From 10464a7a4aa9cc0fdd55f2cc8ff09302640b2c89 Mon Sep 17 00:00:00 2001 From: 7navyasa <140163168+7navyasa@users.noreply.github.com> Date: Tue, 26 Sep 2023 13:04:22 +1000 Subject: [PATCH 1/3] Adding Management Policies as Enabled for AWS-Upbound and AWS Providers (#152) * management policies addition * management policies removal from K8-provider --- .../terraform/providers/aws-upbound/controller-config.yaml | 1 + bootstrap/terraform/providers/aws/controller-config.yaml | 1 + bootstrap/terraform/providers/kubernetes/controller-config.yaml | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/bootstrap/terraform/providers/aws-upbound/controller-config.yaml b/bootstrap/terraform/providers/aws-upbound/controller-config.yaml index 6806bfd8..351d1e92 100644 --- a/bootstrap/terraform/providers/aws-upbound/controller-config.yaml +++ b/bootstrap/terraform/providers/aws-upbound/controller-config.yaml @@ -11,3 +11,4 @@ spec: fsGroup: 2000 args: - --debug + - --enable-management-policies diff --git a/bootstrap/terraform/providers/aws/controller-config.yaml b/bootstrap/terraform/providers/aws/controller-config.yaml index ea416165..4fe55ff5 100644 --- a/bootstrap/terraform/providers/aws/controller-config.yaml +++ b/bootstrap/terraform/providers/aws/controller-config.yaml @@ -9,3 +9,4 @@ spec: fsGroup: 2000 args: - --debug + - --enable-management-policies diff --git a/bootstrap/terraform/providers/kubernetes/controller-config.yaml b/bootstrap/terraform/providers/kubernetes/controller-config.yaml index ebb41ac7..17cf9465 100644 --- a/bootstrap/terraform/providers/kubernetes/controller-config.yaml +++ b/bootstrap/terraform/providers/kubernetes/controller-config.yaml @@ -5,4 +5,4 @@ metadata: spec: serviceAccountName: ${sa-name} args: - - --debug + - --debug \ No newline at end of file From 3bd9bb36d0749d6570ebece9018216560d577ae9 Mon Sep 17 00:00:00 2001 
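Review bot: The `--enable-management-policies` arg added to the aws-upbound and aws ControllerConfigs switches on an alpha Crossplane feature without any note on what it depends on; as far as I know the provider-side flag only has an effect when the core Crossplane deployment is started with the matching flag, so I would put `# alpha feature: the core Crossplane pod must run with the same flag for this to take effect` above the new list item in both files. Both hunks also keep `- --debug` right next to it, so every AWS provider in this bootstrap runs with verbose reconcile logging; a comment stating that this is intentional for a demo bootstrap (or a note to drop it for shared environments) would stop it being copied blindly. The `spec:` block of each ControllerConfig begins above the hunk, and the kubernetes-provider hunk is newline-only and needs nothing.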
From: candonov <25967713+candonov@users.noreply.github.com> Date: Fri, 13 Oct 2023 11:58:25 -0700 Subject: [PATCH 2/3] feat: grafana updates and dashboard (#154) --- .../kube-prometheus-stack-values.yaml | 50 +++++++++++++++++++ bootstrap/terraform/main.tf | 8 +-- 2 files changed, 51 insertions(+), 7 deletions(-) create mode 100644 bootstrap/terraform/kube-prometheus-stack-values.yaml diff --git a/bootstrap/terraform/kube-prometheus-stack-values.yaml b/bootstrap/terraform/kube-prometheus-stack-values.yaml new file mode 100644 index 00000000..f5e8fd8e --- /dev/null +++ b/bootstrap/terraform/kube-prometheus-stack-values.yaml @@ -0,0 +1,50 @@ +prometheus: + service: + type: "LoadBalancer" + additionalPodMonitors: + - name: "crossplane" + namespaceSelector: + matchNames: + - "crossplane-system" + podMetricsEndpoints: + - port: "metrics" + selector: {} +grafana: + service: + type: "LoadBalancer" + resources: + requests: + cpu : "100m" + memory : "1Gi" + limits: + cpu: "1" + memory: "2Gi" + datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: Prometheus + type: prometheus + access: proxy + url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090/ + isDefault: true + uid: prometheusdatasource + deleteDatasources: + - name: Prometheus + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default + dashboards: + default: + crossplane: + gnetId: 19747 + revision: 5 + datasource: prometheusdatasource \ No newline at end of file diff --git a/bootstrap/terraform/main.tf b/bootstrap/terraform/main.tf index b3b3bdc5..6802f603 100644 --- a/bootstrap/terraform/main.tf +++ b/bootstrap/terraform/main.tf 
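Review bot: Both `prometheus.service.type` and the newly added `grafana.service.type` are `"LoadBalancer"` with no source restriction, which on EKS provisions internet-facing load balancers in front of an unauthenticated Prometheus API and of Grafana, whose admin credential stays at the chart's well-known default unless `adminPassword` is overridden somewhere outside this file (nothing here sets it). At minimum make the balancers internal and bound the callers, e.g. under each `service:` add `annotations: {service.beta.kubernetes.io/aws-load-balancer-internal: "true"}` and `loadBalancerSourceRanges: ["<ALLOWED_CIDR_PLACEHOLDER>"]`, or use `ClusterIP` and reach the UIs via port-forward or an authenticated ingress. The `additionalPodMonitors` entry uses `selector: {}`, so every pod in `crossplane-system` exposing a `metrics` port is scraped; that looks deliberate but deserves a one-line comment. The dashboard is fetched from grafana.com by `gnetId`/`revision` at runtime, which means the Grafana pod needs egress to grafana.com; pinning the revision is the right call and a comment should say that is why it is pinned.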
@@ -148,13 +148,7 @@ module "eks_blueprints_addons" { enable_metrics_server = true enable_kube_prometheus_stack = true kube_prometheus_stack = { - values = [yamlencode({ - prometheus = { - service = { - type = "LoadBalancer" - } - } - })] + values = [file("${path.module}/kube-prometheus-stack-values.yaml")] } depends_on = [module.eks.eks_managed_node_groups] From 97174af28b9403b218f22c7847a935e0b961df2c Mon Sep 17 00:00:00 2001 
From: Islam Mahgoub <87230837+iamahgoub@users.noreply.github.com> Date: Fri, 20 Oct 2023 03:33:48 +0100 Subject: [PATCH 3/3] Additional gatekeeper policies (#155) * adding a gatekeeper policy for restricting AWS regions resources can be deployed into * adding a gatekeeper policy for preventing provisioning without the required tags --- examples/gatekeeper/region-restrict/README.md | 13 +++++++ .../region-restrict/samples/constraint.yaml | 11 ++++++ .../samples/sample-table-eu-west-2-pass.yaml | 23 +++++++++++ .../samples/sample-table-us-east-1-fail.yaml | 24 ++++++++++++ .../gatekeeper/region-restrict/suite.yaml | 17 +++++++++ .../gatekeeper/region-restrict/template.yaml | 30 +++++++++++++++ examples/gatekeeper/required-tags/README.md | 13 +++++++ .../required-tags/samples/constraint.yaml | 11 ++++++ .../samples/dummy-table-missing-tag-fail.yaml | 23 +++++++++++ .../samples/dummy-table-no-tags-fail.yaml | 20 ++++++++++ .../samples/finance-table-pass.yaml | 23 +++++++++++ examples/gatekeeper/required-tags/suite.yaml | 21 ++++++++++ .../gatekeeper/required-tags/template.yaml | 38 +++++++++++++++++++ 13 files changed, 267 insertions(+) create mode 100644 examples/gatekeeper/region-restrict/README.md create mode 100644 examples/gatekeeper/region-restrict/samples/constraint.yaml create mode 100644 examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml create mode 100644 examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml create mode 100644 examples/gatekeeper/region-restrict/suite.yaml create mode 100644 examples/gatekeeper/region-restrict/template.yaml create mode 100644 examples/gatekeeper/required-tags/README.md create mode 100644 examples/gatekeeper/required-tags/samples/constraint.yaml create mode 100644 examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml create mode 100644 examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml create mode 100644 
examples/gatekeeper/required-tags/samples/finance-table-pass.yaml create mode 100644 examples/gatekeeper/required-tags/suite.yaml create mode 100644 examples/gatekeeper/required-tags/template.yaml diff --git a/examples/gatekeeper/region-restrict/README.md b/examples/gatekeeper/region-restrict/README.md new file mode 100644 index 00000000..da84d1ee --- /dev/null +++ b/examples/gatekeeper/region-restrict/README.md @@ -0,0 +1,13 @@ +### Restrict resources provisioning to specific regions + +This example covers a Gatekeeper policy that denies requests for resources +provisioning in any region, except those that are explicitly allowed + +Examples and test cases are available under the `samples` directory. +Tests can be ran using the [gator cli](https://open-policy-agent.github.io/gatekeeper/website/docs/gator/). + +To run tests for this example run: +```bash +cd examples/gatekeeper/region-restrict/ +gator verify . -v +``` \ No newline at end of file diff --git a/examples/gatekeeper/region-restrict/samples/constraint.yaml b/examples/gatekeeper/region-restrict/samples/constraint.yaml new file mode 100644 index 00000000..dbfee130 --- /dev/null +++ b/examples/gatekeeper/region-restrict/samples/constraint.yaml @@ -0,0 +1,11 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: AwsRegionRestrict +metadata: + name: awsregionrestrict +spec: + match: + kinds: + - apiGroups: ["*"] + kinds: ["*"] + parameters: + regions: ["eu-west-1", "eu-west-2"] \ No newline at end of file diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml new file mode 100644 index 00000000..6ce5d65b --- /dev/null +++ b/examples/gatekeeper/region-restrict/samples/sample-table-eu-west-2-pass.yaml 
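Review bot: The constraint's `match.kinds` uses `apiGroups: ["*"]` and `kinds: ["*"]`, so this policy is evaluated on every admission request in the cluster and whether an object is in scope is decided implicitly by the template (by whether `spec.forProvider.region` exists) rather than by the constraint; the required-tags constraint in this patch has the identical wildcard match. Gatekeeper's apiGroups match takes exact group names or `*` (I do not believe it accepts patterns), so either enumerate the AWS groups actually used in the cluster or keep the wildcard and state the intent, e.g. `# Intentionally cluster-wide: the template only reports objects that carry spec.forProvider.region` above `match:`. Since no `enforcementAction` is set, the default (deny) applies, which is fine for a sample but worth stating in the README so users know the constraint blocks rather than warns.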
@@ -0,0 +1,23 @@ +apiVersion: dynamodb.aws.crossplane.io/v1alpha1 +kind: Table +metadata: + name: sample-table +spec: + deletionPolicy: Delete + forProvider: + region: eu-west-2 + attributeDefinitions: + - attributeName: id + attributeType: S + keySchema: + - attributeName: id + keyType: HASH + billingMode: PROVISIONED + provisionedThroughput: + readCapacityUnits: 1 + writeCapacityUnits: 1 + tags: + - key: "owner" + value: "finance" + providerConfigRef: + name: aws-provider-config \ No newline at end of file diff --git a/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml new file mode 100644 index 00000000..211eb5a4 --- /dev/null +++ b/examples/gatekeeper/region-restrict/samples/sample-table-us-east-1-fail.yaml @@ -0,0 +1,24 @@ +apiVersion: dynamodb.aws.crossplane.io/v1alpha1 +kind: Table +metadata: + name: failing-table +spec: + deletionPolicy: Delete + forProvider: + region: us-east-1 + attributeDefinitions: + - attributeName: id + attributeType: S + keySchema: + - attributeName: id + keyType: HASH + billingMode: PROVISIONED + provisionedThroughput: + readCapacityUnits: 1 + writeCapacityUnits: 1 + tags: + - key: "owner" + value: "finance" + + providerConfigRef: + name: aws-provider-config \ No newline at end of file diff --git a/examples/gatekeeper/region-restrict/suite.yaml b/examples/gatekeeper/region-restrict/suite.yaml new file mode 100644 index 00000000..acb2b34c --- /dev/null +++ b/examples/gatekeeper/region-restrict/suite.yaml 
@@ -0,0 +1,17 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: awsregionrestrict-suite +tests: +- name: awsregionrestrict-suite + template: template.yaml + constraint: samples/constraint.yaml + cases: + - name: unauthorised region + object: samples/sample-table-us-east-1-fail.yaml + assertions: + - violations: yes + - name: authorised region + object: samples/sample-table-eu-west-2-pass.yaml + assertions: + - violations: no \ No newline at end of file diff --git a/examples/gatekeeper/region-restrict/template.yaml b/examples/gatekeeper/region-restrict/template.yaml new file mode 100644 index 00000000..3b2be8d1 --- /dev/null +++ b/examples/gatekeeper/region-restrict/template.yaml @@ -0,0 +1,30 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: awsregionrestrict +spec: + crd: + spec: + names: + kind: AwsRegionRestrict + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + regions: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package awsregionrestrict + + import future.keywords + + violation[{"msg": msg}] { + region := input.review.object.spec.forProvider.region + not region in input.parameters.regions + msg := sprintf("Attempting to provision the resource in '%s', which is not an authorised region. Authorised regions are: '%v'", [region, input.parameters.regions]) + } \ No newline at end of file diff --git a/examples/gatekeeper/required-tags/README.md b/examples/gatekeeper/required-tags/README.md new file mode 100644 index 00000000..d965d420 --- /dev/null +++ b/examples/gatekeeper/required-tags/README.md 
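Review bot: The `violation` rule in template.yaml binds `region := input.review.object.spec.forProvider.region` and fails open: an AWS managed resource that omits `spec.forProvider.region` makes the rule body undefined, no violation is produced and the object is admitted, which is the opposite of what a region allow-list should do. A second rule should report AWS kinds that lack a region, using the same group/kind filtering that the required-tags template in this patch already uses; the addition is below, and `suite.yaml` in this same patch should gain a case `object: samples/<table-without-region>.yaml` with `violations: yes` so the fail-closed behaviour is pinned. If resources from the Upbound provider configured in the first patch of this series are also meant to be covered, the group check needs the `aws.upbound.io` suffix as well.
```yaml
      rego: |
        # … unchanged: package awsregionrestrict, import, existing violation rule …

        # Fail closed: the rule above is undefined when spec.forProvider.region is
        # absent, which would admit the object. Report AWS managed resources that
        # omit the region instead of silently accepting them.
        violation[{"msg": msg}] {
          is_aws_managed_resource
          not input.review.object.spec.forProvider.region
          msg := sprintf("Attempting to provision %s without spec.forProvider.region; authorised regions are: '%v'", [input.review.kind.kind, input.parameters.regions])
        }

        # Community provider groups; add "aws.upbound.io" if the Upbound provider is in scope.
        is_aws_managed_resource {
          endswith(input.review.kind.group, "aws.crossplane.io")
          not startswith(input.review.kind.kind, "ProviderConfig")
        }
```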
@@ -0,0 +1,13 @@ +### Prevent provisioning resources that do not have the required tags + +This example covers a Gatekeeper policy that denies requests for provisioning +resources without the required tags + +Examples and test cases are available under the `samples` directory. +Tests can be ran using the [gator cli](https://open-policy-agent.github.io/gatekeeper/website/docs/gator/). + +To run tests for this example run: +```bash +cd examples/gatekeeper/required-tags/ +gator verify . -v +``` \ No newline at end of file diff --git a/examples/gatekeeper/required-tags/samples/constraint.yaml b/examples/gatekeeper/required-tags/samples/constraint.yaml new file mode 100644 index 00000000..228bc4f6 --- /dev/null +++ b/examples/gatekeeper/required-tags/samples/constraint.yaml @@ -0,0 +1,11 @@ +apiVersion: constraints.gatekeeper.sh/v1beta1 +kind: AwsRequiredTags +metadata: + name: awsrequiredtags +spec: + match: + kinds: + - apiGroups: ["*"] + kinds: ["*"] + parameters: + tags: ["owner"] \ No newline at end of file diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml new file mode 100644 index 00000000..683f3c01 --- /dev/null +++ b/examples/gatekeeper/required-tags/samples/dummy-table-missing-tag-fail.yaml @@ -0,0 +1,23 @@ +apiVersion: dynamodb.aws.crossplane.io/v1alpha1 +kind: Table +metadata: + name: dummy-table +spec: + deletionPolicy: Delete + forProvider: + region: eu-west-2 + attributeDefinitions: + - attributeName: id + attributeType: S + keySchema: + - attributeName: id + keyType: HASH + billingMode: PROVISIONED + provisionedThroughput: + readCapacityUnits: 1 + writeCapacityUnits: 1 + tags: + - key: "aaa" + value: "finance" + providerConfigRef: + name: aws-provider-config \ No newline at end of file 
diff --git a/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml new file mode 100644 index 00000000..ecbc4a64 --- /dev/null +++ b/examples/gatekeeper/required-tags/samples/dummy-table-no-tags-fail.yaml @@ -0,0 +1,20 @@ +apiVersion: dynamodb.aws.crossplane.io/v1alpha1 +kind: Table +metadata: + name: dummy-table +spec: + deletionPolicy: Delete + forProvider: + region: eu-west-2 + attributeDefinitions: + - attributeName: id + attributeType: S + keySchema: + - attributeName: id + keyType: HASH + billingMode: PROVISIONED + provisionedThroughput: + readCapacityUnits: 1 + writeCapacityUnits: 1 + providerConfigRef: + name: aws-provider-config \ No newline at end of file diff --git a/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml new file mode 100644 index 00000000..29e4c5da --- /dev/null +++ b/examples/gatekeeper/required-tags/samples/finance-table-pass.yaml @@ -0,0 +1,23 @@ +apiVersion: dynamodb.aws.crossplane.io/v1alpha1 +kind: Table +metadata: + name: finance-table +spec: + deletionPolicy: Delete + forProvider: + region: eu-west-2 + attributeDefinitions: + - attributeName: id + attributeType: S + keySchema: + - attributeName: id + keyType: HASH + billingMode: PROVISIONED + provisionedThroughput: + readCapacityUnits: 1 + writeCapacityUnits: 1 + tags: + - key: "owner" + value: "finance" + providerConfigRef: + name: aws-provider-config \ No newline at end of file diff --git a/examples/gatekeeper/required-tags/suite.yaml b/examples/gatekeeper/required-tags/suite.yaml new file mode 100644 index 00000000..379ecd4b --- /dev/null +++ b/examples/gatekeeper/required-tags/suite.yaml 
@@ -0,0 +1,21 @@ +kind: Suite +apiVersion: test.gatekeeper.sh/v1alpha1 +metadata: + name: awsrequiredtags-suite +tests: +- name: awsrequiredtags-suite + template: template.yaml + constraint: samples/constraint.yaml + cases: + - name: table with no tags + object: samples/dummy-table-no-tags-fail.yaml + assertions: + - violations: yes + - name: table with missing tags + object: samples/dummy-table-missing-tag-fail.yaml + assertions: + - violations: yes + - name: table with required tags + object: samples/finance-table-pass.yaml + assertions: + - violations: no \ No newline at end of file diff --git a/examples/gatekeeper/required-tags/template.yaml b/examples/gatekeeper/required-tags/template.yaml new file mode 100644 index 00000000..b48bee7e --- /dev/null +++ b/examples/gatekeeper/required-tags/template.yaml @@ -0,0 +1,38 @@ +apiVersion: templates.gatekeeper.sh/v1 +kind: ConstraintTemplate +metadata: + name: awsrequiredtags +spec: + crd: + spec: + names: + kind: AwsRequiredTags + validation: + # Schema for the `parameters` field + openAPIV3Schema: + type: object + properties: + tags: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package awsrequiredtags + import future.keywords.every + + violation[{"msg": msg}] { + endswith(input.review.kind.group, "aws.crossplane.io") + not startswith(input.review.kind.kind, "ProviderConfig") + not input.review.object.spec.forProvider.tags + msg := sprintf("Attempting to provision a resource without tags, the following tags are required '%v'", [input.parameters.tags]) + } + + violation[{"msg": msg}] { + some requested_tag in input.parameters.tags + every i in input.review.object.spec.forProvider.tags { + requested_tag != i.key + } + msg := sprintf("Attempting to provision a resource with the following tags '%v', one or more of the required tags '%v' is missing", [input.review.object.spec.forProvider.tags, input.parameters.tags]) + } \ No newline at end of file
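Review bot: The first `violation` rule in template.yaml only fires when `input.review.kind.group` ends in `aws.crossplane.io`, so resources from the Upbound provider that the first patch of this series also configures (their groups end in `aws.upbound.io`, as far as I know) are never checked for absent tags and, given the wildcard constraint match, pass silently. The second rule iterates `spec.forProvider.tags` with `every i in … { requested_tag != i.key }`, which assumes the community provider's list of `key`/`value` entries; if tags are a map (which I believe is how the Upbound provider models them), `i.key` is undefined for every element, the `every` does not hold and the rule is undefined, so the policy fails open for exactly those resources. I would widen the group filter, e.g. `aws_group { endswith(input.review.kind.group, "aws.crossplane.io") }` and `aws_group { endswith(input.review.kind.group, "aws.upbound.io") }` referenced from the first rule, add the map-shaped rule below, and cover both with cases in `suite.yaml`; until then a comment such as `# Covers the crossplane-contrib provider-aws tag schema (list of key/value) only` at the top of the rego block makes the current scope explicit.
```yaml
      rego: |
        # … unchanged: package awsrequiredtags, import, existing violation rules …

        # Map-shaped tags (tags: {owner: finance}); the list-shaped rule above is
        # undefined for this shape because `i.key` does not exist on a string value.
        violation[{"msg": msg}] {
          tags := input.review.object.spec.forProvider.tags
          is_object(tags)
          some requested_tag in input.parameters.tags
          not tags[requested_tag]
          msg := sprintf("Attempting to provision a resource with the following tags '%v', one or more of the required tags '%v' is missing", [tags, input.parameters.tags])
        }
```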