Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add draft README for Kubernetes Workload Registrar tutorial #59

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Add draft README for Kubernetes Workload Registrar tutorial #59

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
72e8202
add draft readme for k8s workload registrar tutorial
lucianozablocki Mar 23, 2021
d7e9a62
checkpoint
lucianozablocki Apr 14, 2021
5b97785
add tests and modify readme
lucianozablocki May 17, 2021
efcb6c2
switch to minikube
lucianozablocki Jun 11, 2021
76a6368
address PR comments
lucianozablocki Aug 2, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
696 changes: 696 additions & 0 deletions k8s/k8s-workload-registrar/README.md
View file
Open in desktop

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions k8s/k8s-workload-registrar/mode-crd/k8s/namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: spire
35 changes: 35 additions & 0 deletions k8s/k8s-workload-registrar/mode-crd/k8s/not-annotated-workload.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-workload
namespace: spire
labels:
app: example-workload
spec:
selector:
matchLabels:
app: example-workload
template:
metadata:
namespace: spire
labels:
app: example-workload
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is just an example workload, can we remove these three lines? The agent won't actually be running and attesting things so I don't think it's needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, a little too much copy-paste in here.

containers:
- name: example-workload
image: gcr.io/spiffe-io/spire-agent:0.12.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

latest release is 1.0.1 and on sept 2 there will be 1.0.2

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will update the versions used

imagePullPolicy: IfNotPresent
command: ["/usr/bin/dumb-init", "/opt/spire/bin/spire-agent", "api", "watch"]
args: ["-socketPath", "/tmp/spire-agent/public/api.sock"]
volumeMounts:
- name: spire-agent-socket
mountPath: /tmp/spire-agent/public
readOnly: true
volumes:
- name: spire-agent-socket
hostPath:
path: /run/spire/agent-sockets
type: Directory
106 changes: 106 additions & 0 deletions k8s/k8s-workload-registrar/mode-crd/k8s/spiffeid.spiffe.io_spiffeids.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.4
creationTimestamp: null
name: spiffeids.spiffeid.spiffe.io
spec:
group: spiffeid.spiffe.io
names:
kind: SpiffeID
listKind: SpiffeIDList
plural: spiffeids
singular: spiffeid
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: SpiffeID is the Schema for the spiffeid API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SpiffeIDSpec defines the desired state of SpiffeID
properties:
dnsNames:
items:
type: string
type: array
parentId:
type: string
selector:
properties:
arbitrary:
description: Arbitrary selectors
items:
type: string
type: array
containerImage:
description: Container image to match for this spiffe ID
type: string
containerName:
description: Container name to match for this spiffe ID
type: string
namespace:
description: Namespace to match for this spiffe ID
type: string
nodeName:
description: Node name to match for this spiffe ID
type: string
podLabel:
additionalProperties:
type: string
description: Pod label name/value to match for this spiffe ID
type: object
podName:
description: Pod name to match for this spiffe ID
type: string
podUid:
description: Pod UID to match for this spiffe ID
type: string
serviceAccount:
description: ServiceAccount to match for this spiffe ID
type: string
type: object
spiffeId:
type: string
required:
- parentId
- selector
- spiffeId
type: object
status:
description: SpiffeIDStatus defines the observed state of SpiffeID
properties:
entryId:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
of cluster Important: Run "make" to regenerate code after modifying
this file'
type: string
type: object
type: object
version: v1beta1
versions:
- name: v1beta1
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
163 changes: 163 additions & 0 deletions k8s/k8s-workload-registrar/mode-crd/k8s/spire-agent.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,163 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-agent
namespace: spire

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role
rules:
- apiGroups: [""]
resources: ["pods","nodes","nodes/proxy"]
verbs: ["get"]

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-agent-cluster-role-binding
subjects:
- kind: ServiceAccount
name: spire-agent
namespace: spire
roleRef:
kind: ClusterRole
name: spire-agent-cluster-role
apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
namespace: spire
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = "example.org"
socket_path = "/tmp/spire-agent/public/api.sock"
}

plugins {
NodeAttestor "k8s_psat" {
plugin_data {
cluster = "demo-cluster"
}
}

KeyManager "memory" {
plugin_data {
}
}

WorkloadAttestor "k8s" {
plugin_data {
# Defaults to the secure kubelet port by default.
# Minikube does not have a cert in the cluster CA bundle that
# can authenticate the kubelet cert, so skip validation.
skip_kubelet_verification = true
}
}
}

health_checks {
listener_enabled = true
bind_address = "0.0.0.0"
bind_port = "8080"
live_path = "/live"
ready_path = "/ready"
}

---

apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spire-agent
namespace: spire
labels:
app: spire-agent
spec:
selector:
matchLabels:
app: spire-agent
updateStrategy:
type: RollingUpdate
template:
metadata:
namespace: spire
labels:
app: spire-agent
spire-workload: agent
annotations:
spiffe.io/spiffe-id: "testing/agent"
spec:
hostPID: true
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccountName: spire-agent
initContainers:
- name: init
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: gcr.io/spiffe-io/wait-for-it
args: ["-t", "30", "spire-server:8081"]
containers:
- name: spire-agent
image: gcr.io/spiffe-io/spire-agent:0.12.0
imagePullPolicy: IfNotPresent
args: ["-config", "/run/spire/config/agent.conf"]
volumeMounts:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-bundle
mountPath: /run/spire/bundle
readOnly: true
- name: spire-agent-socket
mountPath: /tmp/spire-agent/public
readOnly: false
- name: spire-token
mountPath: /var/run/secrets/tokens
livenessProbe:
httpGet:
path: /live
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
readinessProbe:
httpGet:
path: /ready
port: 8080
initialDelaySeconds: 10
periodSeconds: 10
volumes:
- name: spire-config
configMap:
name: spire-agent
- name: spire-bundle
configMap:
name: spire-bundle
- name: spire-agent-socket
hostPath:
path: /run/spire/agent-sockets
type: DirectoryOrCreate
- name: spire-token
projected:
sources:
- serviceAccountToken:
path: spire-agent
expirationSeconds: 7200
audience: spire-server
Loading