
212 | #  File has not been updated.
213 | 
214 | # Not a target:
215 | GNUmakefile:
216 | #  A default, MAKEFILES, or -include/sinclude makefile.
217 | #  Implicit rule search has been done.
218 | #  File does not exist.
219 | #  File has been updated.
220 | #  Failed to be updated.
221 | # variable set hash-table stats:
222 | # Load=0/32=0%, Rehash=0, Collisions=0/0=0%
223 | 
224 | # files hash-table stats:
225 | # Load=6/1024=1%, Rehash=0, Collisions=0/17=0%
226 | # VPATH Search Paths
227 | 
228 | # No `vpath' search paths.
229 | 
230 | # No general (`VPATH' variable) search path.
231 | 
232 | # # of strings in strcache: 0
233 | # # of strcache buffers: 0
234 | # strcache size: total = 0 / max = 0 / min = 4096 / avg = 0
235 | # strcache free: total = 0 / max = 0 / min = 4096 / avg = 0
236 | 
237 | # Finished Make data base on Wed Aug 24 13:51:01 2022
238 | 
239 |  
240 | 


--------------------------------------------------------------------------------
/Bare-Metal/EquinixMetal/equinixprovider/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     metal = {
 4 |       source = "equinix/metal"
 5 |       version = "3.3.0-alpha.3"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "metal" {
11 |   auth_token = var.token
12 | }
13 | 
14 | resource "metal_device" "k8sservers-controlplane" {
15 |   count = 2
16 |   project_id = var.project_id
17 |   hostname = "${var.hostname}-controlplane-${count.index}"
18 |   operating_system = var.OS
19 |   plan             = var.server_size
20 |   facilities       = [var.datacenter]
21 |   billing_cycle    = "hourly"
22 | 
23 |   ip_address {
24 |     type = "private_ipv4"
25 |     cidr = 30
26 |   }
27 | 
28 |   ip_address {
29 |     type = "public_ipv4"
30 |   }
31 | 
32 |   connection {
33 |     type     = "ssh"
34 |     user     = "root"
35 |     host     = self.access_public_ipv4
36 |     private_key = file("~/.ssh/id_rsa")
37 |     #host     = metal_device.k8sservers-controlplane.hostname
38 |   }
39 |   provisioner "file" {
40 |     source      = "../../kubeadm/install_control_plane.sh"
41 |     destination = "/root/install_control_plane.sh"
42 |   }
43 | 
44 |   provisioner "remote-exec" {
45 |     inline = [ 
46 |       "chmod 755 /root/install_control_plane.sh",
47 |       "/root/install_control_plane.sh",
48 |     ]
49 |   }
50 | }
51 | 
52 | resource "metal_device" "k8sservers-workernode" {
53 |   count = 3
54 |   project_id = var.project_id
55 |   hostname = "${var.hostname}-worker-${count.index}"
56 |   operating_system = var.OS
57 |   plan             = var.server_size
58 |   facilities       = [var.datacenter]
59 |   billing_cycle    = "hourly"
60 | 
61 |   ip_address {
62 |     type = "private_ipv4"
63 |     cidr = 30
64 |   }
65 | }
66 | 
67 | output "publicIP1" {
68 |   value = metal_device.k8sservers-controlplane[0].access_public_ipv4
69 | }
70 | 
71 | output "publicIP2" {
72 |   value = metal_device.k8sservers-controlplane[1].access_public_ipv4
73 | }
74 | 
75 | output "privateIP1" {
76 |   value = metal_device.k8sservers-controlplane[0].access_private_ipv4
77 | }
78 | 
79 | output "privateIP2" {
80 |   value = metal_device.k8sservers-controlplane[1].access_private_ipv4
81 | }


--------------------------------------------------------------------------------
/Bare-Metal/EquinixMetal/equinixprovider/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "server_size" {
 2 |   type = string
 3 |   default = "n2.xlarge.x86"
 4 | }
 5 | 
 6 | variable "datacenter" {
 7 |   type = string
 8 |   default = "ny5"
 9 | }
10 | 
11 | variable "OS" {
12 |   type = string
13 |   default = "ubuntu_21_04"
14 | }
15 | 
16 | variable "hostname" {
17 |   type = string
18 |   default = "k8stesting"
19 | }
20 | 
21 | variable "project_id" {
22 |   type = string
23 |   default = ""
24 | }
25 | 
26 | variable "token" {
27 |   type = string
28 |   sensitive = true
29 |   default = ""
30 | }
31 | 
32 | variable "public_ssh_key" {
33 |   type = string
34 |   default = ""
35 | }


--------------------------------------------------------------------------------
/Bare-Metal/EquinixMetal/requirements.md:
--------------------------------------------------------------------------------
 1 | 1. N2.xlarge.x86
 2 | 2. Five nodes minimum
 3 |    - Two control planes
 4 |    - Three worker nodes
 5 | 3. Ubuntu (or Windows for Worker Nodes)
 6 | 
 7 | ## References
 8 | - https://metal.equinix.com/developers/docs/operating-systems/supported/
 9 | - https://registry.terraform.io/providers/equinix/metal/latest/docs/resources/device
10 | - https://metal.equinix.com/developers/docs/libraries/cli/
11 | - https://github.com/equinix/terraform-provider-metal


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm-automated/controlPlaneScript.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | sudo apt update -y
 3 | 
 4 | sudo apt-get install -y apt-transport-https curl
 5 | 
 6 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 7 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
 8 | 
 9 | sudo apt update -y 
10 | 
11 | OS=xUbuntu_20.04
12 | VERSION=1.22
13 | 
14 | echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
15 | echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
16 | 
17 | curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
18 | curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
19 | 
20 | sudo apt update -y
21 | sudo apt install cri-o cri-o-runc -y
22 | 
23 | sudo systemctl daemon-reload
24 | sudo systemctl enable crio --now
25 | 
26 | apt-cache policy cri-o
27 | 
28 | swapoff -a
29 | 
30 | sudo modprobe overlay
31 | sudo modprobe br_netfilter
32 | 
33 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
34 | net.bridge.bridge-nf-call-ip6tables = 1
35 | net.bridge.bridge-nf-call-iptables = 1
36 | net.ipv4.ip_forward = 1
37 | EOF
38 | 
39 | sudo sysctl --system
40 | 
41 | sudo ufw allow 6443/tcp
42 | sudo ufw allow 2379:2380/tcp
43 | sudo ufw allow 10250/tcp
44 | sudo ufw allow 10259/tcp
45 | sudo ufw allow 10257/tcp


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm-automated/workerNodeScript.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | sudo apt update -y
 3 | 
 4 | sudo apt-get install -y apt-transport-https curl
 5 | 
 6 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 7 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
 8 | 
 9 | sudo apt update -y 
10 | 
11 | OS=xUbuntu_20.04
12 | VERSION=1.22
13 | 
14 | echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
15 | echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
16 | 
17 | curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
18 | curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
19 | 
20 | sudo apt update -y
21 | sudo apt install cri-o cri-o-runc -y
22 | 
23 | sudo systemctl daemon-reload
24 | sudo systemctl enable crio --now
25 | 
26 | apt-cache policy cri-o
27 | 
28 | swapoff -a
29 | 
30 | sudo modprobe overlay
31 | sudo modprobe br_netfilter
32 | 
33 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
34 | net.bridge.bridge-nf-call-ip6tables = 1
35 | net.bridge.bridge-nf-call-iptables = 1
36 | net.ipv4.ip_forward = 1
37 | EOF
38 | 
39 | sudo sysctl --system
40 | 
41 | sudo ufw allow 6443/tcp
42 | sudo ufw allow 30000:32767/tcp
43 | 
44 | sudo apt-get install -y kubelet kubeadm kubectl


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm-cilium/control_plane_setup.sh:
--------------------------------------------------------------------------------
 1 | # Define variables for the `kubeadm init` command. Examples below.
 2 | sudo su -
 3 | 
 4 | user=k8stest
 5 | pass='Password12!@'
 6 | sudo useradd -m -d /home/$user $user
 7 | sudo echo "$user:$pass" | chpasswd
 8 | usermod -aG sudo $user
 9 | 
10 | exit
11 | 
12 | 
13 | #######
14 | Depending on where you are deploying, you could either have just a public subnet, or a public and private subnet
15 | If you have just a public subnet, use the same value for the ip_address and publicIP, along with the CIDR range
16 | If you have a private and public subnet, use the public IP for the publicIP, the private IP for the ip_address, and the private IP range for the CIDR
17 | #######
18 | ip_address=192.168.1.46
19 | cidr=172.17.0.0/16
20 | publicIP=192.168.1.46
21 | 
22 | sudo kubeadm init --skip-phases=addon/kube-proxy --control-plane-endpoint $publicIP --apiserver-advertise-address $ip_address --pod-network-cidr=$cidr --upload-certs
23 | 
24 | #######
25 | 
26 | If you are deploying in the cloud, you may find yourself in a situation where the init fails because the Kubelet connect communicate with the API server
27 | 
28 | This typically happens in public clouds due to network restrictions
29 | 
30 | If it happens to you, open up the following ports: https://kubernetes.io/docs/reference/ports-and-protocols/
31 | 
32 | #######
33 | 
34 | # To start using your Kubernetes cluster, you need to configure your home user settings
35 | su -l k8stest
36 | mkdir -p $HOME/.kube
37 | sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
38 | sudo chown $(id -u):$(id -g) $HOME/.kube/config
39 | 
40 | ## Install Helm
41 | curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
42 | chmod 700 get_helm.sh
43 | ./get_helm.sh
44 | 
45 | ## Install Cilium
46 | helm repo add cilium https://helm.cilium.io/
47 | 
48 | helm install cilium cilium/cilium \
49 |     --namespace kube-system \
50 |     --set kubeProxyReplacement=true \
51 |     --set k8sServiceHost=192.168.1.100 \
52 |     --set k8sServicePort=6443


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm-cilium/install_control_plane.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | sudo apt update -y
 3 | 
 4 | # Install transport layer
 5 | sudo apt-get install -y apt-transport-https curl
 6 | 
 7 | # Install Kubernetes package on Ubuntu
 8 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 9 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
10 | 
11 | sudo apt update -y 
12 | 
13 | # Install and configure the CRI-O container runtime
14 | OS=xUbuntu_20.04
15 | VERSION=1.22
16 | 
17 | echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
18 | echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
19 | 
20 | curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
21 | curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
22 | 
23 | sudo apt update -y
24 | sudo apt install cri-o cri-o-runc -y
25 | 
26 | sudo systemctl daemon-reload
27 | sudo systemctl enable crio --now
28 | 
29 | # Check to see CRI-O is installed properly
30 | apt-cache policy cri-o
31 | 
32 | # Turn off swap
33 | swapoff -a
34 | 
35 | # sysctl settings and ip tables
36 | sudo modprobe overlay
37 | sudo modprobe br_netfilter
38 | 
39 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
40 | net.bridge.bridge-nf-call-ip6tables = 1
41 | net.bridge.bridge-nf-call-iptables = 1
42 | net.ipv4.ip_forward = 1
43 | EOF
44 | 
45 | sudo sysctl --system
46 | 
47 | # Install and configure Kubeadm
48 | sudo apt-get install -y kubelet kubeadm kubectl
49 | 
50 | sudo apt-mark hold kubelet kubeadm kubectl
51 | 


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm-cilium/install_worker_node.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | sudo apt update -y
 3 | 
 4 | # Install transport layer
 5 | sudo apt-get install -y apt-transport-https curl
 6 | 
 7 | # Install Kubernetes package on Ubuntu
 8 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 9 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
10 | 
11 | sudo apt update -y
12 | 
13 | sudo su -
14 | 
15 | # Install and configure the CRI-O container runtime
16 | OS=xUbuntu_20.04
17 | VERSION=1.22
18 | 
19 | echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
20 | echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
21 | 
22 | curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
23 | curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
24 | 
25 | exit
26 | 
27 | sudo apt update -y
28 | sudo apt install cri-o cri-o-runc -y
29 | 
30 | sudo systemctl daemon-reload
31 | sudo systemctl enable crio --now
32 | 
33 | # Check to see CRI-O is installed properly
34 | apt-cache policy cri-o
35 | 
36 | # Turn off swap
37 | swapoff -a
38 | 
39 | # sysctl settings and ip tables
40 | sudo modprobe overlay
41 | sudo modprobe br_netfilter
42 | 
43 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
44 | net.bridge.bridge-nf-call-ip6tables = 1
45 | net.bridge.bridge-nf-call-iptables = 1
46 | net.ipv4.ip_forward = 1
47 | EOF
48 | 
49 | sudo sysctl --system
50 | 
51 | # Install kubeadm
52 | sudo apt-get install -y kubelet kubeadm kubectl
53 | 


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm-cilium/storageClass.yaml:
--------------------------------------------------------------------------------
1 | kubectl apply -f - <<EOF
2 | apiVersion: storage.k8s.io/v1
3 | kind: StorageClass
4 | metadata:
5 |   name: local-storage
6 | provisioner: kubernetes.io/no-provisioner
7 | volumeBindingMode: Immediate
8 | EOF
9 | 


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/containerd_control_plane.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | sudo apt update -y
 3 | 
 4 | # Install transport layer
 5 | sudo apt-get install -y apt-transport-https curl
 6 | 
 7 | # Install Kubernetes package on Ubuntu
 8 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 9 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
10 | 
11 | sudo apt update -y
12 | 
13 | # Configure Containerd
14 | sudo tee /etc/modules-load.d/containerd.conf<<EOF
15 | overlay
16 | br_netfilter
17 | EOF
18 | 
19 | sudo sysctl --system
20 | 
21 | sudo apt install curl gnupg2 software-properties-common apt-transport-https ca-certificates -y
22 | 
23 | curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
24 | 
25 | sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
26 | 
27 | sudo apt update
28 | 
29 | sudo apt install containerd.io -y
30 | 
31 | sudo su -
32 | 
33 | mkdir -p /etc/containerd
34 | 
35 | containerd config default>/etc/containerd/config.toml
36 | 
37 | exit
38 | 
39 | sudo systemctl restart containerd
40 | 
41 | sudo systemctl enable containerd
42 | 
43 | # Turn off swap
44 | swapoff -a
45 | 
46 | # sysctl settings and ip tables
47 | sudo modprobe overlay
48 | sudo modprobe br_netfilter
49 | 
50 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
51 | net.bridge.bridge-nf-call-ip6tables = 1
52 | net.bridge.bridge-nf-call-iptables = 1
53 | net.ipv4.ip_forward = 1
54 | EOF
55 | 
56 | sudo sysctl --system
57 | 
58 | # Install and configure Kubeadm with the latest version of Kubernetes.
59 | sudo apt-get install -y kubelet kubeadm kubectl
60 | 
61 | # To install a specific version of Kubernetes (not the latest), you can use the following...
62 | # Example: sudo apt-get install -qy kubelet=1.25.5-00 kubectl=1.25.5-00 kubeadm=1.25.5-00
63 | 
64 | # You can see all Kubernetes versions available for Kubeadm like this: `apt list -a kubeadm`
65 | 
66 | sudo apt-get install -qy kubelet=<version> kubectl=<version> kubeadm=<version>
67 | 
68 | sudo apt-mark hold kubelet kubeadm kubectl


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/control_plane_setup.sh:
--------------------------------------------------------------------------------
 1 | # Define variables for the `kubeadm init` command. Examples below.
 2 | sudo su -
 3 | 
 4 | user=k8stest
 5 | pass='Password12!@'
 6 | sudo useradd -m -d /home/$user $user
 7 | sudo echo "$user:$pass" | chpasswd
 8 | usermod -aG sudo $user
 9 | 
10 | exit
11 | 
12 | 
13 | #######
14 | Depending on where you are deploying, you could either have just a public subnet, or a public and private subnet
15 | If you have just a public subnet, use the same value for the ip_address and publicIP, along with the CIDR range
16 | If you have a private and public subnet, use the public IP for the publicIP, the private IP for the ip_address, and the private IP range for the CIDR
17 | #######
18 | ip_address=10.162.0.26
19 | cidr=172.18.0.0/16
20 | publicIP=10.162.0.26
21 | 
22 | sudo kubeadm init --control-plane-endpoint $publicIP --apiserver-advertise-address $ip_address --pod-network-cidr=$cidr --upload-certs
23 | 
24 | #######
25 | 
26 | If you are deploying in the cloud, you may find yourself in a situation where the init fails because the Kubelet connect communicate with the API server
27 | 
28 | This typically happens in public clouds due to network restrictions
29 | 
30 | If it happens to you, open up the following ports: https://kubernetes.io/docs/reference/ports-and-protocols/
31 | 
32 | #######
33 | 
34 | # To start using your Kubernetes cluster, you need to configure your home user settings
35 | su -l k8stest
36 | mkdir -p $HOME/.kube
37 | sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
38 | sudo chown $(id -u):$(id -g) $HOME/.kube/config
39 | 
40 | # Networking: Weave
41 | # If you don't want to use Weave, you can see the network frameworks listed here: https://kubernetes.io/docs/concepts/cluster-administration/addons/
42 | kubectl apply -f https://github.com/weaveworks/weave/releases/download/v2.8.1/weave-daemonset-k8s.yaml
43 | 
44 | 


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/flannel.yaml:
--------------------------------------------------------------------------------
  1 | kubectl apply -f - <<EOF
  2 | ---
  3 | kind: Namespace
  4 | apiVersion: v1
  5 | metadata:
  6 |   name: kube-flannel
  7 |   labels:
  8 |     pod-security.kubernetes.io/enforce: privileged
  9 | ---
 10 | kind: ClusterRole
 11 | apiVersion: rbac.authorization.k8s.io/v1
 12 | metadata:
 13 |   name: flannel
 14 | rules:
 15 | - apiGroups:
 16 |   - ""
 17 |   resources:
 18 |   - pods
 19 |   verbs:
 20 |   - get
 21 | - apiGroups:
 22 |   - ""
 23 |   resources:
 24 |   - nodes
 25 |   verbs:
 26 |   - list
 27 |   - watch
 28 | - apiGroups:
 29 |   - ""
 30 |   resources:
 31 |   - nodes/status
 32 |   verbs:
 33 |   - patch
 34 | ---
 35 | kind: ClusterRoleBinding
 36 | apiVersion: rbac.authorization.k8s.io/v1
 37 | metadata:
 38 |   name: flannel
 39 | roleRef:
 40 |   apiGroup: rbac.authorization.k8s.io
 41 |   kind: ClusterRole
 42 |   name: flannel
 43 | subjects:
 44 | - kind: ServiceAccount
 45 |   name: flannel
 46 |   namespace: kube-flannel
 47 | ---
 48 | apiVersion: v1
 49 | kind: ServiceAccount
 50 | metadata:
 51 |   name: flannel
 52 |   namespace: kube-flannel
 53 | ---
 54 | kind: ConfigMap
 55 | apiVersion: v1
 56 | metadata:
 57 |   name: kube-flannel-cfg
 58 |   namespace: kube-flannel
 59 |   labels:
 60 |     tier: node
 61 |     app: flannel
 62 | data:
 63 |   cni-conf.json: |
 64 |     {
 65 |       "name": "cbr0",
 66 |       "cniVersion": "0.3.1",
 67 |       "plugins": [
 68 |         {
 69 |           "type": "flannel",
 70 |           "delegate": {
 71 |             "hairpinMode": true,
 72 |             "isDefaultGateway": true
 73 |           }
 74 |         },
 75 |         {
 76 |           "type": "portmap",
 77 |           "capabilities": {
 78 |             "portMappings": true
 79 |           }
 80 |         }
 81 |       ]
 82 |     }
 83 |   net-conf.json: |
 84 |     {
 85 |       "Network": "172.17.0.0/16",
 86 |       "Backend": {
 87 |         "Type": "vxlan"
 88 |       }
 89 |     }
 90 | ---
 91 | apiVersion: apps/v1
 92 | kind: DaemonSet
 93 | metadata:
 94 |   name: kube-flannel-ds
 95 |   namespace: kube-flannel
 96 |   labels:
 97 |     tier: node
 98 |     app: flannel
 99 | spec:
100 |   selector:
101 |     matchLabels:
102 |       app: flannel
103 |   template:
104 |     metadata:
105 |       labels:
106 |         tier: node
107 |         app: flannel
108 |     spec:
109 |       affinity:
110 |         nodeAffinity:
111 |           requiredDuringSchedulingIgnoredDuringExecution:
112 |             nodeSelectorTerms:
113 |             - matchExpressions:
114 |               - key: kubernetes.io/os
115 |                 operator: In
116 |                 values:
117 |                 - linux
118 |       hostNetwork: true
119 |       priorityClassName: system-node-critical
120 |       tolerations:
121 |       - operator: Exists
122 |         effect: NoSchedule
123 |       serviceAccountName: flannel
124 |       initContainers:
125 |       - name: install-cni-plugin
126 |        #image: flannelcni/flannel-cni-plugin:v1.1.0 for ppc64le and mips64le (dockerhub limitations may apply)
127 |         image: docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0
128 |         command:
129 |         - cp
130 |         args:
131 |         - -f
132 |         - /flannel
133 |         - /opt/cni/bin/flannel
134 |         volumeMounts:
135 |         - name: cni-plugin
136 |           mountPath: /opt/cni/bin
137 |       - name: install-cni
138 |        #image: flannelcni/flannel:v0.19.2 for ppc64le and mips64le (dockerhub limitations may apply)
139 |         image: docker.io/rancher/mirrored-flannelcni-flannel:v0.19.2
140 |         command:
141 |         - cp
142 |         args:
143 |         - -f
144 |         - /etc/kube-flannel/cni-conf.json
145 |         - /etc/cni/net.d/10-flannel.conflist
146 |         volumeMounts:
147 |         - name: cni
148 |           mountPath: /etc/cni/net.d
149 |         - name: flannel-cfg
150 |           mountPath: /etc/kube-flannel/
151 |       containers:
152 |       - name: kube-flannel
153 |        #image: flannelcni/flannel:v0.19.2 for ppc64le and mips64le (dockerhub limitations may apply)
154 |         image: docker.io/rancher/mirrored-flannelcni-flannel:v0.19.2
155 |         command:
156 |         - /opt/bin/flanneld
157 |         args:
158 |         - --ip-masq
159 |         - --kube-subnet-mgr
160 |         resources:
161 |           requests:
162 |             cpu: "100m"
163 |             memory: "50Mi"
164 |           limits:
165 |             cpu: "100m"
166 |             memory: "50Mi"
167 |         securityContext:
168 |           privileged: false
169 |           capabilities:
170 |             add: ["NET_ADMIN", "NET_RAW"]
171 |         env:
172 |         - name: POD_NAME
173 |           valueFrom:
174 |             fieldRef:
175 |               fieldPath: metadata.name
176 |         - name: POD_NAMESPACE
177 |           valueFrom:
178 |             fieldRef:
179 |               fieldPath: metadata.namespace
180 |         - name: EVENT_QUEUE_DEPTH
181 |           value: "5000"
182 |         volumeMounts:
183 |         - name: run
184 |           mountPath: /run/flannel
185 |         - name: flannel-cfg
186 |           mountPath: /etc/kube-flannel/
187 |         - name: xtables-lock
188 |           mountPath: /run/xtables.lock
189 |       volumes:
190 |       - name: run
191 |         hostPath:
192 |           path: /run/flannel
193 |       - name: cni-plugin
194 |         hostPath:
195 |           path: /opt/cni/bin
196 |       - name: cni
197 |         hostPath:
198 |           path: /etc/cni/net.d
199 |       - name: flannel-cfg
200 |         configMap:
201 |           name: kube-flannel-cfg
202 |       - name: xtables-lock
203 |         hostPath:
204 |           path: /run/xtables.lock
205 |           type: FileOrCreate
206 | EOF


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/install_control_plane.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | sudo apt update -y
 3 | 
 4 | # Install transport layer
 5 | sudo apt-get install -y apt-transport-https curl
 6 | 
 7 | # Add Kubernetes Signing Key
 8 | curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.28/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
 9 | 
10 | # Add Software Repositories
11 | echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
12 | 
13 | sudo apt update -y 
14 | 
15 | sudo su -
16 | 
17 | # Install and configure the CRI-O container runtime
18 | OS=xUbuntu_22.04
19 | VERSION=1.22
20 | 
21 | echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
22 | echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
23 | 
24 | curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
25 | curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
26 | 
27 | exit
28 | 
29 | sudo apt update -y
30 | sudo apt install cri-o cri-o-runc -y
31 | 
32 | sudo systemctl daemon-reload
33 | sudo systemctl enable crio --now
34 | 
35 | # Check to see CRI-O is installed properly
36 | apt-cache policy cri-o
37 | 
38 | # Turn off swap
39 | sudo swapoff -a
40 | 
41 | # sysctl settings and ip tables
42 | sudo modprobe overlay
43 | sudo modprobe br_netfilter
44 | 
45 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
46 | net.bridge.bridge-nf-call-ip6tables = 1
47 | net.bridge.bridge-nf-call-iptables = 1
48 | net.ipv4.ip_forward = 1
49 | EOF
50 | 
51 | sudo sysctl --system
52 | 
53 | # Install and configure Kubeadm with the latest version of Kubernetes.
54 | sudo apt-get install -y kubelet kubeadm kubectl
55 | 
56 | # To install a specific version of Kubernetes (not the latest), you can use the following...
57 | # Example: sudo apt-get install -qy kubelet=1.25.5-00 kubectl=1.25.5-00 kubeadm=1.25.5-00
58 | 
59 | # You can see all Kubernetes versions available for Kubeadm like this: `apt list -a kubeadm`
60 | 
61 | sudo apt-get install -qy kubelet=<version> kubectl=<version> kubeadm=<version>
62 | 
63 | sudo apt-mark hold kubelet kubeadm kubectl
64 | 


