add manifests for cis 3.0 (F5Networks#3158)

* add manifests for cis 3.0 * add security context, volume mounts to the sample deployment manifest * update deploy config, no verify ssl and trusted certs cfg map args values * remove trusted certs cfgmap arg
vklohiya · Nov 21, 2023 · 93660f7 · 93660f7
1 parent aad08ea
commit 93660f7
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 0 deletions.
diff --git a/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml b/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml
@@ -0,0 +1,71 @@
+# for reference only
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-bigip-ctlr-deployment
+  namespace: kube-system
+spec:
+  # DO NOT INCREASE REPLICA COUNT
+  replicas: 1
+  selector:
+    matchLabels:
+      app: k8s-bigip-ctlr-deployment
+  template:
+    metadata:
+      labels:
+        app: k8s-bigip-ctlr-deployment
+    spec:
+      # Name of the Service Account bound to a Cluster Role with the required
+      # permissions
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      volumes:
+        - name: cm-creds
+          secret:
+            secretName: f5-bigip-ctlr-login
+      containers:
+        - name: k8s-bigip-ctlr
+          image: "f5networks/k8s-bigip-ctlr:latest"
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 15
+            periodSeconds: 15
+            successThreshold: 1
+            timeoutSeconds: 15
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            successThreshold: 1
+            timeoutSeconds: 15
+          volumeMounts:
+            - name: cm-creds
+              mountPath: "/tmp/creds"
+              readOnly: true
+          command: ["/app/bin/k8s-bigip-ctlr"]
+          args: [
+            # See the k8s-bigip-ctlr documentation for information about
+            # all config options
+            # https://clouddocs.f5.com/containers/latest/
+            "--cm-url=<ip_address-or-hostname>",
+            "--orchestration-cni=nodeport",
+            "--deploy-config=kube-system/cis-config",
+            "--manage-custom-resources=true",
+            "--credentials-directory=/tmp/creds",
+            "--kubeconfig=/tmp/kubeconfig",
+            "--log-file=/tmp/k8s-bigip-ctlr.log",
+            "--log-level=INFO",
+            "--http-client-metrics=true",
+            "--no-verify-ssl=true"
+          ]
+      serviceAccountName: bigip-ctlr
diff --git a/docs/cis-3.x/rbac/clusterrole.yaml b/docs/cis-3.x/rbac/clusterrole.yaml
@@ -0,0 +1,37 @@
+# for reference only
+# Should be changed as per your cluster requirements
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole
+rules:
+  - apiGroups: ["", "extensions"]
+    resources: ["nodes", "services", "endpoints", "namespaces", "pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["", "extensions"]
+    resources: ["events", "services/status"]
+    verbs: ["get", "list", "watch", "update", "create", "patch"]
+  - apiGroups: ["cis.f5.com"]
+    resources: ["transportservers", "transportservers/status", "deployconfigs", "policies"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: bigip-ctlr-clusterrole-binding
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: bigip-ctlr-clusterrole
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: bigip-ctlr
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: bigip-ctlr
+  namespace: kube-system