From 5fd8cf60d5c2008739b68bd9a9922b2dde0dba9d Mon Sep 17 00:00:00 2001 From: Denis Mishin Date: Thu, 29 Aug 2024 15:16:32 -0400 Subject: [PATCH] zero/k8s: use deployments (#5248) * zero/k8s: use deployments * secret mount readonly Co-authored-by: Joe Kralicky * adjust according to comments --------- Co-authored-by: Joe Kralicky --- k8s/zero/deployment/base.yaml | 4 ++-- k8s/zero/deployment/env.yaml | 6 +++++- k8s/zero/deployment/image.yaml | 2 +- k8s/zero/deployment/no-root.yaml | 2 +- k8s/zero/deployment/ports.yaml | 2 +- k8s/zero/deployment/readonly-root-fs.yaml | 2 +- k8s/zero/deployment/resources.yaml | 2 +- k8s/zero/deployment/volumes.yaml | 26 +++++++++++------------ k8s/zero/kustomization.yaml | 1 + k8s/zero/rbac/kustomization.yaml | 6 ++++++ k8s/zero/rbac/role.yaml | 14 ++++++++++++ k8s/zero/rbac/role_binding.yaml | 11 ++++++++++ k8s/zero/rbac/service_account.yaml | 4 ++++ 13 files changed, 61 insertions(+), 21 deletions(-) create mode 100644 k8s/zero/rbac/kustomization.yaml create mode 100644 k8s/zero/rbac/role.yaml create mode 100644 k8s/zero/rbac/role_binding.yaml create mode 100644 k8s/zero/rbac/service_account.yaml
diff --git a/k8s/zero/deployment/base.yaml b/k8s/zero/deployment/base.yaml
index ece3b8337..5d5254568 100644
--- a/k8s/zero/deployment/base.yaml
+++ b/k8s/zero/deployment/base.yaml
@@ -1,15 +1,15 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec: - serviceName: "pomerium-proxy" replicas: 1 selector: matchLabels: app.kubernetes.io/name: pomerium-zero template: spec: + serviceAccountName: pomerium-zero containers: - name: pomerium terminationGracePeriodSeconds: 10
diff --git a/k8s/zero/deployment/env.yaml b/k8s/zero/deployment/env.yaml
index c0ad02eb1..6cb28d7f9 100644
--- a/k8s/zero/deployment/env.yaml
+++ b/k8s/zero/deployment/env.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
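Review bot: Switching the workload to a Deployment leaves it on the default RollingUpdate strategy, so during a rollout a new pod can run alongside the old one, and both would hold the `pomerium-zero` service account added under `template: spec:` and, per the env and rbac changes elsewhere in this commit, both could write back to the same `pomerium` secret. With `replicas: 1` that overlap buys nothing, so adding `strategy: type: Recreate` under `spec:` (with a short comment saying why) removes the race, unless a concurrent write-back is known to be safe. The rest of the pod spec sits outside this hunk, so I cannot see whether anything else depends on the old StatefulSet identity.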
@@ -19,6 +19,10 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: BOOTSTRAP_CONFIG_FILE + value: "/var/run/secrets/pomerium/bootstrap.dat" + - name: BOOTSTRAP_CONFIG_WRITEBACK_URI + value: "secret://$(POMERIUM_NAMESPACE)/pomerium/bootstrap" - name: POD_IP valueFrom: fieldRef:
diff --git a/k8s/zero/deployment/image.yaml b/k8s/zero/deployment/image.yaml
index ea4fb07cc..671d47e6d 100644
--- a/k8s/zero/deployment/image.yaml
+++ b/k8s/zero/deployment/image.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
diff --git a/k8s/zero/deployment/no-root.yaml b/k8s/zero/deployment/no-root.yaml
index f00cb3746..b708193f8 100644
--- a/k8s/zero/deployment/no-root.yaml
+++ b/k8s/zero/deployment/no-root.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
diff --git a/k8s/zero/deployment/ports.yaml b/k8s/zero/deployment/ports.yaml
index 08181d539..547e777b0 100644
--- a/k8s/zero/deployment/ports.yaml
+++ b/k8s/zero/deployment/ports.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
diff --git a/k8s/zero/deployment/readonly-root-fs.yaml b/k8s/zero/deployment/readonly-root-fs.yaml
index 7c5c98641..7159c9eab 100644
--- a/k8s/zero/deployment/readonly-root-fs.yaml
+++ b/k8s/zero/deployment/readonly-root-fs.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
diff --git a/k8s/zero/deployment/resources.yaml b/k8s/zero/deployment/resources.yaml
index bad226505..21a6ee65d 100644
--- a/k8s/zero/deployment/resources.yaml
+++ b/k8s/zero/deployment/resources.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
diff --git a/k8s/zero/deployment/volumes.yaml b/k8s/zero/deployment/volumes.yaml
index 871df36bf..15475674c 100644
--- a/k8s/zero/deployment/volumes.yaml
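Review bot: `BOOTSTRAP_CONFIG_WRITEBACK_URI` depends on Kubernetes `$(VAR)` expansion, which only resolves variables declared earlier in the same `env` list; the context line `fieldPath: metadata.namespace` just above is presumably the `POMERIUM_NAMESPACE` entry, so the order is right today, but a reorder would silently leave the literal `$(POMERIUM_NAMESPACE)` in the URI, which is worth a comment. The secret name `pomerium` and key `bootstrap` in this value must also agree with the `secretName`/`items` in volumes.yaml and the `resourceNames` in rbac/role.yaml, so I would add `# secret name and key must match volumes.yaml and rbac/role.yaml` above this entry to keep the three places in step.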
+++ b/k8s/zero/deployment/volumes.yaml
@@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: pomerium spec:
@@ -13,22 +13,22 @@ spec: - name: TMPDIR value: "/tmp/pomerium" - name: XDG_CACHE_HOME - value: "/var/cache" + value: "/tmp/pomerium/cache" - name: XDG_DATA_HOME - value: "/var/cache" + value: "/tmp/pomerium/cache" volumeMounts: - mountPath: "/tmp/pomerium" name: tmp - - mountPath: "/var/cache" - name: pomerium-cache + - mountPath: "/var/run/secrets/pomerium" + name: bootstrap + readOnly: true volumes: - name: tmp emptyDir: {} - volumeClaimTemplates: - - metadata: - name: pomerium-cache - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: 100Mi + - name: bootstrap + secret: + optional: true + secretName: pomerium + items: + - key: bootstrap + path: bootstrap.dat
diff --git a/k8s/zero/kustomization.yaml b/k8s/zero/kustomization.yaml
index bed5cf7ed..60afd7e76 100644
--- a/k8s/zero/kustomization.yaml
+++ b/k8s/zero/kustomization.yaml
@@ -3,5 +3,6 @@ commonLabels: app.kubernetes.io/name: pomerium-zero resources: - namespace.yaml + - ./rbac - ./deployment - ./service
diff --git a/k8s/zero/rbac/kustomization.yaml b/k8s/zero/rbac/kustomization.yaml
new file mode 100644
index 000000000..6da23f403
--- /dev/null
+++ b/k8s/zero/rbac/kustomization.yaml
@@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- role.yaml +- role_binding.yaml +- service_account.yaml
diff --git a/k8s/zero/rbac/role.yaml b/k8s/zero/rbac/role.yaml
new file mode 100644
index 000000000..25a7bd64c
--- /dev/null
+++ b/k8s/zero/rbac/role.yaml
@@ -0,0 +1,14 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pomerium-zero +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - patch + resourceNames: + - pomerium
diff --git a/k8s/zero/rbac/role_binding.yaml b/k8s/zero/rbac/role_binding.yaml
new file mode 100644
index 000000000..6f6bc3af5
--- /dev/null
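Review bot: The `tmp` emptyDir now backs `TMPDIR`, `XDG_CACHE_HOME` and `XDG_DATA_HOME`, which previously lived on a 100Mi PersistentVolumeClaim, but `emptyDir: {}` carries no cap, so cache growth is bounded only by node ephemeral storage (or by a pod ephemeral-storage limit in resources.yaml, which this hunk does not show). Setting `sizeLimit: 100Mi` under `emptyDir:` on the `tmp` volume keeps the bound the removed claim used to provide and turns runaway growth into an eviction of this pod rather than pressure on the node. The `readOnly: true` plus `optional: true` shape on the secret mount reads correctly for a file that is presumably only read at start-up, with updates going through the API per the env change.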
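Review bot: The new rbac directory is inconsistent in two small style points: this kustomization uses flush sequences (`- role.yaml`) while the root `k8s/zero/kustomization.yaml` in this commit appears to use indented ones, and only `role.yaml` opens with a `---` document marker while `role_binding.yaml` and `service_account.yaml` do not. Picking one sequence indent and one document-start convention across the three resource files and this kustomization keeps yamllint quiet and the directory diffable; e.g. `  - role.yaml` here and a leading `---` in all three resource files, or none.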
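Review bot: The Role grants only `patch` on the single secret `pomerium`, which is the right scope, but `patch` cannot create the object, while volumes.yaml mounts that same secret with `optional: true`; if the secret is absent on first start, the write-back will presumably fail with a not-found error instead of creating it, so the manifests should state that the secret must be pre-created (a `create` verb would be the alternative, and `resourceNames` cannot restrict it). A comment above `rules:` such as `# bootstrap write-back; the 'pomerium' secret must exist beforehand (patch cannot create it)` would capture that. The same comment should note that `patch` lets the workload overwrite any key in that secret, not just `bootstrap`, so nothing else sensitive should be stored in it.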
+++ b/k8s/zero/rbac/role_binding.yaml
@@ -0,0 +1,11 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pomerium-zero +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pomerium-zero +subjects: + - kind: ServiceAccount + name: pomerium-zero
diff --git a/k8s/zero/rbac/service_account.yaml b/k8s/zero/rbac/service_account.yaml
new file mode 100644
index 000000000..6ad260336
--- /dev/null
+++ b/k8s/zero/rbac/service_account.yaml
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pomerium-zero
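Review bot: The ServiceAccount subject under `subjects:` has no `namespace:`, and the API server requires one for subjects of kind ServiceAccount; this presumably works only because kustomize's namespace transformer fills in `subjects[].namespace` when the directory is built through the root kustomization with a namespace set. If the rbac directory is ever applied on its own, or that transformer is disabled, the binding is rejected, so either add the namespace explicitly or record the dependency with a comment such as `# subjects[].namespace is injected by the root kustomization`.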