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/install_worker_node.sh:
--------------------------------------------------------------------------------
 1 | sudo apt update -y
 2 | 
 3 | # Install transport layer
 4 | sudo apt-get install -y apt-transport-https curl
 5 | 
 6 | # Install Kubernetes package on Ubuntu
 7 | curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
 8 | echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
 9 | 
10 | sudo apt update -y
11 | 
12 | sudo su -
13 | 
14 | # Install and configure the CRI-O container runtime
15 | OS=xUbuntu_20.04
16 | VERSION=1.22
17 | 
18 | echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
19 | echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
20 | 
21 | curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
22 | curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
23 | 
24 | exit
25 | 
26 | sudo apt update -y
27 | sudo apt install cri-o cri-o-runc -y
28 | 
29 | sudo systemctl daemon-reload
30 | sudo systemctl enable crio --now
31 | 
32 | # Check to see CRI-O is installed properly
33 | apt-cache policy cri-o
34 | 
35 | # Turn off swap
36 | swapoff -a
37 | 
38 | # sysctl settings and ip tables
39 | sudo modprobe overlay
40 | sudo modprobe br_netfilter
41 | 
42 | sudo tee /etc/sysctl.d/kubernetes.conf<<EOF
43 | net.bridge.bridge-nf-call-ip6tables = 1
44 | net.bridge.bridge-nf-call-iptables = 1
45 | net.ipv4.ip_forward = 1
46 | EOF
47 | 
48 | sudo sysctl --system
49 | 
50 | # Install kubeadm
51 | sudo apt-get install -y kubelet kubeadm kubectl
52 | 


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/instructions_for_kubeadm/kubeadm_on_equinix/read.md:
--------------------------------------------------------------------------------
 1 | 1. Run the configuration in the `equinixprovider` Terraform module
 2 | 2. Once the config finishes, you'll see four outputs:
 3 |    - privateIP1
 4 |    - privateIP2
 5 |    - publicIP1
 6 |    - publicIP2
 7 | 3. SSH into `publicIP1`
 8 | 4. Take note of `publicIP1` and `privateIP1`
 9 | 5. Open up the `control_plane_setup.sh` script in the `kubeadm` directory
10 | 
11 | In the `control_plane_setup.sh` script, you'll see three variables:
12 | ip_address=
13 | cidr=
14 | publicIP=
15 | 
16 | Update the variables with the proper values from `publicIP1` and `privateIP1`.
17 | 
18 | 6. Run the `control_plane_setup.sh` after you put in the variable values
19 | 
20 | After the script is complete, you'll see the output for Kubeadm and the output on how to join new Control Planes and Worker Nodes. For more information on this, check out the [join commands page](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/blob/main/Bare-Metal/kubeadm/joincommands.md)


--------------------------------------------------------------------------------
/Bare-Metal/kubeadm/joincommands.md:
--------------------------------------------------------------------------------
 1 | ## Control Plane
 2 | 
 3 | When installing/adding a control plane to a Kubernetes cluster, the options may vary based on where you're installing it.
 4 | 
 5 | For example, if you're installing Kubeadm in the cloud, say Azure, you'll need to specify the `--control-plane-endpoint` switch when running `kube init`.
 6 | 
 7 | The reason why is explained in the docs found [here](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/#create-load-balancer-for-kube-apiserver) on creating highly available clusters with Kubeadm.
 8 | 
 9 |  The Control Plane endpoint can be a load balancer sitting in front of the Kubernetes API or the servers public IP address.
10 | 
11 | 
12 | ### Control Plane Join
13 | 
14 | When you run `kubeadmin init` in the `install_control_plane.sh` script, you'll see an output that tells you about the server with a command similar to the one below. You can copy/paste it into the new Control Plane server to join the new Control Plane server to the Kubernetes cluster.
15 | 
16 | ```
17 | kubeadm join 20.232.11.27:6443 --token p2paxv.aqtlrcd4ymaoly1y --discovery-token-ca-cert-hash sha256:44485769d06937cfc8a37c443f201d525aeb5ffcf52865b61793d6931c65e117 --control-plane
18 | ```
19 | 
20 | ### Worker Node Join
21 | 
22 | When you run `kubeadmin init` in the `install_control_plane.sh` script on the Control Plane, you'll see an output that tells you about the server with a command similar to the one below. You can copy/paste it into the new Worker Node server to join the new Worker Node server to the Kubernetes cluster.
23 | 
24 | ```
25 | kubeadm join 172.18.0.4:6443 --token q8pao2.6bub77ub8qvjdees --discovery-token-ca-cert-hash sha256:c431198db7aa4d89ca390a3a07e535522a0679335290b2e27e21782aa414bdae
26 | ```


--------------------------------------------------------------------------------
/Google/GKE-Autopilot/main.tf:
--------------------------------------------------------------------------------
 1 | provider "google" {
 2 |   project = var.project_id
 3 |   region  = var.region
 4 | }
 5 | resource "google_container_cluster" "primary" {
 6 |   name     = var.cluster_name
 7 |   location = var.region
 8 | 
 9 |   ip_allocation_policy {}
10 | 
11 |   network    = var.vpc_name
12 |   subnetwork = var.subnet_name
13 | 
14 |   enable_autopilot = true
15 | }
16 | 


--------------------------------------------------------------------------------
/Google/GKE-Autopilot/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "project_id" {
 2 |   type = string
 3 |   default = "gold-mode-297211"
 4 | }
 5 | 
 6 | variable "region" {
 7 |   type = string
 8 |   default = "us-east1"
 9 | }
10 | 
11 | variable "machine_type" {
12 |   type = string
13 |   default = "e2-small"
14 | }
15 | 
16 | variable "vpc_name" {
17 |   type = string
18 |   default = "default"
19 | }
20 | 
21 | variable "subnet_name" {
22 |   type = string
23 |   default = "default"
24 | }
25 | 
26 | variable "node_count" {
27 |   type = string
28 |   default = 2
29 | }
30 | 
31 | variable "cluster_name" {
32 |   type = string
33 |   default = "gkek8senv"
34 | }


--------------------------------------------------------------------------------
/Google/GKE-Network-Policy-Enabled/main.tf:
--------------------------------------------------------------------------------
 1 | provider "google" {
 2 |   project     = var.project_id
 3 |   region      = var.region
 4 | }
 5 | resource "google_container_cluster" "primary" {
 6 |   name     = var.cluster_name
 7 |   location = var.region
 8 |   
 9 |   remove_default_node_pool = true
10 |   initial_node_count       = 2
11 | 
12 |   network    = var.vpc_name
13 |   subnetwork = var.subnet_name
14 | 
15 |   min_master_version = var.k8s_version
16 | 
17 |   network_policy {
18 |     provider = "CALICO"
19 |     enabled = true
20 |   }
21 | }
22 | 
23 | resource "google_container_node_pool" "nodes" {
24 |   name       = "${google_container_cluster.primary.name}-node-pool"
25 |   location   = var.region
26 |   cluster    = google_container_cluster.primary.name
27 |   node_count = var.node_count
28 | 
29 |   node_config {
30 |     oauth_scopes = [
31 |       "https://www.googleapis.com/auth/logging.write",
32 |       "https://www.googleapis.com/auth/monitoring",
33 |     ]
34 | 
35 |     labels = {
36 |       env = var.project_id
37 |     }
38 | 
39 |     machine_type = var.machine_type
40 |     tags         = ["gke-node", "${var.project_id}-gke"]
41 |     metadata = {
42 |       disable-legacy-endpoints = "true"
43 |     }
44 |   }
45 | }


--------------------------------------------------------------------------------
/Google/GKE-Network-Policy-Enabled/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "project_id" {
 2 |   type = string
 3 |   default = "gold-mode-297211"
 4 | }
 5 | 
 6 | variable "region" {
 7 |   type = string
 8 |   default = "us-east1"
 9 | }
10 | 
11 | variable "machine_type" {
12 |   type = string
13 |   default = "e2-standard-4"
14 | }
15 | 
16 | variable "vpc_name" {
17 |   type = string
18 |   default = "default"
19 | }
20 | 
21 | variable "subnet_name" {
22 |   type = string
23 |   default = "default"
24 | }
25 | 
26 | variable "node_count" {
27 |   type = string
28 |   default = 2
29 | }
30 | 
31 | variable "cluster_name" {
32 |   type = string
33 |   default = "gkek8senv"
34 | }
35 | 
36 | variable "k8s_version" {
37 |   type = string
38 |   default = "1.29.4-gke.1043002"
39 | }


--------------------------------------------------------------------------------
/Google/GKE/main.tf:
--------------------------------------------------------------------------------
 1 | provider "google" {
 2 |   project     = var.project_id
 3 |   region      = var.region
 4 | }
 5 | resource "google_container_cluster" "primary" {
 6 |   name     = var.cluster_name
 7 |   location = var.region
 8 |   
 9 |   remove_default_node_pool = true
10 |   initial_node_count       = 2
11 | 
12 |   network    = var.vpc_name
13 |   subnetwork = var.subnet_name
14 | 
15 |   min_master_version = var.k8s_version
16 | }
17 | 
18 | resource "google_container_node_pool" "nodes" {
19 |   name       = "${google_container_cluster.primary.name}-node-pool"
20 |   location   = var.region
21 |   cluster    = google_container_cluster.primary.name
22 |   node_count = var.node_count
23 | 
24 |   node_config {
25 |     oauth_scopes = [
26 |       "https://www.googleapis.com/auth/logging.write",
27 |       "https://www.googleapis.com/auth/monitoring",
28 |     ]
29 | 
30 |     labels = {
31 |       env = var.project_id
32 |     }
33 | 
34 |     machine_type = var.machine_type
35 |     tags         = ["gke-node", "${var.project_id}-gke"]
36 |     metadata = {
37 |       disable-legacy-endpoints = "true"
38 |     }
39 |   }
40 | }


--------------------------------------------------------------------------------
/Google/GKE/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "project_id" {
 2 |   type = string
 3 |   default = "gold-mode-297211"
 4 | }
 5 | 
 6 | variable "region" {
 7 |   type = string
 8 |   default = "us-east1"
 9 | }
10 | 
11 | variable "machine_type" {
12 |   type = string
13 |   default = "e2-small"
14 | }
15 | 
16 | variable "vpc_name" {
17 |   type = string
18 |   default = "default"
19 | }
20 | 
21 | variable "subnet_name" {
22 |   type = string
23 |   default = "default"
24 | }
25 | 
26 | variable "node_count" {
27 |   type = string
28 |   default = 2
29 | }
30 | 
31 | variable "cluster_name" {
32 |   type = string
33 |   default = "gkek8senv"
34 | }
35 | 
36 | variable "k8s_version" {
37 |   type = string
38 |   defualt = "1.26.1-gke.1500"
39 | }


--------------------------------------------------------------------------------
/Google/anthos-bare-metal/anthos.md:
--------------------------------------------------------------------------------
1 | When creating any project, the last thing you want to do is re-invent the wheel. As I was figuring out how to run Anthos on Equinix Metal, a colleague brought this project to my attention.
2 | 
3 | The module below deploys a full Google Anthos on-prem environment in Equinix with input variables that allow you to customize pretty much everything about the setup.
4 | 
5 | Link below.
6 | 
7 | https://registry.terraform.io/modules/equinix/anthos-on-baremetal/metal/latest


--------------------------------------------------------------------------------
/Google/anthos-in-the-cloud/docs.md:
--------------------------------------------------------------------------------
1 | https://cloud.google.com/anthos/docs/setup/set-up-google-cloud#terraform


--------------------------------------------------------------------------------
/Google/anthos-in-the-cloud/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     google-beta = {
 4 |       source  = "hashicorp/google-beta"
 5 |     }
 6 |   }
 7 | }
 8 | 
 9 | provider "google" {
10 |   project     = var.project_id
11 |   region      = var.region
12 | }
13 | 
14 | resource "google_container_cluster" "primary" {
15 |   name     = var.cluster_name
16 |   location = var.region
17 | 
18 |   remove_default_node_pool = true
19 |   initial_node_count       = 1
20 | 
21 |   network    = var.vpc_name
22 |   subnetwork = var.subnet_name
23 | }
24 | 
25 | resource "google_container_node_pool" "nodes" {
26 |   name       = "${google_container_cluster.primary.name}-node-pool"
27 |   location   = var.region
28 |   cluster    = google_container_cluster.primary.name
29 |   node_count = var.node_count
30 | 
31 |   node_config {
32 |     oauth_scopes = [
33 |       "https://www.googleapis.com/auth/logging.write",
34 |       "https://www.googleapis.com/auth/monitoring",
35 |     ]
36 | 
37 |     labels = {
38 |       env = var.project_id
39 |     }
40 | 
41 |     disk_size_gb = 50
42 | 
43 |     machine_type = var.machine_type
44 |     tags         = ["gke-node", "${var.project_id}-gke"]
45 |     metadata = {
46 |       disable-legacy-endpoints = "true"
47 |     }
48 |   }
49 | }
50 | 
51 | resource "google_gke_hub_membership" "anthos_registration" {
52 |   provider      = google-beta
53 |   project = var.project_id
54 |   membership_id = "${var.cluster_name}-fleet"
55 |   endpoint {
56 |     gke_cluster {
57 |       resource_link = "//container.googleapis.com/${google_container_cluster.primary.id}"
58 |     }
59 |   }
60 | }
61 | 


--------------------------------------------------------------------------------
/Google/anthos-in-the-cloud/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "project_id" {
 2 |   type = string
 3 |   default = "gold-mode-297211"
 4 | }
 5 | 
 6 | variable "region" {
 7 |   type = string
 8 |   default = "us-east1"
 9 | }
10 | 
11 | variable "machine_type" {
12 |   type = string
13 |   default = "e2-small"
14 | }
15 | 
16 | variable "vpc_name" {
17 |   type = string
18 |   default = "default"
19 | }
20 | 
21 | variable "subnet_name" {
22 |   type = string
23 |   default = "default"
24 | }
25 | 
26 | variable "node_count" {
27 |   type = string
28 |   default = 2
29 | }
30 | 
31 | variable "cluster_name" {
32 |   type = string
33 |   default = "anthosgke"
34 | }
35 | 


--------------------------------------------------------------------------------
/Google/authenticate_to_google/instructions.sh:
--------------------------------------------------------------------------------
1 | `gcloud auth application-default login`


--------------------------------------------------------------------------------
/Google/prereqs.md:
--------------------------------------------------------------------------------
1 | Run the following commands to log into GCP
2 | 
3 | ```
4 | brew install --cask google-cloud-sdk
5 | 
6 | gcloud init
7 | ```


--------------------------------------------------------------------------------
/Linode/Consul/consul.yaml:
--------------------------------------------------------------------------------
 1 | global:
 2 |   name: consul
 3 |   datacenter: njtest
 4 | server:
 5 |   replicas: 2
 6 |   securityContext:
 7 |     runAsNonRoot: false
 8 |     runAsUser: 0
 9 | ui:
10 |   enabled: true
11 | connectInject:
12 |   enabled: true
13 |   default: true
14 | controller:
15 |   enabled: true
16 |     


--------------------------------------------------------------------------------
/Linode/Consul/consulservicemesh.sh:
--------------------------------------------------------------------------------
 1 | sudo wget https://get.helm.sh/helm-v3.6.1-linux-amd64.tar.gz
 2 | 
 3 | 1. Install Helm
 4 | 
 5 | helm repo add hashicorp https://helm.releases.hashicorp.com
 6 | 
 7 | helm search repo hashicorp/consul
 8 | 
 9 | helm repo update
10 | 
11 | helm install consul hashicorp/consul --set global.name=consul -f consul.yaml


--------------------------------------------------------------------------------
/Linode/commands.sh:
--------------------------------------------------------------------------------
 1 | pip3 --version
 2 | pip3 install linode-cli
 3 | linode-cli --help
 4 | linode-cli configure
 5 | linode-cli lke clusters-list
 6 | 
 7 | linode-cli lke cluster-create \
 8 |   --label kodekloudtest \
 9 |   --region us-central \
10 |   --k8s_version 1.23 \
11 |   --node_pools.type g6-standard-4 --node_pools.count 3


--------------------------------------------------------------------------------
/Linode/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     linode = {
 4 |       source = "linode/linode"
 5 |       version = "1.27.1"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "linode" {
11 |   token = var.token
12 | }
13 | 
14 | resource "linode_lke_cluster" "kodekloud" {
15 |     label       = "my-cluster"
16 |     k8s_version = "1.23"
17 |     region      = "us-central"
18 |     tags        = ["prod"]
19 | 
20 |     pool {
21 |         type  = "g6-standard-2"
22 |         count = 3
23 | 
24 |         # autoscaler {
25 |         #   min = 3
26 |         #   max = 10
27 |         # }
28 |     }
29 | }
30 | 
31 | output "kubeconfig" {
32 |    value = linode_lke_cluster.kodekloud.kubeconfig
33 |    sensitive = true
34 | }


--------------------------------------------------------------------------------
/Linode/variables.tf:
--------------------------------------------------------------------------------
1 | variable "token" {
2 |   default = ""
3 |   type = string
4 |   sensitive = true
5 | }


--------------------------------------------------------------------------------
/alaz.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ServiceAccount
  3 | metadata:
  4 |   name: alaz-serviceaccount
  5 |   namespace: ddosify
  6 | ---
  7 | # For alaz to keep track of changes in cluster
  8 | apiVersion: rbac.authorization.k8s.io/v1
  9 | kind: ClusterRole
 10 | metadata:
 11 |   name: alaz-role
 12 |   namespace: ddosify
 13 | rules:
 14 | - apiGroups:
 15 |   - "*"
 16 |   resources:
 17 |   - pods
 18 |   - services
 19 |   - endpoints
 20 |   - replicasets
 21 |   - deployments
 22 |   - daemonsets
 23 |   verbs:
 24 |   - "get"
 25 |   - "list"
 26 |   - "watch"
 27 | ---
 28 | apiVersion: rbac.authorization.k8s.io/v1
 29 | kind: ClusterRoleBinding
 30 | metadata:
 31 |   name: alaz-role-binding
 32 |   namespace: ddosify
 33 | roleRef:
 34 |   apiGroup: rbac.authorization.k8s.io
 35 |   kind: ClusterRole
 36 |   name: alaz-role
 37 | subjects:
 38 | - kind: ServiceAccount
 39 |   name: alaz-serviceaccount
 40 |   namespace: ddosify
 41 | ---
 42 | apiVersion: apps/v1
 43 | kind: DaemonSet
 44 | metadata:
 45 |   name: alaz-daemonset
 46 |   namespace: ddosify
 47 | spec:
 48 |   selector:
 49 |     matchLabels:
 50 |       app: alaz
 51 |   template:
 52 |     metadata:
 53 |       labels:
 54 |         app: alaz
 55 |     spec:
 56 |       hostPID: true
 57 |       containers:
 58 |       - env:
 59 |         - name: EBPF_ENABLED
 60 |           value: "true"
 61 |         - name: METRICS_ENABLED
 62 |           value: "true"
 63 |         - name: BACKEND_HOST
 64 |           value: http://localhost:8014/api
 65 |         - name: LOG_LEVEL
 66 |           value: "1"
 67 |         - name: MONITORING_ID
 68 |           value: 2f5231e4-c2db-4bf2-84ff-49b770fa3615
 69 |         - name: NODE_NAME
 70 |           valueFrom:
 71 |             fieldRef:
 72 |               apiVersion: v1
 73 |               fieldPath: spec.nodeName
 74 |         args:
 75 |         - --no-collector.wifi
 76 |         - --no-collector.hwmon
 77 |         - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
 78 |         - --collector.netclass.ignored-devices=^(veth.*)$
 79 |         image: ddosify/alaz:v0.1.4
 80 |         imagePullPolicy: IfNotPresent
 81 |         name: alaz-pod
 82 |         ports:
 83 |         - containerPort: 8181
 84 |           protocol: TCP
 85 |         resources:
 86 |           limits:
 87 |             cpu: "1"
 88 |             memory: 1Gi
 89 |           requests:
 90 |             cpu: 500m
 91 |             memory: 400Mi
 92 |         securityContext:
 93 |           privileged: true 
 94 |         terminationMessagePath: /dev/termination-log
 95 |         terminationMessagePolicy: File
 96 |         # needed for linking ebpf trace programs
 97 |         volumeMounts:
 98 |         - mountPath: /sys/kernel/debug
 99 |           name: debugfs
100 |           readOnly: false
101 |       dnsPolicy: ClusterFirst
102 |       restartPolicy: Always
103 |       schedulerName: default-scheduler
104 |       securityContext: {}
105 |       serviceAccount: alaz-serviceaccount
106 |       serviceAccountName: alaz-serviceaccount
107 |       terminationGracePeriodSeconds: 30
108 |       # needed for linking ebpf trace programs
109 |       volumes:
110 |       - name: debugfs
111 |         hostPath:
112 |           path: /sys/kernel/debug
113 | 


--------------------------------------------------------------------------------
/alaz.yaml-e:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: ServiceAccount
  3 | metadata:
  4 |   name: alaz-serviceaccount
  5 |   namespace: ddosify
  6 | ---
  7 | # For alaz to keep track of changes in cluster
  8 | apiVersion: rbac.authorization.k8s.io/v1
  9 | kind: ClusterRole
 10 | metadata:
 11 |   name: alaz-role
 12 |   namespace: ddosify
 13 | rules:
 14 | - apiGroups:
 15 |   - "*"
 16 |   resources:
 17 |   - pods
 18 |   - services
 19 |   - endpoints
 20 |   - replicasets
 21 |   - deployments
 22 |   - daemonsets
 23 |   verbs:
 24 |   - "get"
 25 |   - "list"
 26 |   - "watch"
 27 | ---
 28 | apiVersion: rbac.authorization.k8s.io/v1
 29 | kind: ClusterRoleBinding
 30 | metadata:
 31 |   name: alaz-role-binding
 32 |   namespace: ddosify
 33 | roleRef:
 34 |   apiGroup: rbac.authorization.k8s.io
 35 |   kind: ClusterRole
 36 |   name: alaz-role
 37 | subjects:
 38 | - kind: ServiceAccount
 39 |   name: alaz-serviceaccount
 40 |   namespace: ddosify
 41 | ---
 42 | apiVersion: apps/v1
 43 | kind: DaemonSet
 44 | metadata:
 45 |   name: alaz-daemonset
 46 |   namespace: ddosify
 47 | spec:
 48 |   selector:
 49 |     matchLabels:
 50 |       app: alaz
 51 |   template:
 52 |     metadata:
 53 |       labels:
 54 |         app: alaz
 55 |     spec:
 56 |       hostPID: true
 57 |       containers:
 58 |       - env:
 59 |         - name: EBPF_ENABLED
 60 |           value: "true"
 61 |         - name: METRICS_ENABLED
 62 |           value: "true"
 63 |         - name: BACKEND_HOST
 64 |           value: https://api.ddosify.com:443
 65 |         - name: LOG_LEVEL
 66 |           value: "1"
 67 |         - name: MONITORING_ID
 68 |           value: 2f5231e4-c2db-4bf2-84ff-49b770fa3615
 69 |         - name: NODE_NAME
 70 |           valueFrom:
 71 |             fieldRef:
 72 |               apiVersion: v1
 73 |               fieldPath: spec.nodeName
 74 |         args:
 75 |         - --no-collector.wifi
 76 |         - --no-collector.hwmon
 77 |         - --collector.filesystem.ignored-mount-points=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
 78 |         - --collector.netclass.ignored-devices=^(veth.*)$
 79 |         image: ddosify/alaz:v0.1.4
 80 |         imagePullPolicy: IfNotPresent
 81 |         name: alaz-pod
 82 |         ports:
 83 |         - containerPort: 8181
 84 |           protocol: TCP
 85 |         resources:
 86 |           limits:
 87 |             cpu: "1"
 88 |             memory: 1Gi
 89 |           requests:
 90 |             cpu: 500m
 91 |             memory: 400Mi
 92 |         securityContext:
 93 |           privileged: true 
 94 |         terminationMessagePath: /dev/termination-log
 95 |         terminationMessagePolicy: File
 96 |         # needed for linking ebpf trace programs
 97 |         volumeMounts:
 98 |         - mountPath: /sys/kernel/debug
 99 |           name: debugfs
100 |           readOnly: false
101 |       dnsPolicy: ClusterFirst
102 |       restartPolicy: Always
103 |       schedulerName: default-scheduler
104 |       securityContext: {}
105 |       serviceAccount: alaz-serviceaccount
106 |       serviceAccountName: alaz-serviceaccount
107 |       terminationGracePeriodSeconds: 30
108 |       # needed for linking ebpf trace programs
109 |       volumes:
110 |       - name: debugfs
111 |         hostPath:
112 |           path: /sys/kernel/debug
113 | 


--------------------------------------------------------------------------------
/aws/cloudwatch-agent-container-insights/install.sh:
--------------------------------------------------------------------------------
1 | ClusterName=k8squickstart-cluster
2 | RegionName=us-east-1
3 | FluentBitHttpPort='2020'
4 | FluentBitReadFromHead='Off'
5 | [[ ${FluentBitReadFromHead} = 'On' ]] && FluentBitReadFromTail='Off'|| FluentBitReadFromTail='On'
6 | [[ -z ${FluentBitHttpPort} ]] && FluentBitHttpServer='Off' || FluentBitHttpServer='On'
7 | curl https://raw.githubusercontent.com/aws-samples/amazon-cloudwatch-container-insights/latest/k8s-deployment-manifest-templates/deployment-mode/daemonset/container-insights-monitoring/quickstart/cwagent-fluent-bit-quickstart.yaml | sed 's/{{cluster_name}}/'${ClusterName}'/;s/{{region_name}}/'${RegionName}'/;s/{{http_server_toggle}}/"'${FluentBitHttpServer}'"/;s/{{http_server_port}}/"'${FluentBitHttpPort}'"/;s/{{read_from_head}}/"'${FluentBitReadFromHead}'"/;s/{{read_from_tail}}/"'${FluentBitReadFromTail}'"/' | kubectl apply -f - 


--------------------------------------------------------------------------------
/aws/connect-to-eks-cluster.sh:
--------------------------------------------------------------------------------
1 | aws eks --region us-east-1 update-kubeconfig --name k8squickstart-cluster


--------------------------------------------------------------------------------
/aws/ecs/cluster/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   backend "s3" {
 3 |     bucket = "terraform-state-k8senv"
 4 |     key    = "ecs-workload.tfstate"
 5 |     region = "us-east-1"
 6 |   }
 7 |   required_providers {
 8 |     aws = {
 9 |       source = "hashicorp/aws"
10 |     }
11 |   }
12 | }
13 | 
14 | resource "aws_ecs_cluster" "levancluster" {
15 |   name = "levanecscluster"
16 | 
17 |   setting {
18 |     name  = "containerInsights"
19 |     value = "enabled"
20 |   }
21 | }


