Let's play around with persistent volumes on GKE.
$ gcloud init
<output_omitted>
Vagrant.configure("2") do |config| | |
config.vm.box = "bento/ubuntu-18.04" | |
config.vm.hostname = "node1" | |
config.vm.provision "shell", inline: <<-SHELL | |
# https://docs.docker.com/engine/install/ubuntu/ | |
apt-get update | |
apt-get install -y \ | |
apt-transport-https \ | |
ca-certificates \ |
apiVersion: audit.k8s.io/v1 | |
kind: Policy | |
rules: | |
# high-volume and low-risk | |
- level: None | |
users: ["system:kube-proxy"] | |
verbs: ["watch"] | |
resources: | |
- group: "" # core | |
resources: ["endpoints", "services", "services/status"] |
--- | |
apiVersion: v1 | |
kind: ServiceAccount | |
metadata: | |
name: vault-secrets-store-csi-driver-upgrade-crds | |
namespace: default | |
labels: | |
app.kubernetes.io/instance: "csi" | |
app.kubernetes.io/name: "secrets-store-csi-driver" | |
app.kubernetes.io/version: "1.2.4" |
302 :) This tutorial has been permanently moved to https://deployment.properties/posts/devsecops/workload-identity-getting-started/
This content has been permanently moved to https://deployment.properties/posts/devsecops/vault-eks-irsa/
This gist is the Terraform configuration for the previous tutorial on HashiCorp Vault AWS Auth with Amazon EKS and IAM Roles for Service Accounts.
This Terraform configuration replaces all the AWS and Vault CLI commands in the previous tutorial.
Before running the next steps, make sure you have started Vault and ngrok locally. Take a look at the previous tutorial for more details.
This is an example of how to create a GKE cluster with some sensible defaults and best practices for security.
Please note that this example contains the minimum security configuration you can get without impacting other features, requiring additional network config, or installing third-party tools.
Security items covered in this example:
package br.com.soeirosantos.twitter | |
import com.github.kittinunf.fuel.Fuel | |
import com.github.kittinunf.fuel.core.ResponseDeserializable | |
import com.google.gson.Gson | |
import org.slf4j.Logger | |
import org.slf4j.LoggerFactory | |
import twitter4j.* | |
import java.io.File | |
import kotlin.math.roundToInt |