Agraj Mangal agrajm
agrajm
/ spboot-internal-svc.yaml
Created
May 4, 2021 02:43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Service | |
| metadata: | |
| name: spboot-svc | |
| namespace: spboot-app | |
| annotations: | |
| service.beta.kubernetes.io/azure-load-balancer-internal: "true" | |
| spec: | |
| type: LoadBalancer | |
| selector: |
agrajm
/ aks-subnet-ignore-pe.tf
Created
May 3, 2021 15:56
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_subnet" "akssubnet" { | |
| name = var.aks-subnet-name | |
| ... | |
| lifecycle { | |
| ignore_changes = [enforce_private_link_endpoint_network_policies] | |
| } | |
| } |
agrajm
/ stripped-aks-outboundtype-egress.tf
Created
April 30, 2021 15:55
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| resource "azurerm_kubernetes_cluster" "aks" { | |
| ... | |
| network_profile { | |
| ... | |
| network_plugin = "azure" # for Azure CNI | |
| # Default value is LoadBalancer. Changed to userDefinedRouting to force all egress traffic through Firewall | |
| outbound_type = "userDefinedRouting" | |
| } |
agrajm
/ udr-aks-subnet-firewall.tf
Created
April 30, 2021 15:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Route table: UDR for AKS Subnet to force traffic via Firewall | |
| resource "azurerm_route_table" "rt" { | |
| name = var.rt_name | |
| location = azurerm_resource_group.core.location | |
| resource_group_name = azurerm_resource_group.core.name | |
| disable_bgp_route_propagation = false | |
| route { | |
| name = "kubenetfw_fw_r" | |
| address_prefix = "0.0.0.0/0" |
agrajm
/ dnsutils.yaml
Created
April 26, 2021 09:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: dnsutils | |
| namespace: default | |
| spec: | |
| containers: | |
| - name: dnsutils | |
| image: gcr.io/kubernetes-e2e-test-images/dnsutils:1.3 | |
| command: |
agrajm
/ sql-private-endpoint.tf
Created
April 26, 2021 06:04
Enabling Private Endpoint for SQL Server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Private Endpoint | |
| resource "azurerm_private_endpoint" "sqlplink" { | |
| name = "pe-sql-spboot" | |
| location = azurerm_resource_group.core.location | |
| resource_group_name = azurerm_resource_group.core.name | |
| subnet_id = azurerm_subnet.privateepsubnet.id | |
| private_service_connection { | |
| name = "sqlprivatelink" | |
| is_manual_connection = "false" |
agrajm
/ unprivileged-pod.yaml
Created
April 19, 2021 13:08
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: nginx-unprivileged | |
| spec: | |
| containers: | |
| - name: nginx-unprivileged | |
| image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine |
agrajm
/ privileged-pod.yaml
Created
April 19, 2021 13:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: Pod | |
| metadata: | |
| name: nginx-privileged | |
| spec: | |
| containers: | |
| - name: nginx-privileged | |
| image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine | |
| securityContext: | |
| privileged: true |
agrajm
/ constraint.yaml
Created
April 19, 2021 05:59
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: constraints.gatekeeper.sh/v1beta1 | |
| kind: K8sAzureContainerNoPrivilege | |
| metadata: | |
| name: container-no-privilege | |
| spec: | |
| match: | |
| kinds: | |
| - apiGroups: [""] | |
| kinds: ["Pod"] |
agrajm
/ constrainttemplate.yaml
Created
April 19, 2021 05:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: templates.gatekeeper.sh/v1beta1 | |
| kind: ConstraintTemplate | |
| metadata: | |
| name: k8sazurecontainernoprivilege | |
| spec: | |
| crd: | |
| spec: | |
| names: | |
| kind: K8sAzureContainerNoPrivilege | |
| listKind: K8sAzureContainerNoPrivilegeList |
NewerOlder