--------------------------------------------------------------------------------
/aws/ecs/workload/main.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_ecs_task_definition" "nginxapp" {
 2 |   family                   = "nginxapptask"
 3 | #   requires_compatibilities = ["FARGATE"]
 4 | #   network_mode             = "awsvpc"
 5 |   cpu                      = 1024
 6 |   memory                   = 2048
 7 | 
 8 |   container_definitions = <<DEFINITION
 9 | [
10 |   {
11 |     "image": "nginx:latest",
12 |     "name": "nginx",
13 |     "networkMode": "awsvpc",
14 |     "portMappings": [
15 |       {
16 |         "containerPort": 80,
17 |         "hostPort": 80
18 |       }
19 |     ]
20 |   }
21 | ]
22 | DEFINITION
23 | }
24 | 
25 | # resource "aws_iam_role" "ecs-iam-role" {
26 | #   name = "ecs-iam-role"
27 | 
28 | #   path = "/"
29 | 
30 | #   assume_role_policy = <<EOF
31 | # {
32 | #   "Version": "2012-10-17",
33 | #   "Statement": [
34 | #     {
35 | #       "Effect": "Allow",
36 | #       "Principal": {
37 | #         "Service": "ecs.amazonaws.com"
38 | #       },
39 | #       "Action": "sts:AssumeRole"
40 | #     }
41 | #   ]
42 | # }
43 | # EOF
44 | # }
45 | 
46 | resource "aws_ecs_service" "ecsservice" {
47 |   name            = "nginxservice"
48 |   cluster         = "levanecscluster"
49 | #   iam_role        = aws_iam_role.ecs-iam-role.arn
50 |   task_definition = aws_ecs_task_definition.nginxapp.arn
51 |   desired_count   = 2
52 | 
53 |   depends_on = [
54 |     aws_ecs_task_definition.nginxapp
55 |   ]
56 | }
57 | 


--------------------------------------------------------------------------------
/aws/eks-auto-mode/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   backend "s3" {
  3 |     bucket = "terraform-state-k8senv"
  4 |     key    = "eks-terraform-automode1.tfstate"
  5 |     region = "us-east-1"
  6 |   }
  7 |   required_providers {
  8 |     aws = {
  9 |       source = "hashicorp/aws"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | 
 15 | # IAM Role for EKS to have access to the appropriate resources
 16 | resource "aws_iam_role" "eks-iam-role" {
 17 |   name = "k8squickstart-eks-iam-role"
 18 | 
 19 |   path = "/"
 20 | 
 21 |   assume_role_policy = <<EOF
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Principal": {
 28 |         "Service": "eks.amazonaws.com"
 29 |       },
 30 |       "Action": "sts:AssumeRole"
 31 |     }
 32 |   ]
 33 | }
 34 | EOF
 35 | 
 36 | }
 37 | 
 38 | ## Recommended Policies For EKS Auto Mode Control Plane
 39 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 40 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 41 |   role       = aws_iam_role.eks-iam-role.name
 42 | }
 43 | 
 44 | resource "aws_iam_role_policy_attachment" "AmazonEKSBlockStoragePolicy" {
 45 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy"
 46 |   role       = aws_iam_role.eks-iam-role.name
 47 | }
 48 | resource "aws_iam_role_policy_attachment" "AmazonEKSComputePolicy" {
 49 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSComputePolicy"
 50 |   role       = aws_iam_role.eks-iam-role.name
 51 | }
 52 | resource "aws_iam_role_policy_attachment" "AmazonEKSLoadBalancingPolicy" {
 53 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy"
 54 |   role       = aws_iam_role.eks-iam-role.name
 55 | }
 56 | resource "aws_iam_role_policy_attachment" "AmazonEKSNetworkingPolicy" {
 57 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy"
 58 |   role       = aws_iam_role.eks-iam-role.name
 59 | }
 60 | 
 61 | ## EKS Worker Node Policies For Auto Mode
 62 | resource "aws_iam_role" "workernodes" {
 63 |   name = "eks-node-group-example"
 64 | 
 65 |   assume_role_policy = jsonencode({
 66 |     Statement = [{
 67 |       Action = "sts:AssumeRole"
 68 |       Effect = "Allow"
 69 |       Principal = {
 70 |         Service = "ec2.amazonaws.com"
 71 |       }
 72 |     }]
 73 |     Version = "2012-10-17"
 74 |   })
 75 | }
 76 | 
 77 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodeMinimalPolicy" {
 78 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
 79 |   role       = aws_iam_role.workernodes.name
 80 | }
 81 | 
 82 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryPullOnly" {
 83 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
 84 |   role       = aws_iam_role.workernodes.name
 85 | }
 86 | 
 87 | ## Create the EKS cluster
 88 | resource "aws_eks_cluster" "k8squickstart-eks" {
 89 |   name     = "k8squickstart-cluster"
 90 |   role_arn = aws_iam_role.eks-iam-role.arn
 91 | 
 92 | #   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
 93 |   version                   = var.k8sVersion
 94 | 
 95 |   access_config {
 96 |     authentication_mode = "API"
 97 |   }
 98 | 
 99 |   vpc_config {
100 |     subnet_ids = [var.subnet_id_1, var.subnet_id_2]
101 |   }
102 | 
103 |   compute_config {
104 |     enabled       = true
105 |     node_pools    = ["general-purpose", "system"]
106 |     node_role_arn = aws_iam_role.workernodes.arn
107 |   }
108 | 
109 |   kubernetes_network_config {
110 |     elastic_load_balancing {
111 |       enabled = true
112 |     }
113 |   }
114 | 
115 |   storage_config {
116 |     block_storage {
117 |       enabled = true
118 |     }
119 |   }
120 | 
121 |   bootstrap_self_managed_addons = false
122 | 
123 |   depends_on = [
124 |     aws_iam_role.eks-iam-role,
125 |   ]
126 | }
127 | 
128 | # # ## Worker Nodes
129 | 
130 | 
131 | # resource "aws_eks_node_group" "worker-node-group" {
132 | #   cluster_name    = aws_eks_cluster.k8squickstart-eks.name
133 | #   node_group_name = "k8squickstart-workernodes"
134 | #   node_role_arn   = aws_iam_role.workernodes.arn
135 | #   subnet_ids      = [var.subnet_id_1, var.subnet_id_2]
136 | #   instance_types = ["p2.xlarge"]
137 | 
138 | #   scaling_config {
139 | #     desired_size = var.desired_size
140 | #     max_size     = 4
141 | #     min_size     = var.min_size
142 | #   }
143 | 
144 | #   depends_on = [
145 | #     aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
146 | #     aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
147 | #     #aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
148 | #   ]
149 | # }
150 | 
151 | # resource "aws_eks_addon" "csi" {
152 | #   cluster_name = aws_eks_cluster.k8squickstart-eks.name
153 | #   addon_name   = "aws-ebs-csi-driver"
154 | # }
155 | 


--------------------------------------------------------------------------------
/aws/eks-auto-mode/roles/main.tf:
--------------------------------------------------------------------------------
 1 | # IAM Role for EKS to have access to the appropriate resources
 2 | resource "aws_iam_role" "eks-iam-role" {
 3 |   name = "k8squickstart-eks-iam-role"
 4 | 
 5 |   path = "/"
 6 | 
 7 |   assume_role_policy = <<EOF
 8 | {
 9 |   "Version": "2012-10-17",
10 |   "Statement": [
11 |     {
12 |       "Effect": "Allow",
13 |       "Principal": {
14 |         "Service": "eks.amazonaws.com"
15 |       },
16 |       "Action": "sts:AssumeRole"
17 |     }
18 |   ]
19 | }
20 | EOF
21 | 
22 | }
23 | 
24 | ## Recommended Policies For EKS Auto Mode Control Plane
25 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
26 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
27 |   role       = aws_iam_role.eks-iam-role.name
28 | }
29 | 
30 | resource "aws_iam_role_policy_attachment" "AmazonEKSBlockStoragePolicy" {
31 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy"
32 |   role       = aws_iam_role.eks-iam-role.name
33 | }
34 | resource "aws_iam_role_policy_attachment" "AmazonEKSComputePolicy" {
35 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSComputePolicy"
36 |   role       = aws_iam_role.eks-iam-role.name
37 | }
38 | resource "aws_iam_role_policy_attachment" "AmazonEKSLoadBalancingPolicy" {
39 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy"
40 |   role       = aws_iam_role.eks-iam-role.name
41 | }
42 | resource "aws_iam_role_policy_attachment" "AmazonEKSNetworkingPolicy" {
43 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy"
44 |   role       = aws_iam_role.eks-iam-role.name
45 | }
46 | 
47 | ## EKS Worker Node Policies For Auto Mode
48 | resource "aws_iam_role" "workernodes" {
49 |   name = "eks-node-group-example"
50 | 
51 |   assume_role_policy = jsonencode({
52 |     Statement = [{
53 |       Action = "sts:AssumeRole"
54 |       Effect = "Allow"
55 |       Principal = {
56 |         Service = "ec2.amazonaws.com"
57 |       }
58 |     }]
59 |     Version = "2012-10-17"
60 |   })
61 | }
62 | 
63 | # resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodeMinimalPolicy" {
64 | #   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy"
65 | #   role       = aws_iam_role.workernodes.name
66 | # }
67 | 
68 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
69 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
70 |   role       = aws_iam_role.workernodes.name
71 | }
72 | 
73 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryPullOnly" {
74 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
75 |   role       = aws_iam_role.workernodes.name
76 | }


--------------------------------------------------------------------------------
/aws/eks-auto-mode/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "subnet_id_1" {
 2 |   type = string
 3 |   default = "subnet-00eaa3ab643abea76"
 4 | }
 5 | 
 6 | variable "subnet_id_2" {
 7 |   type = string
 8 |   default = "subnet-081d97174d250cffd"
 9 | }
10 | 
11 | variable "desired_size" {
12 |   type = string
13 |   default = 2
14 | }
15 | variable "min_size" {
16 |   type = string
17 |   default = 2
18 | }
19 | 
20 | variable "k8sVersion" {
21 |   default = "1.31"
22 |   type = string
23 | }


--------------------------------------------------------------------------------
/aws/eks-bottlerocket/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   backend "s3" {
  3 |     bucket = "terraform-state-k8senv"
  4 |     key    = "eks-terraform-workernodes-bottlerocket.tfstate"
  5 |     region = "us-east-1"
  6 |   }
  7 |   required_providers {
  8 |     aws = {
  9 |       source = "hashicorp/aws"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | 
 15 | # IAM Role for EKS to have access to the appropriate resources
 16 | resource "aws_iam_role" "eks-iam-role" {
 17 |   name = "k8squickstart-eks-iam-role"
 18 | 
 19 |   path = "/"
 20 | 
 21 |   assume_role_policy = <<EOF
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Principal": {
 28 |         "Service": "eks.amazonaws.com"
 29 |       },
 30 |       "Action": "sts:AssumeRole"
 31 |     }
 32 |   ]
 33 | }
 34 | EOF
 35 | 
 36 | }
 37 | 
 38 | ## Attach the IAM policy to the IAM role
 39 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 40 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 41 |   role       = aws_iam_role.eks-iam-role.name
 42 | }
 43 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly-EKS" {
 44 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 45 |   role       = aws_iam_role.eks-iam-role.name
 46 | }
 47 | 
 48 | ## Create the EKS cluster
 49 | resource "aws_eks_cluster" "k8squickstart-eks" {
 50 |   name     = "k8squickstart-cluster"
 51 |   role_arn = aws_iam_role.eks-iam-role.arn
 52 | 
 53 |   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
 54 |   version                   = "1.24"
 55 |   vpc_config {
 56 |     subnet_ids = [var.subnet_id_1, var.subnet_id_2]
 57 |   }
 58 | 
 59 |   depends_on = [
 60 |     aws_iam_role.eks-iam-role,
 61 |   ]
 62 | }
 63 | 
 64 | ## Worker Nodes
 65 | resource "aws_iam_role" "workernodes" {
 66 |   name = "eks-node-group-example"
 67 | 
 68 |   assume_role_policy = jsonencode({
 69 |     Statement = [{
 70 |       Action = "sts:AssumeRole"
 71 |       Effect = "Allow"
 72 |       Principal = {
 73 |         Service = "ec2.amazonaws.com"
 74 |       }
 75 |     }]
 76 |     Version = "2012-10-17"
 77 |   })
 78 | }
 79 | 
 80 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
 81 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 82 |   role       = aws_iam_role.workernodes.name
 83 | }
 84 | 
 85 | resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
 86 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 87 |   role       = aws_iam_role.workernodes.name
 88 | }
 89 | 
 90 | resource "aws_iam_role_policy_attachment" "EC2InstanceProfileForImageBuilderECRContainerBuilds" {
 91 |   policy_arn = "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"
 92 |   role       = aws_iam_role.workernodes.name
 93 | }
 94 | 
 95 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
 96 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 97 |   role       = aws_iam_role.workernodes.name
 98 | }
 99 | 
100 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy-eks" {
101 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
102 |   role       = aws_iam_role.workernodes.name
103 | }
104 | 
105 | resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
106 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
107 |   role       = aws_iam_role.workernodes.name
108 | }
109 | 
110 | resource "aws_eks_node_group" "worker-node-group" {
111 |   cluster_name    = aws_eks_cluster.k8squickstart-eks.name
112 |   ami_type        = var.AMI
113 |   node_group_name = "k8squickstart-workernodes"
114 |   node_role_arn   = aws_iam_role.workernodes.arn
115 |   subnet_ids      = [var.subnet_id_1, var.subnet_id_2]
116 |   instance_types  = ["t3.xlarge"]
117 | 
118 |   scaling_config {
119 |     desired_size = var.desired_size
120 |     max_size     = 4
121 |     min_size     = var.min_size
122 |   }
123 | 
124 |   depends_on = [
125 |     aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
126 |     aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
127 |     #aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
128 |   ]
129 | }
130 | 
131 | resource "aws_eks_addon" "csi" {
132 |   cluster_name = aws_eks_cluster.k8squickstart-eks.name
133 |   addon_name   = "aws-ebs-csi-driver"
134 | }
135 | 


--------------------------------------------------------------------------------
/aws/eks-bottlerocket/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "subnet_id_1" {
 2 |   type = string
 3 |   default = "subnet-00eaa3ab643abea76"
 4 | }
 5 | 
 6 | variable "subnet_id_2" {
 7 |   type = string
 8 |   default = "subnet-081d97174d250cffd"
 9 | }
10 | 
11 | variable "AMI" {
12 |   type = string
13 |   default = "BOTTLEROCKET_x86_64"
14 | }
15 | 
16 | variable "desired_size" {
17 |   type = string
18 |   default = 1
19 | }
20 | variable "min_size" {
21 |   type = string
22 |   default = 1
23 | }


--------------------------------------------------------------------------------
/aws/eks-fargate/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   backend "s3" {
  3 |     bucket = "terraform-state-k8senv"
  4 |     key    = "eks-terraform.tfstate"
  5 |     region = "us-east-1"
  6 |   }
  7 |   required_providers {
  8 |     aws = {
  9 |       source = "hashicorp/aws"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | 
 15 | # IAM Role for EKS to have access to the appropriate resources
 16 | resource "aws_iam_role" "eks-iam-role" {
 17 |   name = "k8senv-eks-iam-role"
 18 | 
 19 |   path = "/"
 20 | 
 21 |   assume_role_policy = <<EOF
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Principal": {
 28 |         "Service": "eks.amazonaws.com"
 29 |       },
 30 |       "Action": "sts:AssumeRole"
 31 |     }
 32 |   ]
 33 | }
 34 | EOF
 35 | 
 36 | }
 37 | 
 38 | ## Attach the IAM policy to the IAM role
 39 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 40 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 41 |   role       = aws_iam_role.eks-iam-role.name
 42 | }
 43 | 
 44 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy-eks" {
 45 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
 46 |   role       = aws_iam_role.eks-iam-role.name
 47 | }
 48 | 
 49 | ## Create the EKS cluster
 50 | resource "aws_eks_cluster" "k8senv-eks" {
 51 |   name = "k8senv-cluster"
 52 |   role_arn = aws_iam_role.eks-iam-role.arn
 53 | 
 54 |   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
 55 | 
 56 |   vpc_config {
 57 |     subnet_ids = [var.subnet_id_1, var.subnet_id_2]
 58 |   }
 59 | 
 60 |   depends_on = [
 61 |     aws_iam_role.eks-iam-role,
 62 |   ]
 63 | }
 64 | 
 65 | 
 66 | resource "aws_iam_role" "eks-fargate" {
 67 |   name = "eks-fargate-k8senv"
 68 | 
 69 |   assume_role_policy = jsonencode({
 70 |     Statement = [{
 71 |       Action = "sts:AssumeRole"
 72 |       Effect = "Allow"
 73 |       Principal = {
 74 |         Service = "eks-fargate-pods.amazonaws.com"
 75 |       }
 76 |     }]
 77 |     Version = "2012-10-17"
 78 |   })
 79 | }
 80 | 
 81 | resource "aws_iam_role_policy_attachment" "AmazonEKSFargatePodExecutionRolePolicy" {
 82 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
 83 |   role       = aws_iam_role.eks-fargate.name
 84 | }
 85 | 
 86 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy-fargate" {
 87 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 88 |   role       = aws_iam_role.eks-fargate.name
 89 | }
 90 | 
 91 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy" {
 92 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
 93 |   role       = aws_iam_role.eks-fargate.name
 94 | }
 95 | 
 96 | resource "aws_eks_fargate_profile" "k8senv-eks-serverless" {
 97 |   cluster_name           = aws_eks_cluster.k8senv-eks.name
 98 |   fargate_profile_name   = "k8senv-serverless-eks"
 99 |   pod_execution_role_arn = aws_iam_role.eks-fargate.arn
100 |   subnet_ids             = [var.private_subnet_id_1]
101 | 
102 |   selector {
103 |     namespace = "default"
104 |   }
105 | }


--------------------------------------------------------------------------------
/aws/eks-fargate/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "subnet_id_1" {
 2 |   type = string
 3 |   default = "subnet-00eaa3ab643abea76"
 4 | }
 5 | 
 6 | variable "subnet_id_2" {
 7 |   type = string
 8 |   default = "subnet-081d97174d250cffd"
 9 | }
10 | 
11 | variable "private_subnet_id_1" {
12 |   type = string
13 |   default = "subnet-05af3ab0479a38e85"
14 | }


--------------------------------------------------------------------------------
/aws/eks-private-cluster/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   backend "s3" {
  3 |     bucket = "terraform-state-k8senv"
  4 |     key    = "eks-terraform-workernodes.tfstate"
  5 |     region = "us-east-1"
  6 |   }
  7 |   required_providers {
  8 |     aws = {
  9 |       source = "hashicorp/aws"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | 
 15 | # IAM Role for EKS to have access to the appropriate resources
 16 | resource "aws_iam_role" "eks-iam-role" {
 17 |   name = "k8squickstart-eks-iam-role"
 18 | 
 19 |   path = "/"
 20 | 
 21 |   assume_role_policy = <<EOF
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Principal": {
 28 |         "Service": "eks.amazonaws.com"
 29 |       },
 30 |       "Action": "sts:AssumeRole"
 31 |     }
 32 |   ]
 33 | }
 34 | EOF
 35 | 
 36 | }
 37 | 
 38 | ## Attach the IAM policy to the IAM role
 39 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 40 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 41 |   role       = aws_iam_role.eks-iam-role.name
 42 | }
 43 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly-EKS" {
 44 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 45 |   role       = aws_iam_role.eks-iam-role.name
 46 | }
 47 | 
 48 | ## Create the EKS cluster
 49 | resource "aws_eks_cluster" "k8squickstart-eks" {
 50 |   name     = "k8squickstart-cluster"
 51 |   role_arn = aws_iam_role.eks-iam-role.arn
 52 | 
 53 |   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
 54 |   version                   = "1.25"
 55 | 
 56 |   vpc_config {
 57 |     endpoint_private_access = true
 58 |     endpoint_public_access  = false
 59 |     public_access_cidrs = [
 60 |       "0.0.0.0/0",
 61 |     ]
 62 | 
 63 |     subnet_ids = [var.private_subnet_id_1, var.private_subnet_id_2]
 64 |   }
 65 | 
 66 |   depends_on = [
 67 |     aws_iam_role.eks-iam-role,
 68 |   ]
 69 | }
 70 | 
 71 | ## Worker Nodes
 72 | resource "aws_iam_role" "workernodes" {
 73 |   name = "eks-node-group-example"
 74 | 
 75 |   assume_role_policy = jsonencode({
 76 |     Statement = [{
 77 |       Action = "sts:AssumeRole"
 78 |       Effect = "Allow"
 79 |       Principal = {
 80 |         Service = "ec2.amazonaws.com"
 81 |       }
 82 |     }]
 83 |     Version = "2012-10-17"
 84 |   })
 85 | }
 86 | 
 87 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
 88 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 89 |   role       = aws_iam_role.workernodes.name
 90 | }
 91 | 
 92 | resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
 93 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 94 |   role       = aws_iam_role.workernodes.name
 95 | }
 96 | 
 97 | resource "aws_iam_role_policy_attachment" "EC2InstanceProfileForImageBuilderECRContainerBuilds" {
 98 |   policy_arn = "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"
 99 |   role       = aws_iam_role.workernodes.name
100 | }
101 | 
102 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
103 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
104 |   role       = aws_iam_role.workernodes.name
105 | }
106 | 
107 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy-eks" {
108 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
109 |   role       = aws_iam_role.workernodes.name
110 | }
111 | 
112 | resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
113 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
114 |   role       = aws_iam_role.workernodes.name
115 | }
116 | resource "aws_eks_node_group" "worker-node-group" {
117 |   cluster_name    = aws_eks_cluster.k8squickstart-eks.name
118 |   node_group_name = "k8squickstart-workernodes"
119 |   node_role_arn   = aws_iam_role.workernodes.arn
120 |   subnet_ids      = [var.private_subnet_id_1, var.private_subnet_id_2]
121 |   instance_types  = ["t3.xlarge"]
122 | 
123 |   scaling_config {
124 |     desired_size = var.desired_size
125 |     max_size     = 4
126 |     min_size     = var.min_size
127 |   }
128 | 
129 |   depends_on = [
130 |     aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
131 |     aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
132 |     #aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
133 |   ]
134 | }
135 | 
136 | resource "aws_eks_addon" "csi" {
137 |   cluster_name = aws_eks_cluster.k8squickstart-eks.name
138 |   addon_name   = "aws-ebs-csi-driver"
139 | }
140 | 


--------------------------------------------------------------------------------
/aws/eks-private-cluster/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "private_subnet_id_1" {
 2 |   type = string
 3 |   default = "subnet-0fe1b0e51b1b06de8"
 4 | }
 5 | 
 6 | variable "private_subnet_id_2" {
 7 |   type = string
 8 |   default = "subnet-05af3ab0479a38e85"
 9 | }
10 | 
11 | variable "desired_size" {
12 |   type = string
13 |   default = 1
14 | }
15 | variable "min_size" {
16 |   type = string
17 |   default = 1
18 | }


--------------------------------------------------------------------------------
/aws/eks-with-cilium-cni/cilium/helm.md:
--------------------------------------------------------------------------------
 1 | helm repo add cilium https://helm.cilium.io/
 2 | 
 3 |   helm install cilium cilium/cilium \
 4 |   --namespace kube-system \
 5 |   --set eni.enabled=true \
 6 |   --set ipam.mode=eni \
 7 |   --set egressMasqueradeInterfaces=eth0 \
 8 |   --set tunnel=disabled \
 9 |   --set nodeinit.enabled=true \
10 |   --set kubeProxyReplacement=strict
11 | 
12 |   
13 | 
14 | kubectl delete daemonset kube-proxy -n kube-system
15 | 


--------------------------------------------------------------------------------
/aws/eks-with-cilium-cni/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   backend "s3" {
  3 |     bucket = "terraform-state-k8senv"
  4 |     key    = "eks-terraform-workernodes.tfstate"
  5 |     region = "us-east-1"
  6 |   }
  7 |   required_providers {
  8 |     aws = {
  9 |       source = "hashicorp/aws"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | 
 15 | # IAM Role for EKS to have access to the appropriate resources
 16 | resource "aws_iam_role" "eks-iam-role" {
 17 |   name = "k8squickstart-eks-iam-role"
 18 | 
 19 |   path = "/"
 20 | 
 21 |   assume_role_policy = <<EOF
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Principal": {
 28 |         "Service": "eks.amazonaws.com"
 29 |       },
 30 |       "Action": "sts:AssumeRole"
 31 |     }
 32 |   ]
 33 | }
 34 | EOF
 35 | 
 36 | }
 37 | 
 38 | ## Attach the IAM policy to the IAM role
 39 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 40 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 41 |   role       = aws_iam_role.eks-iam-role.name
 42 | }
 43 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly-EKS" {
 44 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 45 |   role       = aws_iam_role.eks-iam-role.name
 46 | }
 47 | 
 48 | ## Create the EKS cluster
 49 | resource "aws_eks_cluster" "k8squickstart-eks" {
 50 |   name = "k8squickstart-cluster"
 51 |   role_arn = aws_iam_role.eks-iam-role.arn
 52 | 
 53 |   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
 54 |   version = "1.25"
 55 |   vpc_config {
 56 |     subnet_ids = [var.subnet_id_1, var.subnet_id_2]
 57 |   }
 58 | 
 59 |   depends_on = [
 60 |     aws_iam_role.eks-iam-role,
 61 |   ]
 62 | }
 63 | 
 64 | ## Worker Nodes
 65 | resource "aws_iam_role" "workernodes" {
 66 |   name = "eks-node-group-example"
 67 | 
 68 |   assume_role_policy = jsonencode({
 69 |     Statement = [{
 70 |       Action = "sts:AssumeRole"
 71 |       Effect = "Allow"
 72 |       Principal = {
 73 |         Service = "ec2.amazonaws.com"
 74 |       }
 75 |     }]
 76 |     Version = "2012-10-17"
 77 |   })
 78 | }
 79 | 
 80 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
 81 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 82 |   role       = aws_iam_role.workernodes.name
 83 | }
 84 | 
 85 | resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
 86 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 87 |   role       = aws_iam_role.workernodes.name
 88 | }
 89 | 
 90 | resource "aws_iam_role_policy_attachment" "EC2InstanceProfileForImageBuilderECRContainerBuilds" {
 91 |   policy_arn = "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"
 92 |   role       = aws_iam_role.workernodes.name
 93 | }
 94 | 
 95 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
 96 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 97 |   role       = aws_iam_role.workernodes.name
 98 | }
 99 | 
100 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy-eks" {
101 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
102 |   role       = aws_iam_role.workernodes.name
103 | }
104 | 
105 | resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
106 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
107 |   role       = aws_iam_role.workernodes.name
108 | }
109 | resource "aws_eks_node_group" "worker-node-group" {
110 |   cluster_name    = aws_eks_cluster.k8squickstart-eks.name
111 |   node_group_name = "k8squickstart-workernodes"
112 |   node_role_arn   = aws_iam_role.workernodes.arn
113 |   subnet_ids      = [var.subnet_id_1, var.subnet_id_2]
114 |   instance_types = ["t3.xlarge"]
115 | 
116 |   scaling_config {
117 |     desired_size = var.desired_size
118 |     max_size     = 4
119 |     min_size     = var.min_size
120 |   }
121 | 
122 |   depends_on = [
123 |     aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
124 |     aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
125 |     #aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
126 |   ]
127 | }
128 | 
129 | resource "aws_eks_addon" "csi" {
130 |   cluster_name = aws_eks_cluster.k8squickstart-eks.name
131 |   addon_name   = "aws-ebs-csi-driver"
132 | }


