diff --git a/k8s/kyverno-ingress-domain-name-1.yaml b/k8s/kyverno-ingress-domain-name-1.yaml
new file mode 100644
index 00000000..50e55645
--- /dev/null
+++ b/k8s/kyverno-ingress-domain-name-1.yaml
@@ -0,0 +1,28 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress-domain-name
+spec:
+ rules:
+ - name: create-ingress
+ match:
+ resources:
+ kinds:
+ - Service
+ generate:
+ kind: Ingress
+ name: "{{request.object.metadata.name}}"
+ namespace: "{{request.object.metadata.namespace}}"
+ data:
+ spec:
+ rules:
+ - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.A.B.C.D.nip.io"
+ http:
+ paths:
+ - backend:
+ service:
+ name: "{{request.object.metadata.name}}"
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
diff --git a/k8s/kyverno-ingress-domain-name-2.yaml b/k8s/kyverno-ingress-domain-name-2.yaml
new file mode 100644
index 00000000..4b2acbc2
--- /dev/null
+++ b/k8s/kyverno-ingress-domain-name-2.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: ingress-domain-name
+spec:
+ rules:
+ - name: create-ingress
+ match:
+ resources:
+ kinds:
+ - Service
+ preconditions:
+ - key: "{{request.object.spec.ports[0].name}}"
+ operator: Equals
+ value: http
+ generate:
+ kind: Ingress
+ name: "{{request.object.metadata.name}}"
+ namespace: "{{request.object.metadata.namespace}}"
+ data:
+ spec:
+ rules:
+ - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.A.B.C.D.nip.io"
+ http:
+ paths:
+ - backend:
+ service:
+ name: "{{request.object.metadata.name}}"
+ port:
+ name: http
+ path: /
+ pathType: Prefix
diff --git a/k8s/kyverno-ingress-domain-name-3.yaml b/k8s/kyverno-ingress-domain-name-3.yaml
new file mode 100644
index 00000000..00a74840
--- /dev/null
+++ b/k8s/kyverno-ingress-domain-name-3.yaml
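Review bot: The `match` in create-ingress selects every Service in every namespace, so Kyverno will also generate Ingresses for system Services (kube-system, kube-public, Kyverno's own namespace) and expose them through the ingress controller at `<name>.<namespace>.A.B.C.D.nip.io`. Before a policy like this goes anywhere near a shared cluster, add an exclusion such as `exclude: {resources: {namespaces: [kube-system, kube-public, kyverno]}}`, or make `match` require an opt-in label on the Service. The generated Ingress also hard-codes `number: 80` regardless of which ports the Service exposes, which the later steps address. Depending on the Kyverno version, `generate` may additionally need `apiVersion: networking.k8s.io/v1` and the background controller needs RBAC permitting it to create Ingresses; a comment at the top of the file stating the tested Kyverno version would avoid surprises.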
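Review bot: The precondition `{{request.object.spec.ports[0].name}}` inspects only the first port, so a Service whose `http` port is listed second is silently skipped, while a Service with no ports or an unnamed first port leaves the variable unresolvable (whether Kyverno skips the rule or reports a failure there depends on the version). A filter over all ports is more robust: `key: "{{ request.object.spec.ports[?name=='http'] | length(@) }}"`, `operator: GreaterThan`, `value: 0`. The cluster-wide match with no namespace exclusion carries over from the first file and still exposes system Services that happen to name a port `http`.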
@@ -0,0 +1,37 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: ingress-domain-name +spec: + rules: + - name: create-ingress + context: + - name: configmap + configMap: + name: ingress-domain-name + namespace: "{{request.object.metadata.namespace}}" + match: + resources: + kinds: + - Service + preconditions: + - key: "{{request.object.spec.ports[0].name}}" + operator: Equals + value: http + generate: + kind: Ingress + name: "{{request.object.metadata.name}}" + namespace: "{{request.object.metadata.namespace}}" + data: + spec: + rules: + - host: "{{request.object.metadata.name}}.{{request.object.metadata.namespace}}.{{configmap.data.domain}}" + http: + paths: + - backend: + service: + name: "{{request.object.metadata.name}}" + port: + name: http + path: / + pathType: Prefix diff --git a/slides/exercises/ingress-secret-policy-brief.md b/slides/exercises/ingress-secret-policy-brief.md index 41617b5a..5b06d165 100644 --- a/slides/exercises/ingress-secret-policy-brief.md +++ b/slides/exercises/ingress-secret-policy-brief.md @@ -1,3 +1,5 @@ +⚠️ BROKEN EXERCISE - DO NOT USE + ## Exercise — Ingress Secret Policy *Implement policy to limit impact of ingress controller vulnerabilities.* diff --git a/slides/exercises/ingress-secret-policy-details.md b/slides/exercises/ingress-secret-policy-details.md index 29355ef9..866bd49d 100644 --- a/slides/exercises/ingress-secret-policy-details.md +++ b/slides/exercises/ingress-secret-policy-details.md @@ -1,3 +1,5 @@ +⚠️ BROKEN EXERCISE - DO NOT USE + # Exercise — Ingress Secret Policy - Most ingress controllers have access to all Secrets diff --git a/slides/exercises/kyverno-ingress-domain-name-brief.md b/slides/exercises/kyverno-ingress-domain-name-brief.md new file mode 100644 index 00000000..a35172a2 --- /dev/null +++ b/slides/exercises/kyverno-ingress-domain-name-brief.md 
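Review bot: The host suffix `{{configmap.data.domain}}` is read from a ConfigMap in the requesting Service's own namespace and used verbatim, so whoever can write that ConfigMap picks the generated Ingress hostname — including a suffix belonging to another tenant, or an empty value yielding a trailing-dot host — and how an ingress controller resolves two Ingresses claiming the same host/path varies, so this can hijack or break another tenant's routing. Constrain the value before generating, e.g. a precondition `key: "{{ regex_match('^[a-z0-9.-]+\\.nip\\.io$', configmap.data.domain) }}"`, `operator: Equals`, `value: true` (adapt the pattern to the domains you actually own), or have the platform team own the ConfigMap via RBAC. Also worth documenting for learners: if the `ingress-domain-name` ConfigMap is absent from the namespace, the context lookup fails and no Ingress is generated.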
@@ -0,0 +1,9 @@
+## Exercise — Generating Ingress With Kyverno
+
+- When a Service gets created, automatically generate an Ingress
+
+- Step 1: expose all services with a hard-coded domain name
+
+- Step 2: only expose services that have a port named `http`
+
+- Step 3: configure the domain name with a per-namespace ConfigMap
diff --git a/slides/exercises/kyverno-ingress-domain-name-details.md b/slides/exercises/kyverno-ingress-domain-name-details.md
new file mode 100644
index 00000000..b8840110
--- /dev/null
+++ b/slides/exercises/kyverno-ingress-domain-name-details.md
@@ -0,0 +1,33 @@
+# Exercise — Generating Ingress With Kyverno
+
+When a Service gets created...
+
+*(for instance, Service `blue` in Namespace `rainbow`)*
+
+...Automatically generate an Ingress.
+
+*(for instance, with host name `blue.rainbow.MYDOMAIN.COM`)*
+
+---
+
+## Goals
+
+- Step 1: expose all services with a hard-coded domain name
+
+- Step 2: only expose services that have a port named `http`
+
+- Step 3: configure the domain name with a per-namespace ConfigMap
+
+ (e.g. `kubectl create configmap ingress-domain-name --from-literal=domain=1.2.3.4.nip.io`)
+
+---
+
+## Hints
+
+- We want to use a Kyverno `generate` ClusterPolicy
+
+- For step 1, check [Generate Resources](https://kyverno.io/docs/writing-policies/generate/) documentation
+
+- For step 2, check [Preconditions](https://kyverno.io/docs/writing-policies/preconditions/) documentation
+
+- For step 3, check [External Data Sources](https://kyverno.io/docs/writing-policies/external-data-sources/) documentation