Demos and use cases for MCSPS
- creates configmap for nginx content
- creates 2 pods from nginx image
- creates service
- creates ingress
- deploys DNS entry with external-dns app
- deploys LetsEncrypt cert with cert-manager and letsencrypt-prod issuer
- k8s 1.21
Change cluster name and app name in CHANGEME lines!
Create:
kubectl create namespace demoapp
kubectl apply -f demoapp.yaml -n demoapp
Destroy:
kubectl delete -f demoapp.yaml -n demoapp
kubectl delete namespace demoapp
Create or use htpasswd user to access security spaces in your app:
Create:
htpasswd -c auth foo
kubectl create namespace demoapp
kubectl create secret generic htaccess-secret --from-file=auth -n demoapp
kubectl apply -f basicauth-demoapp.yaml -n demoapp
Destroy:
kubectl delete -f basicauth-demoapp.yaml -n demoapp
kubectl delete secret htaccess-secret -n demoapp
kubectl delete namespace demoapp
Reference: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
If your company/organization provide smartcards for the employees you can use Ingress Client Auth to verify if the client is a member of your organization. Example for "Deutsche Telekom AG Issuing CA 02". Adapt create-smartcard-secret.sh if required.
Create:
kubectl create namespace demoapp
./create-smartcard-secret.sh
kubectl apply -f smartcard-demoapp.yaml -n demoapp
Destroy:
kubectl delete -f smartcard-demoapp.yaml -n demoapp
kubectl delete namespace demoapp
Please note, there is user verification in the demoapp example. If this is required,
you can use nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
to send cert to upstream service and make a selection
of users. Or add a configuration-snippet to set additional header and proceed this also on upstream service:
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($ssl_client_verify != SUCCESS) { return 403; }
proxy_set_header x-smardcard-auth "true";
Provides a save https demo service behind Keycloak OAuth2 through oauth-proxy
Howto:
- Create OpenID Client in Keycloak Realm
- Authorization Enabled, set Valid Redirect URIs = /*, pick up secret key
- Setup a mapper "groups", Full group path = off, al other = on, Token Claim Name = groups
- Adjust app name, cluster name, keycloak-server-name, oauth client id and secret in
oauth2-keycloak.yaml
Create:
kubectl create namespace demoapp
kubectl apply -f oauth2-keycloak.yaml -n demoapp
Destroy:
kubectl delete -f oauth2-keycloak.yaml -n demoapp
kubectl delete namespace demoapp
Link: https://github.com/oauth2-proxy/oauth2-proxy
Like Simple demo app
- creates SATA pvc
- mount pvc to pods
Create:
kubectl create namespace demoappvol
kubectl apply -f demoapp_volume.yaml -n demoappvol
POD=$(kubectl get pods -n demoappvol --no-headers | tail -1 | awk '{print $1}')
kubectl cp README.md demoappvol/$POD:/usr/share/nginx/html/
curl https://<app_name>/README.md
Delete:
kubectl delete -f demoapp_volume.yaml -n demoappvol
kubectl delete namespace demoappvol
Create an external enhanced loadbalancer (ELB) with sticky session
kubectl create -f otc-lb.yaml
The new storage solution after migration to External Cloud Provider
Create OTC storage classes:
kubectl create -f cinder-csi-plugin/otc-storageclasses.yaml
Create OTC storage snapshot class:
kubectl create -f cinder-csi-plugin/otc-volumesnapshotclass.yaml
Create OTC storage (PVC):
kubectl create -f cinder-csi-plugin/otc-pvc.yaml
Create OTC Volume Snapshot:
kubectl create -f cinder-csi-plugin/otc-volumesnapshot.yaml
Create OTC Volume Block-Device (with POD):
kubectl create -f cinder-csi-plugin/otc-blockdevice.yaml
see subfolder
see subfolder
see kustomization.yaml and helloworld folder
Create:
kubectl apply -k . -n helloworld
Delete:
kubectl delete -k . -n helloworld
Example how to install a new instance of Prometheus Operator in specific namespace (demoapp)
Adjust namespace, app labels, ServiceMonitor, and alertmanager secret Refer to flask folder for a Python demo app to monitor
Create:
kubectl apply -f monitoring
Delete:
kubectl delete -f monitoring
Test your deployment files agains K8s security advisories
Create:
adjust clustername and ingress name in kubesec.yaml
kubectl create namespace kubesec
kubectl apply -f kubesec.yaml -n kubesec
Howto:
curl -sSX POST --data-binary @kubesec.yaml https://kubesec.mcsps.telekomcloud.com/scan/
Test connectivity between PODs in Overlay Network (needs image root access, run in kube-system namespace)
kubectl apply -f overlaytest.yaml
sh overlaytest.sh
Install a POD with mysql-client
Create:
kubectl apply -f mysql-client.yaml
kubectl exec -it mysql-client-0 -- bash
# apk add mysql-client
Delete:
kubectl delete -f mysql-client.yaml
Use mysql-client_volume.yaml
if you need to create and mount PVC
Install a POD with k8s-client
Create:
kubectl apply -f k8s-client.yaml
kubectl exec -it k8s-client-0 -- bash
Delete:
kubectl delete -f k8s-client.yaml
verify image signature within init container
see demo-cosign.yaml
see subfolder
see kube-backup.yaml