--------------------------------------------------------------------------------
/aws/eks-with-cilium-cni/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "subnet_id_1" {
 2 |   type = string
 3 |   default = "subnet-00eaa3ab643abea76"
 4 | }
 5 | 
 6 | variable "subnet_id_2" {
 7 |   type = string
 8 |   default = "subnet-081d97174d250cffd"
 9 | }
10 | 
11 | variable "desired_size" {
12 |   type = string
13 |   default = 3
14 | }
15 | variable "min_size" {
16 |   type = string
17 |   default = 3
18 | }


--------------------------------------------------------------------------------
/aws/eks/main.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   backend "s3" {
  3 |     bucket = "terraform-state-k8senv"
  4 |     key    = "eks-terraform-workernodes.tfstate"
  5 |     region = "us-east-1"
  6 |   }
  7 |   required_providers {
  8 |     aws = {
  9 |       source = "hashicorp/aws"
 10 |     }
 11 |   }
 12 | }
 13 | 
 14 | 
 15 | # IAM Role for EKS to have access to the appropriate resources
 16 | resource "aws_iam_role" "eks-iam-role" {
 17 |   name = "k8squickstart-eks-iam-role"
 18 | 
 19 |   path = "/"
 20 | 
 21 |   assume_role_policy = <<EOF
 22 | {
 23 |   "Version": "2012-10-17",
 24 |   "Statement": [
 25 |     {
 26 |       "Effect": "Allow",
 27 |       "Principal": {
 28 |         "Service": "eks.amazonaws.com"
 29 |       },
 30 |       "Action": "sts:AssumeRole"
 31 |     }
 32 |   ]
 33 | }
 34 | EOF
 35 | 
 36 | }
 37 | 
 38 | ## Attach the IAM policy to the IAM role
 39 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 40 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 41 |   role       = aws_iam_role.eks-iam-role.name
 42 | }
 43 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly-EKS" {
 44 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 45 |   role       = aws_iam_role.eks-iam-role.name
 46 | }
 47 | 
 48 | ## Create the EKS cluster
 49 | resource "aws_eks_cluster" "k8squickstart-eks" {
 50 |   name = "k8squickstart-cluster"
 51 |   role_arn = aws_iam_role.eks-iam-role.arn
 52 | 
 53 |   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
 54 |   version = var.k8sVersion
 55 |   vpc_config {
 56 |     subnet_ids = [var.subnet_id_1, var.subnet_id_2]
 57 |   }
 58 | 
 59 |   depends_on = [
 60 |     aws_iam_role.eks-iam-role,
 61 |   ]
 62 | }
 63 | 
 64 | ## Worker Nodes
 65 | resource "aws_iam_role" "workernodes" {
 66 |   name = "eks-node-group-example"
 67 | 
 68 |   assume_role_policy = jsonencode({
 69 |     Statement = [{
 70 |       Action = "sts:AssumeRole"
 71 |       Effect = "Allow"
 72 |       Principal = {
 73 |         Service = "ec2.amazonaws.com"
 74 |       }
 75 |     }]
 76 |     Version = "2012-10-17"
 77 |   })
 78 | }
 79 | 
 80 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
 81 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 82 |   role       = aws_iam_role.workernodes.name
 83 | }
 84 | 
 85 | resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
 86 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 87 |   role       = aws_iam_role.workernodes.name
 88 | }
 89 | 
 90 | resource "aws_iam_role_policy_attachment" "EC2InstanceProfileForImageBuilderECRContainerBuilds" {
 91 |   policy_arn = "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds"
 92 |   role       = aws_iam_role.workernodes.name
 93 | }
 94 | 
 95 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
 96 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 97 |   role       = aws_iam_role.workernodes.name
 98 | }
 99 | 
100 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy-eks" {
101 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
102 |   role       = aws_iam_role.workernodes.name
103 | }
104 | 
105 | resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
106 |   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
107 |   role       = aws_iam_role.workernodes.name
108 | }
109 | resource "aws_eks_node_group" "worker-node-group" {
110 |   cluster_name    = aws_eks_cluster.k8squickstart-eks.name
111 |   node_group_name = "k8squickstart-workernodes"
112 |   node_role_arn   = aws_iam_role.workernodes.arn
113 |   subnet_ids      = [var.subnet_id_1, var.subnet_id_2]
114 |   instance_types = ["t3.2xlarge"]
115 | 
116 |   scaling_config {
117 |     desired_size = var.desired_size
118 |     max_size     = 4
119 |     min_size     = var.min_size
120 |   }
121 | 
122 |   depends_on = [
123 |     aws_iam_role_policy_attachment.AmazonEKSWorkerNodePolicy,
124 |     aws_iam_role_policy_attachment.AmazonEKS_CNI_Policy,
125 |     #aws_iam_role_policy_attachment.AmazonEC2ContainerRegistryReadOnly,
126 |   ]
127 | }
128 | 
129 | resource "aws_eks_addon" "csi" {
130 |   cluster_name = aws_eks_cluster.k8squickstart-eks.name
131 |   addon_name   = "aws-ebs-csi-driver"
132 | }


--------------------------------------------------------------------------------
/aws/eks/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "subnet_id_1" {
 2 |   type = string
 3 |   default = "subnet-00eaa3ab643abea76"
 4 | }
 5 | 
 6 | variable "subnet_id_2" {
 7 |   type = string
 8 |   default = "subnet-081d97174d250cffd"
 9 | }
10 | 
11 | variable "desired_size" {
12 |   type = string
13 |   default = 3
14 | }
15 | variable "min_size" {
16 |   type = string
17 |   default = 3
18 | }
19 | 
20 | variable "k8sVersion" {
21 |   default = "1.29"
22 |   type = string
23 | }


--------------------------------------------------------------------------------
/azure/aks-calico/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     azurerm = {
 4 |       source  = "hashicorp/azurerm"
 5 |       version = ">= 3.0.0"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "azurerm" {
11 |   features {}
12 | }
13 | 
14 | resource "azurerm_kubernetes_cluster" "k8squickstart" {
15 |   name                = var.name
16 |   location            = var.location
17 |   resource_group_name = var.resource_group_name
18 |   dns_prefix          = "${var.name}-dns01"
19 | 
20 |   network_profile {
21 |   network_plugin = "azure"
22 |   network_policy = "cilium" # you can also choose "calico"
23 |   network_plugin_mode = "Overlay"
24 |   ebpf_data_plane = "cilium"
25 | }
26 | 
27 |   default_node_pool {
28 |     name       = "default"
29 |     node_count = var.node_count
30 |     vm_size    = "Standard_A2_v2"
31 |   }
32 | 
33 |   identity {
34 |     type = "SystemAssigned"
35 |   }
36 | 
37 |   tags = {
38 |     Environment = "Production"
39 |   }
40 | }


--------------------------------------------------------------------------------
/azure/aks-calico/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type = string
 3 |   default = "aksenvironment01"
 4 | }
 5 | 
 6 | variable "resource_group_name" {
 7 |   type = string
 8 |   default = "devrelasaservice"
 9 | }
10 | 
11 | variable "location" {
12 |   type = string
13 |   default = "eastus"
14 | }
15 | 
16 | variable "node_count" {
17 |   type = string
18 |   default = 3
19 | }


--------------------------------------------------------------------------------
/azure/aks-cilium/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     azurerm = {
 4 |       source  = "hashicorp/azurerm"
 5 |       version = ">= 3.0.0"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "azurerm" {
11 |   features {}
12 | }
13 | 
14 | resource "azurerm_kubernetes_cluster" "k8squickstart" {
15 |   name                = var.name
16 |   location            = var.location
17 |   resource_group_name = var.resource_group_name
18 |   dns_prefix          = "${var.name}-dns01"
19 | 
20 |   network_profile {
21 |   network_plugin = "azure"
22 |   network_policy = "cilium"
23 | }
24 | 
25 |   default_node_pool {
26 |     name       = "default"
27 |     node_count = var.node_count
28 |     vm_size    = "Standard_A2_v2"
29 |   }
30 | 
31 |   identity {
32 |     type = "SystemAssigned"
33 |   }
34 | 
35 |   tags = {
36 |     Environment = "Production"
37 |   }
38 | }


--------------------------------------------------------------------------------
/azure/aks-cilium/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type = string
 3 |   default = "aksenvironment01"
 4 | }
 5 | 
 6 | variable "resource_group_name" {
 7 |   type = string
 8 |   default = "devrelasaservice"
 9 | }
10 | 
11 | variable "location" {
12 |   type = string
13 |   default = "eastus"
14 | }
15 | 
16 | variable "node_count" {
17 |   type = string
18 |   default = 1
19 | }


--------------------------------------------------------------------------------
/azure/aks-rbac-enabled/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     azurerm = {
 4 |       source  = "hashicorp/azurerm"
 5 |       version = "=3.0.0"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "azurerm" {
11 |   features {}
12 | }
13 | 
14 | resource "azurerm_kubernetes_cluster" "k8squickstart" {
15 |   name                = var.name
16 |   location            = var.location
17 |   resource_group_name = var.resource_group_name
18 |   dns_prefix          = "${var.name}-dns01"
19 | 
20 |   default_node_pool {
21 |     name       = "default"
22 |     node_count = var.node_count
23 |     vm_size    = "Standard_A2_v2"
24 |   }
25 | 
26 |   identity {
27 |     type = "SystemAssigned"
28 |   }
29 | 
30 |   azure_active_directory_role_based_access_control {
31 |     managed = true
32 |     azure_rbac_enabled     = true
33 |   }
34 | 
35 |   tags = {
36 |     Environment = "Production"
37 |   }
38 | }


--------------------------------------------------------------------------------
/azure/aks-rbac-enabled/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type = string
 3 |   default = "aksenvironment01"
 4 | }
 5 | 
 6 | variable "resource_group_name" {
 7 |   type = string
 8 |   default = "devrelasaservice"
 9 | }
10 | 
11 | variable "location" {
12 |   type = string
13 |   default = "eastus"
14 | }
15 | 
16 | variable "node_count" {
17 |   type = string
18 |   default = 1
19 | }


--------------------------------------------------------------------------------
/azure/aks-with-virtual-kubelet/instructions.md:
--------------------------------------------------------------------------------
 1 | After you deploy AKS, you'll need to add the virtual-kubelet add-on. To do that:
 2 | 
 3 | 1. Run the following command to connect to the AKS cluster from a terminal:
 4 | ```
 5 | az aks get-credentials --name aksenvironment-vkubelet-01 --resource-group resource_group_name
 6 | ```
 7 | 
 8 | 1. Add a new subnet to the AKS vNet. If you don't, you'll see an error similar to the below:
 9 | ```
10 | got HTTP response status code 400 error code \"SubnetDelegationsCannotChangeWhenSubnetUsedByResource\": Delegations of subnet cannot be changed from [] to [Microsoft.ContainerInstance/containerGroups] because it is being used by the resource
11 | ```
12 | 
13 | 2. Run the `enable-addons` command:
14 | ```
15 | az aks enable-addons --name aksenvironment-vkubelet-01 --resource-group resource_group_name --addons virtual-node --subnet-name akssubnetvkube
16 | ```


--------------------------------------------------------------------------------
/azure/aks-with-virtual-kubelet/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     azurerm = {
 4 |       source  = "hashicorp/azurerm"
 5 |       version = "=3.0.0"
 6 |     }
 7 |   }
 8 | }
 9 | 
10 | provider "azurerm" {
11 |   features {}
12 | }
13 | 
14 | resource "azurerm_virtual_network" "aksnet" {
15 |   name                = "aksnet"
16 |   address_space       = ["192.168.0.0/16"]
17 |   location            = var.location
18 |   resource_group_name = var.resource_group_name
19 | }
20 | 
21 | resource "azurerm_subnet" "akssubnet" {
22 |   name                 = "akssubnet01"
23 |   resource_group_name  = var.resource_group_name
24 |   virtual_network_name = azurerm_virtual_network.aksnet.name
25 |   address_prefixes     = ["192.168.1.0/24"]
26 | }
27 | 
28 | resource "azurerm_subnet" "akssubnet-vkube" {
29 |   name                 = "akssubnetvkube"
30 |   resource_group_name  = var.resource_group_name
31 |   virtual_network_name = azurerm_virtual_network.aksnet.name
32 |   address_prefixes     = ["192.168.100.0/24"]
33 | }
34 | 
35 | resource "azurerm_kubernetes_cluster" "k8squickstart" {
36 |   name                = var.name
37 |   location            = var.location
38 |   resource_group_name = var.resource_group_name
39 |   dns_prefix          = "${var.name}-dns01"
40 | 
41 |   network_profile {
42 |     network_plugin = "azure"
43 |   }
44 | 
45 |   default_node_pool {
46 |     name       = "default"
47 |     node_count = var.node_count
48 |     vm_size    = "Standard_A2_v2"
49 |     vnet_subnet_id = azurerm_subnet.akssubnet.id
50 |   }
51 | 
52 |   identity {
53 |     type = "SystemAssigned"
54 |   }
55 | 
56 |   tags = {
57 |     Environment = "Production"
58 |   }
59 | }


--------------------------------------------------------------------------------
/azure/aks-with-virtual-kubelet/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type = string
 3 |   default = "aksenvironment-vkubelet-01"
 4 | }
 5 | 
 6 | variable "resource_group_name" {
 7 |   type = string
 8 |   default = "devrelasaservice"
 9 | }
10 | 
11 | variable "location" {
12 |   type = string
13 |   default = "eastus"
14 | }
15 | 
16 | variable "node_count" {
17 |   type = string
18 |   default = 3
19 | }


--------------------------------------------------------------------------------
/azure/aks/Wasm/wasm.sh:
--------------------------------------------------------------------------------
 1 | clusterName=aksenvironment01
 2 | resourceGroup=devrelasaservice
 3 | wasmNodePool=wasmnodepool
 4 | 
 5 | az aks nodepool add \
 6 |     --resource-group $resourceGroup \
 7 |     --cluster-name $clusterName \
 8 |     --name $wasmNodePool \
 9 |     --node-count 2 \
10 |     --workload-runtime WasmWasi 


--------------------------------------------------------------------------------
/azure/aks/kubernetes_export_sa.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -e
  3 | set -o pipefail
  4 | 
  5 | # Add user to k8s using service account, no RBAC (must create RBAC after this script)
  6 | if [[ -z "$1" ]] || [[ -z "$2" ]] || [[ -z "$2" ]]; then
  7 |  echo "usage: $0 <service_account_name> <namespace>"
  8 |  echo "ex: sh ./kubeconfig-exporter/kubernetes_export_sa.sh cd-user cd-user"
  9 |  exit 1
 10 | fi
 11 | 
 12 | SERVICE_ACCOUNT_NAME=$1
 13 | NAMESPACE="$2"
 14 | KUBECFG_FILE_NAME="tmp/k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf-${RANDOM}.conf"
 15 | TARGET_FOLDER="tmp/"
 16 | SERVER_URL=""
 17 | TOKEN=""
 18 | 
 19 | create_cluster_role_binding(){
 20 |    echo -e "\\nCreating cluster role binding of name ${SERVICE_ACCOUNT_NAME} with clusterRole cluster-admin" 
 21 |    kubectl apply -f - <<EOF
 22 | apiVersion: v1
 23 | kind: Namespace
 24 | metadata:
 25 |   name: devtroncd
 26 | ---
 27 | apiVersion: rbac.authorization.k8s.io/v1
 28 | kind: ClusterRoleBinding
 29 | metadata:
 30 |   name: $SERVICE_ACCOUNT_NAME
 31 | roleRef:
 32 |   apiGroup: rbac.authorization.k8s.io
 33 |   kind: ClusterRole
 34 |   name: cluster-admin
 35 | subjects:
 36 |   - kind: ServiceAccount
 37 |     name: $SERVICE_ACCOUNT_NAME
 38 |     namespace: devtroncd
 39 | EOF
 40 | echo "cluster rolebinding created"
 41 | }
 42 | 
 43 | create_target_folder() {
 44 |     echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..."
 45 |     mkdir -p "${TARGET_FOLDER}"
 46 |     printf "done"
 47 | }
 48 | 
 49 | create_service_account() {
 50 |     echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}"
 51 |     kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}"
 52 | }
 53 | 
 54 | create_serviceaccount_token(){
 55 |     echo -e "\\nCreating service account token in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}\n"
 56 | 
 57 |     TOKEN=$(kubectl create token "${SERVICE_ACCOUNT_NAME}" -n "${NAMESPACE}")
 58 | }
 59 | 
 60 | create_secret(){
 61 |     echo -e "creating secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
 62 |     kubectl apply -n "${NAMESPACE}" -f - <<EOF
 63 | apiVersion: v1
 64 | kind: Secret
 65 | metadata:
 66 |   name: $SERVICE_ACCOUNT_NAME
 67 |   annotations:
 68 |     kubernetes.io/service-account.name: $SERVICE_ACCOUNT_NAME
 69 | type: kubernetes.io/service-account-token
 70 | EOF
 71 | echo "secret created"
 72 | }
 73 | 
 74 | get_secret_name_from_secret() {
 75 |     echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
 76 |     SECRET_NAME=$(kubectl get secret "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o=jsonpath={.metadata.name})
 77 |     echo "Secret name: ${SECRET_NAME}"
 78 |  }
 79 | 
 80 | get_secret_name_from_service_account() {
 81 |     echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
 82 |     SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o=jsonpath='{.secrets[*].name}')
 83 |     echo "Secret name: ${SECRET_NAME}"
 84 | }
 85 | 
 86 | extract_ca_crt_from_secret() {
 87 |     echo -e -n "\\nExtracting ca.crt from secret..."
 88 |     kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o=jsonpath="{.data.ca\.crt}"| base64 --decode > "${TARGET_FOLDER}/ca.crt"
 89 |     printf "done"
 90 | }
 91 | 
 92 | get_user_token_from_secret() {
 93 |     echo -e -n "\\nGetting user token from secret..."
 94 |     TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o=jsonpath={.data.token}|base64 --decode)
 95 |     printf "done"
 96 | }
 97 | 
 98 | set_kube_config_values() {
 99 |     context=$(kubectl config current-context)
100 |     echo -e "\\nSetting current context to: $context"
101 | 
102 |     CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
103 |     echo "Cluster name: ${CLUSTER_NAME}"
104 | 
105 |    SERVER_URL=$(kubectl config view \
106 |     -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
107 | 
108 | 
109 |     # Set up the config
110 |     echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
111 |     echo -n "Setting a cluster entry in kubeconfig..."
112 |     kubectl config set-cluster "${CLUSTER_NAME}" \
113 |     --kubeconfig="${KUBECFG_FILE_NAME}" \
114 |     --server="${SERVER_URL}" \
115 |     --certificate-authority="${TARGET_FOLDER}/ca.crt" \
116 |     --embed-certs=true
117 | 
118 |     echo -n "Setting token credentials entry in kubeconfig..."
119 |     kubectl config set-credentials \
120 |     "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
121 |     --kubeconfig="${KUBECFG_FILE_NAME}" \
122 |     --token="${TOKEN}"
123 | 
124 |     echo -n "Setting a context entry in kubeconfig..."
125 |         kubectl config set-context \
126 |     "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
127 |     --kubeconfig="${KUBECFG_FILE_NAME}" \
128 |     --cluster="${CLUSTER_NAME}" \
129 |     --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
130 |     --namespace="${NAMESPACE}"
131 | 
132 |     echo -n "Setting the current-context in the kubeconfig file..."
133 |     kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
134 |     --kubeconfig="${KUBECFG_FILE_NAME}"
135 | }
136 | 
137 | 
138 | CLIENT_VERSION=$(kubectl version --client | awk '/Client Version: /{print $3}'| cut -d '.' -f 2)
139 | echo "$CLIENT_VERSION"
140 | if [[ $CLIENT_VERSION -gt 27 ]]
141 | then 
142 |     VERSION=$(kubectl version | awk '/Server Version: /{print $3}' | cut -d '.' -f 2 )
143 |     VERSION=$(expr $VERSION)
144 | else
145 |     VERSION=$(kubectl version --short | awk '/Server Version: /{print $3}' | cut -d '.' -f 2 )
146 |     VERSION=$(expr $VERSION)
147 | fi
148 | 
149 | if [[ $VERSION -ge 24 ]]
150 | then
151 |  create_target_folder
152 |  create_cluster_role_binding
153 |  create_service_account
154 |  create_secret
155 |  get_secret_name_from_secret
156 |  extract_ca_crt_from_secret
157 |  get_user_token_from_secret
158 |  set_kube_config_values
159 | else
160 |  create_target_folder
161 |  create_cluster_role_binding
162 |  create_service_account
163 |  get_secret_name_from_service_account
164 |  extract_ca_crt_from_secret
165 |  get_user_token_from_secret
166 |  set_kube_config_values
167 | fi 
168 | 
169 | echo -e "\\nAll done! Test with:"
170 | echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods"
171 | echo "you should not have any permissions by default - you have just created the authentication part"
172 | echo "You will need to create RBAC permissions"
173 | echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "
174 | echo "SERVER URL := ${SERVER_URL} "
175 | echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "
176 | echo "BEARER TOKEN := ${TOKEN} "
177 | echo "- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "
178 | 
179 | KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods
180 | 


--------------------------------------------------------------------------------
/azure/aks/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     azurerm = {
 4 |       source  = "hashicorp/azurerm"
 5 |     }
 6 |   }
 7 | }
 8 | 
 9 | provider "azurerm" {
10 |   features {}
11 | }
12 | 
13 | resource "azurerm_kubernetes_cluster" "k8squickstart" {
14 |   name                = var.name
15 |   location            = var.location
16 |   resource_group_name = var.resource_group_name
17 |   dns_prefix          = "${var.name}-dns01"
18 | 
19 |   kubernetes_version = var.k8s_version
20 | 
21 |   
22 |   network_profile {
23 |   network_plugin = "azure"
24 |   network_policy = "azure"
25 | }
26 | 
27 |   default_node_pool {
28 |     name       = "default"
29 |     node_count = var.node_count
30 |     vm_size    = "Standard_A2_v2"
31 |     
32 |   }
33 | 
34 |   identity {
35 |     type = "SystemAssigned"
36 |   }
37 | 
38 |   tags = {
39 |     Environment = "Production"
40 |   }
41 | }


--------------------------------------------------------------------------------
/azure/aks/startcluster.ps1:
--------------------------------------------------------------------------------
 1 | function startCluster {
 2 |     param (
 3 |         [string]$clusterName,
 4 |         [string]$resourceGroupName
 5 |     )
 6 | 
 7 |     begin {
 8 |         $azShow = az account show
 9 | 
10 |         if ($azShow -like $null) {
11 |             Write-Error "you are not logged into the AZ CLI."
12 |             $option = Read-Host "Would you like to log in? 1 for yes or 2 for no"
13 |         }
14 | 
15 |         switch ($option) {
16 |             '1' { az login }
17 |             '2' {exit}
18 |         }
19 |     }
20 | 
21 |     process {
22 |         az aks start `
23 |         --name $clusterName `
24 |         --resource-group $resourceGroupName
25 |     }
26 | 
27 |     end {
28 | 
29 |     }
30 | }


--------------------------------------------------------------------------------
/azure/aks/stopcluster.ps1:
--------------------------------------------------------------------------------
 1 | function stopCluster {
 2 |     param (
 3 |         [string]$clusterName,
 4 |         [string]$resourceGroupName
 5 |     )
 6 | 
 7 |     begin {
 8 |         $azShow = az account show
 9 | 
10 |         if ($azShow -like $null) {
11 |             Write-Error "you are not logged into the AZ CLI."
12 |             $option = Read-Host "Would you like to log in? 1 for yes or 2 for no"
13 |         }
14 | 
15 |         switch ($option) {
16 |             '1' { az login }
17 |             '2' {exit}
18 |         }
19 |     }
20 | 
21 |     process {
22 |         az aks stop `
23 |         --name $clusterName `
24 |         --resource-group $resourceGroupName
25 |     }
26 | 
27 |     end {
28 | 
29 |     }
30 | }


