ccollicutt

apiVersion: v1
kind: ConfigMap
metadata:
  name: hello-world-configmap
data:
  hello.py: |
    import logging
    import time
    import signal
    import sys

ccollicutt

set -euo pipefail
# Note that yq must be version above or equal to version 4.9.2 and below version 5.
# Processing TKG BOM file tkg-bom-v1.5.3.yaml

imgpkg copy -i projects.registry.vmware.com/tkg/tkg-bom:v1.5.3 --to-repo 10.0.26.249/tkg-1-5-3/tkg-bom --registry-ca-cert-path /tmp/cacrtbase64d.crt

imgpkg copy -i projects.registry.vmware.com/tkg/cluster-api/mic:v1.8.0_vmware.1 --to-repo 10.0.26.249/tkg-1-5-3/cluster-api/mic --registry-ca-cert-path /tmp/cacrtbase64d.crt

imgpkg copy -i projects.registry.vmware.com/tkg/cluster-api/nmi:v1.8.0_vmware.1 --to-repo 10.0.26.249/tkg-1-5-3/cluster-api/nmi --registry-ca-cert-path /tmp/cacrtbase64d.crt

ccollicutt

apiVersion: v1
kind: Service
metadata:
  name: http-echo
spec:
  ports:
  - port: 80
    targetPort: 5678
  selector:
    app: http-echo

ccollicutt

---

resources:

  - name: spring-petclinic-testing-branch
    type: git
    source:
      uri: ((spring-petclinic-repo-uri))
      icon: github
      branch: testing

ccollicutt

What does this GIST do or not do

1. Shows you how to use Istio 1.4 on Kubernetes 1.14+ with a modicum of runtime security for your workloads.
2. Specifically it installs Istio with CNI support, and allows the use of restrictive PodSecurityPolicies for your workloads.
3. It is designed for VMware PKS, but doesn't require it ... (just change the CNI bin dir and excluded namespaces in values-cni.yml, also swap the ClusterRole pks-privileged and pks-restricted mentioned throughout these files with your own PSP roles).
4. It doesn't fix the need for Istio itself to run as root, but that should be fixed in a future Istio release as it's already fixed in trunk.

Prerequisites

1. You are logged into your cluster as a cluster admin, K8s 1.14 at least

ccollicutt

#| WAN (gateway) Configuration:
#|  gateway:        ether1  (renamed with extension '-gateway');
#|  firewall:       enabled;
#|  NAT:            enabled;
#|  DHCP Client:    enabled;
#| 
#| LAN Configuration:
#|  LAN Port:       bridge-local;
#|  switch group:   ether6 (master), ether7, ether8, ether9, ether10
#|          (renamed with extensions '-master-local' and '-slave-local')

ccollicutt

root@kata:~/go/src/github.com/kata-containers/runtime# git log --format=%h -1 HEAD
5f7fcd7
root@kata:~/go/src/github.com/kata-containers/runtime# uname -a
Linux kata 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@kata:~/go/src/github.com/kata-containers/runtime# make test
     TEST    go-test
WARNING: Already running as root so will not re-run tests as non-root user.
WARNING: As a result, only a subset of tests will be run
WARNING: (run this script as a non-privileged to ensure all tests are run).
INFO: Currently running as user 'root'

ccollicutt

This notes applied to Kubernetes version 1.9.1-00 on Ubuntu Xenial.

Basic concept

TO BE WRITTEN

Installation and starting up 🏁

Installation

• Swap should be disabled (see /etc/fstab)

ccollicutt

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-dep
  labels:
    tier: frontend
  annotations:
    AppVersion: "3.4"
spec:
  replicas: 2

ccollicutt

Kubernetes Commands

Helper setup to edit .yaml files with Vim:

• VIM Setup for Yaml files

List of general purpose commands for Kubernetes management:

• PODS
• Create Deployments