From cdc30755fd1bbb03db4531e4f8ca93a5688b011a Mon Sep 17 00:00:00 2001
From: SHCHERBANV
Date: Sun, 9 Jun 2024 18:20:18 -0600
Subject: [PATCH 1/2] solution
---
 .infrastructure/Security/rbac.yml | 31 +++++++++++
 .infrastructure/app/deployment.yml | 2 +-
 README.md | 17 ++++++
 bootstrap.sh | 1 +
 security/rbac.yml | 29 +++++++++++
 validate.sh | 83 ++++++++++++++++++++++++++++++
 6 files changed, 162 insertions(+), 1 deletion(-)
 create mode 100644 .infrastructure/Security/rbac.yml
 create mode 100644 security/rbac.yml
 create mode 100644 validate.sh
diff --git a/.infrastructure/Security/rbac.yml b/.infrastructure/Security/rbac.yml
new file mode 100644
index 0000000..73c2f95
--- /dev/null
+++ b/.infrastructure/Security/rbac.yml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secrets-reader
+ namespace: todoapp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-reader-role
+ namespace: todoapp
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: secret-reader-rolebinding
+ namespace: todoapp
+subjects:
+- kind: ServiceAccount
+ name: secrets-reader
+ namespace: todoapp
+roleRef:
+ kind: Role
+ name: secret-reader-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/.infrastructure/app/deployment.yml b/.infrastructure/app/deployment.yml
index 6d86d03..4b9d429 100644
--- a/.infrastructure/app/deployment.yml
+++ b/.infrastructure/app/deployment.yml
@@ -91,4 +91,4 @@ spec:
 secretName: app-secret
 - name: app-config-volume
 configMap:
- name: app-config
\ No newline at end of file
+ name: app-config
diff --git a/README.md b/README.md
index e876337..6fa28d8 100644
--- a/README.md
+++ b/README.md
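Review bot: The Role's `rules:` block grants `list` on every Secret in the todoapp namespace, and a `list` response carries the full data of each secret, so anything bound to `secrets-reader` can read all secrets there rather than only its own; the new security/rbac.yml in this patch grants the same. If the workload only needs the secret deployment.yml already mounts (`app-secret`), narrow the rule to `  resourceNames: ["app-secret"]` with `  verbs: ["get"]`, which makes a namespace-wide `list` unnecessary. This file also creates ServiceAccount `secrets-reader` while validate.sh patches the Deployment to `serviceAccountName: todoapp-sa`; the manifests and the script should agree on a single name so the binding covers the pod that is actually running.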
@@ -43,3 +43,20 @@ Now you can browse the [API](http://localhost:8000/api/) or start on the [landin
 1. Make a screenshot of the output and attach it to the PR
 1. `README.md` should have instructuions on how to validate the changes
 1. Create PR with your changes and attach it for validation on a platform.
+
+
+Readme updated:
+
+1. Start cluster:
+```sh
+kind create cluster --config=cluster.yml
+```
+2. Run project:
+```sh
+./bootstrap.sh
+```
+
+3. Use script to set up the RBAC, modify the deployment, and validate the changes:
+```sh
+./validate.sh
+```
\ No newline at end of file
diff --git a/bootstrap.sh b/bootstrap.sh
index 2d534d7..d81f6a2 100644
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -14,6 +14,7 @@ kubectl apply -f .infrastructure/app/clusterIp.yml
 kubectl apply -f .infrastructure/app/nodeport.yml
 kubectl apply -f .infrastructure/app/hpa.yml
 kubectl apply -f .infrastructure/app/deployment.yml
+kubectl apply -f .infrastructure/security/rbac.yml
 
 # Install Ingress Controller
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
diff --git a/security/rbac.yml b/security/rbac.yml
new file mode 100644
index 0000000..80bcd6d
--- /dev/null
+++ b/security/rbac.yml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: todoapp-sa
+ namespace: todoapp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-reader
+ namespace: todoapp
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets-binding
+ namespace: todoapp
+subjects:
+- kind: ServiceAccount
+ name: todoapp-sa
+ namespace: todoapp
+roleRef:
+ kind: Role
+ name: secret-reader
+ apiGroup: rbac.authorization.k8s.io
diff --git a/validate.sh b/validate.sh
new file mode 100644
index 0000000..2224299
--- /dev/null
+++ b/validate.sh
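Review bot: The added `kubectl apply -f .infrastructure/security/rbac.yml` names a lowercase `security` directory, but this patch creates the manifest at `.infrastructure/Security/rbac.yml`; on a case-sensitive filesystem, which is what a Linux kind host or CI runner uses, the apply fails with a file-not-found error. Whether bootstrap.sh stops on that failure cannot be seen here, since its head (any `set -e`) is outside the hunk, so the RBAC step may be skipped silently. Use the path that exists, `kubectl apply -f .infrastructure/Security/rbac.yml`, or rename the directory to lowercase to match the other `.infrastructure/` paths applied above it. Note also that the Deployment applied on the previous line is not given the new ServiceAccount here; the binding only takes effect once validate.sh patches `serviceAccountName`.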
@@ -0,0 +1,83 @@
+#!/bin/bash
+
+set -e
+
+# Step 1: Create RBAC Manifest
+echo "Creating RBAC manifest..."
+mkdir -p security
+cat < security/rbac.yml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: todoapp-sa
+ namespace: todoapp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secret-reader
+ namespace: todoapp
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: read-secrets-binding
+ namespace: todoapp
+subjects:
+- kind: ServiceAccount
+ name: todoapp-sa
+ namespace: todoapp
+roleRef:
+ kind: Role
+ name: secret-reader
+ apiGroup: rbac.authorization.k8s.io
+EOF
+
+if kubectl apply -f security/rbac.yml; then
+ echo "RBAC manifest applied successfully 😊"
+else
+ echo "Failed to apply RBAC manifest πŸ˜Άβ€πŸŒ«οΈ"
+ exit 1
+fi
+
+# Step 2: Modify Deployment to Use ServiceAccount
+echo "Modifying Deployment to use the new ServiceAccount..."
+if kubectl patch deployment todoapp -n todoapp -p '{"spec": {"template": {"spec": {"serviceAccountName": "todoapp-sa"}}}}'; then
+ echo "Deployment modified successfully 😊"
+else
+ echo "Failed to modify Deployment πŸ˜Άβ€πŸŒ«οΈ"
+ exit 1
+fi
+
+# Step 3: Wait for Pods to be Ready
+echo "Waiting for pods to be ready..."
+if kubectl wait --for=condition=ready pod -l app=todoapp -n todoapp --timeout=120s; then
+ echo "Pods are ready 😊"
+else
+ echo "Pods did not become ready πŸ˜Άβ€πŸŒ«οΈ"
+ exit 1
+fi
+
+# Step 4: Execute curl to List Secrets
+echo "Executing curl command to list secrets..."
+POD_NAME=$(kubectl get pods -n todoapp -l app=todoapp -o jsonpath="{.items[0].metadata.name}")
+CONTAINER_NAME=$(kubectl get pod $POD_NAME -n todoapp -o jsonpath="{.spec.containers[0].name}")
+
+if kubectl exec $POD_NAME -n todoapp -c $CONTAINER_NAME -- sh -c '
+APISERVER=https://kubernetes.default.svc
+SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+TOKEN=$(cat ${SERVICEACCOUNT}/token)
+CACERT=${SERVICEACCOUNT}/ca.crt
+curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/todoapp/secrets
+'; then
+ echo "Secrets listed successfully 😊"
+else
+ echo "Failed to list secrets πŸ˜Άβ€πŸŒ«οΈ"
+ exit 1
+fi
+
+echo "Validation complete. Please take a screenshot of the above output."
From 69d1427ef3b8500fc65f9e540c8ae1c31deade96 Mon Sep 17 00:00:00 2001
From: SHCHERBANV
Date: Mon, 10 Jun 2024 09:05:38 -0600
Subject: [PATCH 2/2] Solution
---
 security/rbac.yml | 29 -----------------------------
 validate.sh | 41 ++++------------------------------------
 2 files changed, 4 insertions(+), 66 deletions(-)
 delete mode 100644 security/rbac.yml
diff --git a/security/rbac.yml b/security/rbac.yml
deleted file mode 100644
index 80bcd6d..0000000
--- a/security/rbac.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: todoapp-sa
- namespace: todoapp
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: secret-reader
- namespace: todoapp
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: read-secrets-binding
- namespace: todoapp
-subjects:
-- kind: ServiceAccount
- name: todoapp-sa
- namespace: todoapp
-roleRef:
- kind: Role
- name: secret-reader
- apiGroup: rbac.authorization.k8s.io
diff --git a/validate.sh b/validate.sh
index 2224299..26336f1 100644
--- a/validate.sh
+++ b/validate.sh
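Review bot: The final `if kubectl exec ... curl ...` check cannot detect an authorization failure: curl exits 0 on an HTTP 403, so `Secrets listed successfully` is printed regardless of whether the RoleBinding works, and when it does work the response body dumps every secret in the namespace (base64-encoded) into the terminal output the README asks to screenshot into the PR. Add `--fail` and report only the status code instead of the body, `curl --fail -sS --cacert "${CACERT}" --header "Authorization: Bearer ${TOKEN}" -o /dev/null -w "%{http_code}\n" "${APISERVER}/api/v1/namespaces/todoapp/secrets"`. `$POD_NAME` and `$CONTAINER_NAME` are unquoted on the `kubectl get pod` and `kubectl exec` lines; quote them, and guard against an empty `POD_NAME` (no matching pod) before the exec, since `set -e` does not catch a command substitution that succeeds with empty output.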
@@ -2,42 +2,9 @@
 
 set -e
 
-# Step 1: Create RBAC Manifest
-echo "Creating RBAC manifest..."
-mkdir -p security
-cat < security/rbac.yml
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: todoapp-sa
- namespace: todoapp
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: secret-reader
- namespace: todoapp
-rules:
-- apiGroups: [""]
- resources: ["secrets"]
- verbs: ["get", "list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: read-secrets-binding
- namespace: todoapp
-subjects:
-- kind: ServiceAccount
- name: todoapp-sa
- namespace: todoapp
-roleRef:
- kind: Role
- name: secret-reader
- apiGroup: rbac.authorization.k8s.io
-EOF
-
-if kubectl apply -f security/rbac.yml; then
+# Step 1: Apply RBAC Manifest
+echo "Applying RBAC manifest from C:/Users/shche/mate/kubernetes/devops_todolist_kubernetes_task_12_rbac/.infrastructure/Security/rbac.yml..."
+if kubectl apply -f C:/Users/shche/mate/kubernetes/devops_todolist_kubernetes_task_12_rbac/.infrastructure/Security/rbac.yml; then
 echo "RBAC manifest applied successfully 😊"
 else
 echo "Failed to apply RBAC manifest πŸ˜Άβ€πŸŒ«οΈ"
@@ -80,4 +47,4 @@ else
 exit 1
 fi
 
-echo "Validation complete. Please take a screenshot of the above output."
+echo "Validation complete."
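Review bot: `kubectl apply -f C:/Users/shche/...` hardcodes one developer's Windows home directory, so the script fails for any other user, on CI, or on any other machine; resolve the manifest relative to the script instead, `RBAC_FILE="$(cd "$(dirname "$0")" && pwd)/.infrastructure/Security/rbac.yml"`, `echo "Applying RBAC manifest from ${RBAC_FILE}..."`, `if kubectl apply -f "${RBAC_FILE}"; then`. The manifest now applied defines ServiceAccount `secrets-reader`, while Step 2 of the script (outside this hunk, unchanged from the previous patch) still patches the Deployment to `serviceAccountName: todoapp-sa`, and this commit deletes the security/rbac.yml that created `todoapp-sa`; unless something else creates it, the ReplicaSet cannot create pods for a missing ServiceAccount and Step 3's `kubectl wait` will time out. Patch the Deployment with `secrets-reader` or rename the ServiceAccount in the manifest so the two agree.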