OpsDigest ops-digest
ops-digest
/ disallow-pod-from-unapproved-registry.yaml
Last active
October 2, 2025 04:56
Reject pod with unapproved registry in Kubernetes #opsdigest #kubernetes #istio #rego #service_mesh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: constraints.gatekeeper.sh/v1beta1 | |
| kind: K8sAllowedRepos | |
| metadata: | |
| name: repo-is-gcr-or-docker | |
| spec: | |
| match: | |
| kinds: | |
| - apiGroups: [""] | |
| kinds: ["Pod"] | |
| parameters: |
ops-digest
/ istio-rego-policy-to-require-all-container-images-are-from-a-trusted-registry.yaml
Last active
October 2, 2025 04:57
requires all container images to come from a trusted registry #kubernetes #opsdigest #security #rego #istio #service_mesh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: templates.gatekeeper.sh/v1 | |
| kind: ConstraintTemplate | |
| metadata: | |
| name: k8sallowedrepos | |
| spec: | |
| crd: | |
| spec: | |
| names: | |
| kind: K8sAllowedRepos | |
| validation: |
ops-digest
/ istio-enforce_mtls.yaml
Last active
October 2, 2025 04:57
Yaml to enforce MTLS using istio #kubernetes #opsdigest #istio #service_mesh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: security.istio.io/v1beta1 | |
| kind: PeerAuthentication | |
| metadata: | |
| name: "default-strict-mtls" | |
| namespace: "app-staging" | |
| spec: | |
| mtls: | |
| mode: STRICT |
ops-digest
/ inject-istio-sidecar.sh
Created
October 1, 2025 10:27
Command to Inject Istio side to namespace #kubernetes #opsdigest #istio #service_mesh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| kubectl label namespace app-staging istio-injection=enabled |
ops-digest
/ download-istio.sh
Created
October 1, 2025 10:24
Bash script to download Istio #istio #opsdigest #kubernetes #service_mesh #security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Install Istio CLI | |
| curl -L https://istio.io/downloadIstio | sh - | |
| cd istio-*/ | |
| # Install Istio with a minimal profile to start | |
| bin/istioctl install --set profile=minimal -y |
ops-digest
/ network-policy-deny-on-specific-namespace.yaml
Created
October 1, 2025 10:22
Kubernetes NetworkPolicy to deny pod to pod traffic to a specific namesapce #opsdigest #kubernetes #NetworkPolicy #deny_traffic #security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: networking.k8s.io/v1 | |
| kind: NetworkPolicy | |
| metadata: | |
| name: default-deny-all | |
| namespace: app-staging | |
| spec: | |
| podSelector: {} # Selects all pods in the namespace | |
| policyTypes: | |
| - Ingress | |
| - Egress |
ops-digest
/ tightly-scoped-role-for-CI-CD-service-account.yaml
Last active
October 2, 2025 04:58
A tightly-scoped Kubernetes Role for a CI/CD pipeline service account #opsdigest #kubernetes #CI/CD #service_account #security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| namespace: app-staging | |
| name: cicd-deployer-role | |
| rules: | |
| - apiGroups: ["apps"] | |
| resources: ["deployments", "replicasets"] | |
| verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] | |
| - apiGroups: [""] |
ops-digest
/ Kyverno-policy.yaml
Last active
October 2, 2025 04:58
Kyverno policy to block `latest` tag - #opsdigest #devops #Kyverno #security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: kyverno.io/v1 | |
| kind: ClusterPolicy | |
| metadata: | |
| name: disallow-latest-tag | |
| spec: | |
| validationFailureAction: Enforce | |
| rules: | |
| - name: require-image-tag | |
| match: | |
| any: |
ops-digest
/ istio-authorization-policy.yaml
Created
October 1, 2025 09:50
AuthorizationPolicy for Istio #devops #istio #security #kubernetes
ops-digest
/ kube-apiserver-flags-for-oidc
Created
September 30, 2025 15:02
📄 Configuration Snippet: kube-apiserver Flags for OIDC. #opsdigest #kubernentes #apiserver #oidc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --oidc-issuer-url=https://issuer.your-idp.com | |
| --oidc-client-id=kubernetes | |
| --oidc-username-claim=email | |
| --oidc-groups-claim=groups |
NewerOlder