Added network policy and upgrade

04-sa/pod.yaml

@@ -10,7 +10,7 @@ spec:
   - image: nginx
     name: pod
     resources: {}
-  serviceAccount: podaccess
+  automountServiceAccountToken: true
   dnsPolicy: ClusterFirst
   restartPolicy: Always
 status: {}

14-networkpolicies/db.yaml

@@ -0,0 +1,17 @@
+# allows cassandra pods having incoming connection from backend namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: cassandra
+  namespace: cassandra
+spec:
+  podSelector:
+    matchLabels:
+      run: cassandra
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            ns: default

14-networkpolicies/default-deny-allow-dns.yaml

@@ -0,0 +1,19 @@
+# deny all incoming and outgoing traffic from all pods in namespace default
+# but allow DNS traffic. This way you can do for example: kubectl exec frontend -- curl backend
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  - Ingress
+  egress:
+  - to:
+    ports:
+      - port: 53
+        protocol: TCP
+      - port: 53
+        protocol: UDP

14-networkpolicies/default-deny.yaml

@@ -0,0 +1,11 @@
+# deny all incoming and outgoing traffic from all pods in namespace default
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  - Ingress

14-networkpolicies/merged.yaml

@@ -0,0 +1,66 @@
+# all outgoing traffic if:
+# (destination namespace label=id=ns1 AND port=80) OR (destination pod label=id=backend in default namespace)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: example
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      id: frontend
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          id: ns1
+    ports:
+    - protocol: TCP
+      port: 80
+
+  - to:
+    - podSelector:
+        matchLabels:
+          id: backend
+
+---
+
+# the following two NPs combined/merged are the same as the top one
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: example2a
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      id: frontend
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          id: ns1
+    ports:
+    - protocol: TCP
+      port: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: example2b
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      id: frontend
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          id: backend

14-networkpolicies/pod-selector.yaml

@@ -0,0 +1,35 @@
+# allows frontend pods to communicate with backend pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: frontend
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      run: frontend
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          run: backend
+---
+# allows backend pods to have incoming traffic from frontend pods
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: backend
+  namespace: default
+spec:
+  podSelector:
+    matchLabels:
+      run: backend
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          run: frontend

19-upgrade-scenario/1.18.0/master/destroy_master.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+# Use this script to destroy master prior to shut down
+
+kubeadm reset -f
+rm -rf /etc/cni/net.d /etc/kubernetes /var/lib/etcd /var/lib/kubelet /var/run/kubernetes /var/lib/cni ~/.kube
+iptables -F
+init 0

19-upgrade-scenario/1.18.0/master/init_master.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+# Use this script to initialize master
+
+KUBE_VERSION=1.18.0
+HOST_IP=`/sbin/ifconfig enp0s8 | egrep -o 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'  | cut -d' ' -f2`
+### init k8s
+kubeadm init --apiserver-advertise-address=${HOST_IP} --kubernetes-version=${KUBE_VERSION} --ignore-preflight-errors=NumCPU --skip-token-print
+ip route add 10.96.0.0/16 dev enp0s8 src ${HOST_IP}
+
+mkdir -p $HOME/.kube
+sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
+sudo chown $(id -u):$(id -g) $HOME/.kube/config
+
+kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
+
+echo
+echo "### COMMAND TO ADD A WORKER NODE ###"
+kubeadm token create --print-join-command --ttl 0

19-upgrade-scenario/1.18.0/setup_node.sh

@@ -0,0 +1,78 @@
+#!/bin/sh
+# Use this script to setup any node in your Kuberntes cluster 
+# Either master or worker
+# Source: http://kubernetes.io/docs/getting-started-guides/kubeadm/
+
+### setup terminal
+KUBE_VERSION=1.18.0
+apt-get install -y bash-completion binutils apparmor-utils
+echo 'colorscheme ron' >> ~/.vimrc
+echo 'set tabstop=2' >> ~/.vimrc
+echo 'set shiftwidth=2' >> ~/.vimrc
+echo 'set expandtab' >> ~/.vimrc
+echo 'source <(kubectl completion bash)' >> ~/.bashrc
+echo 'alias k=kubectl' >> ~/.bashrc
+echo 'alias c=clear' >> ~/.bashrc
+echo 'complete -F __start_kubectl k' >> ~/.bashrc
+sed -i '1s/^/force_color_prompt=yes\n/' ~/.bashrc
+
+
+### install k8s and docker
+apt-get remove -y docker.io kubelet kubeadm kubectl kubernetes-cni docker-ce
+apt-get autoremove -y
+apt-get install -y etcd-client vim build-essential
+
+###
+docker rmi -f $(docker images -aq)
+
+### install kube-bench
+curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.3.1/kube-bench_0.3.1_linux_amd64.deb -o /tmp/kube-bench_0.3.1_linux_amd64.deb
+sudo apt install /tmp/kube-bench_0.3.1_linux_amd64.deb -f
+rm -rf /tmp/kube-bench*
+
+### install falco
+curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
+echo "deb https://dl.bintray.com/falcosecurity/deb stable main" | tee -a /etc/apt/sources.list.d/falcosecurity.list
+
+### install kubesec
+
+curl -L https://github.com/controlplaneio/kubesec/releases/download/v2.8.0/kubesec_linux_386.tar.gz -o /tmp/kubesec_linux_386.tar.gz
+tar -xvf /tmp/kubesec_linux_386.tar.gz -C /tmp/kubesec/
+cp /tmp/kubesec/kubesec /usr/bin/kubesec
+rm -rf /tmp/kubesec*
+
+apt-get update -y
+apt-get -y install linux-headers-$(uname -r)
+apt-get install -y falco
+
+systemctl daemon-reload
+curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
+cat <<EOF > /etc/apt/sources.list.d/kubernetes.list
+deb http://apt.kubernetes.io/ kubernetes-xenial main
+EOF
+apt-get update
+apt-get install -y docker.io kubelet=${KUBE_VERSION}-00 kubeadm=${KUBE_VERSION}-00 kubectl=${KUBE_VERSION}-00 kubernetes-cni=0.8.7-00
+
+cat > /etc/docker/daemon.json <<EOF
+{
+  "exec-opts": ["native.cgroupdriver=systemd"],
+  "log-driver": "json-file",
+  "storage-driver": "overlay2"
+}
+EOF
+mkdir -p /etc/systemd/system/docker.service.d
+
+# Restart docker.
+systemctl daemon-reload
+systemctl restart docker
+
+# start docker on reboot
+systemctl enable docker
+
+docker info | grep -i "storage"
+docker info | grep -i "cgroup"
+
+systemctl enable kubelet && systemctl start kubelet
+
+#Pull images
+kubeadm config images pull

19-upgrade-scenario/1.18.0/worker/destroy_worker.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+# Use this script to destroy worker node prior to shut down
+
+kubeadm reset -f
+rm -rf /etc/cni/net.d /etc/kubernetes /var/lib/etcd /var/lib/kubelet /var/run/kubernetes /var/lib/cni
+iptables -F
+init 0

19-upgrade-scenario/1.18.0/worker/init_worker.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+# Use this script to initialize worker node
+
+HOST_IP=`/sbin/ifconfig enp0s8 | egrep -o 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'  | cut -d' ' -f2`
+ip route add 10.96.0.0/16 dev enp0s8 src ${HOST_IP}
+
+echo
+echo "EXECUTE ON MASTER: kubeadm token create --print-join-command --ttl 0"
+echo "THEN RUN THE OUTPUT AS COMMAND HERE TO ADD AS WORKER"
+echo