--------------------------------------------------------------------------------
/azure/aks/tmp/ca.crt:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIIE6TCCAtGgAwIBAgIRALihOPu9zlLYzw/0DDptmvowDQYJKoZIhvcNAQELBQAw
 3 | DTELMAkGA1UEAxMCY2EwIBcNMjQwMTAzMTU1NzE1WhgPMjA1NDAxMDMxNjA3MTVa
 4 | MA0xCzAJBgNVBAMTAmNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
 5 | z3X+0xH+3f/vKhxTiMjtwOHJaX8DF76bo5aTSM9ZgmdGsL/YrKwWf3hUO8xIqTt6
 6 | zU8JoVk01ml5OpZpVRVCMwDdDEWwWmifqzhFwaytfN6X1yPdDUxNrPFTeX/yRP3i
 7 | hy5/fBqgGWAuc8e1cj26nsIUKfx4JbsXBCw0M9j3M2h1wPF9CbsiAsEXy7MbXk8b
 8 | TezxoGp8GpZGFSCXxDlQckYx0pmhnDaNJLqKbD0xOkVO9l2PkFEVq9nZvsjnjSGJ
 9 | PSp2XwwsAT3hEq9It3B9Y9HRSpmq0bFAFw/UcYa3z2v1nbkfavF9k7W3kSyz+niu
10 | vT/ZNZ0RMLs5aGsek6F0jPCfKBE11nZy16gbZ4zsmh89z1FBOnTwRqDLbtDhYcCn
11 | xKLJgmuQsbrSvytGrEypTzat2/WpibcxzqDHrunTHs1gfIXSNHfCiseDMuIwhyB7
12 | HOPBp5n4Mlah4OwD6DAayGjwhUPls1zH8lZLGvFWmKstnnII5zisyZrS/JjrYCy3
13 | j5OzkiRKRBbpL5A/rOrGm2VGKSACC9+UZTMUV/fhqhSGMIxNqSoUBDoabZxJ00Y+
14 | /o6IZBxpLPfr8F5SsMzHfELwrh5LxfzNJuddNUHbYiEOSPwDiBz1M0nAl4S1Oukt
15 | NVFgryp/PiwiBgW2dq7pmD6EsPb+uOm6iujrwRju5ZUCAwEAAaNCMEAwDgYDVR0P
16 | AQH/BAQDAgKkMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJp9w9R31Z/Uw8m5
17 | +Vr3sBsxC3y2MA0GCSqGSIb3DQEBCwUAA4ICAQAVj8Ymqn6+WBRxHvvmjtMNIFQy
18 | PN4famwUzoHS3ZSxggJhZBeJtjZN2Gcz9dRmhjqP+GGs6vRP4EHzcTeJZymCiPzW
19 | L1ffi4LAmntPdI5uJE31LVf5Vm3ESM3ktLfaa6gbnkjN8EVYDyRSab/akvqDtgaJ
20 | HBzPeWr+zWcUIUFO4drguU2ZJgLFTDbGIFYtJ+wWrmwT1MBiXhDv+LBwsdUebelO
21 | wGwwGN0OewWlN1yr7p/gcdTKH+iCy3Y5Ut01AynfxcY4tlh1pD8ic1d2at/iRL7I
22 | ULiRoZOGws9rO9iD68wrs7omtEWfm5XXzRZnq1Imrg6bXI1pkZpCXPYO/NQDi9Ef
23 | VYtJFifVIYL0/qcyJMmNRbRpotfYQKv9t4mQVz0HgvLkA2ESMTnFke0GCwcLjLyl
24 | B4V1VkBpV8fcpbHrBk5rMyBvxFAv1IUi2L5GE/VoqrKygrrFilajNjmxo8vAwCDD
25 | e7dWSm6EXrpS7NU1i3jr+Wb2JuUS/1BzRzQHmG7obbQqyjbAcTptRUh9iQkI3+Bq
26 | m2eOKERxGU9T4jWAdCUUDpFYcji2+oiA+bigZ8Gr9hzfm3UIA2PJe12uj0gROfkx
27 | kqO/SYJ8ys/69m/sfuA+Rl+B/wEEBZT78aCaTvwlKCqsmXhwYYIlBdgCD/iqX7zV
28 | tB6CFfCh5+omqau9kA==
29 | -----END CERTIFICATE-----
30 | 


--------------------------------------------------------------------------------
/azure/aks/tmp/k8s-cd-user-devtroncd-conf-31406.conf:
--------------------------------------------------------------------------------
 1 | apiVersion: v1
 2 | clusters:
 3 | - cluster:
 4 |     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUU2VENDQXRHZ0F3SUJBZ0lSQUxpaE9QdTl6bExZencvMEREcHRtdm93RFFZSktvWklodmNOQVFFTEJRQXcKRFRFTE1Ba0dBMVVFQXhNQ1kyRXdJQmNOTWpRd01UQXpNVFUxTnpFMVdoZ1BNakExTkRBeE1ETXhOakEzTVRWYQpNQTB4Q3pBSkJnTlZCQU1UQW1OaE1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBCnozWCsweEgrM2YvdktoeFRpTWp0d09ISmFYOERGNzZibzVhVFNNOVpnbWRHc0wvWXJLd1dmM2hVTzh4SXFUdDYKelU4Sm9WazAxbWw1T3BacFZSVkNNd0RkREVXd1dtaWZxemhGd2F5dGZONlgxeVBkRFV4TnJQRlRlWC95UlAzaQpoeTUvZkJxZ0dXQXVjOGUxY2oyNm5zSVVLZng0SmJzWEJDdzBNOWozTTJoMXdQRjlDYnNpQXNFWHk3TWJYazhiClRlenhvR3A4R3BaR0ZTQ1h4RGxRY2tZeDBwbWhuRGFOSkxxS2JEMHhPa1ZPOWwyUGtGRVZxOW5adnNqbmpTR0oKUFNwMlh3d3NBVDNoRXE5SXQzQjlZOUhSU3BtcTBiRkFGdy9VY1lhM3oydjFuYmtmYXZGOWs3VzNrU3l6K25pdQp2VC9aTlowUk1MczVhR3NlazZGMGpQQ2ZLQkUxMW5aeTE2Z2JaNHpzbWg4OXoxRkJPblR3UnFETGJ0RGhZY0NuCnhLTEpnbXVRc2JyU3Z5dEdyRXlwVHphdDIvV3BpYmN4enFESHJ1blRIczFnZklYU05IZkNpc2VETXVJd2h5QjcKSE9QQnA1bjRNbGFoNE93RDZEQWF5R2p3aFVQbHMxekg4bFpMR3ZGV21Lc3RubklJNXppc3laclMvSmpyWUN5MwpqNU96a2lSS1JCYnBMNUEvck9yR20yVkdLU0FDQzkrVVpUTVVWL2ZocWhTR01JeE5xU29VQkRvYWJaeEowMFkrCi9vNklaQnhwTFBmcjhGNVNzTXpIZkVMd3JoNUx4ZnpOSnVkZE5VSGJZaUVPU1B3RGlCejFNMG5BbDRTMU91a3QKTlZGZ3J5cC9QaXdpQmdXMmRxN3BtRDZFc1BiK3VPbTZpdWpyd1JqdTVaVUNBd0VBQWFOQ01FQXdEZ1lEVlIwUApBUUgvQkFRREFnS2tNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGSnA5dzlSMzFaL1V3OG01CitWcjNzQnN4QzN5Mk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQVZqOFltcW42K1dCUnhIdnZtanRNTklGUXkKUE40ZmFtd1V6b0hTM1pTeGdnSmhaQmVKdGpaTjJHY3o5ZFJtaGpxUCtHR3M2dlJQNEVIemNUZUpaeW1DaVB6VwpMMWZmaTRMQW1udFBkSTV1SkUzMUxWZjVWbTNFU00za3RMZmFhNmdibmtqTjhFVllEeVJTYWIvYWt2cUR0Z2FKCkhCelBlV3IreldjVUlVRk80ZHJndVUyWkpnTEZURGJHSUZZdEord1dybXdUMU1CaVhoRHYrTEJ3c2RVZWJlbE8Kd0d3d0dOME9ld1dsTjF5cjdwL2djZFRLSCtpQ3kzWTVVdDAxQXluZnhjWTR0bGgxcEQ4aWMxZDJhdC9pUkw3SQpVTGlSb1pPR3dzOXJPOWlENjh3cnM3b210RVdmbTVYWHpSWm5xMUltcmc2YlhJMXBrWnBDWFBZTy9OUURpOUVmClZZdEpGaWZWSVlMMC9xY3lKTW1OUmJScG90ZllRS3Y5dDRtUVZ6MEhndkxrQTJFU01UbkZrZTBHQ3djTGpMeWwKQjRWMVZrQnBWOGZjcGJIckJrNXJNeUJ2eEZBdjFJVWkyTDVHRS9Wb3FyS3lncnJGaWxhak5qbXhvOHZBd0NERAplN2RXU202RVhycFM3TlUxaTNqcitXYjJKdVVTLzFCelJ6UUhtRzdvYmJRcXlqYkFjVHB0UlVoOWlRa0kzK0JxCm0yZU9LRVJ4R1U5VDRqV0FkQ1VVRHBGWWNqaTIrb2lBK2JpZ1o4R3I5aHpmbTNVSUEyUEplMTJ1ajBnUk9ma3gKa3FPL1NZSjh5cy82OW0vc2Z1QStSbCtCL3dFRUJaVDc4YUNhVHZ3bEtDcXNtWGh3WVlJbEJkZ0NEL2lxWDd6Vgp0QjZDRmZDaDUrb21xYXU5a0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
 5 |     server: https://aksenvironment01-dns01-he5oiv3o.hcp.eastus.azmk8s.io:443
 6 |   name: aksenvironment01
 7 | contexts:
 8 | - context:
 9 |     cluster: aksenvironment01
10 |     namespace: devtroncd
11 |     user: cd-user-devtroncd-aksenvironment01
12 |   name: cd-user-devtroncd-aksenvironment01
13 | current-context: cd-user-devtroncd-aksenvironment01
14 | kind: Config
15 | preferences: {}
16 | users:
17 | - name: cd-user-devtroncd-aksenvironment01
18 |   user:
19 |     token: eyJhbGciOiJSUzI1NiIsImtpZCI6Indra2g2cndxaXpaUzhKOWV1WFJEUWkzelBJVjVtMV81UG52a05XWHNhTEkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZXZ0cm9uY2QiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiY2QtdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjZC11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZTI0OWY3MDUtZGMwOS00N2UzLTg2YmYtNGVhMTNlYWFmZTY2Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRldnRyb25jZDpjZC11c2VyIn0.tZlvlOeuxeUihm2m7pwLpWntPrPGfx5ssiJX2GQprr8nOGaa9Z3DBJF-eJTnht6pObZRfqCxVAZxtEv4dvL3FonARzcpnPpU50DP4brxfSwHV6wvGP7jqmDMjdyMzYHzObcWlHxMnBaqVEC7f8s71jh9yiIwi7w2qGy0AWeCwRtEWS1wI8wZ-ZIEkHqoB4h0DkBLywI4lzgPx5Vi2PaUs0csNx6sft3zBG0KtJILZSI13LTpvlnBiKZp2L1876BGRStWqDV6GPX8ChLiR8Ivzu-Z4M3N9U4GPLwSWCYh1zafPnVdiVY0oI8SEnIR6mJtIiz0Kwzqpa1Ub2cj0_kORwY_LPWEyCKM04KIEzjxnYNQEXwYeLBM0CX5hWV5X7_dB-FJ_o7PszvI-CQTq4JuQG10579Ch-yBvQBG0WIHAtHla4zWhvWwLumoWsKaF2Ml4nszV4ep7Sv1IdtuFoMZnNwauI8epoMwLOcIsC-pIoB7hQPfHIzwDGjyToZ1O7Eelx25jiFIczLjjjpUtdKsgHABWl9ri_wLEqN278_gNNmGMGjGnICaluoo1JAZ4qoQqFJ5IJPrKOp8Tozfb2pdVW3_tGNuyi3ExDUKjlCAi4e1aOxltAYwNt8F3ZFG5Q4rD6_Aca9Pvv5qmxRy3uOOsHdc0dkUhCpkfN0tGalQL6Y
20 | 


--------------------------------------------------------------------------------
/azure/aks/variables.tf:
--------------------------------------------------------------------------------
 1 | variable "name" {
 2 |   type = string
 3 |   default = "aksenvironment01"
 4 | }
 5 | 
 6 | variable "resource_group_name" {
 7 |   type = string
 8 |   default = "devrelasaservice"
 9 | }
10 | 
11 | variable "location" {
12 |   type = string
13 |   default = "eastus"
14 | }
15 | 
16 | variable "node_count" {
17 |   type = string
18 |   default = 3
19 | }
20 | 
21 |   variable "k8s_version" {
22 |     type = string
23 |     default = "1.29.4"
24 |   }


--------------------------------------------------------------------------------
/cfg/ack-1.0/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/ack-1.0/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "ack-1.0"
 4 | id: 3
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 3.1
 9 |     text: "Authentication and Authorization"
10 |     checks:
11 |       - id: 3.1.1
12 |         text: "Revoke client certificate when possible leakage (Manual)"
13 |         type: "manual"
14 |         remediation: |
15 |           Kubernetes provides the option to use client certificates for user authentication.
16 |           ACK issues kubeconfig with its client certificates as the user credentials for connecing to target cluster.
17 |           User should revoke his/her issued kubeconfig when possible leakage.
18 |         scored: false
19 | 
20 |   - id: 3.2
21 |     text: "Logging"
22 |     checks:
23 |       - id: 3.2.1
24 |         text: "Ensure that a minimal audit policy is created (Manual)"
25 |         audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
26 |         tests:
27 |           test_items:
28 |             - flag: "--audit-policy-file"
29 |         remediation: |
30 |           Create an audit policy file for your cluster.
31 |         scored: false
32 | 
33 |       - id: 3.2.2
34 |         text: "Ensure that the audit policy covers key security concerns (Manual)"
35 |         type: "manual"
36 |         remediation: |
37 |           Consider modification of the audit policy in use on the cluster to include these items, at a
38 |           minimum.
39 |         scored: false
40 | 


--------------------------------------------------------------------------------
/cfg/ack-1.0/etcd.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "ack-1.0"
  4 | id: 2
  5 | text: "Etcd Node Configuration"
  6 | type: "etcd"
  7 | groups:
  8 |   - id: 2
  9 |     text: "Etcd Node Configuration Files"
 10 |     checks:
 11 |       - id: 2.1
 12 |         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
 13 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 14 |         tests:
 15 |           bin_op: and
 16 |           test_items:
 17 |             - flag: "--cert-file"
 18 |               env: "ETCD_CERT_FILE"
 19 |             - flag: "--key-file"
 20 |               env: "ETCD_KEY_FILE"
 21 |         remediation: |
 22 |           Follow the etcd service documentation and configure TLS encryption.
 23 |           Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
 24 |           on the master node and set the below parameters.
 25 |           --cert-file=</path/to/ca-file>
 26 |           --key-file=</path/to/key-file>
 27 |         scored: true
 28 | 
 29 |       - id: 2.2
 30 |         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
 31 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 32 |         tests:
 33 |           test_items:
 34 |             - flag: "--client-cert-auth"
 35 |               env: "ETCD_CLIENT_CERT_AUTH"
 36 |               compare:
 37 |                 op: eq
 38 |                 value: true
 39 |         remediation: |
 40 |           Edit the etcd pod specification file $etcdconf on the master
 41 |           node and set the below parameter.
 42 |           --client-cert-auth="true"
 43 |         scored: true
 44 | 
 45 |       - id: 2.3
 46 |         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
 47 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 48 |         tests:
 49 |           bin_op: or
 50 |           test_items:
 51 |             - flag: "--auto-tls"
 52 |               env: "ETCD_AUTO_TLS"
 53 |               set: false
 54 |             - flag: "--auto-tls"
 55 |               env: "ETCD_AUTO_TLS"
 56 |               compare:
 57 |                 op: eq
 58 |                 value: false
 59 |         remediation: |
 60 |           Edit the etcd pod specification file $etcdconf on the master
 61 |           node and either remove the --auto-tls parameter or set it to false.
 62 |             --auto-tls=false
 63 |         scored: true
 64 | 
 65 |       - id: 2.4
 66 |         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
 67 |         set as appropriate (Automated)"
 68 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 69 |         tests:
 70 |           bin_op: and
 71 |           test_items:
 72 |             - flag: "--peer-cert-file"
 73 |               env: "ETCD_PEER_CERT_FILE"
 74 |             - flag: "--peer-key-file"
 75 |               env: "ETCD_PEER_KEY_FILE"
 76 |         remediation: |
 77 |           Follow the etcd service documentation and configure peer TLS encryption as appropriate
 78 |           for your etcd cluster.
 79 |           Then, edit the etcd pod specification file $etcdconf on the
 80 |           master node and set the below parameters.
 81 |           --peer-client-file=</path/to/peer-cert-file>
 82 |           --peer-key-file=</path/to/peer-key-file>
 83 |         scored: true
 84 | 
 85 |       - id: 2.5
 86 |         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
 87 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 88 |         tests:
 89 |           test_items:
 90 |             - flag: "--peer-client-cert-auth"
 91 |               env: "ETCD_PEER_CLIENT_CERT_AUTH"
 92 |               compare:
 93 |                 op: eq
 94 |                 value: true
 95 |         remediation: |
 96 |           Edit the etcd pod specification file $etcdconf on the master
 97 |           node and set the below parameter.
 98 |           --peer-client-cert-auth=true
 99 |         scored: true
100 | 
101 |       - id: 2.6
102 |         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
103 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
104 |         tests:
105 |           bin_op: or
106 |           test_items:
107 |             - flag: "--peer-auto-tls"
108 |               env: "ETCD_PEER_AUTO_TLS"
109 |               set: false
110 |             - flag: "--peer-auto-tls"
111 |               env: "ETCD_PEER_AUTO_TLS"
112 |               compare:
113 |                 op: eq
114 |                 value: false
115 |         remediation: |
116 |           Edit the etcd pod specification file $etcdconf on the master
117 |           node and either remove the --peer-auto-tls parameter or set it to false.
118 |           --peer-auto-tls=false
119 |         scored: true
120 | 
121 |       - id: 2.7
122 |         text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
123 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
124 |         tests:
125 |           test_items:
126 |             - flag: "--trusted-ca-file"
127 |               env: "ETCD_TRUSTED_CA_FILE"
128 |         remediation: |
129 |           [Manual test]
130 |           Follow the etcd documentation and create a dedicated certificate authority setup for the
131 |           etcd service.
132 |           Then, edit the etcd pod specification file $etcdconf on the
133 |           master node and set the below parameter.
134 |           --trusted-ca-file=</path/to/ca-file>
135 |         scored: false
136 | 


--------------------------------------------------------------------------------
/cfg/ack-1.0/managedservices.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "ack-1.0"
  4 | id: 6
  5 | text: "Managed Services"
  6 | type: "managedservices"
  7 | groups:
  8 |   - id: 6.1
  9 |     text: "Image Registry and Image Scanning"
 10 |     checks:
 11 |       - id: 6.1.1
 12 |         text: "Ensure Image Vulnerability Scanning using ACR image scanning or a third party provider (Manual)"
 13 |         type: "manual"
 14 |         remediation: |
 15 |           Ensure Image Vulnerability Scanning using ACR image scanning or a third party provider by follow the ACR document: https://www.alibabacloud.com/help/doc-detail/160146.htm
 16 |         scored: false
 17 | 
 18 |       - id: 6.1.2
 19 |         text: "Minimize user access to ACR (Manual)"
 20 |         type: "manual"
 21 |         remediation: |
 22 |           Minimize user access to ACR by follow the ACR document to setup network access control: https://www.alibabacloud.com/help/doc-detail/142179.htm
 23 |           And follow the ACR document to setup Resource Access Management (RAM) policies for ACR: https://www.alibabacloud.com/help/doc-detail/144229.htm
 24 |         scored: false
 25 | 
 26 |       - id: 6.1.3
 27 |         text: "Minimize cluster access to read-only for ACR (Manual)"
 28 |         type: "manual"
 29 |         remediation: Minimize cluster access to read-only for ACR
 30 |         scored: false
 31 | 
 32 |       - id: 6.1.4
 33 |         text: "Minimize Container Registries to only those approved (Manual)"
 34 |         type: "manual"
 35 |         remediation: Minimize Container Registries to only those approved
 36 |         scored: false
 37 | 
 38 |   - id: 6.2
 39 |     text: "Key Management Service (KMS)"
 40 |     checks:
 41 |       - id: 6.2.1
 42 |         text: "Ensure Kubernetes Secrets are encrypted using keys managed in KMS (Manual)"
 43 |         type: "manual"
 44 |         remediation: |
 45 |           Ensure Kubernetes Secrets are encrypted using keys managed in KMS by follow The ACK document: https://www.alibabacloud.com/help/zh/doc-detail/177372.htm
 46 |         scored: false
 47 | 
 48 |   - id: 6.3
 49 |     text: "Cluster Networking"
 50 |     checks:
 51 |       - id: 6.3.1
 52 |         text: "Restrict Access to the Control Plane Endpoint (Manual)"
 53 |         type: "manual"
 54 |         remediation: Restrict Access to the Control Plane Endpoint
 55 |         scored: false
 56 | 
 57 |       - id: 6.3.2
 58 |         text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Manual)"
 59 |         type: "manual"
 60 |         remediation: Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled
 61 |         scored: false
 62 | 
 63 |       - id: 6.3.3
 64 |         text: "Ensure clusters are created with Private Nodes (Manual)"
 65 |         type: "manual"
 66 |         remediation: Ensure clusters are created with Private Nodes
 67 |         scored: false
 68 | 
 69 |       - id: 6.3.4
 70 |         text: "Ensure Network Policy is Enabled and set as appropriate (Manual)"
 71 |         type: "manual"
 72 |         remediation: Ensure Network Policy is Enabled and set as appropriate
 73 |         scored: false
 74 | 
 75 |       - id: 6.3.5
 76 |         text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Manual)"
 77 |         type: "manual"
 78 |         remediation: Encrypt traffic to HTTPS load balancers with TLS certificates
 79 |         scored: false
 80 | 
 81 |   - id: 6.4
 82 |     text: "Storage"
 83 |     checks:
 84 |       - id: 6.4.1
 85 |         text: "Enable data disk encryption for Alibaba Cloud Disks (Manual)"
 86 |         type: "manual"
 87 |         remediation: Enable data disk encryption for Alibaba Cloud Disks
 88 |         scored: false
 89 | 
 90 |   - id: 6.5
 91 |     text: "Logging"
 92 |     checks:
 93 |       - id: 6.5.1
 94 |         text: "Ensure Cluster Auditing is Enabled (Manual)"
 95 |         type: "manual"
 96 |         remediation: Ensure Cluster Auditing is Enabled
 97 |         scored: false
 98 | 
 99 |   - id: 6.6
100 |     text: "Other Cluster Configurations"
101 |     checks:
102 |       - id: 6.6.1
103 |         text: "Ensure Pod Security Policy is Enabled and set as appropriate (Manual)"
104 |         type: "manual"
105 |         remediation: Ensure Pod Security Policy is Enabled and set as appropriate
106 |         scored: false
107 | 
108 |       - id: 6.6.2
109 |         text: "Enable Cloud Security Center (Manual)"
110 |         type: "manual"
111 |         remediation: Enable Cloud Security Center
112 |         scored: false
113 | 
114 |       - id: 6.6.3
115 |         text: "Consider ACK Sandboxed-Container for running untrusted workloads (Manual)"
116 |         type: "manual"
117 |         remediation: Consider ACK Sandboxed-Container for running untrusted workloads
118 | 
119 |       - id: 6.6.4
120 |         text: "Consider ACK TEE-based when running confidential computing (Manual)"
121 |         type: "manual"
122 |         remediation: Consider ACK TEE-based when running confidential computing
123 | 
124 |       - id: 6.6.5
125 |         text: "Consider use service account token volume projection (Manual)"
126 |         type: "manual"
127 |         remediation: Consider use service account token volume projection
128 | 


--------------------------------------------------------------------------------
/cfg/ack-1.0/policies.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "ack-1.0"
  4 | id: 5
  5 | text: "Kubernetes Policies"
  6 | type: "policies"
  7 | groups:
  8 |   - id: 5.1
  9 |     text: "RBAC and Service Accounts"
 10 |     checks:
 11 |       - id: 5.1.1
 12 |         text: "Ensure that the cluster-admin role is only used where required (Manual)"
 13 |         type: "manual"
 14 |         remediation: |
 15 |           Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
 16 |           if they need this role or if they could use a role with fewer privileges.
 17 |           Where possible, first bind users to a lower privileged role and then remove the
 18 |           clusterrolebinding to the cluster-admin role :
 19 |           kubectl delete clusterrolebinding [name]
 20 |         scored: false
 21 | 
 22 |       - id: 5.1.2
 23 |         text: "Minimize access to secrets (Manual)"
 24 |         type: "manual"
 25 |         remediation: |
 26 |           Where possible, remove get, list and watch access to secret objects in the cluster.
 27 |         scored: false
 28 | 
 29 |       - id: 5.1.3
 30 |         text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
 31 |         type: "manual"
 32 |         remediation: |
 33 |           Where possible replace any use of wildcards in clusterroles and roles with specific
 34 |           objects or actions.
 35 |         scored: false
 36 | 
 37 |       - id: 5.1.4
 38 |         text: "Minimize access to create pods (Manual)"
 39 |         type: "manual"
 40 |         remediation: |
 41 |           Where possible, remove create access to pod objects in the cluster.
 42 |         scored: false
 43 | 
 44 |       - id: 5.1.5
 45 |         text: "Ensure that default service accounts are not actively used. (Manual)"
 46 |         type: "manual"
 47 |         remediation: |
 48 |           Create explicit service accounts wherever a Kubernetes workload requires specific access
 49 |           to the Kubernetes API server.
 50 |           Modify the configuration of each default service account to include this value
 51 |           automountServiceAccountToken: false
 52 |         scored: false
 53 | 
 54 |       - id: 5.1.6
 55 |         text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
 56 |         type: "manual"
 57 |         remediation: |
 58 |           Modify the definition of pods and service accounts which do not need to mount service
 59 |           account tokens to disable it.
 60 |         scored: false
 61 | 
 62 |   - id: 5.2
 63 |     text: "Pod Security Policies"
 64 |     checks:
 65 |       - id: 5.2.1
 66 |         text: "Minimize the admission of privileged containers (Manual)"
 67 |         type: "manual"
 68 |         remediation: |
 69 |           Create a PSP as described in the Kubernetes documentation, ensuring that
 70 |           the .spec.privileged field is omitted or set to false.
 71 |         scored: false
 72 | 
 73 |       - id: 5.2.2
 74 |         text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
 75 |         type: "manual"
 76 |         remediation: |
 77 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 78 |           .spec.hostPID field is omitted or set to false.
 79 |         scored: false
 80 | 
 81 |       - id: 5.2.3
 82 |         text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
 83 |         type: "manual"
 84 |         remediation: |
 85 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 86 |           .spec.hostIPC field is omitted or set to false.
 87 |         scored: false
 88 | 
 89 |       - id: 5.2.4
 90 |         text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
 91 |         type: "manual"
 92 |         remediation: |
 93 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 94 |           .spec.hostNetwork field is omitted or set to false.
 95 |         scored: false
 96 | 
 97 |       - id: 5.2.5
 98 |         text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
 99 |         type: "manual"
100 |         remediation: |
101 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
102 |           .spec.allowPrivilegeEscalation field is omitted or set to false.
103 |         scored: false
104 | 
105 |       - id: 5.2.6
106 |         text: "Minimize the admission of root containers (Manual)"
107 |         type: "manual"
108 |         remediation: |
109 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
110 |           .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
111 |           UIDs not including 0.
112 |         scored: false
113 | 
114 |       - id: 5.2.7
115 |         text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
116 |         type: "manual"
117 |         remediation: |
118 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
119 |           .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
120 |         scored: false
121 | 
122 |       - id: 5.2.8
123 |         text: "Minimize the admission of containers with added capabilities (Manual)"
124 |         type: "manual"
125 |         remediation: |
126 |           Ensure that allowedCapabilities is not present in PSPs for the cluster unless
127 |           it is set to an empty array.
128 |         scored: false
129 | 
130 |       - id: 5.2.9
131 |         text: "Minimize the admission of containers with capabilities assigned (Manual)"
132 |         type: "manual"
133 |         remediation: |
134 |           Review the use of capabilites in applications runnning on your cluster. Where a namespace
135 |           contains applicaions which do not require any Linux capabities to operate consider adding
136 |           a PSP which forbids the admission of containers which do not drop all capabilities.
137 |         scored: false
138 | 
139 |   - id: 5.3
140 |     text: "Network Policies and CNI"
141 |     checks:
142 |       - id: 5.3.1
143 |         text: "Ensure that the CNI in use supports Network Policies (Manual)"
144 |         type: "manual"
145 |         remediation: |
146 |           If the CNI plugin in use does not support network policies, consideration should be given to
147 |           making use of a different plugin, or finding an alternate mechanism for restricting traffic
148 |           in the Kubernetes cluster.
149 |         scored: false
150 | 
151 |       - id: 5.3.2
152 |         text: "Ensure that all Namespaces have Network Policies defined (Manual)"
153 |         type: "manual"
154 |         remediation: |
155 |           Follow the documentation and create NetworkPolicy objects as you need them.
156 |         scored: false
157 | 
158 |   - id: 5.4
159 |     text: "Secrets Management"
160 |     checks:
161 |       - id: 5.4.1
162 |         text: "Prefer using secrets as files over secrets as environment variables (Manual)"
163 |         type: "manual"
164 |         remediation: |
165 |           if possible, rewrite application code to read secrets from mounted secret files, rather than
166 |           from environment variables.
167 |         scored: false
168 | 
169 |       - id: 5.4.2
170 |         text: "Consider external secret storage (Manual)"
171 |         type: "manual"
172 |         remediation: |
173 |           Refer to the secrets management options offered by your cloud provider or a third-party
174 |           secrets management solution.
175 |         scored: false
176 | 
177 |   - id: 5.5
178 |     text: "Extensible Admission Control"
179 |     checks:
180 |       - id: 5.5.1
181 |         text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
182 |         type: "manual"
183 |         remediation: |
184 |           Follow the Kubernetes documentation and setup image provenance.
185 |         scored: false
186 | 
187 |   - id: 5.6
188 |     text: "General Policies"
189 |     checks:
190 |       - id: 5.6.1
191 |         text: "Create administrative boundaries between resources using namespaces (Manual)"
192 |         type: "manual"
193 |         remediation: |
194 |           Follow the documentation and create namespaces for objects in your deployment as you need
195 |           them.
196 |         scored: false
197 | 
198 |       - id: 5.6.2
199 |         text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
200 |         type: "manual"
201 |         remediation: |
202 |           Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
203 |           would need to enable alpha features in the apiserver by passing "--feature-
204 |           gates=AllAlpha=true" argument.
205 |           Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
206 |           parameter to "--feature-gates=AllAlpha=true"
207 |           KUBE_API_ARGS="--feature-gates=AllAlpha=true"
208 |           Based on your system, restart the kube-apiserver service. For example:
209 |           systemctl restart kube-apiserver.service
210 |           Use annotations to enable the docker/default seccomp profile in your pod definitions. An
211 |           example is as below:
212 |           apiVersion: v1
213 |           kind: Pod
214 |           metadata:
215 |             name: trustworthy-pod
216 |             annotations:
217 |               seccomp.security.alpha.kubernetes.io/pod: docker/default
218 |           spec:
219 |             containers:
220 |               - name: trustworthy-container
221 |                 image: sotrustworthy:latest
222 |         scored: false
223 | 
224 |       - id: 5.6.3
225 |         text: "Apply Security Context to Your Pods and Containers (Manual)"
226 |         type: "manual"
227 |         remediation: |
228 |           Follow the Kubernetes documentation and apply security contexts to your pods. For a
229 |           suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
230 |           Containers.
231 |         scored: false
232 | 
233 |       - id: 5.6.4
234 |         text: "The default namespace should not be used (Manual)"
235 |         type: "manual"
236 |         remediation: |
237 |           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
238 |           resources and that all new resources are created in a specific namespace.
239 |         scored: false
240 | 


