From bc41a98a7264e7b5055be23e2cde00069f7b8848 Mon Sep 17 00:00:00 2001 
From: Alex Bulankou Date: Thu, 2 Sep 2021 12:24:52 -0700 Subject: [PATCH] chore: Adding the code for Part3 of the ACM GKE blog - enabling Config Connector and initializing GCP resources (#980) --- examples/acm-terraform-blog-part1/README.md | 6 +- .../terraform/main.tf | 2 +- .../terraform/terraform.tfvars | 21 ++ .../terraform/variables.tf | 5 - examples/acm-terraform-blog-part2/README.md | 6 +- .../terraform/main.tf | 2 +- .../terraform/terraform.tfvars | 21 ++ .../terraform/variables.tf | 5 - examples/acm-terraform-blog-part3/README.md | 89 +++++++ .../config-root/Kptfile | 11 + .../config-root/audit-config.yaml | 22 ++ ....1_restrict-clusteradmin-rolebindings.yaml | 31 +++ .../5.1.3_prohibit-role-wildcard-access.yaml | 22 ++ .../5.2.1_psp-privileged-container.yaml | 28 +++ .../5.2.2-5.2.3_psp-host-namespace.yaml | 26 ++ .../5.2.4_psp-host-network-ports.yaml | 30 +++ ...-allow-privilege-escalation-container.yaml | 26 ++ .../5.2.6_psp-restrict_root_containers.yaml | 29 +++ .../5.2.7-5.2.8-5.2.9_psp-capabilities.yaml | 29 +++ ....2_require-namespace-network-policies.yaml | 22 ++ .../5.4.1_no-secrets-as-env-vars.yaml | 22 ++ .../5.7.2_seccomp-docker-default.yaml | 29 +++ .../5.7.3_pods-require-security-context.yaml | 22 ++ .../5.7.4_restrict-default-namespace.yaml | 25 ++ .../config-root/cis-k8s-1.5.1/Kptfile | 25 ++ .../config-root/cis-k8s-1.5.1/README.md | 6 + .../config-root/configconnector.yaml | 22 ++ .../config-root/wordpress-bundle.yaml | 226 ++++++++++++++++++ .../acm-terraform-blog-part3/terraform/gke.tf | 61 +++++ .../terraform/main.tf | 58 +++++ .../terraform/outputs.tf | 23 ++ .../terraform/providers.tf | 29 +++ .../terraform/terraform.tfvars | 21 ++ .../terraform/variables.tf | 45 ++++ 34 files changed, 1029 insertions(+), 18 deletions(-) create mode 100644 examples/acm-terraform-blog-part1/terraform/terraform.tfvars create mode 100644 examples/acm-terraform-blog-part2/terraform/terraform.tfvars create mode 100644 
examples/acm-terraform-blog-part3/README.md create mode 100644 examples/acm-terraform-blog-part3/config-root/Kptfile create mode 100644 examples/acm-terraform-blog-part3/config-root/audit-config.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.1_restrict-clusteradmin-rolebindings.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.3_prohibit-role-wildcard-access.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.1_psp-privileged-container.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.2-5.2.3_psp-host-namespace.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.4_psp-host-network-ports.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.5_psp-allow-privilege-escalation-container.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.6_psp-restrict_root_containers.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.7-5.2.8-5.2.9_psp-capabilities.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.3.2_require-namespace-network-policies.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.4.1_no-secrets-as-env-vars.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.2_seccomp-docker-default.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.3_pods-require-security-context.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.4_restrict-default-namespace.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/Kptfile create mode 100644 examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/README.md create mode 100644 
examples/acm-terraform-blog-part3/config-root/configconnector.yaml create mode 100644 examples/acm-terraform-blog-part3/config-root/wordpress-bundle.yaml create mode 100644 examples/acm-terraform-blog-part3/terraform/gke.tf create mode 100644 examples/acm-terraform-blog-part3/terraform/main.tf create mode 100644 examples/acm-terraform-blog-part3/terraform/outputs.tf create mode 100644 examples/acm-terraform-blog-part3/terraform/providers.tf create mode 100644 examples/acm-terraform-blog-part3/terraform/terraform.tfvars create mode 100644 examples/acm-terraform-blog-part3/terraform/variables.tf diff --git a/examples/acm-terraform-blog-part1/README.md b/examples/acm-terraform-blog-part1/README.md index a736c09d92..5f78aa7b71 100644 --- a/examples/acm-terraform-blog-part1/README.md +++ b/examples/acm-terraform-blog-part1/README.md @@ -36,10 +36,10 @@ Subsequent articles will discuss other aspects of ACM to manage your GCP infrast # continue in /terraform directory cd terraform - + export TF_VAR_project=$PROJECT_ID terraform init - terraform plan -var=project=$PROJECT_ID - terraform apply -var=project=$PROJECT_ID + terraform plan + terraform apply ``` NOTE: if you get an error due to default network not being present, run `gcloud compute networks create default --subnet-mode=auto` and retry the commands. diff --git a/examples/acm-terraform-blog-part1/terraform/main.tf b/examples/acm-terraform-blog-part1/terraform/main.tf index 05573760be..6575db39e7 100644 --- a/examples/acm-terraform-blog-part1/terraform/main.tf +++ b/examples/acm-terraform-blog-part1/terraform/main.tf @@ -16,7 +16,7 @@ resource "google_gke_hub_membership" "membership" { provider = google-beta - membership_id = "membership-hub" + membership_id = "membership-hub-${module.gke.name}" endpoint { gke_cluster { resource_link = "//container.googleapis.com/${module.gke.cluster_id}" 
diff --git a/examples/acm-terraform-blog-part1/terraform/terraform.tfvars b/examples/acm-terraform-blog-part1/terraform/terraform.tfvars
new file mode 100644
index 0000000000..12dca13ee2
--- /dev/null
+++ b/examples/acm-terraform-blog-part1/terraform/terraform.tfvars
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+region = "us-central1"
+zone = "us-central1-c"
+sync_repo = "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git"
+sync_branch = "master"
+policy_dir = "examples/acm-terraform-blog-part1/config-root"
diff --git a/examples/acm-terraform-blog-part1/terraform/variables.tf b/examples/acm-terraform-blog-part1/terraform/variables.tf
index e856ba7156..4343f4a3e0 100644
--- a/examples/acm-terraform-blog-part1/terraform/variables.tf
+++ b/examples/acm-terraform-blog-part1/terraform/variables.tf
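Review bot: `sync_branch = "master"` combined with `sync_repo` pointing at the upstream terraform-google-kubernetes-engine repository makes the cluster's Config Sync source a moving branch of a third-party repository: anything merged there under `examples/acm-terraform-blog-part1/config-root` is applied to the reader's cluster with no review step on their side. That is a reasonable tutorial default, but the trust boundary should be stated in the file, e.g. `# Point sync_repo/sync_branch at a fork you control so cluster config only changes when you merge it.` above the `sync_repo` line. The part2 terraform.tfvars hunk later in this patch carries the same values and the same comment would apply there.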
@@ -22,29 +22,24 @@ variable "project" { variable "region" { type = string description = "the GCP region where the cluster will be created" - default = "us-central1" } variable "zone" { type = string description = "the GCP zone in the region where the cluster will be created" - default = "us-central1-c" } variable "sync_repo" { type = string description = "git URL for the repo which will be sync'ed into the cluster via Config Management" - default = "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git" } variable "sync_branch" { type = string description = "the git branch in the repo to sync" - default = "master" } variable "policy_dir" { type = string description = "the root directory in the repo branch that contains the resources." - default = "examples/acm-terraform-blog-part1/config-root" } diff --git a/examples/acm-terraform-blog-part2/README.md b/examples/acm-terraform-blog-part2/README.md index 979619232a..99fff87464 100644 --- a/examples/acm-terraform-blog-part2/README.md +++ b/examples/acm-terraform-blog-part2/README.md @@ -24,10 +24,10 @@ Subsequent articles will discuss other aspects of ACM to manage your GCP infrast # continue in /terraform directory cd terraform - + export TF_VAR_project=$PROJECT_ID terraform init - terraform plan -var=project=$PROJECT_ID - terraform apply -var=project=$PROJECT_ID + terraform plan + terraform apply ``` NOTE: if you get an error due to default network not being present, run `gcloud compute networks create default --subnet-mode=auto` and retry the commands. diff --git a/examples/acm-terraform-blog-part2/terraform/main.tf b/examples/acm-terraform-blog-part2/terraform/main.tf index 7b6d0dfe9d..f6b67b3e7a 100644 --- a/examples/acm-terraform-blog-part2/terraform/main.tf +++ b/examples/acm-terraform-blog-part2/terraform/main.tf 
@@ -16,7 +16,7 @@ resource "google_gke_hub_membership" "membership" { provider = google-beta - membership_id = "membership-hub" + membership_id = "membership-hub-${module.gke.name}" endpoint { gke_cluster { resource_link = "//container.googleapis.com/${module.gke.cluster_id}" diff --git a/examples/acm-terraform-blog-part2/terraform/terraform.tfvars b/examples/acm-terraform-blog-part2/terraform/terraform.tfvars new file mode 100644 index 0000000000..5c0aec0b3f --- /dev/null +++ b/examples/acm-terraform-blog-part2/terraform/terraform.tfvars @@ -0,0 +1,21 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +region = "us-central1" +zone = "us-central1-c" +sync_repo = "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git" +sync_branch = "master" +policy_dir = "examples/acm-terraform-blog-part2/config-root" diff --git a/examples/acm-terraform-blog-part2/terraform/variables.tf b/examples/acm-terraform-blog-part2/terraform/variables.tf index e856ba7156..4343f4a3e0 100644 --- a/examples/acm-terraform-blog-part2/terraform/variables.tf +++ b/examples/acm-terraform-blog-part2/terraform/variables.tf 
@@ -22,29 +22,24 @@ variable "project" { variable "region" { type = string description = "the GCP region where the cluster will be created" - default = "us-central1" } variable "zone" { type = string description = "the GCP zone in the region where the cluster will be created" - default = "us-central1-c" } variable "sync_repo" { type = string description = "git URL for the repo which will be sync'ed into the cluster via Config Management" - default = "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git" } variable "sync_branch" { type = string description = "the git branch in the repo to sync" - default = "master" } variable "policy_dir" { type = string description = "the root directory in the repo branch that contains the resources." - default = "examples/acm-terraform-blog-part1/config-root" } diff --git a/examples/acm-terraform-blog-part3/README.md b/examples/acm-terraform-blog-part3/README.md new file mode 100644 index 0000000000..7e76f28b40 --- /dev/null +++ b/examples/acm-terraform-blog-part3/README.md 
@@ -0,0 +1,89 @@ +# Enable ACM features with Terraform - Part 3 + +This is part three of the tutorial to accompany a short series of blog articles explaining how to enable [Anthos Config Management (ACM)](https://cloud.google.com/anthos/config-management) with Terraform. + +In the [first part](../acm-terraform-blog-part1), we explained how to use Terraform to create a cluster and manage its config from git via [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview). + +In the [second part](../acm-terraform-blog-part2) we added guard rails for the cluster configuration via [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller). + +In this article we'll demonstrate how, using Config Connector, you can provision your GCP cloud resources following the same Kubernetes-native model. + +## Provision GCP resources + +1. Set the variable for the project from [part two](../acm-terraform-blog-part2). We will re-use that project but create a new cluster since we cleaned up at the end of the first section. If you are working in a different project, enable required GCP APIs, as described in [part one](../part1/README.md). + + ```bash + PROJECT_ID = [PROJECT_ID] + ``` +1. Note that [wordpress-bundle.yaml](./config-root/wordpress-bundle) was updated to use GCP MySQL database. Also we added [configconnector.yaml](./config-root/configconnector.yaml) to initialize the instance of Config Connector add-on on the cluster. + +1. Use [kpt](https://kpt.dev) to customize the `config-root` directory that will be configured as the source of the objects installed on the cluster. + + ```bash + kpt fn eval --include-meta-resources --image gcr.io/kpt-fn/set-project-id:v0.1 ./config-root -- "project-id=$PROJECT_ID" + kpt fn render ./config-root + ``` +1. Submit the updated configuration into your branch. +1. 
Ensure that `sync_repo` and `sync_branch` variables are updated in [terraform.tfvars](./terraform/terraform.tfvars) +1. Before running Terraform, notice the changes in [gke.tf](./terraform/gke.tf): + - We are using the `[beta-public-cluster](../modules/beta-public-cluster)` module + - `config_connector` variable is set to true + - We are using `workload-identity` module to create a Google Service Account and connect it to a Kubernetes Service Account that is running in Config Connector `cnrm-system` namespace, allowing Config Connector to create GCP resource. +1. As as in the previous part, create the cluster using Terraform: + + ```bash + # obtain user access credentials to use for Terraform commands + gcloud auth application-default login + + # continue in /terraform directory + cd terraform + export TF_VAR_project=$PROJECT_ID + terraform init + terraform plan + terraform apply + ``` + NOTE: if you get an error due to the default network not being present, run `gcloud compute networks create default --subnet-mode=auto` and retry the commands. + +1. To verify things have synced and Policy Controller is installed, you can again use `gcloud` to check status: + + ```bash + gcloud alpha container hub config-management status --project $PROJECT_ID + ``` + + As things initialize, you may see a few transient `error: KNV1021: No CustomResourceDefinition is defined` messages. This occurs when constraints from the repo are synced before Policy Controller has had a chance to load the appropriate template from the policy library. It will eventually reconcile. + + After a short time, in addition to the `Status` showing as `SYNCED` and the `Last_Synced_Token` matching the repo, there should also be a value of `INSTALLED` for `Policy_Controller`. + + +1. 
Connect your kubectl instance to the newly created cluster: + + ```bash + # get values from cluster that was created + export CLUSTER_ZONE=$(terraform output -raw cluster_location) + export CLUSTER_NAME=$(terraform output -raw cluster_name) + + # then get creditials for it + gcloud container clusters get-credentials $CLUSTER_NAME --zone $CLUSTER_ZONE --project $PROJECT_ID + + ``` + +1. Verify that Config Connector addon is installed and configured: + ```bash + kubectl wait -n cnrm-system --for=condition=Ready pod --all + ``` + + Note: The controller Pod can take several minutes to start. Once Config Connector is installed correctly, the output is similar to the following: + + ```bash + pod/cnrm-controller-manager-0 condition met + ``` +1. It will take a while for the SQL database to be created. You can check on the status: + ```bash + kubectl describe sqlinstance -n wp + ``` + +1. Finally, validate that Wordpress powered Cloud SQL database was created: + + ```bash + curl -L $( kubectl get service wordpress-external -n wp -o=json | \ + jq -r '.status["loadBalancer"]["ingress"][0]["ip"]') diff --git a/examples/acm-terraform-blog-part3/config-root/Kptfile b/examples/acm-terraform-blog-part3/config-root/Kptfile new file mode 100644 index 0000000000..181b0fb104 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/Kptfile @@ -0,0 +1,11 @@ +apiVersion: kpt.dev/v1 +kind: Kptfile +metadata: + name: WordPress powered by Google Cloud SQL +info: + description: create a WordPress in a container and connect it to a GCP-managed MySQL database +pipeline: + mutators: + - image: gcr.io/kpt-fn/apply-setters:v0.1 + configMap: + project-id: "" diff --git a/examples/acm-terraform-blog-part3/config-root/audit-config.yaml b/examples/acm-terraform-blog-part3/config-root/audit-config.yaml new file mode 100644 index 0000000000..a04d51a605 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/audit-config.yaml 
@@ -0,0 +1,22 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: config.gatekeeper.sh/v1alpha1 +kind: Config +metadata: + name: config + namespace: "gatekeeper-system" +spec: + match: + - excludedNamespaces: ["kube-system", "kube-public", "kube-node-lease", "config-management-system", "config-management-monitoring", "gatekeeper-system", "resource-group-system"] + processes: ["audit"] diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.1_restrict-clusteradmin-rolebindings.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.1_restrict-clusteradmin-rolebindings.yaml new file mode 100644 index 0000000000..3f214042e7 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.1_restrict-clusteradmin-rolebindings.yaml 
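Review bot: `excludedNamespaces` lists the ACM and Gatekeeper system namespaces but not `cnrm-system`, the namespace the part3 README says the Config Connector controller runs in, so once the add-on is enabled its pods are audited against every constraint in the cis-k8s-1.5.1 package and will likely surface as violations (security context, seccomp, non-root and so on) that the reader cannot remediate. Consider adding `"cnrm-system"` to the list, or a comment stating that Config Connector workloads are deliberately kept in scope. As I read the Gatekeeper Config semantics, `processes: ["audit"]` limits this exclusion to the audit process only, which is worth a one-line comment as well.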
@@ -0,0 +1,31 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sRestrictRoleBindings +metadata: # kpt-merge: /restrict-clusteradmin-rolebindings + name: restrict-clusteradmin-rolebindings + annotations: + # This constraint is not certified by CIS. + description: "Restricts use of the cluster-admin role." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + parameters: + allowedSubjects: + - name: "system:masters" + kind: "Group" + apiGroup: "rbac.authorization.k8s.io" + restrictedRole: + name: "cluster-admin" + kind: "ClusterRole" + apiGroup: "rbac.authorization.k8s.io" diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.3_prohibit-role-wildcard-access.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.3_prohibit-role-wildcard-access.yaml new file mode 100644 index 0000000000..f0d85a61e5 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.1.3_prohibit-role-wildcard-access.yaml 
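Review bot: Every constraint in this hunk and in the following cis-k8s-1.5.1 hunks (5.1.3 through 5.7.3) is added with `enforcementAction: dryrun # kpt-set: ${enforcementAction}`, yet the only setter declared in the root Kptfile's apply-setters configMap is `project-id`, so the `kpt fn render ./config-root` step in the README leaves all of them in dryrun: Policy Controller only reports violations in audit and never blocks admission, which does not match the "guard rails" framing. The nested `cis-k8s-1.5.1/Kptfile` is not in view; if it does not declare an `enforcementAction` setter, readers who expect the CIS policies to be enforced need to set the value explicitly, e.g. `enforcementAction: deny # kpt-set: ${enforcementAction}`, or add `enforcementAction: deny` to the setter configMap. If dryrun is the intended tutorial default, a short comment saying so in the README or at the top of each constraint would avoid the surprise.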
@@ -0,0 +1,22 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sProhibitRoleWildcardAccess +metadata: # kpt-merge: /prohibit-role-wildcard-access + name: prohibit-role-wildcard-access + annotations: + # This constraint is not certified by CIS. + description: "Restricts use of wildcards in Roles and ClusterRoles." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.1_psp-privileged-container.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.1_psp-privileged-container.yaml new file mode 100644 index 0000000000..beb86142d5 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.1_psp-privileged-container.yaml 
@@ -0,0 +1,28 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPPrivilegedContainer +metadata: # kpt-merge: /psp-privileged-container + name: psp-privileged-container + annotations: + # This constraint is not certified by CIS. + description: "Restricts containers with `securityContext.privileged` set to `true`." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + match: + kinds: + - apiGroups: + - '' + kinds: + - Pod diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.2-5.2.3_psp-host-namespace.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.2-5.2.3_psp-host-namespace.yaml new file mode 100644 index 0000000000..17d97c6ddb --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.2-5.2.3_psp-host-namespace.yaml 
@@ -0,0 +1,26 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostNamespace +metadata: # kpt-merge: /psp-host-namespace + name: psp-host-namespace + annotations: + # This constraint is not certified by CIS. + description: "Prohibits containers from running with `hostPID` or `hostIPC` set to `true`." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.4_psp-host-network-ports.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.4_psp-host-network-ports.yaml new file mode 100644 index 0000000000..a4798a4b4d --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.4_psp-host-network-ports.yaml 
@@ -0,0 +1,30 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPHostNetworkingPorts +metadata: # kpt-merge: /psp-host-network-ports + name: psp-host-network-ports + annotations: + # This constraint is not certified by CIS. + description: "Restricts containers from rnuning with the `hostNetwork` flag set to `true`." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + hostNetwork: true + #min: 80 + #max: 9000 diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.5_psp-allow-privilege-escalation-container.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.5_psp-allow-privilege-escalation-container.yaml new file mode 100644 index 0000000000..9d046f1a47 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.5_psp-allow-privilege-escalation-container.yaml 
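Review bot: `hostNetwork: true` under `parameters` appears to permit host networking rather than forbid it: in the gatekeeper-library template for K8sPSPHostNetworkingPorts the boolean states whether hostNetwork is allowed, and with `#min: 80` and `#max: 9000` commented out no port range is enforced either, so as written this constraint likely never reports a violation while its description claims to restrict `hostNetwork` set to `true`. If the description reflects the intent, change the parameter to `hostNetwork: false` and drop or populate the commented port range; if host networking is meant to be allowed within a port range, keep `true`, uncomment `min`/`max` and reword the description. Please verify against the template's parameter schema before changing it. The description also misspells `running` as `rnuning`.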
@@ -0,0 +1,26 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPAllowPrivilegeEscalationContainer +metadata: # kpt-merge: /psp-allow-privilege-escalation-container + name: psp-allow-privilege-escalation-container + annotations: + # This constraint is not certified by CIS. + description: "Restricts containers with `allowPrivilegeEscalation` set to `true`." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.6_psp-restrict_root_containers.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.6_psp-restrict_root_containers.yaml new file mode 100644 index 0000000000..156a2c971e --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.6_psp-restrict_root_containers.yaml 
@@ -0,0 +1,29 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPAllowedUsers +metadata: # kpt-merge: /psp-pods-must-run-as-nonroot + name: psp-pods-must-run-as-nonroot + annotations: + # This constraint is not certified by CIS. + description: "Restricts containers from running as the root user." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + runAsUser: + rule: MustRunAsNonRoot diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.7-5.2.8-5.2.9_psp-capabilities.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.7-5.2.8-5.2.9_psp-capabilities.yaml new file mode 100644 index 0000000000..2ce81ac7dc --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.2.7-5.2.8-5.2.9_psp-capabilities.yaml 
@@ -0,0 +1,29 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sPSPCapabilities +metadata: # kpt-merge: /psp-capabilities + name: psp-capabilities + annotations: + # This constraint is not certified by CIS. + description: "Requires containers to drop the `NET_RAW` capability; constainers may not have allowedCapabilities set to anything other than an empty array; " +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} + match: + kinds: + - apiGroups: [""] + kinds: ["Pod"] + parameters: + allowedCapabilities: [] + requiredDropCapabilities: ["NET_RAW"] diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.3.2_require-namespace-network-policies.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.3.2_require-namespace-network-policies.yaml new file mode 100644 index 0000000000..e3331f0d4a --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.3.2_require-namespace-network-policies.yaml 
@@ -0,0 +1,22 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sRequireNamespaceNetworkPolicies +metadata: # kpt-merge: /require-namespace-network-policies + name: require-namespace-network-policies + annotations: + # This constraint is not certified by CIS. + description: "Requires that every namespace defined in the cluster has a NetworkPolicy." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.4.1_no-secrets-as-env-vars.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.4.1_no-secrets-as-env-vars.yaml new file mode 100644 index 0000000000..61cc561ea2 --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.4.1_no-secrets-as-env-vars.yaml 
@@ -0,0 +1,22 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: K8sNoEnvVarSecrets +metadata: # kpt-merge: /no-secrets-as-env-vars + name: no-secrets-as-env-vars + annotations: + # This constraint is not certified by CIS. + description: "Prohibits secrets as environment variables in container definitions; instead, use mounted secret files in data volumes." +spec: + enforcementAction: dryrun # kpt-set: ${enforcementAction} diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.2_seccomp-docker-default.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.2_seccomp-docker-default.yaml new file mode 100644 index 0000000000..964376c22e --- /dev/null +++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.2_seccomp-docker-default.yaml 
@@ -0,0 +1,29 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPSPSeccomp
+metadata: # kpt-merge: /psp-seccomp-docker-default
+ name: psp-seccomp-docker-default
+ annotations:
+ # This constraint is not certified by CIS.
+ description: "Requires that Pods have seccomp profile set to `docker/default`."
+spec:
+ enforcementAction: dryrun # kpt-set: ${enforcementAction}
+ match:
+ kinds:
+ - apiGroups: [""]
+ kinds: ["Pod"]
+ parameters:
+ allowedProfiles:
+ - docker/default
diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.3_pods-require-security-context.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.3_pods-require-security-context.yaml
new file mode 100644
index 0000000000..0e30a05254
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.3_pods-require-security-context.yaml
@@ -0,0 +1,22 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sPodsRequireSecurityContext
+metadata: # kpt-merge: /pods-require-security-context
+ name: pods-require-security-context
+ annotations:
+ # This constraint is not certified by CIS.
+ description: "Requires that Pods must have a `securityContext` defined."
+spec:
+ enforcementAction: dryrun # kpt-set: ${enforcementAction}
diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.4_restrict-default-namespace.yaml b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.4_restrict-default-namespace.yaml
new file mode 100644
index 0000000000..91c47a160f
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/5.7.4_restrict-default-namespace.yaml
@@ -0,0 +1,25 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRestrictNamespaces
+metadata: # kpt-merge: /restrict-default-namespace
+ name: restrict-default-namespace
+ annotations:
+ # This constraint is not certified by CIS.
+ description: "Restricts resources from using the `default` namespace."
+spec:
+ enforcementAction: dryrun # kpt-set: ${enforcementAction}
+ parameters:
+ restrictedNamespaces:
+ - default
diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/Kptfile b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/Kptfile
new file mode 100644
index 0000000000..3ea5f521f3
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/Kptfile
@@ -0,0 +1,25 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+ name: cis-k8s-1.5.1
+upstream:
+ type: git
+ git:
+ repo: https://github.com/GoogleCloudPlatform/acm-policy-controller-library
+ directory: /bundles/cis-k8s-1.5.1
+ ref: master
+ updateStrategy: resource-merge
+upstreamLock:
+ type: git
+ git:
+ repo: https://github.com/GoogleCloudPlatform/acm-policy-controller-library
+ directory: /bundles/cis-k8s-1.5.1
+ ref: master
+ commit: dd914200aa4768ad59ebb6ef56b5bf2062c06fb3
+info:
+ description: CIS Benchmark Kubernetes v1.5.1
+pipeline:
+ mutators:
+ - image: gcr.io/kpt-fn/apply-setters:v0.1
+ configMap:
+ enforcementAction: dryrun
diff --git a/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/README.md b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/README.md
new file mode 100644
index 0000000000..861b1bb20b
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/config-root/cis-k8s-1.5.1/README.md
@@ -0,0 +1,6 @@
+CIS Kubernetes Benchmark v.1.5.1
+==================================================
+
+## Description
+
+These constraints are intended to address the recommendations the CIS Kubernetes Benchmark v.1.5.1. They have not been certified by CIS.
diff --git a/examples/acm-terraform-blog-part3/config-root/configconnector.yaml b/examples/acm-terraform-blog-part3/config-root/configconnector.yaml
new file mode 100644
index 0000000000..2c348fd378
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/config-root/configconnector.yaml
@@ -0,0 +1,22 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnector
+metadata:
+ # the name is restricted to ensure that there is only one
+ # ConfigConnector instance installed in your cluster
+ name: configconnector.core.cnrm.cloud.google.com
+spec:
+ googleServiceAccount: "cnrmsa@to-be-specified.iam.gserviceaccount.com" # kpt-set: cnrmsa@${projectId}.iam.gserviceaccount.com
+ mode: cluster
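Review bot: `mode: cluster` ties every namespace that Config Connector manages to the single `cnrmsa` Google service account named in `googleServiceAccount`, so anyone who can create Config Connector resources in any namespace of this cluster acts with that account's project-level permissions. That is acceptable for a sample, but a comment on the `mode` line should say so and name the alternative, `mode: namespaced`, which lets each namespace be annotated with its own, narrower service account. Separately, the setter on `googleServiceAccount` is `${projectId}` while wordpress-bundle.yaml in this same config-root uses `${project-id}`; unless the config-root Kptfile declares both names, one of the two values will not be substituted by apply-setters and the cluster will be left pointing at `to-be-specified`.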
diff --git a/examples/acm-terraform-blog-part3/config-root/wordpress-bundle.yaml b/examples/acm-terraform-blog-part3/config-root/wordpress-bundle.yaml
new file mode 100644
index 0000000000..e1b87fa1b3
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/config-root/wordpress-bundle.yaml
@@ -0,0 +1,226 @@
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wp
+ annotations:
+ cnrm.cloud.google.com/project-id: to-be-specified # kpt-set: ${project-id}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sql-wp-ksa-wi
+ namespace: wp
+ annotations:
+ iam.gke.io/gcp-service-account: sql-wp-sa@to-be-specified.iam.gserviceaccount.com # kpt-set: sql-wp-sa@${project-id}.iam.gserviceaccount.com
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: wordpress-cloudsql-db-credentials
+ namespace: wp
+stringData:
+ connectionName: us-central1:wp-db
+ password: change-me
+ projectId: to-be-specified # kpt-set: ${project-id}
+ username: wordpress
+---
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+ name: sqladmin.googleapis.com
+ namespace: wp
+ annotations:
+ cnrm.cloud.google.com/deletion-policy: abandon
+ cnrm.cloud.google.com/disable-dependent-services: "false"
+---
+# Source: wordpress-gcp/templates/k8s-external-load-balancer.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: wordpress-external
+ namespace: wp
+ labels:
+ app: wordpress
+spec:
+ type: LoadBalancer
+ selector:
+ app: wordpress
+ ports:
+ - name: web
+ protocol: TCP
+ port: 80
+ targetPort: 80
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: wordpress
+ namespace: wp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wordpress
+ template:
+ metadata:
+ labels:
+ app: wordpress
+ spec:
+ terminationGracePeriodSeconds: 30
+ serviceAccountName: sql-wp-ksa-wi
+ containers:
+ - name: cloudsql-proxy
+ image: gcr.io/cloudsql-docker/gce-proxy:1.11
+ command: ["/cloud_sql_proxy", "-instances=$(PROJECT_ID):$(CONNECTION_NAME)=tcp:3306"]
+ env:
+ - name: CONNECTION_NAME
+ valueFrom:
+ secretKeyRef:
+ name: wordpress-cloudsql-db-credentials
+ key: connectionName
+ - name: PROJECT_ID
+ valueFrom:
+ secretKeyRef:
+ name: wordpress-cloudsql-db-credentials
+ key: projectId
+ resources:
+ limits:
+ cpu: "200m"
+ memory: "100Mi"
+ - name: wordpress
+ image: wordpress:5.2.2-apache
+ ports:
+ - containerPort: 80
+ env:
+ - name: WORDPRESS_DB_HOST
+ value: 127.0.0.1:3306
+ - name: WORDPRESS_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: wordpress-cloudsql-db-credentials
+ key: username
+ - name: WORDPRESS_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: wordpress-cloudsql-db-credentials
+ key: password
+ resources:
+ limits:
+ cpu: 200m
+ memory: 100Mi
+ volumeMounts:
+ - name: wordpress-volume
+ mountPath: /var/www/html
+ livenessProbe:
+ failureThreshold: 20
+ httpGet:
+ port: 80
+ path: /
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+ readinessProbe:
+ failureThreshold: 10
+ httpGet:
+ port: 80
+ path: /
+ initialDelaySeconds: 180
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 10
+ imagePullPolicy: IfNotPresent
+ volumeClaimTemplates:
+ - metadata:
+ name: wordpress-volume
+ spec:
+ resources:
+ requests:
+ storage: 10Gi
+ accessModes: ["ReadWriteOnce"]
+ serviceName: "wordpress"
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicy
+metadata:
+ name: sql-wp-sa-wi-policy
+ namespace: wp
+spec:
+ bindings:
+ - members:
+ - serviceAccount:to-be-specified.svc.id.goog[wp/sql-wp-ksa-wi] # kpt-set: serviceAccount:${project-id}.svc.id.goog[wp/sql-wp-ksa-wi]
+ role: roles/iam.workloadIdentityUser
+ resourceRef:
+ name: sql-wp-sa
+ apiVersion: iam.cnrm.cloud.google.com/v1beta1
+ kind: IAMServiceAccount
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMPolicyMember
+metadata:
+ name: sql-wp-sa-project-policymember
+ namespace: wp
+spec:
+ member: serviceAccount:sql-wp-sa@to-be-specified.iam.gserviceaccount.com # kpt-set: serviceAccount:sql-wp-sa@${project-id}.iam.gserviceaccount.com
+ resourceRef:
+ apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
+ kind: Project
+ external: to-be-specified # kpt-set: ${project-id}
+ role: roles/cloudsql.client
+---
+apiVersion: iam.cnrm.cloud.google.com/v1beta1
+kind: IAMServiceAccount
+metadata:
+ name: sql-wp-sa
+ namespace: wp
+spec:
+ displayName: Service Account for WordPress Config Connector Sample
+---
+apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLDatabase
+metadata:
+ name: wordpress
+ namespace: wp
+spec:
+ charset: utf8
+ instanceRef:
+ name: wp-db
+---
+apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLInstance
+metadata:
+ name: wp-db
+ namespace: wp
+spec:
+ databaseVersion: MYSQL_5_7
+ region: us-central1
+ settings:
+ tier: db-f1-micro
+---
+apiVersion: sql.cnrm.cloud.google.com/v1beta1
+kind: SQLUser
+metadata:
+ name: wordpress
+ namespace: wp
+spec:
+ host: "%"
+ instanceRef:
+ name: wp-db
+ password:
+ valueFrom:
+ secretKeyRef:
+ name: wordpress-cloudsql-db-credentials
+ key: password
diff --git a/examples/acm-terraform-blog-part3/terraform/gke.tf b/examples/acm-terraform-blog-part3/terraform/gke.tf
new file mode 100644
index 0000000000..cbe55dfa89
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/terraform/gke.tf
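Review bot: The `wordpress-cloudsql-db-credentials` Secret carries the database password in clear (`password: change-me` under `stringData`), and the `SQLUser` at the end of the file reads that same key through `secretKeyRef`, so the credential that Config Connector sets on the Cloud SQL instance is committed to the Git repository Config Sync pulls from. Keep this Secret out of the synced tree and create it in the `wp` namespace out of band (or from Secret Manager), letting the StatefulSet and SQLUser keep referencing it by name; at minimum add `# placeholder - becomes the real Cloud SQL user password, replace before syncing` beside it. The StatefulSet also contradicts the CIS bundle shipped next to it: both containers take secrets through `secretKeyRef` env vars (5.4.1), no `securityContext` is set (5.7.3) and no seccomp profile is declared (5.7.2), so these objects will show up as audit violations as soon as the constraints leave `dryrun`, which deserves a note in the file so readers understand the findings. `wordpress-external` is a `type: LoadBalancer` Service with no `loadBalancerSourceRanges`, so the site is reachable from any address once the readiness probe passes; and `gce-proxy:1.11` with `wordpress:5.2.2-apache` are several releases old for a 2021 sample, so a comment saying they are pinned for the blog rather than recommended would help.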
@@ -0,0 +1,61 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "enabled_google_apis" {
+ source = "terraform-google-modules/project-factory/google//modules/project_services"
+ version = "~> 10.0"
+
+ project_id = var.project
+ disable_services_on_destroy = false
+
+ activate_apis = [
+ "compute.googleapis.com",
+ "container.googleapis.com",
+ "gkehub.googleapis.com",
+ "anthosconfigmanagement.googleapis.com",
+ "cloudresourcemanager.googleapis.com",
+ "sqladmin.googleapis.com"
+ ]
+}
+
+module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google//modules/beta-public-cluster"
+ version = "~> 16.0"
+ project_id = module.enabled_google_apis.project_id
+ name = "sfl-acm-part3"
+ region = var.region
+ zones = [var.zone]
+ initial_node_count = 4
+ network = "default"
+ subnetwork = "default"
+ ip_range_pods = ""
+ ip_range_services = ""
+ config_connector = true
+}
+
+module "wi" {
+ source = "terraform-google-modules/kubernetes-engine/google//modules/workload-identity"
+ version = "~> 16.0.1"
+ gcp_sa_name = "cnrmsa"
+ cluster_name = module.gke.name
+ name = "cnrm-controller-manager"
+ location = var.zone
+ use_existing_k8s_sa = true
+ annotate_k8s_sa = false
+ namespace = "cnrm-system"
+ project_id = module.enabled_google_apis.project_id
+ roles = ["roles/owner"]
+}
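Review bot: `roles = ["roles/owner"]` in `module "wi"` makes the Config Connector service account a project owner, which is far broader than what the config-root manifests need (a service account, two IAM bindings, one Cloud SQL instance/database/user and a service enablement). A roughly least-privilege set for that manifest is `roles/iam.serviceAccountAdmin`, `roles/resourcemanager.projectIamAdmin`, `roles/cloudsql.admin` and `roles/serviceusage.serviceUsageAdmin`; if the sample keeps `roles/owner` for simplicity, a comment `# roles/owner keeps the sample short; scope this down for anything beyond a demo` belongs on that line, since this is the identity that a compromised or misconfigured cluster would act as. The two kubernetes-engine modules are also pinned inconsistently (`~> 16.0` for `gke`, `~> 16.0.1` for `wi`), which can resolve to different module releases; use one constraint for both. `ip_range_pods = ""` and `ip_range_services = ""` fall back to module defaults, which is worth a comment so readers know the cluster is created on the `default` network with auto-allocated ranges.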
diff --git a/examples/acm-terraform-blog-part3/terraform/main.tf b/examples/acm-terraform-blog-part3/terraform/main.tf
new file mode 100644
index 0000000000..f6b67b3e7a
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/terraform/main.tf
@@ -0,0 +1,58 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_gke_hub_membership" "membership" {
+ provider = google-beta
+ membership_id = "membership-hub-${module.gke.name}"
+ endpoint {
+ gke_cluster {
+ resource_link = "//container.googleapis.com/${module.gke.cluster_id}"
+ }
+ }
+}
+
+resource "google_gke_hub_feature" "configmanagement_acm_feature" {
+ name = "configmanagement"
+ location = "global"
+ provider = google-beta
+}
+
+resource "google_gke_hub_feature_membership" "feature_member" {
+ provider = google-beta
+ location = "global"
+ feature = "configmanagement"
+ membership = google_gke_hub_membership.membership.membership_id
+ configmanagement {
+ version = "1.8.0"
+ config_sync {
+ source_format = "unstructured"
+ git {
+ sync_repo = var.sync_repo
+ sync_branch = var.sync_branch
+ policy_dir = var.policy_dir
+ secret_type = "none"
+ }
+ }
+ policy_controller {
+ enabled = true
+ template_library_installed = true
+ referential_rules_enabled = true
+ }
+ }
+ depends_on = [
+ google_gke_hub_feature.configmanagement_acm_feature
+ ]
+}
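Review bot: The Config Sync `git` block follows a moving branch (`sync_branch = var.sync_branch`, which terraform.tfvars sets to `master` of a public repository) with no `sync_rev`, so whatever lands on that branch is applied to the cluster and, because config-root installs Config Connector, to the project's IAM and Cloud SQL resources as well. For a sync that reaches into GCP with the permissions granted in gke.tf, pin the revision (`sync_rev = "<commit-sha placeholder>"`) or point `sync_repo` at a repository the reader controls, and state in a comment which of the two the sample expects. `secret_type = "none"` is correct for a public repo, but a comment should say so, since a private fork will need `ssh` or `token` together with the `git-creds` Secret in `config-management-system`.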
diff --git a/examples/acm-terraform-blog-part3/terraform/outputs.tf b/examples/acm-terraform-blog-part3/terraform/outputs.tf new file mode 100644 index 0000000000..9cd70d5ce6 --- /dev/null +++ b/examples/acm-terraform-blog-part3/terraform/outputs.tf @@ -0,0 +1,23 @@ +/** + * Copyright 2021 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "cluster_location" { + value = module.gke.location +} + +output "cluster_name" { + value = module.gke.name +} diff --git a/examples/acm-terraform-blog-part3/terraform/providers.tf b/examples/acm-terraform-blog-part3/terraform/providers.tf new file mode 100644 index 0000000000..6debb7dc12 --- /dev/null +++ b/examples/acm-terraform-blog-part3/terraform/providers.tf 
@@ -0,0 +1,29 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+ required_providers {
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = "3.73.0"
+ }
+ }
+}
+provider "google-beta" {
+ project = var.project
+ region = var.region
+ zone = var.zone
+}
diff --git a/examples/acm-terraform-blog-part3/terraform/terraform.tfvars b/examples/acm-terraform-blog-part3/terraform/terraform.tfvars
new file mode 100644
index 0000000000..df55548fb3
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/terraform/terraform.tfvars
@@ -0,0 +1,21 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+region = "us-central1"
+zone = "us-central1-c"
+sync_repo = "https://github.com/terraform-google-modules/terraform-google-kubernetes-engine.git"
+sync_branch = "master"
+policy_dir = "examples/acm-terraform-blog-part3/config-root"
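Review bot: `required_providers` pins only `google-beta` to `3.73.0`, while the project-factory and kubernetes-engine modules called from gke.tf, as far as I can tell, also use the `google` provider, so that one is resolved to whatever version `terraform init` finds and the sample is not reproducible; add `google = { source = "hashicorp/google", version = "3.73.0" }` beside it. In terraform.tfvars, `sync_repo` and `policy_dir` point at this upstream repository's own example tree, which means the reader's cluster will sync from a repository they do not control; a comment `# replace with a fork you control before applying` on the `sync_repo` line avoids the surprise. `project` is the one variable this tfvars file leaves unset, which is fine but should be noted in a comment so readers know to pass it on the command line.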
diff --git a/examples/acm-terraform-blog-part3/terraform/variables.tf b/examples/acm-terraform-blog-part3/terraform/variables.tf
new file mode 100644
index 0000000000..4343f4a3e0
--- /dev/null
+++ b/examples/acm-terraform-blog-part3/terraform/variables.tf
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project" {
+ type = string
+ description = "the GCP project where the cluster will be created"
+}
+
+variable "region" {
+ type = string
+ description = "the GCP region where the cluster will be created"
+}
+
+variable "zone" {
+ type = string
+ description = "the GCP zone in the region where the cluster will be created"
+}
+
+variable "sync_repo" {
+ type = string
+ description = "git URL for the repo which will be sync'ed into the cluster via Config Management"
+}
+
+variable "sync_branch" {
+ type = string
+ description = "the git branch in the repo to sync"
+}
+
+variable "policy_dir" {
+ type = string
+ description = "the root directory in the repo branch that contains the resources."
+}
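Review bot: The variable descriptions are written inconsistently: every one starts lowercase and only `policy_dir` ends with a period, and `sync_repo` says `git URL` while the value in terraform.tfvars is an HTTPS clone URL. Normalize them to sentence case without trailing periods, e.g. `description = "Git URL (HTTPS or SSH) of the repository Config Management syncs into the cluster"`, and since `project` is the one variable terraform.tfvars does not set, say so in its description, e.g. `description = "GCP project ID for the cluster; not set in terraform.tfvars, pass it via -var or TF_VAR_project"`.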