From c84a251c933dd674211d0a96605e56abcb63fde1 Mon Sep 17 00:00:00 2001 From: Denis Mishin Date: Mon, 8 Jan 2024 12:08:14 -0500 Subject: [PATCH] zero/k8s: deployment manifests (#4763) * zero/k8s: deployment manifests * convert to statefulset so that it has persistent volume claim * use standard ports to avoid config customization for k8s * add XDG_DATA_HOME mapping --- k8s/zero/.gitignore | 1 + k8s/zero/README.md | 43 +++++++++++++++++++++++ k8s/zero/deployment/base.yaml | 15 ++++++++ k8s/zero/deployment/env.yaml | 25 +++++++++++++ k8s/zero/deployment/image.yaml | 12 +++++++ k8s/zero/deployment/kustomization.yaml | 10 ++++++ k8s/zero/deployment/no-root.yaml | 22 ++++++++++++ k8s/zero/deployment/ports.yaml | 19 ++++++++++ k8s/zero/deployment/readonly-root-fs.yaml | 11 ++++++ k8s/zero/deployment/resources.yaml | 16 +++++++++ k8s/zero/deployment/volumes.yaml | 34 ++++++++++++++++++ k8s/zero/kustomization.yaml | 7 ++++ k8s/zero/namespace.yaml | 4 +++ k8s/zero/pomerium-secret.yaml.example | 8 +++++ k8s/zero/service/kustomization.yaml | 2 ++ k8s/zero/service/proxy.yaml | 15 ++++++++ 16 files changed, 244 insertions(+) create mode 100644 k8s/zero/.gitignore create mode 100644 k8s/zero/README.md create mode 100644 k8s/zero/deployment/base.yaml create mode 100644 k8s/zero/deployment/env.yaml create mode 100644 k8s/zero/deployment/image.yaml create mode 100644 k8s/zero/deployment/kustomization.yaml create mode 100644 k8s/zero/deployment/no-root.yaml create mode 100644 k8s/zero/deployment/ports.yaml create mode 100644 k8s/zero/deployment/readonly-root-fs.yaml create mode 100644 k8s/zero/deployment/resources.yaml create mode 100644 k8s/zero/deployment/volumes.yaml create mode 100644 k8s/zero/kustomization.yaml create mode 100644 k8s/zero/namespace.yaml create mode 100644 k8s/zero/pomerium-secret.yaml.example create mode 100644 k8s/zero/service/kustomization.yaml create mode 100644 k8s/zero/service/proxy.yaml 
diff --git a/k8s/zero/.gitignore b/k8s/zero/.gitignore new file mode 100644 index 000000000..b2ca1171a --- /dev/null +++ b/k8s/zero/.gitignore @@ -0,0 +1 @@ +pomerium-secret.yaml diff --git a/k8s/zero/README.md b/k8s/zero/README.md new file mode 100644 index 000000000..f944acc32 --- /dev/null +++ b/k8s/zero/README.md @@ -0,0 +1,43 @@ +# Installing Pomerium Zero + +Visit https://console.pomerium.app and register for an account. + +# Install base pomerium zero + +```shell +kubectl apply -k https://github.com/pomerium/pomerium/k8s/zero?ref=main +``` + +(that would install an evergreen `main`) + +# Create a secret with Pomerium Zero token to complete your installation + +```yaml filename="pomerium-secret.yaml" +apiVersion: v1 +kind: Secret +metadata: + name: pomerium + namespace: pomerium-zero +type: Opaque +stringData: + pomerium_zero_token: +``` + +```shell +kubectl apply -f pomerium-secret.yaml +``` + +Now your Pomerium deployment should be up and running. + +# Update Pomerium cluster configuration + +1. The externally available address of your Pomerium Cluster should be set to the value assigned by your Load Balancer: + +```shell +kubectl get svc/pomerium-proxy -n pomerium-zero -o=jsonpath='{.status.loadBalancer.ingress[0].ip}' +``` + +2. Because container is configured to run as non-root, the following should be adjusted: + +- http redirect address set to `:8080` +- server address set to `:8443` diff --git a/k8s/zero/deployment/base.yaml b/k8s/zero/deployment/base.yaml new file mode 100644 index 000000000..ece3b8337 --- /dev/null +++ b/k8s/zero/deployment/base.yaml @@ -0,0 +1,15 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + serviceName: "pomerium-proxy" + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: pomerium-zero + template: + spec: + containers: + - name: pomerium + terminationGracePeriodSeconds: 10 
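Review bot: `serviceName: "pomerium-proxy"` in base.yaml names the LoadBalancer Service from service/proxy.yaml, not a headless Service; a StatefulSet's `serviceName` is meant to identify the headless Service that gives pods stable per-pod DNS names, so `pomerium-0.pomerium-proxy` will not resolve with this setup. At `replicas: 1` that is harmless, but a comment such as `# serviceName is required by the StatefulSet API; no headless Service is defined, per-pod DNS is not used` would spare the next reader the question. Indentation was lost in this rendering, so I cannot confirm that `terminationGracePeriodSeconds: 10` sits at the pod-spec level rather than inside the container entry; if it is nested under `containers`, the API server rejects the object at apply time, so this is worth checking against the file itself.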
diff --git a/k8s/zero/deployment/env.yaml b/k8s/zero/deployment/env.yaml new file mode 100644 index 000000000..c0ad02eb1 --- /dev/null +++ b/k8s/zero/deployment/env.yaml @@ -0,0 +1,25 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + template: + spec: + containers: + - name: pomerium + env: + - name: POMERIUM_ZERO_TOKEN + valueFrom: + secretKeyRef: + name: pomerium + key: pomerium_zero_token + optional: false + - name: POMERIUM_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP diff --git a/k8s/zero/deployment/image.yaml b/k8s/zero/deployment/image.yaml new file mode 100644 index 000000000..ea4fb07cc --- /dev/null +++ b/k8s/zero/deployment/image.yaml @@ -0,0 +1,12 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + replicas: 1 + template: + spec: + containers: + - name: pomerium + image: pomerium/pomerium:main + imagePullPolicy: Always diff --git a/k8s/zero/deployment/kustomization.yaml b/k8s/zero/deployment/kustomization.yaml new file mode 100644 index 000000000..daa4b2a50 --- /dev/null +++ b/k8s/zero/deployment/kustomization.yaml @@ -0,0 +1,10 @@ +resources: + - base.yaml +patchesStrategicMerge: + - env.yaml + - image.yaml + - ports.yaml + - resources.yaml + - no-root.yaml + - readonly-root-fs.yaml + - volumes.yaml diff --git a/k8s/zero/deployment/no-root.yaml b/k8s/zero/deployment/no-root.yaml new file mode 100644 index 000000000..f00cb3746 --- /dev/null +++ b/k8s/zero/deployment/no-root.yaml @@ -0,0 +1,22 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + template: + spec: + securityContext: + fsGroup: 1000 + runAsNonRoot: true + runAsGroup: 1000 + runAsUser: 1000 + sysctls: + - name: net.ipv4.ip_unprivileged_port_start + value: "80" + containers: + - name: pomerium + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL 
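Review bot: The two `fieldRef` entries in env.yaml are written inconsistently — `POMERIUM_NAMESPACE` carries `apiVersion: v1` while `POD_IP` omits it (it defaults to v1 either way), and `optional: false` on the `secretKeyRef` restates the default. Drop `apiVersion: v1` from the first or add it to the second so the block reads uniformly; keeping `optional: false` is reasonable as an explicit statement that the pod must not start without the token, and a comment `# optional: false is the default; stated so the pod fails fast without a token` would make that intent visible.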
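Review bot: `image: pomerium/pomerium:main` together with `imagePullPolicy: Always` in image.yaml pins nothing — every pod restart pulls whatever the mutable `main` tag points at that minute, so the code running in the cluster can change with no manifest change and no review, and a broken or tampered push to that tag reaches every cluster that applied this kustomization. The README in this commit presents that as an "evergreen `main`" install, so it is intentional for evaluation use, but for anything else the reference should be a release tag or, better, an immutable digest (`image: pomerium/pomerium@sha256:<digest-placeholder>`), with an `images:` override in the top-level kustomization as the documented way to change it. At minimum a comment above the line, `# mutable tag, not reproducible: pin to a release tag or digest for production`, records the trade-off where it will be seen.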
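Review bot: `patchesStrategicMerge` in deployment/kustomization.yaml is deprecated in kustomize v5 (still honoured, but with a warning on every build, and recent kubectl releases bundle v5); the replacement is a `patches:` list where each `- env.yaml` entry becomes `- path: env.yaml`, a mechanical rewrite of the same seven lines. The order of the list matters because the patches apply sequentially and both no-root.yaml and readonly-root-fs.yaml write into the same container `securityContext`; strategic merge combines them, but a comment `# applied in order; no-root and readonly-root-fs both extend the container securityContext` would make that dependency explicit.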
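Review bot: The pod `securityContext` in no-root.yaml is one field short of the Pod Security Standards `restricted` profile: `seccompProfile` is not set, so unless the cluster enables a default seccomp profile the container runs with no syscall filter at all. Adding `seccompProfile:` / `  type: RuntimeDefault` alongside `runAsNonRoot: true` closes that gap, and the rest of the block (`allowPrivilegeEscalation: false`, `drop: [ALL]`, non-zero uid/gid) already meets the profile. The `net.ipv4.ip_unprivileged_port_start` sysctl is on the kubelet's safe list, so it is admissible under `restricted`, but that is only true on reasonably current Kubernetes versions, so a comment `# safe sysctl; lets the non-root process bind 80/443 without NET_BIND_SERVICE` would document both the purpose and the version expectation. `runAsUser: 1000` presumably matches the uid the image is built for — worth confirming against the Dockerfile, since the volumes in volumes.yaml rely on `fsGroup: 1000` for write access.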
diff --git a/k8s/zero/deployment/ports.yaml b/k8s/zero/deployment/ports.yaml new file mode 100644 index 000000000..08181d539 --- /dev/null +++ b/k8s/zero/deployment/ports.yaml @@ -0,0 +1,19 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + template: + spec: + containers: + - name: pomerium + ports: + - containerPort: 443 + name: https + protocol: TCP + - name: http + containerPort: 80 + protocol: TCP + - name: metrics + containerPort: 9090 + protocol: TCP diff --git a/k8s/zero/deployment/readonly-root-fs.yaml b/k8s/zero/deployment/readonly-root-fs.yaml new file mode 100644 index 000000000..7c5c98641 --- /dev/null +++ b/k8s/zero/deployment/readonly-root-fs.yaml @@ -0,0 +1,11 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + template: + spec: + containers: + - name: pomerium + securityContext: + readOnlyRootFilesystem: true diff --git a/k8s/zero/deployment/resources.yaml b/k8s/zero/deployment/resources.yaml new file mode 100644 index 000000000..bad226505 --- /dev/null +++ b/k8s/zero/deployment/resources.yaml @@ -0,0 +1,16 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + template: + spec: + containers: + - name: pomerium + resources: + limits: + cpu: 5000m + memory: 1Gi + requests: + cpu: 300m + memory: 200Mi diff --git a/k8s/zero/deployment/volumes.yaml b/k8s/zero/deployment/volumes.yaml new file mode 100644 index 000000000..871df36bf --- /dev/null +++ b/k8s/zero/deployment/volumes.yaml 
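Review bot: ports.yaml declares the container on 80 and 443 (made bindable by the sysctl in no-root.yaml), but the README added in this same commit still tells the operator to move the HTTP redirect address to `:8080` and the server address to `:8443` "because container is configured to run as non-root" — following that advice leaves the Service's `targetPort: http` / `targetPort: https` pointing at ports nothing listens on. The commit message says standard ports were chosen precisely to avoid that customization, so that README section should be removed or rewritten to match. Separately, the `metrics` port on 9090 is declared here but deliberately not exposed by service/proxy.yaml, which is the right default for an unauthenticated metrics endpoint; a comment `# metrics is intentionally not exposed by service/proxy.yaml` keeps it that way on purpose rather than by accident.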
@@ -0,0 +1,34 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: pomerium +spec: + template: + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + - name: pomerium + env: + - name: TMPDIR + value: "/tmp/pomerium" + - name: XDG_CACHE_HOME + value: "/var/cache" + - name: XDG_DATA_HOME + value: "/var/cache" + volumeMounts: + - mountPath: "/tmp/pomerium" + name: tmp + - mountPath: "/var/cache" + name: pomerium-cache + volumes: + - name: tmp + emptyDir: {} + volumeClaimTemplates: + - metadata: + name: pomerium-cache + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 100Mi diff --git a/k8s/zero/kustomization.yaml b/k8s/zero/kustomization.yaml new file mode 100644 index 000000000..bed5cf7ed --- /dev/null +++ b/k8s/zero/kustomization.yaml @@ -0,0 +1,7 @@ +namespace: pomerium-zero +commonLabels: + app.kubernetes.io/name: pomerium-zero +resources: + - namespace.yaml + - ./deployment + - ./service diff --git a/k8s/zero/namespace.yaml b/k8s/zero/namespace.yaml new file mode 100644 index 000000000..2fd27e429 --- /dev/null +++ b/k8s/zero/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: pomerium-zero diff --git a/k8s/zero/pomerium-secret.yaml.example b/k8s/zero/pomerium-secret.yaml.example new file mode 100644 index 000000000..abe06f179 --- /dev/null +++ b/k8s/zero/pomerium-secret.yaml.example @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: pomerium + namespace: pomerium-zero +type: Opaque +stringData: + pomerium_zero_token: YOUR_TOKEN_HERE diff --git a/k8s/zero/service/kustomization.yaml b/k8s/zero/service/kustomization.yaml new file mode 100644 index 000000000..a9e08b914 --- /dev/null +++ b/k8s/zero/service/kustomization.yaml @@ -0,0 +1,2 @@ +resources: + - proxy.yaml diff --git a/k8s/zero/service/proxy.yaml b/k8s/zero/service/proxy.yaml new file mode 100644 index 000000000..3e1df1f5e --- /dev/null +++ b/k8s/zero/service/proxy.yaml 
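Review bot: `emptyDir: {}` for the `tmp` volume in volumes.yaml has no `sizeLimit`, and with `readOnlyRootFilesystem: true` it is the only unbounded writable path in the pod, so a runaway temp file consumes node ephemeral storage instead of hitting a known ceiling; `emptyDir:` / `  sizeLimit: 256Mi` (constructed example, size it to the workload) gives the kubelet a bound to evict on. `XDG_CACHE_HOME` and `XDG_DATA_HOME` both point at the same 100Mi claim, which works but means cache churn and persistent data share one quota — a comment on why one volume serves both would help whoever later sizes it. The `nodeSelector` is an odd resident of a file named volumes.yaml and reads better in base.yaml, and `accessModes: [ "ReadWriteOnce" ]` is the only flow-style collection in the manifests; block style with `- ReadWriteOnce` matches the rest.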
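Review bot: `commonLabels` in the top-level kustomization.yaml is deprecated in kustomize v5 in favour of `labels:` with `includeSelectors: true`, and the distinction matters here: service/proxy.yaml has no `selector:` of its own, so `commonLabels` is what wires the Service to the pods. Anyone migrating this to `labels:` without `includeSelectors: true` would silently get a Service with no endpoints. A comment `# also injected into the Service selector and StatefulSet matchLabels; keep includeSelectors semantics` next to the label would preserve that when the field is eventually migrated.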
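Review bot: namespace.yaml carries no Pod Security Admission labels, so nothing in the cluster prevents a later patch from quietly undoing the hardening in no-root.yaml and readonly-root-fs.yaml. The workload already nearly satisfies the `restricted` profile (only `seccompProfile` is missing), so adding `labels:` / `  pod-security.kubernetes.io/enforce: restricted` under `metadata` lets the admission controller enforce what the manifests already express. If the deployment cannot meet `restricted` on every target cluster yet, `enforce: baseline` with `warn: restricted` is the usual stepping stone and surfaces regressions at apply time without blocking.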
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: pomerium-proxy +spec: + type: LoadBalancer + ports: + - port: 443 + targetPort: https + protocol: TCP + name: https + - name: http + targetPort: http + protocol: TCP + port: 80
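Review bot: service/proxy.yaml relies on the default `externalTrafficPolicy: Cluster`, under which most LoadBalancer implementations SNAT the client address to a node IP before it reaches the pod; for an access proxy that logs and may authorize by client IP, that discards exactly the information it needs, and `externalTrafficPolicy: Local` preserves it (its usual downside, uneven spreading across nodes, is moot at `replicas: 1`). The Service also has no `selector:` in this file — it is injected by `commonLabels` in the top-level kustomization — which deserves a comment, since applying proxy.yaml on its own yields a Service with no endpoints. Port 80 next to 443 is presumably there for the HTTP-to-HTTPS redirect; a comment saying so, `# port 80 only serves the HTTPS redirect`, stops someone trimming it as an unintended plaintext exposure.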