--------------------------------------------------------------------------------
/cfg/aks-1.0/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/aks-1.0/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "aks-1.0"
 4 | id: 2
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 2.1
 9 |     text: "Authentication and Authorization"
10 |     checks:
11 |       - id: 2.1.1
12 |         text: "Enable Azure Active Directory Integration"
13 |         type: "manual"
14 |         remediation: |
15 |           Use of OIDC should be implemented in place of client certificates. Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. See https://docs.microsoft.com/en-us/azure/aks/managed-aad.
16 |         scored: false
17 |       - id: 2.1.2
18 |         text: "Limit access to cluster configuration file"
19 |         type: "manual"
20 |         remediation: |
21 |           Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS). See https://docs.microsoft.com/en-us/azure/aks/control-kubeconfig-access
22 |         scored: false
23 | 
24 |   - id: 2.2
25 |     text: "Logging"
26 |     checks:
27 |       - id: 2.2.1
28 |         text: "Enable logging for the Kubernetes master components"
29 |         type: "manual"
30 |         remediation: "Enable log collection for the Kubernetes master components in the AKS cluster using Diagnostic settings."
31 |         scored: false
32 | 


--------------------------------------------------------------------------------
/cfg/aks-1.0/master.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | controls:
3 | version: "aks-1.0"
4 | id: 1
5 | text: "Control Plane Components"
6 | type: "master"
7 | 


--------------------------------------------------------------------------------
/cfg/cis-1.5/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/cis-1.5/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "cis-1.5"
 4 | id: 3
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 3.1
 9 |     text: "Authentication and Authorization"
10 |     checks:
11 |       - id: 3.1.1
12 |         text: "Client certificate authentication should not be used for users (Not Scored)"
13 |         type: "manual"
14 |         remediation: |
15 |           Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
16 |           implemented in place of client certificates.
17 |         scored: false
18 | 
19 |   - id: 3.2
20 |     text: "Logging"
21 |     checks:
22 |       - id: 3.2.1
23 |         text: "Ensure that a minimal audit policy is created (Scored)"
24 |         audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
25 |         tests:
26 |           test_items:
27 |             - flag: "--audit-policy-file"
28 |               set: true
29 |         remediation: |
30 |           Create an audit policy file for your cluster.
31 |         scored: true
32 | 
33 |       - id: 3.2.2
34 |         text: "Ensure that the audit policy covers key security concerns (Not Scored)"
35 |         type: "manual"
36 |         remediation: |
37 |           Consider modification of the audit policy in use on the cluster to include these items, at a
38 |           minimum.
39 |         scored: false
40 | 


--------------------------------------------------------------------------------
/cfg/cis-1.5/etcd.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "cis-1.5"
  4 | id: 2
  5 | text: "Etcd Node Configuration"
  6 | type: "etcd"
  7 | groups:
  8 |   - id: 2
  9 |     text: "Etcd Node Configuration Files"
 10 |     checks:
 11 |       - id: 2.1
 12 |         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Scored)"
 13 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 14 |         tests:
 15 |           bin_op: and
 16 |           test_items:
 17 |             - flag: "--cert-file"
 18 |               set: true
 19 |             - flag: "--key-file"
 20 |               set: true
 21 |         remediation: |
 22 |           Follow the etcd service documentation and configure TLS encryption.
 23 |           Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
 24 |           on the master node and set the below parameters.
 25 |           --cert-file=</path/to/ca-file>
 26 |           --key-file=</path/to/key-file>
 27 |         scored: true
 28 | 
 29 |       - id: 2.2
 30 |         text: "Ensure that the --client-cert-auth argument is set to true (Scored)"
 31 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 32 |         tests:
 33 |           test_items:
 34 |             - flag: "--client-cert-auth"
 35 |               compare:
 36 |                 op: eq
 37 |                 value: true
 38 |               set: true
 39 |         remediation: |
 40 |           Edit the etcd pod specification file $etcdconf on the master
 41 |           node and set the below parameter.
 42 |           --client-cert-auth="true"
 43 |         scored: true
 44 | 
 45 |       - id: 2.3
 46 |         text: "Ensure that the --auto-tls argument is not set to true (Scored)"
 47 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 48 |         tests:
 49 |           bin_op: or
 50 |           test_items:
 51 |             - flag: "--auto-tls"
 52 |               set: false
 53 |             - flag: "--auto-tls"
 54 |               compare:
 55 |                 op: eq
 56 |                 value: false
 57 |         remediation: |
 58 |           Edit the etcd pod specification file $etcdconf on the master
 59 |           node and either remove the --auto-tls parameter or set it to false.
 60 |             --auto-tls=false
 61 |         scored: true
 62 | 
 63 |       - id: 2.4
 64 |         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
 65 |         set as appropriate (Scored)"
 66 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 67 |         tests:
 68 |           bin_op: and
 69 |           test_items:
 70 |             - flag: "--peer-cert-file"
 71 |               set: true
 72 |             - flag: "--peer-key-file"
 73 |               set: true
 74 |         remediation: |
 75 |           Follow the etcd service documentation and configure peer TLS encryption as appropriate
 76 |           for your etcd cluster. Then, edit the etcd pod specification file $etcdconf on the
 77 |           master node and set the below parameters.
 78 |           --peer-client-file=</path/to/peer-cert-file>
 79 |           --peer-key-file=</path/to/peer-key-file>
 80 |         scored: true
 81 | 
 82 |       - id: 2.5
 83 |         text: "Ensure that the --peer-client-cert-auth argument is set to true (Scored)"
 84 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 85 |         tests:
 86 |           test_items:
 87 |             - flag: "--peer-client-cert-auth"
 88 |               compare:
 89 |                 op: eq
 90 |                 value: true
 91 |               set: true
 92 |         remediation: |
 93 |           Edit the etcd pod specification file $etcdconf on the master
 94 |           node and set the below parameter.
 95 |           --peer-client-cert-auth=true
 96 |         scored: true
 97 | 
 98 |       - id: 2.6
 99 |         text: "Ensure that the --peer-auto-tls argument is not set to true (Scored)"
100 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
101 |         tests:
102 |           bin_op: or
103 |           test_items:
104 |             - flag: "--peer-auto-tls"
105 |               set: false
106 |             - flag: "--peer-auto-tls"
107 |               compare:
108 |                 op: eq
109 |                 value: false
110 |               set: true
111 |         remediation: |
112 |           Edit the etcd pod specification file $etcdconf on the master
113 |           node and either remove the --peer-auto-tls parameter or set it to false.
114 |           --peer-auto-tls=false
115 |         scored: true
116 | 
117 |       - id: 2.7
118 |         text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
119 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
120 |         tests:
121 |           test_items:
122 |             - flag: "--trusted-ca-file"
123 |               set: true
124 |         remediation: |
125 |           [Manual test]
126 |           Follow the etcd documentation and create a dedicated certificate authority setup for the
127 |           etcd service.
128 |           Then, edit the etcd pod specification file $etcdconf on the
129 |           master node and set the below parameter.
130 |           --trusted-ca-file=</path/to/ca-file>
131 |         scored: false
132 | 


--------------------------------------------------------------------------------
/cfg/cis-1.6/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/cis-1.6/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "cis-1.6"
 4 | id: 3
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 3.1
 9 |     text: "Authentication and Authorization"
10 |     checks:
11 |       - id: 3.1.1
12 |         text: "Client certificate authentication should not be used for users (Manual)"
13 |         type: "manual"
14 |         remediation: |
15 |           Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
16 |           implemented in place of client certificates.
17 |         scored: false
18 | 
19 |   - id: 3.2
20 |     text: "Logging"
21 |     checks:
22 |       - id: 3.2.1
23 |         text: "Ensure that a minimal audit policy is created (Manual)"
24 |         audit: "/bin/ps -ef | grep $apiserverbin | grep -v grep"
25 |         tests:
26 |           test_items:
27 |             - flag: "--audit-policy-file"
28 |               set: true
29 |         remediation: |
30 |           Create an audit policy file for your cluster.
31 |         scored: false
32 | 
33 |       - id: 3.2.2
34 |         text: "Ensure that the audit policy covers key security concerns (Manual)"
35 |         type: "manual"
36 |         remediation: |
37 |           Consider modification of the audit policy in use on the cluster to include these items, at a
38 |           minimum.
39 |         scored: false
40 | 


--------------------------------------------------------------------------------
/cfg/cis-1.6/etcd.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "cis-1.6"
  4 | id: 2
  5 | text: "Etcd Node Configuration"
  6 | type: "etcd"
  7 | groups:
  8 |   - id: 2
  9 |     text: "Etcd Node Configuration Files"
 10 |     checks:
 11 |       - id: 2.1
 12 |         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated)"
 13 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 14 |         tests:
 15 |           bin_op: and
 16 |           test_items:
 17 |             - flag: "--cert-file"
 18 |               env: "ETCD_CERT_FILE"
 19 |             - flag: "--key-file"
 20 |               env: "ETCD_KEY_FILE"
 21 |         remediation: |
 22 |           Follow the etcd service documentation and configure TLS encryption.
 23 |           Then, edit the etcd pod specification file /etc/kubernetes/manifests/etcd.yaml
 24 |           on the master node and set the below parameters.
 25 |           --cert-file=</path/to/ca-file>
 26 |           --key-file=</path/to/key-file>
 27 |         scored: true
 28 | 
 29 |       - id: 2.2
 30 |         text: "Ensure that the --client-cert-auth argument is set to true (Automated)"
 31 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 32 |         tests:
 33 |           test_items:
 34 |             - flag: "--client-cert-auth"
 35 |               env: "ETCD_CLIENT_CERT_AUTH"
 36 |               compare:
 37 |                 op: eq
 38 |                 value: true
 39 |         remediation: |
 40 |           Edit the etcd pod specification file $etcdconf on the master
 41 |           node and set the below parameter.
 42 |           --client-cert-auth="true"
 43 |         scored: true
 44 | 
 45 |       - id: 2.3
 46 |         text: "Ensure that the --auto-tls argument is not set to true (Automated)"
 47 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 48 |         tests:
 49 |           bin_op: or
 50 |           test_items:
 51 |             - flag: "--auto-tls"
 52 |               env: "ETCD_AUTO_TLS"
 53 |               set: false
 54 |             - flag: "--auto-tls"
 55 |               env: "ETCD_AUTO_TLS"
 56 |               compare:
 57 |                 op: eq
 58 |                 value: false
 59 |         remediation: |
 60 |           Edit the etcd pod specification file $etcdconf on the master
 61 |           node and either remove the --auto-tls parameter or set it to false.
 62 |             --auto-tls=false
 63 |         scored: true
 64 | 
 65 |       - id: 2.4
 66 |         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
 67 |         set as appropriate (Automated)"
 68 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 69 |         tests:
 70 |           bin_op: and
 71 |           test_items:
 72 |             - flag: "--peer-cert-file"
 73 |               env: "ETCD_PEER_CERT_FILE"
 74 |             - flag: "--peer-key-file"
 75 |               env: "ETCD_PEER_KEY_FILE"
 76 |         remediation: |
 77 |           Follow the etcd service documentation and configure peer TLS encryption as appropriate
 78 |           for your etcd cluster.
 79 |           Then, edit the etcd pod specification file $etcdconf on the
 80 |           master node and set the below parameters.
 81 |           --peer-client-file=</path/to/peer-cert-file>
 82 |           --peer-key-file=</path/to/peer-key-file>
 83 |         scored: true
 84 | 
 85 |       - id: 2.5
 86 |         text: "Ensure that the --peer-client-cert-auth argument is set to true (Automated)"
 87 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
 88 |         tests:
 89 |           test_items:
 90 |             - flag: "--peer-client-cert-auth"
 91 |               env: "ETCD_PEER_CLIENT_CERT_AUTH"
 92 |               compare:
 93 |                 op: eq
 94 |                 value: true
 95 |         remediation: |
 96 |           Edit the etcd pod specification file $etcdconf on the master
 97 |           node and set the below parameter.
 98 |           --peer-client-cert-auth=true
 99 |         scored: true
100 | 
101 |       - id: 2.6
102 |         text: "Ensure that the --peer-auto-tls argument is not set to true (Automated)"
103 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
104 |         tests:
105 |           bin_op: or
106 |           test_items:
107 |             - flag: "--peer-auto-tls"
108 |               env: "ETCD_PEER_AUTO_TLS"
109 |               set: false
110 |             - flag: "--peer-auto-tls"
111 |               env: "ETCD_PEER_AUTO_TLS"
112 |               compare:
113 |                 op: eq
114 |                 value: false
115 |         remediation: |
116 |           Edit the etcd pod specification file $etcdconf on the master
117 |           node and either remove the --peer-auto-tls parameter or set it to false.
118 |           --peer-auto-tls=false
119 |         scored: true
120 | 
121 |       - id: 2.7
122 |         text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
123 |         audit: "/bin/ps -ef | /bin/grep $etcdbin | /bin/grep -v grep"
124 |         tests:
125 |           test_items:
126 |             - flag: "--trusted-ca-file"
127 |               env: "ETCD_TRUSTED_CA_FILE"
128 |         remediation: |
129 |           [Manual test]
130 |           Follow the etcd documentation and create a dedicated certificate authority setup for the
131 |           etcd service.
132 |           Then, edit the etcd pod specification file $etcdconf on the
133 |           master node and set the below parameter.
134 |           --trusted-ca-file=</path/to/ca-file>
135 |         scored: false
136 | 


--------------------------------------------------------------------------------
/cfg/cis-1.6/policies.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "cis-1.6"
  4 | id: 5
  5 | text: "Kubernetes Policies"
  6 | type: "policies"
  7 | groups:
  8 |   - id: 5.1
  9 |     text: "RBAC and Service Accounts"
 10 |     checks:
 11 |       - id: 5.1.1
 12 |         text: "Ensure that the cluster-admin role is only used where required (Manual)"
 13 |         type: "manual"
 14 |         remediation: |
 15 |           Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
 16 |           if they need this role or if they could use a role with fewer privileges.
 17 |           Where possible, first bind users to a lower privileged role and then remove the
 18 |           clusterrolebinding to the cluster-admin role :
 19 |           kubectl delete clusterrolebinding [name]
 20 |         scored: false
 21 | 
 22 |       - id: 5.1.2
 23 |         text: "Minimize access to secrets (Manual)"
 24 |         type: "manual"
 25 |         remediation: |
 26 |           Where possible, remove get, list and watch access to secret objects in the cluster.
 27 |         scored: false
 28 | 
 29 |       - id: 5.1.3
 30 |         text: "Minimize wildcard use in Roles and ClusterRoles (Manual)"
 31 |         type: "manual"
 32 |         remediation: |
 33 |           Where possible replace any use of wildcards in clusterroles and roles with specific
 34 |           objects or actions.
 35 |         scored: false
 36 | 
 37 |       - id: 5.1.4
 38 |         text: "Minimize access to create pods (Manual)"
 39 |         type: "manual"
 40 |         remediation: |
 41 |           Where possible, remove create access to pod objects in the cluster.
 42 |         scored: false
 43 | 
 44 |       - id: 5.1.5
 45 |         text: "Ensure that default service accounts are not actively used. (Manual)"
 46 |         type: "manual"
 47 |         remediation: |
 48 |           Create explicit service accounts wherever a Kubernetes workload requires specific access
 49 |           to the Kubernetes API server.
 50 |           Modify the configuration of each default service account to include this value
 51 |           automountServiceAccountToken: false
 52 |         scored: false
 53 | 
 54 |       - id: 5.1.6
 55 |         text: "Ensure that Service Account Tokens are only mounted where necessary (Manual)"
 56 |         type: "manual"
 57 |         remediation: |
 58 |           Modify the definition of pods and service accounts which do not need to mount service
 59 |           account tokens to disable it.
 60 |         scored: false
 61 | 
 62 |   - id: 5.2
 63 |     text: "Pod Security Policies"
 64 |     checks:
 65 |       - id: 5.2.1
 66 |         text: "Minimize the admission of privileged containers (Manual)"
 67 |         type: "manual"
 68 |         remediation: |
 69 |           Create a PSP as described in the Kubernetes documentation, ensuring that
 70 |           the .spec.privileged field is omitted or set to false.
 71 |         scored: false
 72 | 
 73 |       - id: 5.2.2
 74 |         text: "Minimize the admission of containers wishing to share the host process ID namespace (Manual)"
 75 |         type: "manual"
 76 |         remediation: |
 77 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 78 |           .spec.hostPID field is omitted or set to false.
 79 |         scored: false
 80 | 
 81 |       - id: 5.2.3
 82 |         text: "Minimize the admission of containers wishing to share the host IPC namespace (Manual)"
 83 |         type: "manual"
 84 |         remediation: |
 85 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 86 |           .spec.hostIPC field is omitted or set to false.
 87 |         scored: false
 88 | 
 89 |       - id: 5.2.4
 90 |         text: "Minimize the admission of containers wishing to share the host network namespace (Manual)"
 91 |         type: "manual"
 92 |         remediation: |
 93 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 94 |           .spec.hostNetwork field is omitted or set to false.
 95 |         scored: false
 96 | 
 97 |       - id: 5.2.5
 98 |         text: "Minimize the admission of containers with allowPrivilegeEscalation (Manual)"
 99 |         type: "manual"
100 |         remediation: |
101 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
102 |           .spec.allowPrivilegeEscalation field is omitted or set to false.
103 |         scored: false
104 | 
105 |       - id: 5.2.6
106 |         text: "Minimize the admission of root containers (Manual)"
107 |         type: "manual"
108 |         remediation: |
109 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
110 |           .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
111 |           UIDs not including 0.
112 |         scored: false
113 | 
114 |       - id: 5.2.7
115 |         text: "Minimize the admission of containers with the NET_RAW capability (Manual)"
116 |         type: "manual"
117 |         remediation: |
118 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
119 |           .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
120 |         scored: false
121 | 
122 |       - id: 5.2.8
123 |         text: "Minimize the admission of containers with added capabilities (Manual)"
124 |         type: "manual"
125 |         remediation: |
126 |           Ensure that allowedCapabilities is not present in PSPs for the cluster unless
127 |           it is set to an empty array.
128 |         scored: false
129 | 
130 |       - id: 5.2.9
131 |         text: "Minimize the admission of containers with capabilities assigned (Manual)"
132 |         type: "manual"
133 |         remediation: |
134 |           Review the use of capabilites in applications running on your cluster. Where a namespace
135 |           contains applicaions which do not require any Linux capabities to operate consider adding
136 |           a PSP which forbids the admission of containers which do not drop all capabilities.
137 |         scored: false
138 | 
139 |   - id: 5.3
140 |     text: "Network Policies and CNI"
141 |     checks:
142 |       - id: 5.3.1
143 |         text: "Ensure that the CNI in use supports Network Policies (Manual)"
144 |         type: "manual"
145 |         remediation: |
146 |           If the CNI plugin in use does not support network policies, consideration should be given to
147 |           making use of a different plugin, or finding an alternate mechanism for restricting traffic
148 |           in the Kubernetes cluster.
149 |         scored: false
150 | 
151 |       - id: 5.3.2
152 |         text: "Ensure that all Namespaces have Network Policies defined (Manual)"
153 |         type: "manual"
154 |         remediation: |
155 |           Follow the documentation and create NetworkPolicy objects as you need them.
156 |         scored: false
157 | 
158 |   - id: 5.4
159 |     text: "Secrets Management"
160 |     checks:
161 |       - id: 5.4.1
162 |         text: "Prefer using secrets as files over secrets as environment variables (Manual)"
163 |         type: "manual"
164 |         remediation: |
165 |           if possible, rewrite application code to read secrets from mounted secret files, rather than
166 |           from environment variables.
167 |         scored: false
168 | 
169 |       - id: 5.4.2
170 |         text: "Consider external secret storage (Manual)"
171 |         type: "manual"
172 |         remediation: |
173 |           Refer to the secrets management options offered by your cloud provider or a third-party
174 |           secrets management solution.
175 |         scored: false
176 | 
177 |   - id: 5.5
178 |     text: "Extensible Admission Control"
179 |     checks:
180 |       - id: 5.5.1
181 |         text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Manual)"
182 |         type: "manual"
183 |         remediation: |
184 |           Follow the Kubernetes documentation and setup image provenance.
185 |         scored: false
186 | 
187 |   - id: 5.7
188 |     text: "General Policies"
189 |     checks:
190 |       - id: 5.7.1
191 |         text: "Create administrative boundaries between resources using namespaces (Manual)"
192 |         type: "manual"
193 |         remediation: |
194 |           Follow the documentation and create namespaces for objects in your deployment as you need
195 |           them.
196 |         scored: false
197 | 
198 |       - id: 5.7.2
199 |         text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual)"
200 |         type: "manual"
201 |         remediation: |
202 |           Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
203 |           would need to enable alpha features in the apiserver by passing "--feature-
204 |           gates=AllAlpha=true" argument.
205 |           Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
206 |           parameter to "--feature-gates=AllAlpha=true"
207 |           KUBE_API_ARGS="--feature-gates=AllAlpha=true"
208 |           Based on your system, restart the kube-apiserver service. For example:
209 |           systemctl restart kube-apiserver.service
210 |           Use annotations to enable the docker/default seccomp profile in your pod definitions. An
211 |           example is as below:
212 |           apiVersion: v1
213 |           kind: Pod
214 |           metadata:
215 |             name: trustworthy-pod
216 |             annotations:
217 |               seccomp.security.alpha.kubernetes.io/pod: docker/default
218 |           spec:
219 |             containers:
220 |               - name: trustworthy-container
221 |                 image: sotrustworthy:latest
222 |         scored: false
223 | 
224 |       - id: 5.7.3
225 |         text: "Apply Security Context to Your Pods and Containers (Manual)"
226 |         type: "manual"
227 |         remediation: |
228 |           Follow the Kubernetes documentation and apply security contexts to your pods. For a
229 |           suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
230 |           Containers.
231 |         scored: false
232 | 
233 |       - id: 5.7.4
234 |         text: "The default namespace should not be used (Manual)"
235 |         type: "manual"
236 |         remediation: |
237 |           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
238 |           resources and that all new resources are created in a specific namespace.
239 |         scored: false
240 | 


