🏭 Standardize application labeling for cleaner and more consistent re…

…source definitions
ndebuhr · Jul 7, 2021 · f839d72 · f839d72
1 parent 145ec2a
commit f839d72
Show file tree

Hide file tree

Showing 3 changed files with 100 additions and 7 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -42,6 +42,10 @@ jobs:
         kubectl create namespace cloud-native-workstation
         kubectl config set-context --current --namespace cloud-native-workstation
 
+    - name: Install OPA gatekeeper
+      run: |
+        kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.5/deploy/gatekeeper.yaml
+
     - name: Deploy to GKE
       working-directory: ./helm
       run: |

diff --git a/README.md b/README.md
@@ -33,7 +33,9 @@ My own use and testing is with Google Kubernetes Engine, but folks should find t
     - [Domain](#domain)
     - [Certbot](#certbot)
 - [Installation](#installation)
+    - [Open Policy Agent](#open-policy-agent)
     - [Update `vm.max_map_count` (Optional)](#update-`vm.max_map_count`-(optional))
+    - [Cloud-native development platform](#cloud-native-development-platform)
 - [Usage](#usage)
 - [Contributing](#contributing)
 - [License](#license)
@@ -193,6 +195,22 @@ The `certbot.email` should be configured if you are using the Certbot option for
 
 ## Installation
 
+### Open Policy Agent
+
+Open Policy Agent is used for policy-based workstation controls and security.  Install with:
+```bash
+kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.5/deploy/gatekeeper.yaml
+```
+
+### Update `vm.max_map_count` (Optional)
+
+If your work requires monitoring a large number of files (e.g., continually running a development server as you work on a large application), then you may want to bump vm.max_map_count on the Kubernetes nodes.
+```
+kubectl apply -f kubernetes/node-max-map-count.yaml
+```
+
+### Cloud-native development platform
+
 Install the workstation on the Kubernetes cluster with Helm:
 ```
 cd helm
@@ -209,13 +227,6 @@ The domain must resolve before the components will work (access by IP only is no
 
 Note that workstation creation can take a few minutes.  The DNS propagation is particularly time consuming.
 
-### Update `vm.max_map_count` (Optional)
-
-If your work requires monitoring a large number of files (e.g., continually running a development server as you work on a large application), then you may want to bump vm.max_map_count on the Kubernetes nodes.
-```
-kubectl apply -f kubernetes/node-max-map-count.yaml
-```
-
 ## Usage
 
 Access the components that you've enabled in the Helm values (after authenticating with the Keycloak proxy):

diff --git a/helm/templates/policy-app-labels.yaml b/helm/templates/policy-app-labels.yaml
@@ -0,0 +1,78 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: requiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: RequiredLabels
+      validation:
+        openAPIV3Schema:
+          properties:
+            labels:
+              type: array
+              items: string
+  targets:
+  - target: admission.k8s.gatekeeper.sh
+    rego: |
+      package requiredlabels
+      violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+        provided := {label | input.review.object.metadata.labels[label]}
+        required := {label | label := input.parameters.labels[_]}
+        missing := required - provided
+        count(missing) > 0
+        msg := sprintf("you must provide labels: %v", [missing])
+      }
+---
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: deploymentselector
+spec:
+  crd:
+    spec:
+      names:
+        kind: DeploymentSelector
+      validation:
+        openAPIV3Schema:
+          properties:
+            selector:
+              type: string
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package deploymentselector
+        violation[{"msg": msg, "details": {"missing_selector": missing}}] {
+          not input.review.object.spec.selector.matchLabels[input.parameters.selector]
+          missing := input.parameters.selector
+          msg := sprintf("you must include the deployment label selector: %v", [input.parameters.selector])
+        }
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: RequiredLabels
+metadata:
+  name: app-label-on-pods
+spec:
+  match:
+    kinds:
+    - apiGroups: [""]
+      kinds: ["Pod"]
+    namespaces:
+    - "cloud-native-workstation"
+  parameters:
+    labels: ["app"]
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: DeploymentSelector
+metadata:
+  name: app-label-selector-for-deployments
+spec:
+  match:
+    kinds:
+    - apiGroups: ["apps"]
+      kinds: ["Deployment"]
+    namespaces:
+    - "cloud-native-workstation"
+  parameters:
+    selector: "app"