From 93660f7724fd87bee6dc4eeeaa70982c8446a050 Mon Sep 17 00:00:00 2001
From: Vidya Sagar <42372699+vidyasagar-m@users.noreply.github.com>
Date: Mon, 20 Nov 2023 15:53:38 +0530
Subject: [PATCH] add manifests for cis 3.0 (#3158)
* add manifests for cis 3.0
* add security context, volume mounts to the sample deployment manifest
* update deploy config, no verify ssl and trusted certs cfg map args values
* remove trusted certs cfgmap arg
---
.../install/k8s/sample-k8s-bigip-ctlr.yaml | 71 +++++++++++++++++++
docs/cis-3.x/rbac/clusterrole.yaml | 37 ++++++++++
2 files changed, 108 insertions(+)
create mode 100644 docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml
create mode 100644 docs/cis-3.x/rbac/clusterrole.yaml
diff --git a/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml b/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml
new file mode 100644
index 000000000..4c87b9177
--- /dev/null
+++ b/docs/cis-3.x/install/k8s/sample-k8s-bigip-ctlr.yaml
@@ -0,0 +1,71 @@
+# for reference only
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: k8s-bigip-ctlr-deployment
+ namespace: kube-system
+spec:
+ # DO NOT INCREASE REPLICA COUNT
+ replicas: 1
+ selector:
+ matchLabels:
+ app: k8s-bigip-ctlr-deployment
+ template:
+ metadata:
+ labels:
+ app: k8s-bigip-ctlr-deployment
+ spec:
+ # Name of the Service Account bound to a Cluster Role with the required
+ # permissions
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ volumes:
+ - name: cm-creds
+ secret:
+ secretName: f5-bigip-ctlr-login
+ containers:
+ - name: k8s-bigip-ctlr
+ image: "f5networks/k8s-bigip-ctlr:latest"
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 15
+ periodSeconds: 15
+ successThreshold: 1
+ timeoutSeconds: 15
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /health
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 15
+ volumeMounts:
+ - name: cm-creds
+ mountPath: "/tmp/creds"
+ readOnly: true
+ command: ["/app/bin/k8s-bigip-ctlr"]
+ args: [
+ # See the k8s-bigip-ctlr documentation for information about
+ # all config options
+ # https://clouddocs.f5.com/containers/latest/
+ "--cm-url=",
+ "--orchestration-cni=nodeport",
+ "--deploy-config=kube-system/cis-config",
+ "--manage-custom-resources=true",
+ "--credentials-directory=/tmp/creds",
+ "--kubeconfig=/tmp/kubeconfig",
+ "--log-file=/tmp/k8s-bigip-ctlr.log",
+ "--log-level=INFO",
+ "--http-client-metrics=true",
+ "--no-verify-ssl=true"
+ ]
+ serviceAccountName: bigip-ctlr
\ No newline at end of file
diff --git a/docs/cis-3.x/rbac/clusterrole.yaml b/docs/cis-3.x/rbac/clusterrole.yaml
new file mode 100644
index 000000000..973966636
--- /dev/null
+++ b/docs/cis-3.x/rbac/clusterrole.yaml
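Review bot: `"--no-verify-ssl=true"` in the args list ships the sample with TLS verification to the management endpoint (presumably the one given by `--cm-url=`) switched off, and because the same pod mounts the `f5-bigip-ctlr-login` secret at `/tmp/creds` for the controller to send, a copied-as-is deployment would present those credentials to an unauthenticated peer; the sample should default to `"--no-verify-ssl=false"` with a comment that `true` is for lab use only, and since the commit message says the trusted-certs ConfigMap argument was removed, a comment should say how a private CA is supplied instead. `image: "f5networks/k8s-bigip-ctlr:latest"` is unpinned, so the manifest is not reproducible and silently tracks whatever is last pushed to that tag; pin a release tag (ideally with a digest). The pod-level `securityContext` sets a non-root UID/GID but nothing at the container level forbids privilege escalation or added capabilities, so a container `securityContext` like the one below would complete the hardening. `"--kubeconfig=/tmp/kubeconfig"` names a path no volume in the hunk mounts, and the comment "Name of the Service Account bound to a Cluster Role" sits above `securityContext` while `serviceAccountName: bigip-ctlr` is the last line of the hunk — presumably leftovers worth tidying.
```yaml
      - name: k8s-bigip-ctlr
        image: "f5networks/k8s-bigip-ctlr:latest"
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]
        # … unchanged: livenessProbe, readinessProbe, volumeMounts, command, args …
```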
@@ -0,0 +1,37 @@
+# for reference only
+# Should be changed as per your cluster requirements
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: bigip-ctlr-clusterrole
+rules:
+ - apiGroups: ["", "extensions"]
+ resources: ["nodes", "services", "endpoints", "namespaces", "pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["", "extensions"]
+ resources: ["events", "services/status"]
+ verbs: ["get", "list", "watch", "update", "create", "patch"]
+ - apiGroups: ["cis.f5.com"]
+ resources: ["transportservers", "transportservers/status", "deployconfigs", "policies"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: bigip-ctlr-clusterrole-binding
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: bigip-ctlr-clusterrole
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: bigip-ctlr
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: bigip-ctlr
+ namespace: kube-system
\ No newline at end of file
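Review bot: `namespace: kube-system` under the ClusterRoleBinding's `metadata` has no effect because a ClusterRoleBinding is cluster-scoped; depending on the client it is silently dropped or rejected, so remove it (the `namespace: kube-system` on the `subjects` entry is the one that matters and stays). The `"extensions"` entry in the first two rules' `apiGroups` serves none of the listed resources — `nodes`, `services`, `endpoints`, `namespaces`, `pods`, `events` and `services/status` all live in the core group — so it grants nothing today but makes an RBAC audit of what the controller can actually do harder to read; `apiGroups: [""]` states the same permissions honestly. The header comment `# Should be changed as per your cluster requirements` would be more useful to an operator applying least privilege if it said which rules are optional, e.g. a per-rule comment naming the controller feature that needs the write verbs on `events` and `services/status` — I cannot tell from the manifest alone which feature that is, so the author should fill that in. A leading `---` document marker is also missing at the top of the file.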