diff --git a/bootstrap/terraform/kube-prometheus-stack-values.yaml b/bootstrap/terraform/kube-prometheus-stack-values.yaml
new file mode 100644
index 00000000..f5e8fd8e
--- /dev/null
+++ b/bootstrap/terraform/kube-prometheus-stack-values.yaml
@@ -0,0 +1,50 @@
+prometheus:
+ service:
+ type: "LoadBalancer"
+ additionalPodMonitors:
+ - name: "crossplane"
+ namespaceSelector:
+ matchNames:
+ - "crossplane-system"
+ podMetricsEndpoints:
+ - port: "metrics"
+ selector: {}
+grafana:
+ service:
+ type: "LoadBalancer"
+ resources:
+ requests:
+ cpu : "100m"
+ memory : "1Gi"
+ limits:
+ cpu: "1"
+ memory: "2Gi"
+ datasources:
+ datasources.yaml:
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ access: proxy
+ url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090/
+ isDefault: true
+ uid: prometheusdatasource
+ deleteDatasources:
+ - name: Prometheus
+ dashboardProviders:
+ dashboardproviders.yaml:
+ apiVersion: 1
+ providers:
+ - name: 'default'
+ orgId: 1
+ type: file
+ disableDeletion: false
+ editable: true
+ options:
+ path: /var/lib/grafana/dashboards/default
+ dashboards:
+ default:
+ crossplane:
+ gnetId: 19747
+ revision: 5
+ datasource: prometheusdatasource
\ No newline at end of file
diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf
index a1c3e89c..cc89231b 100644
--- a/bootstrap/terraform/main.tf
+++ b/bootstrap/terraform/main.tf
@@ -149,13 +149,7 @@ module "eks_blueprints_addons" { enable_kube_prometheus_stack = true enable_aws_load_balancer_controller = true kube_prometheus_stack = {
- values = [yamlencode({
- prometheus = {
- service = {
- type = "LoadBalancer"
- }
- }
- })]
+ values = [file("${path.module}/kube-prometheus-stack-values.yaml")]
 } depends_on = [module.eks.eks_managed_node_groups]
diff --git a/examples/gatekeeper/region-restrict/README.md b/examples/gatekeeper/region-restrict/README.md
new file mode 100644
index 00000000..da84d1ee
--- /dev/null
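Review bot: Both `service.type: "LoadBalancer"` settings in this file (under `prometheus.service` and `grafana.service`) carry no `loadBalancerSourceRanges` and no internal-scheme annotation, so on EKS each one provisions an internet-facing load balancer; Prometheus has no authentication of its own, and Grafana is reachable with the chart's documented default admin password unless `grafana.adminPassword` is overridden somewhere this hunk does not show. Restrict each service block, e.g. `loadBalancerSourceRanges: ["<trusted-cidr-placeholder>"]`, or keep the balancer private with `annotations: {service.beta.kubernetes.io/aws-load-balancer-scheme: internal}` — both keys are accepted under `prometheus.service` and `grafana.service` in kube-prometheus-stack, but confirm against the chart version pinned by the addons module. The removed inline values in main.tf already exposed Prometheus this way; this file extends the same exposure to Grafana. Minor style: `cpu : "100m"` and `memory : "1Gi"` under `requests` have a space before the colon, which YAML tolerates but which is inconsistent with the `limits` block beneath.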
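Review bot: `file()` hands the YAML to Helm as an opaque string, so a syntax error in kube-prometheus-stack-values.yaml is only reported when the release is rendered during apply, whereas the replaced `yamlencode({...})` form was validated by Terraform itself; `values = [yamlencode(yamldecode(file("${path.module}/kube-prometheus-stack-values.yaml")))]` keeps that plan-time check and is a one-line change. The enclosing `module "eks_blueprints_addons"` block starts and ends outside the hunk.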
+++ b/examples/gatekeeper/region-restrict/README.md
@@ -0,0 +1,13 @@
+### Restrict resources provisioning to specific regions
+
+This example covers a Gatekeeper policy that denies requests for resources
+provisioning in any region, except those that are explicitly allowed
+
+Examples and test cases are available under the `samples` directory.
+Tests can be ran using the [gator cli](https://open-policy-agent.github.io/gatekeeper/website/docs/gator/).
+
+To run tests for this example run:
+```bash
+cd examples/gatekeeper/region-restrict/
+gator verify . -v
+```
\ No newline at end of file
diff --git a/examples/gatekeeper/region-restrict/samples/constraint.yaml b/examples/gatekeeper/region-restrict/samples/constraint.yaml
new file mode 100644
index 00000000..dbfee130
--- /dev/null
+++ b/examples/gatekeeper/region-restrict/samples/constraint.yaml
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: AwsRegionRestrict
+metadata:
+ name: awsregionrestrict
+spec:
+ match:
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["*"]
+ parameters:
+ regions: ["eu-west-1", "eu-west-2"]
\ No newline at end of file
diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml
new file mode 100644
index 00000000..6ce5d65b
--- /dev/null
+++ b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml
@@ -0,0 +1,23 @@
+apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+kind: Table
+metadata:
+ name: sample-table
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ region: eu-west-2
+ attributeDefinitions:
+ - attributeName: id
+ attributeType: S
+ keySchema:
+ - attributeName: id
+ keyType: HASH
+ billingMode: PROVISIONED
+ provisionedThroughput:
+ readCapacityUnits: 1
+ writeCapacityUnits: 1
+ tags:
+ - key: "owner"
+ value: "finance"
+ providerConfigRef:
+ name: aws-provider-config
\ No newline at end of file
diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml
new file mode 100644
index 00000000..211eb5a4
--- /dev/null
+++ b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml
@@ -0,0 +1,24 @@
+apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+kind: Table
+metadata:
+ name: failing-table
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ region: us-east-1
+ attributeDefinitions:
+ - attributeName: id
+ attributeType: S
+ keySchema:
+ - attributeName: id
+ keyType: HASH
+ billingMode: PROVISIONED
+ provisionedThroughput:
+ readCapacityUnits: 1
+ writeCapacityUnits: 1
+ tags:
+ - key: "owner"
+ value: "finance"
+
+ providerConfigRef:
+ name: aws-provider-config
\ No newline at end of file
diff --git a/examples/gatekeeper/region-restrict/suite.yaml b/examples/gatekeeper/region-restrict/suite.yaml
new file mode 100644
index 00000000..acb2b34c
--- /dev/null
+++ b/examples/gatekeeper/region-restrict/suite.yaml
@@ -0,0 +1,17 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: awsregionrestrict-suite
+tests:
+- name: awsregionrestrict-suite
+ template: template.yaml
+ constraint: samples/constraint.yaml
+ cases:
+ - name: unauthorised region
+ object: samples/sample-table-us-east-1-fail.yaml
+ assertions:
+ - violations: yes
+ - name: authorised region
+ object: samples/sample-table-eu-west-2-pass.yaml
+ assertions:
+ - violations: no
\ No newline at end of file
diff --git a/examples/gatekeeper/region-restrict/template.yaml b/examples/gatekeeper/region-restrict/template.yaml
new file mode 100644
index 00000000..3b2be8d1
--- /dev/null
+++ b/examples/gatekeeper/region-restrict/template.yaml
@@ -0,0 +1,30 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: awsregionrestrict
+spec:
+ crd:
+ spec:
+ names:
+ kind: AwsRegionRestrict
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ regions:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package awsregionrestrict
+
+ import future.keywords
+
+ violation[{"msg": msg}] {
+ region := input.review.object.spec.forProvider.region
+ not region in input.parameters.regions
+ msg := sprintf("Attempting to provision the resource in '%s', which is not an authorised region. Authorised regions are: '%v'", [region, input.parameters.regions])
+ }
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/README.md b/examples/gatekeeper/required-tags/README.md
new file mode 100644
index 00000000..d965d420
--- /dev/null
+++ b/examples/gatekeeper/required-tags/README.md
@@ -0,0 +1,13 @@
+### Prevent provisioning resources that do not have the required tags
+
+This example covers a Gatekeeper policy that denies requests for provisioning
+resources without the required tags
+
+Examples and test cases are available under the `samples` directory.
+Tests can be ran using the [gator cli](https://open-policy-agent.github.io/gatekeeper/website/docs/gator/).
+
+To run tests for this example run:
+```bash
+cd examples/gatekeeper/required-tags/
+gator verify . -v
+```
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/constraint.yaml b/examples/gatekeeper/required-tags/samples/constraint.yaml
new file mode 100644
index 00000000..228bc4f6
--- /dev/null
+++ b/examples/gatekeeper/required-tags/samples/constraint.yaml
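Review bot: The single `violation` rule only fires when `spec.forProvider.region` is present, so a resource that omits `region` (and therefore inherits whatever default the ProviderConfig supplies) passes the policy untouched, and nothing in suite.yaml exercises that case; the rule is also not scoped to Crossplane AWS groups the way required-tags/template.yaml is, which matters because samples/constraint.yaml matches every apiGroup and kind. A second rule that denies AWS resources with no explicit region closes the bypass, but it needs an exemption set for the global-service kinds that legitimately carry no region (IAM and Route53 resources, for instance) — confirm which regionless kinds are in use before enabling it. Adding a `region`-less Table as a third `violations: yes` case in suite.yaml would pin the behaviour.
```yaml
    rego: |
      package awsregionrestrict

      import future.keywords

      # … unchanged: existing violation rule for a region outside the allow list …

      # Kinds that have no region by design; fill in before enabling the rule below.
      regionless_kinds := {"<exempt-kind-placeholder>"}

      # Deny AWS resources that set no region at all, so the allow list cannot be
      # bypassed by relying on the ProviderConfig default.
      violation[{"msg": msg}] {
        endswith(input.review.kind.group, "aws.crossplane.io")
        not startswith(input.review.kind.kind, "ProviderConfig")
        not input.review.kind.kind in regionless_kinds
        not input.review.object.spec.forProvider.region
        msg := sprintf("Attempting to provision the resource without an explicit region. Authorised regions are: '%v'", [input.parameters.regions])
      }
```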
@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: AwsRequiredTags
+metadata:
+ name: awsrequiredtags
+spec:
+ match:
+ kinds:
+ - apiGroups: ["*"]
+ kinds: ["*"]
+ parameters:
+ tags: ["owner"]
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml
new file mode 100644
index 00000000..683f3c01
--- /dev/null
+++ b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml
@@ -0,0 +1,23 @@
+apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+kind: Table
+metadata:
+ name: dummy-table
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ region: eu-west-2
+ attributeDefinitions:
+ - attributeName: id
+ attributeType: S
+ keySchema:
+ - attributeName: id
+ keyType: HASH
+ billingMode: PROVISIONED
+ provisionedThroughput:
+ readCapacityUnits: 1
+ writeCapacityUnits: 1
+ tags:
+ - key: "aaa"
+ value: "finance"
+ providerConfigRef:
+ name: aws-provider-config
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml
new file mode 100644
index 00000000..ecbc4a64
--- /dev/null
+++ b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml
@@ -0,0 +1,20 @@
+apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+kind: Table
+metadata:
+ name: dummy-table
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ region: eu-west-2
+ attributeDefinitions:
+ - attributeName: id
+ attributeType: S
+ keySchema:
+ - attributeName: id
+ keyType: HASH
+ billingMode: PROVISIONED
+ provisionedThroughput:
+ readCapacityUnits: 1
+ writeCapacityUnits: 1
+ providerConfigRef:
+ name: aws-provider-config
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml
new file mode 100644
index 00000000..29e4c5da
--- /dev/null
+++ b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml
@@ -0,0 +1,23 @@
+apiVersion: dynamodb.aws.crossplane.io/v1alpha1
+kind: Table
+metadata:
+ name: finance-table
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ region: eu-west-2
+ attributeDefinitions:
+ - attributeName: id
+ attributeType: S
+ keySchema:
+ - attributeName: id
+ keyType: HASH
+ billingMode: PROVISIONED
+ provisionedThroughput:
+ readCapacityUnits: 1
+ writeCapacityUnits: 1
+ tags:
+ - key: "owner"
+ value: "finance"
+ providerConfigRef:
+ name: aws-provider-config
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/suite.yaml b/examples/gatekeeper/required-tags/suite.yaml
new file mode 100644
index 00000000..379ecd4b
--- /dev/null
+++ b/examples/gatekeeper/required-tags/suite.yaml
@@ -0,0 +1,21 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+ name: awsrequiredtags-suite
+tests:
+- name: awsrequiredtags-suite
+ template: template.yaml
+ constraint: samples/constraint.yaml
+ cases:
+ - name: table with no tags
+ object: samples/dummy-table-no-tags-fail.yaml
+ assertions:
+ - violations: yes
+ - name: table with missing tags
+ object: samples/dummy-table-missing-tag-fail.yaml
+ assertions:
+ - violations: yes
+ - name: table with required tags
+ object: samples/finance-table-pass.yaml
+ assertions:
+ - violations: no
\ No newline at end of file
diff --git a/examples/gatekeeper/required-tags/template.yaml b/examples/gatekeeper/required-tags/template.yaml
new file mode 100644
index 00000000..b48bee7e
--- /dev/null
+++ b/examples/gatekeeper/required-tags/template.yaml
@@ -0,0 +1,38 @@
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+ name: awsrequiredtags
+spec:
+ crd:
+ spec:
+ names:
+ kind: AwsRequiredTags
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ type: object
+ properties:
+ tags:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package awsrequiredtags
+ import future.keywords.every
+
+ violation[{"msg": msg}] {
+ endswith(input.review.kind.group, "aws.crossplane.io")
+ not startswith(input.review.kind.kind, "ProviderConfig")
+ not input.review.object.spec.forProvider.tags
+ msg := sprintf("Attempting to provision a resource without tags, the following tags are required '%v'", [input.parameters.tags])
+ }
+
+ violation[{"msg": msg}] {
+ some requested_tag in input.parameters.tags
+ every i in input.review.object.spec.forProvider.tags {
+ requested_tag != i.key
+ }
+ msg := sprintf("Attempting to provision a resource with the following tags '%v', one or more of the required tags '%v' is missing", [input.review.object.spec.forProvider.tags, input.parameters.tags])
+ }
\ No newline at end of file
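Review bot: The second `violation` rule has none of the scoping the first rule applies, so it is evaluated for every kind the constraint matches (`apiGroups: ["*"]`, `kinds: ["*"]` in samples/constraint.yaml) rather than only Crossplane AWS resources; add the same two guards at the top of its body, `endswith(input.review.kind.group, "aws.crossplane.io")` and `not startswith(input.review.kind.kind, "ProviderConfig")`, so both rules agree on what they govern. The `every i in … { requested_tag != i.key }` comparison also fails open for any kind whose `forProvider.tags` is a map rather than a list of `key`/`value` objects: `i.key` is undefined there, `every` is false, and no violation is produced — tag shape is not uniform across Crossplane AWS kinds, so this is worth confirming against the kinds in use and either documenting in the README or covering with a suite case. The group suffix check likewise scopes the policy to nothing if an Upbound-flavoured provider (groups ending in `aws.upbound.io`) is installed instead of the community one; parameterising the suffix, or stating the assumption in a comment next to the `endswith` call, would make that explicit. The rule only checks for the presence of each required key, never its value, which matches the README's wording but may be worth a one-line comment so nobody expects an empty value to be rejected.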