diff --git a/.infrastructure/app/deployment.yml b/.infrastructure/app/deployment.yml
index 6d86d03..f998a8c 100644
--- a/.infrastructure/app/deployment.yml
+++ b/.infrastructure/app/deployment.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -91,4 +92,4 @@ spec:
 secretName: app-secret
 - name: app-config-volume
 configMap:
- name: app-config
\ No newline at end of file
+ name: app-config
diff --git a/.infrastructure/app/secret.yml b/.infrastructure/app/secret.yml
index ca8de35..694c9ac 100644
--- a/.infrastructure/app/secret.yml
+++ b/.infrastructure/app/secret.yml
@@ -9,4 +9,4 @@ data:
 DB_NAME: "YXBwX2RiCg=="
 DB_USER: "YXBwX3VzZXI="
 DB_PASSWORD: "MTIzNA=="
- DB_HOST: "bXlzcWwtMC5teXNxbC5teXNxbC5zdmMuY2x1c3Rlci5sb2NhbAo="
\ No newline at end of file
+ DB_HOST: "bXlzcWwtMC5teXNxbC5teXNxbC5zdmMuY2x1c3Rlci5sb2NhbAo="
diff --git a/.infrastructure/security/rbac.yml b/.infrastructure/security/rbac.yml
new file mode 100644
index 0000000..0e466b9
--- /dev/null
+++ b/.infrastructure/security/rbac.yml
@@ -0,0 +1,29 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: secrets-reader
+ namespace: todoapp
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: secrets-reader
+ namespace: todoapp
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "secrets"]
+ verbs: ["list", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: pods-lister-binding
+ namespace: todoapp
+subjects:
+ - kind: ServiceAccount
+ name: secrets-reader
+roleRef:
+ kind: Role
+ name: secrets-reader
+ apiGroup: rbac.authorization.k8s.io
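Review bot: The re-added `DB_HOST` value `bXlzcWwtMC5teXNxbC5teXNxbC5zdmMuY2x1c3Rlci5sb2NhbAo=` ends in `Cg==`, i.e. it decodes to the hostname followed by a newline, and the `DB_NAME` context value `YXBwX2RiCg==` has the same trailing newline, so the container will see `mysql-0.mysql.mysql.svc.cluster.local\n` as its host and the DB name `app_db\n`, which will very likely break the DNS lookup and the connection. Re-encode both without the newline (`printf '%s' value | base64` rather than `echo`), which for the same strings gives `DB_HOST: "bXlzcWwtMC5teXNxbC5teXNxbC5zdmMuY2x1c3Rlci5sb2NhbA=="` and `DB_NAME: "YXBwX2Ri"`. Base64 in a committed Secret is encoding, not encryption: the database credentials in this file are effectively plaintext in the repository history, so they should be supplied from outside the repo (an external or sealed secret, or created at bootstrap time) rather than checked in.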
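Review bot: The new Role grants `get` and `list` on `secrets` across the whole `todoapp` namespace, so any pod running as `secrets-reader` can read `app-secret` (including `DB_PASSWORD`) and every other Secret there, while the only use of the token shown in the README is listing pods; tighten the rule to `resources: ["pods"]`, or, if a Secret is genuinely needed, pin it with `resourceNames: ["app-secret"]` and keep only `get` for it, since `list` cannot be restricted by resourceNames. The RoleBinding is named `pods-lister-binding` but binds the `secrets-reader` Role, which hides the actual grant from anyone auditing bindings by name; name it after what it grants. The ServiceAccount subject omits `namespace:`; RBAC defaults it to the binding's namespace, but an explicit `namespace: todoapp` under the subject is clearer. Nothing in the visible deployment.yml hunks sets `serviceAccountName: secrets-reader`, so it is unclear which workload this account is for — worth confirming before merging.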
diff --git "a/.infrastructure/security/\320\241\320\275\320\270\320\274\320\276\320\272 \321\215\320\272\321\200\320\260\320\275\320\260 2024-12-20 \320\262 13.28.06.png" "b/.infrastructure/security/\320\241\320\275\320\270\320\274\320\276\320\272 \321\215\320\272\321\200\320\260\320\275\320\260 2024-12-20 \320\262 13.28.06.png"
new file mode 100644
index 0000000..4af8269
Binary files /dev/null and "b/.infrastructure/security/\320\241\320\275\320\270\320\274\320\276\320\272 \321\215\320\272\321\200\320\260\320\275\320\260 2024-12-20 \320\262 13.28.06.png" differ
diff --git a/README.md b/README.md
index d180d67..0c8b74b 100644
--- a/README.md
+++ b/README.md
@@ -43,3 +43,34 @@ You can now browse the [API](http://localhost:8000/api/) or start on the [landin
 1. Make a screenshot of the output and attach it to the PR
 1. Create the `INSTRUCTION.md` with instructions on how to validate the changes
 1. Create PR with your changes and attach it for validation on a platform.
+
+
+
+# -----------------------------
+
+# Cluster creation:
+
+kubectl create cluster --config cluster.yml
+
+# Apply all manifests:
+
+./bootstrap.sh
+
+# Check availability of pods:
+
+kubectl get pods -n todoapp
+
+# Go inside the pod:
+
+kubectl exec -it -n todoapp -- sh
+
+# Now let's make a query using these variables:
+
+APISERVER=https://kubernetes.default.svc
+SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+TOKEN=$(cat ${SERVICEACCOUNT}/token)
+CACERT=${SERVICEACCOUNT}/ca.crt
+
+# Let's make a curl request:
+
+curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/todoapp/pods
diff --git a/bootstrap.sh b/bootstrap.sh
old mode 100644
new mode 100755
index 2d534d7..c5391a9
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -17,4 +17,5 @@ kubectl apply -f .infrastructure/app/deployment.yml
 # Install Ingress Controller
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
-# kubectl apply -f .infrastructure/ingress/ingress.yml
+kubectl apply -f .infrastructure/ingress/ingress.yml
+kubectl apply -f .infrastructure/security/rbac.yml
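Review bot: The newly enabled `kubectl apply -f .infrastructure/ingress/ingress.yml` runs immediately after the ingress-nginx install on the line above, and on a fresh kind cluster the controller's validating admission webhook is usually not ready yet, so the Ingress apply tends to fail with a webhook connection error; insert `kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=90s` before it. Applying `rbac.yml` last creates the `secrets-reader` ServiceAccount after `deployment.yml`, which the hunk shows being applied earlier in the script; if that Deployment references the ServiceAccount, its pods cannot be created until it exists, so the rbac apply belongs before the deployment apply. The controller manifest is fetched from the `main` branch rather than a release tag, so what gets installed changes under you — pre-existing, but worth pinning. The rest of the script is outside the hunk.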