--------------------------------------------------------------------------------
/cfg/config.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | ## Controls Files.
  3 | # These are YAML files that hold all the details for running checks.
  4 | #
  5 | ## Uncomment to use different control file paths.
  6 | # masterControls: ./cfg/master.yaml
  7 | # nodeControls: ./cfg/node.yaml
  8 | 
  9 | master:
 10 |   components:
 11 |     - apiserver
 12 |     - scheduler
 13 |     - controllermanager
 14 |     - etcd
 15 |     - flanneld
 16 |     # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
 17 |     - kubernetes
 18 |     - kubelet
 19 | 
 20 |   kubernetes:
 21 |     defaultconf: /etc/kubernetes/config
 22 | 
 23 |   apiserver:
 24 |     bins:
 25 |       - "kube-apiserver"
 26 |       - "hyperkube apiserver"
 27 |       - "hyperkube kube-apiserver"
 28 |       - "apiserver"
 29 |       - "openshift start master api"
 30 |       - "hypershift openshift-kube-apiserver"
 31 |     confs:
 32 |       - /etc/kubernetes/manifests/kube-apiserver.yaml
 33 |       - /etc/kubernetes/manifests/kube-apiserver.yml
 34 |       - /etc/kubernetes/manifests/kube-apiserver.manifest
 35 |       - /var/snap/kube-apiserver/current/args
 36 |       - /var/snap/microk8s/current/args/kube-apiserver
 37 |       - /etc/origin/master/master-config.yaml
 38 |     defaultconf: /etc/kubernetes/manifests/kube-apiserver.yaml
 39 | 
 40 |   scheduler:
 41 |     bins:
 42 |       - "kube-scheduler"
 43 |       - "hyperkube scheduler"
 44 |       - "hyperkube kube-scheduler"
 45 |       - "scheduler"
 46 |       - "openshift start master controllers"
 47 |     confs:
 48 |       - /etc/kubernetes/manifests/kube-scheduler.yaml
 49 |       - /etc/kubernetes/manifests/kube-scheduler.yml
 50 |       - /etc/kubernetes/manifests/kube-scheduler.manifest
 51 |       - /var/snap/kube-scheduler/current/args
 52 |       - /var/snap/microk8s/current/args/kube-scheduler
 53 |       - /etc/origin/master/scheduler.json
 54 |     defaultconf: /etc/kubernetes/manifests/kube-scheduler.yaml
 55 |     kubeconfig:
 56 |       - /etc/kubernetes/scheduler.conf
 57 |       - /var/lib/kube-scheduler/kubeconfig
 58 |       - /var/lib/kube-scheduler/config.yaml
 59 |     defaultkubeconfig: /etc/kubernetes/scheduler.conf
 60 | 
 61 |   controllermanager:
 62 |     bins:
 63 |       - "kube-controller-manager"
 64 |       - "kube-controller"
 65 |       - "hyperkube controller-manager"
 66 |       - "hyperkube kube-controller-manager"
 67 |       - "controller-manager"
 68 |       - "openshift start master controllers"
 69 |       - "hypershift openshift-controller-manager"
 70 |     confs:
 71 |       - /etc/kubernetes/manifests/kube-controller-manager.yaml
 72 |       - /etc/kubernetes/manifests/kube-controller-manager.yml
 73 |       - /etc/kubernetes/manifests/kube-controller-manager.manifest
 74 |       - /var/snap/kube-controller-manager/current/args
 75 |       - /var/snap/microk8s/current/args/kube-controller-manager
 76 |     defaultconf: /etc/kubernetes/manifests/kube-controller-manager.yaml
 77 |     kubeconfig:
 78 |       - /etc/kubernetes/controller-manager.conf
 79 |       - /var/lib/kube-controller-manager/kubeconfig
 80 |     defaultkubeconfig: /etc/kubernetes/controller-manager.conf
 81 | 
 82 |   etcd:
 83 |     optional: true
 84 |     bins:
 85 |       - "etcd"
 86 |       - "openshift start etcd"
 87 |     confs:
 88 |       - /etc/kubernetes/manifests/etcd.yaml
 89 |       - /etc/kubernetes/manifests/etcd.yml
 90 |       - /etc/kubernetes/manifests/etcd.manifest
 91 |       - /etc/etcd/etcd.conf
 92 |       - /var/snap/etcd/common/etcd.conf.yml
 93 |       - /var/snap/etcd/common/etcd.conf.yaml
 94 |       - /var/snap/microk8s/current/args/etcd
 95 |       - /usr/lib/systemd/system/etcd.service
 96 |     defaultconf: /etc/kubernetes/manifests/etcd.yaml
 97 | 
 98 |   flanneld:
 99 |     optional: true
100 |     bins:
101 |       - flanneld
102 |     defaultconf: /etc/sysconfig/flanneld
103 | 
104 |   kubelet:
105 |     optional: true
106 |     bins:
107 |       - "hyperkube kubelet"
108 |       - "kubelet"
109 | 
110 | node:
111 |   components:
112 |     - kubelet
113 |     - proxy
114 |     # kubernetes is a component to cover the config file /etc/kubernetes/config that is referred to in the benchmark
115 |     - kubernetes
116 | 
117 |   kubernetes:
118 |     defaultconf: "/etc/kubernetes/config"
119 | 
120 |   kubelet:
121 |     cafile:
122 |       - "/etc/kubernetes/pki/ca.crt"
123 |       - "/etc/kubernetes/certs/ca.crt"
124 |       - "/etc/kubernetes/cert/ca.pem"
125 |       - "/var/snap/microk8s/current/certs/ca.crt"
126 |     svc:
127 |       # These paths must also be included
128 |       #  in the 'confs' property below
129 |       - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
130 |       - "/etc/systemd/system/kubelet.service"
131 |       - "/lib/systemd/system/kubelet.service"
132 |       - "/etc/systemd/system/snap.kubelet.daemon.service"
133 |       - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
134 |       - "/etc/systemd/system/atomic-openshift-node.service"
135 |       - "/etc/systemd/system/origin-node.service"
136 |     bins:
137 |       - "hyperkube kubelet"
138 |       - "kubelet"
139 |     kubeconfig:
140 |       - "/etc/kubernetes/kubelet.conf"
141 |       - "/var/lib/kubelet/kubeconfig"
142 |       - "/etc/kubernetes/kubelet-kubeconfig"
143 |       - "/var/snap/microk8s/current/credentials/kubelet.config"
144 |     confs:
145 |       - "/var/lib/kubelet/config.yaml"
146 |       - "/var/lib/kubelet/config.yml"
147 |       - "/etc/kubernetes/kubelet/kubelet-config.json"
148 |       - "/home/kubernetes/kubelet-config.yaml"
149 |       - "/home/kubernetes/kubelet-config.yml"
150 |       - "/etc/default/kubeletconfig.json"
151 |       - "/etc/default/kubelet"
152 |       - "/var/lib/kubelet/kubeconfig"
153 |       - "/var/snap/kubelet/current/args"
154 |       - "/var/snap/microk8s/current/args/kubelet"
155 |       ## Due to the fact that the kubelet might be configured
156 |       ## without a kubelet-config file, we use a work-around
157 |       ## of pointing to the systemd service file (which can also
158 |       ## hold kubelet configuration).
159 |       ## Note: The following paths must match the one under 'svc'
160 |       - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
161 |       - "/etc/systemd/system/kubelet.service"
162 |       - "/lib/systemd/system/kubelet.service"
163 |       - "/etc/systemd/system/snap.kubelet.daemon.service"
164 |       - "/etc/systemd/system/snap.microk8s.daemon-kubelet.service"
165 |     defaultconf: "/var/lib/kubelet/config.yaml"
166 |     defaultsvc: "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf"
167 |     defaultkubeconfig: "/etc/kubernetes/kubelet.conf"
168 |     defaultcafile: "/etc/kubernetes/pki/ca.crt"
169 | 
170 |   proxy:
171 |     optional: true
172 |     bins:
173 |       - "kube-proxy"
174 |       - "hyperkube proxy"
175 |       - "hyperkube kube-proxy"
176 |       - "proxy"
177 |       - "openshift start network"
178 |     confs:
179 |       - /etc/kubernetes/proxy
180 |       - /etc/kubernetes/addons/kube-proxy-daemonset.yaml
181 |       - /etc/kubernetes/addons/kube-proxy-daemonset.yml
182 |       - /var/snap/kube-proxy/current/args
183 |       - /var/snap/microk8s/current/args/kube-proxy
184 |     kubeconfig:
185 |       - "/etc/kubernetes/kubelet-kubeconfig"
186 |       - "/var/lib/kubelet/kubeconfig"
187 |       - "/var/snap/microk8s/current/credentials/proxy.config"
188 |     svc:
189 |       - "/lib/systemd/system/kube-proxy.service"
190 |       - "/etc/systemd/system/snap.microk8s.daemon-proxy.service"
191 |     defaultconf: /etc/kubernetes/addons/kube-proxy-daemonset.yaml
192 |     defaultkubeconfig: "/etc/kubernetes/proxy.conf"
193 | 
194 | etcd:
195 |   components:
196 |     - etcd
197 | 
198 |   etcd:
199 |     bins:
200 |       - "etcd"
201 |     confs:
202 |       - /etc/kubernetes/manifests/etcd.yaml
203 |       - /etc/kubernetes/manifests/etcd.yml
204 |       - /etc/kubernetes/manifests/etcd.manifest
205 |       - /etc/etcd/etcd.conf
206 |       - /var/snap/etcd/common/etcd.conf.yml
207 |       - /var/snap/etcd/common/etcd.conf.yaml
208 |       - /var/snap/microk8s/current/args/etcd
209 |       - /usr/lib/systemd/system/etcd.service
210 |     defaultconf: /etc/kubernetes/manifests/etcd.yaml
211 | 
212 | controlplane:
213 |   components:
214 |     - apiserver
215 | 
216 |   apiserver:
217 |     bins:
218 |       - "kube-apiserver"
219 |       - "hyperkube apiserver"
220 |       - "hyperkube kube-apiserver"
221 |       - "apiserver"
222 | 
223 | policies:
224 |   components: []
225 | 
226 | managedservices:
227 |   components: []
228 | 
229 | version_mapping:
230 |   "1.15": "cis-1.5"
231 |   "1.16": "cis-1.6"
232 |   "1.17": "cis-1.6"
233 |   "1.18": "cis-1.6"
234 |   "1.19": "cis-1.6"
235 |   "eks-1.0": "eks-1.0"
236 |   "gke-1.0": "gke-1.0"
237 |   "ocp-3.10": "rh-0.7"
238 |   "ocp-3.11": "rh-0.7"
239 |   "ocp-4.0": "rh-1.0"
240 |   "aks-1.0": "aks-1.0"
241 |   "ack-1.0": "ack-1.0"
242 | 
243 | target_mapping:
244 |   "cis-1.5":
245 |     - "master"
246 |     - "node"
247 |     - "controlplane"
248 |     - "etcd"
249 |     - "policies"
250 |   "cis-1.6":
251 |     - "master"
252 |     - "node"
253 |     - "controlplane"
254 |     - "etcd"
255 |     - "policies"
256 |   "gke-1.0":
257 |     - "master"
258 |     - "node"
259 |     - "controlplane"
260 |     - "etcd"
261 |     - "policies"
262 |     - "managedservices"
263 |   "eks-1.0":
264 |     - "master"
265 |     - "node"
266 |     - "controlplane"
267 |     - "policies"
268 |     - "managedservices"
269 |   "rh-0.7":
270 |     - "master"
271 |     - "node"
272 |   "aks-1.0":
273 |     - "master"
274 |     - "node"
275 |     - "controlplane"
276 |     - "policies"
277 |     - "managedservices"
278 |   "ack-1.0":
279 |     - "master"
280 |     - "node"
281 |     - "controlplane"
282 |     - "etcd"
283 |     - "policies"
284 |     - "managedservices"
285 |   "rh-1.0":
286 |     - "master"
287 |     - "node"
288 |     - "controlplane"
289 |     - "policies"
290 |     - "etcd"
291 | 


--------------------------------------------------------------------------------
/cfg/eks-1.0/config.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | ## Version-specific settings that override the values in cfg/config.yaml
 3 | ## These settings are required if you are using the --asff option to report findings to AWS Security Hub
 4 | ## AWS account number is required.
 5 | AWS_ACCOUNT: "<AWS_ACCT_NUMBER>"
 6 | ## AWS region is required.
 7 | AWS_REGION: "<AWS_REGION>"
 8 | ## EKS Cluster ARN is required.
 9 | CLUSTER_ARN: "<AWS_CLUSTER_ARN>"
10 | 


--------------------------------------------------------------------------------
/cfg/eks-1.0/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "eks-1.0"
 4 | id: 2
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 2.1
 9 |     text: "Logging"
10 |     checks:
11 |       - id: 2.1.1
12 |         text: "Enable audit logs"
13 |         remediation: "Enable control plane logging for API Server, Audit, Authenticator, Controller Manager, and Scheduler."
14 |         scored: false
15 | 


--------------------------------------------------------------------------------
/cfg/eks-1.0/managedservices.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "eks-1.0"
  4 | id: 5
  5 | text: "Managed Services"
  6 | type: "managedservices"
  7 | groups:
  8 |   - id: 5.1
  9 |     text: "Image Registry and Image Scanning"
 10 |     checks:
 11 |       - id: 5.1.1
 12 |         text: "Ensure Image Vulnerability Scanning using Amazon ECR image scanning or a third-party provider (Not Scored)"
 13 |         type: "manual"
 14 |         remediation:
 15 |         scored: false
 16 | 
 17 |       - id: 5.1.2
 18 |         text: "Minimize user access to Amazon ECR (Not Scored)"
 19 |         type: "manual"
 20 |         remediation:
 21 |         scored: false
 22 | 
 23 |       - id: 5.1.3
 24 |         text: "Minimize cluster access to read-only for Amazon ECR (Not Scored)"
 25 |         type: "manual"
 26 |         remediation:
 27 |         scored: false
 28 | 
 29 |       - id: 5.1.4
 30 |         text: "Minimize Container Registries to only those approved (Not Scored)"
 31 |         type: "manual"
 32 |         remediation:
 33 |         scored: false
 34 | 
 35 |   - id: 5.2
 36 |     text: "Identity and Access Management (IAM)"
 37 |     checks:
 38 |       - id: 5.2.1
 39 |         text: "Prefer using dedicated Amazon EKS Service Accounts (Not Scored)"
 40 |         type: "manual"
 41 |         remediation:
 42 |         scored: false
 43 | 
 44 |   - id: 5.3
 45 |     text: "AWS Key Management Service (AWS KMS)"
 46 |     checks:
 47 |       - id: 5.3.1
 48 |         text: "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs) managed in AWS KMS (Not Scored)"
 49 |         type: "manual"
 50 |         remediation:
 51 |         scored: false
 52 | 
 53 |   - id: 5.4
 54 |     text: "Cluster Networking"
 55 |     checks:
 56 |       - id: 5.4.1
 57 |         text: "Restrict Access to the Control Plane Endpoint (Not Scored)"
 58 |         type: "manual"
 59 |         remediation:
 60 |         scored: false
 61 | 
 62 |       - id: 5.4.2
 63 |         text: "Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled (Not Scored)"
 64 |         type: "manual"
 65 |         remediation:
 66 |         scored: false
 67 | 
 68 |       - id: 5.4.3
 69 |         text: "Ensure clusters are created with Private Nodes (Not Scored)"
 70 |         type: "manual"
 71 |         remediation:
 72 |         scored: false
 73 | 
 74 |       - id: 5.4.4
 75 |         text: "Ensure Network Policy is Enabled and set as appropriate (Not Scored)"
 76 |         type: "manual"
 77 |         remediation:
 78 |         scored: false
 79 | 
 80 |       - id: 5.4.5
 81 |         text: "Encrypt traffic to HTTPS load balancers with TLS certificates (Not Scored)"
 82 |         type: "manual"
 83 |         remediation:
 84 |         scored: false
 85 | 
 86 | 
 87 |   - id: 5.5
 88 |     text: "Authentication and Authorization"
 89 |     checks:
 90 |       - id: 5.5.1
 91 |         text: "Manage Kubernetes RBAC users with AWS IAM Authenticator for Kubernetes (Not Scored)"
 92 |         type: "manual"
 93 |         remediation:
 94 |         scored: false
 95 | 
 96 | 
 97 |   - id: 5.6
 98 |     text: "Other Cluster Configurations"
 99 |     checks:
100 |       - id: 5.6.1
101 |         text: "Consider Fargate for running untrusted workloads (Not Scored)"
102 |         type: "manual"
103 |         remediation:
104 |         scored: false
105 | 


--------------------------------------------------------------------------------
/cfg/eks-1.0/master.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | controls:
3 | version: "eks-1.0"
4 | id: 1
5 | text: "Control Plane Components"
6 | type: "master"
7 | 


--------------------------------------------------------------------------------
/cfg/eks-1.0/policies.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "eks-1.0"
  4 | id: 4
  5 | text: "Policies"
  6 | type: "policies"
  7 | groups:
  8 |   - id: 4.1
  9 |     text: "RBAC and Service Accounts"
 10 |     checks:
 11 |       - id: 4.1.1
 12 |         text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
 13 |         type: "manual"
 14 |         remediation: |
 15 |           Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
 16 |           if they need this role or if they could use a role with fewer privileges.
 17 |           Where possible, first bind users to a lower privileged role and then remove the
 18 |           clusterrolebinding to the cluster-admin role :
 19 |           kubectl delete clusterrolebinding [name]
 20 |         scored: false
 21 | 
 22 |       - id: 4.1.2
 23 |         text: "Minimize access to secrets (Not Scored)"
 24 |         type: "manual"
 25 |         remediation: |
 26 |           Where possible, remove get, list and watch access to secret objects in the cluster.
 27 |         scored: false
 28 | 
 29 |       - id: 4.1.3
 30 |         text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
 31 |         type: "manual"
 32 |         remediation: |
 33 |           Where possible replace any use of wildcards in clusterroles and roles with specific
 34 |           objects or actions.
 35 |         scored: false
 36 | 
 37 |       - id: 4.1.4
 38 |         text: "Minimize access to create pods (Not Scored)"
 39 |         type: "manual"
 40 |         Remediation: |
 41 |           Where possible, remove create access to pod objects in the cluster.
 42 |         scored: false
 43 | 
 44 |       - id: 4.1.5
 45 |         text: "Ensure that default service accounts are not actively used. (Not Scored)"
 46 |         type: "manual"
 47 |         remediation: |
 48 |           Create explicit service accounts wherever a Kubernetes workload requires specific access
 49 |           to the Kubernetes API server.
 50 |           Modify the configuration of each default service account to include this value
 51 |           automountServiceAccountToken: false
 52 |         scored: false
 53 | 
 54 |       - id: 4.1.6
 55 |         text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
 56 |         type: "manual"
 57 |         remediation: |
 58 |           Modify the definition of pods and service accounts which do not need to mount service
 59 |           account tokens to disable it.
 60 |         scored: false
 61 | 
 62 |   - id: 4.2
 63 |     text: "Pod Security Policies"
 64 |     checks:
 65 |       - id: 4.2.1
 66 |         text: "Minimize the admission of privileged containers (Not Scored)"
 67 |         type: "manual"
 68 |         remediation: |
 69 |           Create a PSP as described in the Kubernetes documentation, ensuring that
 70 |           the .spec.privileged field is omitted or set to false.
 71 |         scored: false
 72 | 
 73 |       - id: 4.2.2
 74 |         text: "Minimize the admission of containers wishing to share the host process ID namespace (Not Scored)"
 75 |         type: "manual"
 76 |         remediation: |
 77 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 78 |           .spec.hostPID field is omitted or set to false.
 79 |         scored: false
 80 | 
 81 |       - id: 4.2.3
 82 |         text: "Minimize the admission of containers wishing to share the host IPC namespace (Not Scored)"
 83 |         type: "manual"
 84 |         remediation: |
 85 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 86 |           .spec.hostIPC field is omitted or set to false.
 87 |         scored: false
 88 | 
 89 |       - id: 4.2.4
 90 |         text: "Minimize the admission of containers wishing to share the host network namespace (Not Scored)"
 91 |         type: "manual"
 92 |         remediation: |
 93 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 94 |           .spec.hostNetwork field is omitted or set to false.
 95 |         scored: false
 96 | 
 97 |       - id: 4.2.5
 98 |         text: "Minimize the admission of containers with allowPrivilegeEscalation (Not Scored)"
 99 |         type: "manual"
100 |         remediation: |
101 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
102 |           .spec.allowPrivilegeEscalation field is omitted or set to false.
103 |         scored: false
104 | 
105 |       - id: 4.2.6
106 |         text: "Minimize the admission of root containers (Not Scored)"
107 |         type: "manual"
108 |         remediation: |
109 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
110 |           .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
111 |           UIDs not including 0.
112 |         scored: false
113 | 
114 |       - id: 4.2.7
115 |         text: "Minimize the admission of containers with the NET_RAW capability (Not Scored)"
116 |         type: "manual"
117 |         remediation: |
118 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
119 |           .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
120 |         scored: false
121 | 
122 |       - id: 4.2.8
123 |         text: "Minimize the admission of containers with added capabilities (Not Scored)"
124 |         type: "manual"
125 |         remediation: |
126 |           Ensure that allowedCapabilities is not present in PSPs for the cluster unless
127 |           it is set to an empty array.
128 |         scored: false
129 | 
130 |       - id: 4.2.9
131 |         text: "Minimize the admission of containers with capabilities assigned (Not Scored)"
132 |         type: "manual"
133 |         remediation: |
134 |           Review the use of capabilities in applications running on your cluster. Where a namespace
135 |           contains applications which do not require any Linux capabities to operate consider adding
136 |           a PSP which forbids the admission of containers which do not drop all capabilities.
137 |         scored: false
138 | 
139 |   - id: 4.3
140 |     text: "CNI Plugin"
141 |     checks:
142 |       - id: 4.3.1
143 |         text: "Ensure that the latest CNI version is used (Not Scored)"
144 |         type: "manual"
145 |         remediation: |
146 |           Review the documentation of AWS CNI plugin, and ensure latest CNI version is used.
147 |         scored: false
148 | 
149 |       - id: 4.3.2
150 |         text: "Ensure that all Namespaces have Network Policies defined (Not Scored)"
151 |         type: "manual"
152 |         remediation: |
153 |           Follow the documentation and create NetworkPolicy objects as you need them.
154 |         scored: false
155 | 
156 |   - id: 4.4
157 |     text: "Secrets Management"
158 |     checks:
159 |       - id: 4.4.1
160 |         text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
161 |         type: "manual"
162 |         remediation: |
163 |           If possible, rewrite application code to read secrets from mounted secret files, rather than
164 |           from environment variables.
165 |         scored: false
166 | 
167 |       - id: 4.4.2
168 |         text: "Consider external secret storage (Not Scored)"
169 |         type: "manual"
170 |         remediation: |
171 |           Refer to the secrets management options offered by your cloud provider or a third-party
172 |           secrets management solution.
173 |         scored: false
174 | 
175 |   - id: 4.5
176 |     text: "Extensible Admission Control"
177 |     checks:
178 |       - id: 4.5.1
179 |         text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
180 |         type: "manual"
181 |         remediation: |
182 |           Follow the Kubernetes documentation and setup image provenance.
183 |         scored: false
184 | 
185 |   - id: 4.6
186 |     text: "General Policies"
187 |     checks:
188 |       - id: 4.6.1
189 |         text: "Create administrative boundaries between resources using namespaces (Not Scored)"
190 |         type: "manual"
191 |         remediation: |
192 |           Follow the documentation and create namespaces for objects in your deployment as you need
193 |           them.
194 |         scored: false
195 | 
196 |       - id: 4.6.2
197 |         text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
198 |         type: "manual"
199 |         remediation: |
200 |           Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
201 |           would need to enable alpha features in the apiserver by passing "--feature-
202 |           gates=AllAlpha=true" argument.
203 |           Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
204 |           parameter to "--feature-gates=AllAlpha=true"
205 |           KUBE_API_ARGS="--feature-gates=AllAlpha=true"
206 |           Based on your system, restart the kube-apiserver service. For example:
207 |           systemctl restart kube-apiserver.service
208 |           Use annotations to enable the docker/default seccomp profile in your pod definitions. An
209 |           example is as below:
210 |           apiVersion: v1
211 |           kind: Pod
212 |           metadata:
213 |             name: trustworthy-pod
214 |             annotations:
215 |               seccomp.security.alpha.kubernetes.io/pod: docker/default
216 |           spec:
217 |             containers:
218 |               - name: trustworthy-container
219 |                 image: sotrustworthy:latest
220 |         scored: false
221 | 
222 |       - id: 4.6.3
223 |         text: "Apply Security Context to Your Pods and Containers (Not Scored)"
224 |         type: "manual"
225 |         remediation: |
226 |           Follow the Kubernetes documentation and apply security contexts to your pods. For a
227 |           suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
228 |           Containers.
229 |         scored: false
230 | 
231 |       - id: 4.6.4
232 |         text: "The default namespace should not be used (Not Scored)"
233 |         type: "manual"
234 |         remediation: |
235 |           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
236 |           resources and that all new resources are created in a specific namespace.
237 |         scored: false
238 | 


--------------------------------------------------------------------------------
/cfg/gke-1.0/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/gke-1.0/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "gke-1.0"
 4 | id: 3
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 3.1
 9 |     text: "Authentication and Authorization"
10 |     checks:
11 |       - id: 3.1.1
12 |         text: "Client certificate authentication should not be used for users (Not Scored)"
13 |         type: "manual"
14 |         remediation: |
15 |           Alternative mechanisms provided by Kubernetes such as the use of OIDC should be
16 |           implemented in place of client certificates.
17 |           You can remediate the availability of client certificates in your GKE cluster. See
18 |           Recommendation 6.8.2.
19 |         scored: false
20 | 
21 |   - id: 3.2
22 |     text: "Logging"
23 |     type: skip
24 |     checks:
25 |       - id: 3.2.1
26 |         text: "Ensure that a minimal audit policy is created (Not Scored)"
27 |         remediation: "This control cannot be modified in GKE."
28 |         scored: false
29 | 
30 |       - id: 3.2.2
31 |         text: "Ensure that the audit policy covers key security concerns (Not Scored) "
32 |         remediation: "This control cannot be modified in GKE."
33 |         scored: false
34 | 


--------------------------------------------------------------------------------
/cfg/gke-1.0/etcd.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: "gke-1.0"
 4 | id: 2
 5 | text: "Etcd Node Configuration"
 6 | type: "etcd"
 7 | groups:
 8 |   - id: 2
 9 |     text: "Etcd Node Configuration Files"
10 |     type: skip
11 |     checks:
12 |       - id: 2.1
13 |         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Not Scored)"
14 |         remediation: "This control cannot be modified in GKE."
15 |         scored: false
16 | 
17 |       - id: 2.2
18 |         text: "Ensure that the --client-cert-auth argument is set to true (Not Scored)"
19 |         remediation: "This control cannot be modified in GKE."
20 |         scored: false
21 | 
22 |       - id: 2.3
23 |         text: "Ensure that the --auto-tls argument is not set to true (Not Scored)"
24 |         remediation: "This control cannot be modified in GKE."
25 |         scored: false
26 | 
27 |       - id: 2.4
28 |         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are
29 |         set as appropriate (Not Scored)"
30 |         remediation: "This control cannot be modified in GKE."
31 |         scored: false
32 | 
33 |       - id: 2.5
34 |         text: "Ensure that the --peer-client-cert-auth argument is set to true (Not Scored)"
35 |         remediation: "This control cannot be modified in GKE."
36 |         scored: false
37 | 
38 |       - id: 2.6
39 |         text: "Ensure that the --peer-auto-tls argument is not set to true (Not Scored)"
40 |         remediation: "This control cannot be modified in GKE."
41 |         scored: false
42 | 
43 |       - id: 2.7
44 |         text: "Ensure that a unique Certificate Authority is used for etcd (Not Scored)"
45 |         remediation: "This control cannot be modified in GKE."
46 |         scored: false
47 | 


--------------------------------------------------------------------------------
/cfg/gke-1.0/policies.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: "gke-1.0"
  4 | id: 5
  5 | text: "Kubernetes Policies"
  6 | type: "policies"
  7 | groups:
  8 |   - id: 5.1
  9 |     text: "RBAC and Service Accounts"
 10 |     checks:
 11 |       - id: 5.1.1
 12 |         text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
 13 |         type: "manual"
 14 |         remediation: |
 15 |           Identify all clusterrolebindings to the cluster-admin role. Check if they are used and
 16 |           if they need this role or if they could use a role with fewer privileges.
 17 |           Where possible, first bind users to a lower privileged role and then remove the
 18 |           clusterrolebinding to the cluster-admin role :
 19 |           kubectl delete clusterrolebinding [name]
 20 |         scored: false
 21 | 
 22 |       - id: 5.1.2
 23 |         text: "Minimize access to secrets (Not Scored)"
 24 |         type: "manual"
 25 |         remediation: |
 26 |           Where possible, remove get, list and watch access to secret objects in the cluster.
 27 |         scored: false
 28 | 
 29 |       - id: 5.1.3
 30 |         text: "Minimize wildcard use in Roles and ClusterRoles (Not Scored)"
 31 |         type: "manual"
 32 |         remediation: |
 33 |           Where possible replace any use of wildcards in clusterroles and roles with specific
 34 |           objects or actions.
 35 |         scored: false
 36 | 
 37 |       - id: 5.1.4
 38 |         text: "Minimize access to create pods (Not Scored)"
 39 |         type: "manual"
 40 |         Remediation: |
 41 |           Where possible, remove create access to pod objects in the cluster.
 42 |         scored: false
 43 | 
 44 |       - id: 5.1.5
 45 |         text: "Ensure that default service accounts are not actively used. (Scored)"
 46 |         type: "manual"
 47 |         remediation: |
 48 |           Create explicit service accounts wherever a Kubernetes workload requires specific access
 49 |           to the Kubernetes API server.
 50 |           Modify the configuration of each default service account to include this value
 51 |           automountServiceAccountToken: false
 52 |         scored: true
 53 | 
 54 |       - id: 5.1.6
 55 |         text: "Ensure that Service Account Tokens are only mounted where necessary (Not Scored)"
 56 |         type: "manual"
 57 |         remediation: |
 58 |           Modify the definition of pods and service accounts which do not need to mount service
 59 |           account tokens to disable it.
 60 |         scored: false
 61 | 
 62 |   - id: 5.2
 63 |     text: "Pod Security Policies"
 64 |     checks:
 65 |       - id: 5.2.1
 66 |         text: "Minimize the admission of privileged containers (Not Scored)"
 67 |         type: "manual"
 68 |         remediation: |
 69 |           Create a PSP as described in the Kubernetes documentation, ensuring that
 70 |           the .spec.privileged field is omitted or set to false.
 71 |         scored: false
 72 | 
 73 |       - id: 5.2.2
 74 |         text: "Minimize the admission of containers wishing to share the host process ID namespace (Scored)"
 75 |         type: "manual"
 76 |         remediation: |
 77 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 78 |           .spec.hostPID field is omitted or set to false.
 79 |         scored: true
 80 | 
 81 |       - id: 5.2.3
 82 |         text: "Minimize the admission of containers wishing to share the host IPC namespace (Scored)"
 83 |         type: "manual"
 84 |         remediation: |
 85 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 86 |           .spec.hostIPC field is omitted or set to false.
 87 |         scored: true
 88 | 
 89 |       - id: 5.2.4
 90 |         text: "Minimize the admission of containers wishing to share the host network namespace (Scored)"
 91 |         type: "manual"
 92 |         remediation: |
 93 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
 94 |           .spec.hostNetwork field is omitted or set to false.
 95 |         scored: true
 96 | 
 97 |       - id: 5.2.5
 98 |         text: "Minimize the admission of containers with allowPrivilegeEscalation (Scored)"
 99 |         type: "manual"
100 |         remediation: |
101 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
102 |           .spec.allowPrivilegeEscalation field is omitted or set to false.
103 |         scored: true
104 | 
105 |       - id: 5.2.6
106 |         text: "Minimize the admission of root containers (Scored)"
107 |         type: "manual"
108 |         remediation: |
109 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
110 |           .spec.runAsUser.rule is set to either MustRunAsNonRoot or MustRunAs with the range of
111 |           UIDs not including 0.
112 |         scored: true
113 | 
114 |       - id: 5.2.7
115 |         text: "Minimize the admission of containers with the NET_RAW capability (Scored)"
116 |         type: "manual"
117 |         remediation: |
118 |           Create a PSP as described in the Kubernetes documentation, ensuring that the
119 |           .spec.requiredDropCapabilities is set to include either NET_RAW or ALL.
120 |         scored: true
121 | 
122 |       - id: 5.2.8
123 |         text: "Minimize the admission of containers with added capabilities (Scored)"
124 |         type: "manual"
125 |         remediation: |
126 |           Ensure that allowedCapabilities is not present in PSPs for the cluster unless
127 |           it is set to an empty array.
128 |         scored: true
129 | 
130 |       - id: 5.2.9
131 |         text: "Minimize the admission of containers with capabilities assigned (Scored) "
132 |         type: "manual"
133 |         remediation: |
134 |           Review the use of capabilites in applications running on your cluster. Where a namespace
135 |           contains applications which do not require any Linux capabities to operate consider adding
136 |           a PSP which forbids the admission of containers which do not drop all capabilities.
137 |         scored: true
138 | 
139 |   - id: 5.3
140 |     text: "Network Policies and CNI"
141 |     checks:
142 |       - id: 5.3.1
143 |         text: "Ensure that the CNI in use supports Network Policies (Not Scored)"
144 |         type: "manual"
145 |         remediation: |
146 |           To use a CNI plugin with Network Policy, enable Network Policy in GKE, and the CNI plugin
147 |           will be updated. See Recommendation 6.6.7.
148 |         scored: false
149 | 
150 |       - id: 5.3.2
151 |         text: "Ensure that all Namespaces have Network Policies defined (Scored)"
152 |         type: "manual"
153 |         remediation: |
154 |           Follow the documentation and create NetworkPolicy objects as you need them.
155 |         scored: true
156 | 
157 |   - id: 5.4
158 |     text: "Secrets Management"
159 |     checks:
160 |       - id: 5.4.1
161 |         text: "Prefer using secrets as files over secrets as environment variables (Not Scored)"
162 |         type: "manual"
163 |         remediation: |
164 |           if possible, rewrite application code to read secrets from mounted secret files, rather than
165 |           from environment variables.
166 |         scored: false
167 | 
168 |       - id: 5.4.2
169 |         text: "Consider external secret storage (Not Scored)"
170 |         type: "manual"
171 |         remediation: |
172 |           Refer to the secrets management options offered by your cloud provider or a third-party
173 |           secrets management solution.
174 |         scored: false
175 | 
176 |   - id: 5.5
177 |     text: "Extensible Admission Control"
178 |     checks:
179 |       - id: 5.5.1
180 |         text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
181 |         type: "manual"
182 |         remediation: |
183 |           Follow the Kubernetes documentation and setup image provenance.
184 |           See also Recommendation 6.10.5 for GKE specifically.
185 |         scored: false
186 | 
187 |   - id: 5.6
188 |     text: "General Policies"
189 |     checks:
190 |       - id: 5.6.1
191 |         text: "Create administrative boundaries between resources using namespaces (Not Scored)"
192 |         type: "manual"
193 |         remediation: |
194 |           Follow the documentation and create namespaces for objects in your deployment as you need
195 |           them.
196 |         scored: false
197 | 
198 |       - id: 5.6.2
199 |         text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
200 |         type: "manual"
201 |         remediation: |
202 |           Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
203 |           would need to enable alpha features in the apiserver by passing "--feature-
204 |           gates=AllAlpha=true" argument.
205 |           Edit the /etc/kubernetes/apiserver file on the master node and set the KUBE_API_ARGS
206 |           parameter to "--feature-gates=AllAlpha=true"
207 |           KUBE_API_ARGS="--feature-gates=AllAlpha=true"
208 |           Based on your system, restart the kube-apiserver service. For example:
209 |           systemctl restart kube-apiserver.service
210 |           Use annotations to enable the docker/default seccomp profile in your pod definitions. An
211 |           example is as below:
212 |           apiVersion: v1
213 |           kind: Pod
214 |           metadata:
215 |             name: trustworthy-pod
216 |             annotations:
217 |               seccomp.security.alpha.kubernetes.io/pod: docker/default
218 |           spec:
219 |             containers:
220 |               - name: trustworthy-container
221 |                 image: sotrustworthy:latest
222 |         scored: false
223 | 
224 |       - id: 5.6.3
225 |         text: "Apply Security Context to Your Pods and Containers (Not Scored)"
226 |         type: "manual"
227 |         remediation: |
228 |           Follow the Kubernetes documentation and apply security contexts to your pods. For a
229 |           suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
230 |           Containers.
231 |         scored: false
232 | 
233 |       - id: 5.6.4
234 |         text: "The default namespace should not be used (Scored)"
235 |         type: "manual"
236 |         remediation: |
237 |           Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
238 |           resources and that all new resources are created in a specific namespace.
239 |         scored: true
240 | 


--------------------------------------------------------------------------------
/cfg/rh-0.7/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/rh-1.0/config.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ## Version-specific settings that override the values in cfg/config.yaml
3 | 


--------------------------------------------------------------------------------
/cfg/rh-1.0/controlplane.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | controls:
 3 | version: rh-1.0
 4 | id: 3
 5 | text: "Control Plane Configuration"
 6 | type: "controlplane"
 7 | groups:
 8 |   - id: 3.1
 9 |     text: "Authentication and Authorization"
10 |     checks:
11 |       - id: 3.1.1
12 |         text: "Client certificate authentication should not be used for users (Manual)"
13 |         audit: |
14 |           # To verify user authentication is enabled
15 |           oc describe authentication
16 |           # To verify that an identity provider is configured
17 |           oc get identity
18 |           # To verify that a custom cluster-admin user exists
19 |           oc get clusterrolebindings -o=custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,SUBJECT:.subjects[*].kind | grep cluster-admin | grep User
20 |           # To verity that kbueadmin is removed, no results should be returned
21 |           oc get secrets kubeadmin -n kube-system
22 |         type: manual
23 |         remediation: |
24 |           Configure an identity provider for the OpenShift cluster.
25 |           Understanding identity provider configuration | Authentication | OpenShift
26 |           Container Platform 4.5. Once an identity provider has been defined,
27 |           you can use RBAC to define and apply permissions.
28 |           After you define an identity provider and create a new cluster-admin user,
29 |           remove the kubeadmin user to improve cluster security.
30 |         scored: false
31 | 
32 |   - id: 3.2
33 |     text: "Logging"
34 |     checks:
35 |       - id: 3.2.1
36 |         text: "Ensure that a minimal audit policy is created (Manual)"
37 |         audit: |
38 |           #To view kube apiserver log files
39 |           oc adm node-logs --role=master --path=kube-apiserver/
40 |           #To view openshift apiserver log files
41 |           oc adm node-logs --role=master --path=openshift-apiserver/
42 |           #To verify kube apiserver audit config
43 |           oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
44 |           #To verify openshift apiserver audit config
45 |           oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig[]'
46 |         type: manual
47 |         remediation: |
48 |           No remediation required.
49 |         scored: false
50 | 
51 |       - id: 3.2.2
52 |         text: "Ensure that the audit policy covers key security concerns (Manual)"
53 |         audit: |
54 |           #To verify openshift apiserver audit config
55 |           oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
56 |           #To verify kube apiserver audit config
57 |           oc get configmap config -n openshift-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.auditConfig.policyConfiguration.rules[]'
58 |         type: manual
59 |         remediation: |
60 |           In OpenShift 4.6 and higher, if appropriate for your needs,
61 |           modify the audit policy.
62 |         scored: false
63 | 


--------------------------------------------------------------------------------
/cfg/rh-1.0/etcd.yaml:
--------------------------------------------------------------------------------
  1 | ---
  2 | controls:
  3 | version: rh-1.0
  4 | id: 2
  5 | text: "Etcd Node Configuration"
  6 | type: "etcd"
  7 | groups:
  8 |   - id: 2
  9 |     text: "Etcd Node Configuration Files"
 10 |     checks:
 11 |       - id: 2.1
 12 |         text: "Ensure that the --cert-file and --key-file arguments are set as appropriate (Manual)"
 13 |         audit: |
 14 |           # For --cert-file
 15 |           for i in $(oc get pods -oname -n openshift-etcd)
 16 |           do
 17 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--cert-file=[^ ]*\).*/\1/'
 18 |           done 2>/dev/null
 19 |           # For --key-file
 20 |           for i in $(oc get pods -oname -n openshift-etcd)
 21 |           do
 22 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--key-file=[^ ]*\).*/\1/'
 23 |           done 2>/dev/null
 24 |         use_multiple_values: true
 25 |         tests:
 26 |           test_items:
 27 |             - flag: "file"
 28 |               compare:
 29 |                 op: regex
 30 |                 value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-serving\/etcd-serving-.*\.(?:crt|key)'
 31 |         remediation: |
 32 |           OpenShift does not use the etcd-certfile or etcd-keyfile flags.
 33 |           Certificates for etcd are managed by the etcd cluster operator.
 34 |         scored: false
 35 | 
 36 |       - id: 2.2
 37 |         text: "Ensure that the --client-cert-auth argument is set to true (Manual)"
 38 |         audit: |
 39 |           for i in $(oc get pods -oname -n openshift-etcd)
 40 |           do
 41 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--client-cert-auth=[^ ]*\).*/\1/'
 42 |           done 2>/dev/null
 43 |         use_multiple_values: true
 44 |         tests:
 45 |           test_items:
 46 |             - flag: "--client-cert-auth"
 47 |               compare:
 48 |                 op: eq
 49 |                 value: true
 50 |         remediation: |
 51 |           This setting is managed by the cluster etcd operator. No remediation required."
 52 |         scored: false
 53 | 
 54 |       - id: 2.3
 55 |         text: "Ensure that the --auto-tls argument is not set to true (Manual)"
 56 |         audit: |
 57 |           # Returns 0 if found, 1 if not found
 58 |           for i in $(oc get pods -oname -n openshift-etcd)
 59 |           do
 60 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --auto-tls=true 2>&1>/dev/null ; echo exit_code=$?
 61 |           done 2>/dev/null
 62 |         use_multiple_values: true
 63 |         tests:
 64 |           test_items:
 65 |             - flag: "exit_code"
 66 |               compare:
 67 |                 op: eq
 68 |                 value: "1"
 69 |         remediation: |
 70 |           This setting is managed by the cluster etcd operator. No remediation required.e
 71 |         scored: false
 72 | 
 73 |       - id: 2.4
 74 |         text: "Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate (Manual)"
 75 |         audit: |
 76 |           # For --peer-cert-file
 77 |           for i in $(oc get pods -oname -n openshift-etcd)
 78 |           do
 79 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-cert-file=[^ ]*\).*/\1/'
 80 |           done 2>/dev/null
 81 |           # For --peer-key-file
 82 |           for i in $(oc get pods -oname -n openshift-etcd)
 83 |           do
 84 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-key-file=[^ ]*\).*/\1/'
 85 |           done 2>/dev/null
 86 |         use_multiple_values: true
 87 |         tests:
 88 |           test_items:
 89 |             - flag: "file"
 90 |               compare:
 91 |                 op: regex
 92 |                 value: '\/etc\/kubernetes\/static-pod-certs\/secrets\/etcd-all-peer\/etcd-peer-.*\.(?:crt|key)'
 93 |         remediation: |
 94 |           None. This configuration is managed by the etcd operator.
 95 |         scored: false
 96 | 
 97 |       - id: 2.5
 98 |         text: "Ensure that the --peer-client-cert-auth argument is set to true (Manual)"
 99 |         audit: |
100 |           for i in $(oc get pods -oname -n openshift-etcd)
101 |           do
102 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-client-cert-auth=[^ ]*\).*/\1/'
103 |           done 2>/dev/null
104 |         use_multiple_values: true
105 |         tests:
106 |           test_items:
107 |             - flag: "--peer-client-cert-auth"
108 |               compare:
109 |                 op: eq
110 |                 value: true
111 |         remediation: |
112 |           This setting is managed by the cluster etcd operator. No remediation required.
113 |         scored: false
114 | 
115 |       - id: 2.6
116 |         text: "Ensure that the --peer-auto-tls argument is not set to true (Manual)"
117 |         audit: |
118 |           # Returns 0 if found, 1 if not found
119 |           for i in $(oc get pods -oname -n openshift-etcd)
120 |           do
121 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | grep -- --peer-auto-tls=true 2>&1>/dev/null ; echo exit_code=$?
122 |           done 2>/dev/null
123 |         use_multiple_values: true
124 |         tests:
125 |           test_items:
126 |             - flag: "exit_code"
127 |               compare:
128 |                 op: eq
129 |                 value: "1"
130 |         remediation: |
131 |           This setting is managed by the cluster etcd operator. No remediation required.
132 |         scored: false
133 | 
134 |       - id: 2.7
135 |         text: "Ensure that a unique Certificate Authority is used for etcd (Manual)"
136 |         audit: |
137 |           for i in $(oc get pods -oname -n openshift-etcd)
138 |           do
139 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--trusted-ca-file=[^ ]*\).*/\1/'
140 |           done 2>/dev/null
141 |           for i in $(oc get pods -oname -n openshift-etcd)
142 |           do
143 |             oc exec -n openshift-etcd -c etcd $i -- ps -o command= -C etcd | sed 's/.*\(--peer-trusted-ca-file=[^ ]*\).*/\1/'
144 |           done 2>/dev/null
145 |         use_multiple_values: true
146 |         tests:
147 |           test_items:
148 |             - flag: "file"
149 |               compare:
150 |                 op: regex
151 |                 value: '\/etc\/kubernetes\/static-pod-certs\/configmaps\/etcd-(?:serving|peer-client)-ca\/ca-bundle\.(?:crt|key)'
152 |         remediation: |
153 |           None required. Certificates for etcd are managed by the OpenShift cluster etcd operator.
154 |         scored: false
155 | 


--------------------------------------------------------------------------------
/deployment.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: apps/v1
 2 | kind: Deployment
 3 | metadata:
 4 |   name: nginx-deployment
 5 | spec:
 6 |   selector:
 7 |     matchLabels:
 8 |       app: nginxdeployment
 9 |   replicas: 2
10 |   template:
11 |     metadata:
12 |       labels:
13 |         app: nginxdeployment
14 |     spec:
15 |       containers:
16 |       - name: nginxdeployment
17 |         image: nginx:latest
18 |         ports:
19 |         - containerPort: 80
20 | # ---
21 | # apiVersion: v1
22 | # kind: Service
23 | # metadata:
24 | #   name: nginxservice
25 | # spec:
26 | #   selector:
27 | #     app: nginxdeployment
28 | #   ports:
29 | #     - protocol: TCP
30 | #       port: 80
31 | #   type: LoadBalancer
32 | 


--------------------------------------------------------------------------------
/env0/eks-fargate/main.tf:
--------------------------------------------------------------------------------
 1 | terraform {
 2 |   required_providers {
 3 |     aws = {
 4 |       source = "hashicorp/aws"
 5 |     }
 6 |   }
 7 | }
 8 | 
 9 | resource "aws_iam_role" "eks-iam-role" {
10 |   name = "k8senv-eks-iam-role"
11 | 
12 |   path = "/"
13 | 
14 |   assume_role_policy = <<EOF
15 | {
16 |   "Version": "2012-10-17",
17 |   "Statement": [
18 |     {
19 |       "Effect": "Allow",
20 |       "Principal": {
21 |         "Service": "eks.amazonaws.com"
22 |       },
23 |       "Action": "sts:AssumeRole"
24 |     }
25 |   ]
26 | }
27 | EOF
28 | 
29 | }
30 | 
31 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
32 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
33 |   role       = aws_iam_role.eks-iam-role.name
34 | }
35 | 
36 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy-eks" {
37 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
38 |   role       = aws_iam_role.eks-iam-role.name
39 | }
40 | 
41 | resource "aws_eks_cluster" "k8senv-eks" {
42 |   name = "k8senv-cluster"
43 |   role_arn = aws_iam_role.eks-iam-role.arn
44 | 
45 |   enabled_cluster_log_types = ["api", "audit", "scheduler", "controllerManager"]
46 | 
47 |   vpc_config {
48 |     subnet_ids = [var.subnet_id_1, var.subnet_id_2]
49 |   }
50 | 
51 |   depends_on = [
52 |     aws_iam_role.eks-iam-role,
53 |   ]
54 | }
55 | 
56 | 
57 | resource "aws_iam_role" "eks-fargate" {
58 |   name = "eks-fargate-k8senv"
59 | 
60 |   assume_role_policy = jsonencode({
61 |     Statement = [{
62 |       Action = "sts:AssumeRole"
63 |       Effect = "Allow"
64 |       Principal = {
65 |         Service = "eks-fargate-pods.amazonaws.com"
66 |       }
67 |     }]
68 |     Version = "2012-10-17"
69 |   })
70 | }
71 | 
72 | resource "aws_iam_role_policy_attachment" "AmazonEKSFargatePodExecutionRolePolicy" {
73 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
74 |   role       = aws_iam_role.eks-fargate.name
75 | }
76 | 
77 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy-fargate" {
78 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
79 |   role       = aws_iam_role.eks-fargate.name
80 | }
81 | 
82 | resource "aws_iam_role_policy_attachment" "CloudWatchAgentServerPolicy" {
83 |   policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
84 |   role       = aws_iam_role.eks-fargate.name
85 | }
86 | 
87 | resource "aws_eks_fargate_profile" "k8senv-eks-serverless" {
88 |   cluster_name           = aws_eks_cluster.k8senv-eks.name
89 |   fargate_profile_name   = "k8senv-serverless-eks"
90 |   pod_execution_role_arn = aws_iam_role.eks-fargate.arn
91 |   subnet_ids             = [var.private_subnet_id_1]
92 | 
93 |   selector {
94 |     namespace = "default"
95 |   }
96 | }


--------------------------------------------------------------------------------
/images/k8s.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/7b9cb39375efefc90c345a7d07799c945520ed85/images/k8s.png


--------------------------------------------------------------------------------
/kube-bench_0.6.2_linux_amd64.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/7b9cb39375efefc90c345a7d07799c945520ed85/kube-bench_0.6.2_linux_amd64.tar.gz


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # Kubernetes Quickstart Environments
 2 | 
 3 | Code to create and clean up Kubernetes environments in the cloud and on-prem.
 4 | 
 5 | ![](images/k8s.png)
 6 | 
 7 | ## Description
 8 | 
 9 | If you need to create Kubernetes environments for:
10 | - Cloud
11 | - On-prem
12 | - Hybrid environments
13 | 
14 | Take a look at the code in this repo!
15 | 
16 | All of the Infrastructure-as-Code to create environments is written in Terraform
17 | 
18 | All of the configuration code to configure the environments is written in *TBD*
19 | 
20 | Scripts are written in Bash and Go
21 | 
22 | ### Dependencies
23 | 
24 | * Terraform
25 | * A Code editor like VS Code
26 | 
27 | ## Environments
28 | 1. Bare Metal
29 |     - [Equinix](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/Bare-Metal/EquinixMetal) and [Kubeadm](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/blob/main/Bare-Metal/kubeadm/instructions_for_kubeadm/kubeadm_on_equinix/read.md)
30 | 
31 | 2. GCP
32 |     - [GKE](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/Google/GKE)
33 |     - [Anthos Bare Metal](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/Google/anthos-bare-metal)
34 |     - [Anthos In The Cloud](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/Google/anthos-in-the-cloud)
35 | 3. Azure
36 |     - [AKS](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/azure/aks)
37 |     - [AKS With Virtual Kubelet For ACI](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/azure/aks-with-virtual-kubelet)
38 | 4. AWS
39 |     - [EKS](https://github.com/AdminTurnedDevOps/Kubernetes-Quickstart-Environments/tree/main/aws/eks)
40 | ## Authors
41 | 
42 | Contributors names and contact info
43 | 
44 | [@TheNJDevOpsGuy](https://twitter.com/thenjdevopsguy)
45 | 
46 | ## WIP
47 | As of April 2022, this project is still being worked on. The code that currently exists is ready for use, but there will be additional environments and configurations coming.


--------------------------------------------------------------------------------
/value2.yaml:
--------------------------------------------------------------------------------
1 | --- 
2 | global: 
3 |   authentication: 
4 |     adminPassword: "zerto"
5 |     adminUser: "zerto"
6 |     imagePullSecret: "Y2JkYmVlYTQtMGNkMS00OTNkLWFmOTktNmNiYzYxOGVjZDEwOlRaRDZFSFpYamc1YU13aExDZDlBQklBb0lkQXJHRUtUcWdYY1cwVTc="
7 |     managementPassword: "zerto"
8 |     managementUser: "zerto"


--------------------------------------------------------------------------------
/values.yaml:
--------------------------------------------------------------------------------
1 | clusterName: aks
2 | stormforge:
3 |   address: https://api.stormforge.io/
4 | authorization:
5 |   issuer: https://api.stormforge.io/
6 |   clientID: 4aebf64a4c8e405f8950f80bd083d8d2
7 |   clientSecret: _v08_zz.EPr1VQmBN_df2GmXGJ
8 | 


--------------------------------------------------------------------------------