-
Notifications
You must be signed in to change notification settings - Fork 15
Expand file tree
/
Copy pathkubernetes.yaml
More file actions
204 lines (204 loc) · 5.81 KB
/
kubernetes.yaml
File metadata and controls
204 lines (204 loc) · 5.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
---
# We are creating a new namespace that ContainerSSH will run in.
apiVersion: v1
kind: Namespace
metadata:
name: containerssh
---
# We are creating a new namespace we can use to launch guest containers. This will be locked down.
apiVersion: v1
kind: Namespace
metadata:
name: containerssh-guests
---
# Let's apply a network policy for the containerssh-guests namespace so guests can't connect any network resources.
# This might not work if your CNI doesn't support network policies (e.g. Docker Desktop)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: containerssh-guest-policy
namespace: containerssh-guests
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# Let's create a ConfigMap that contains the ContainerSSH configuration
apiVersion: v1
kind: ConfigMap
metadata:
name: containerssh-config
namespace: containerssh
data:
config.yaml: |
# Let's log on the debug level so we can see what's going on.
log:
level: debug
ssh:
hostkeys:
# This points to the host key we will create in the next step.
- /etc/containerssh/ssh_host_rsa_key
- /etc/containerssh/ssh_host_ed25519_key
- /etc/containerssh/ssh_host_ecdsa_key
auth:
# The authentication server will be running in the same pod, so we use 127.0.0.1
url: http://127.0.0.1:8080
# We run the guest containers in the same Kubernetes cluster as ContainerSSH is running in
backend: kubernetes
kubernetes:
connection:
host: kubernetes.default.svc
cacertFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
pod:
metadata:
namespace: containerssh-guests
spec:
containers:
- name: shell
image: containerssh/containerssh-guest-image
## Further options to lock down the execution.
## See https://containerssh.io/reference/kubernetes/ for mre options
#
# securityContext:
# runAsNonRoot: true
# runAsUser: 1000
# resources:
# limits:
# memory: "128Mi"
# cpu: "500m"
---
# We create a secret that holds the host key.
# This is hard-coded for the example, for production you'd need to generate
# a new host key with openssl genrsa and then base64-encode it.
apiVersion: v1
kind: Secret
metadata:
name: containerssh-hostkey
namespace: containerssh
data:
ssh_host_rsa_key: |
@@SSH_HOST_RSA_KEY@@
ssh_host_ed25519_key: |
@@SSH_HOST_ED25519_KEY@@
ssh_host_ecdsa_key: |
@@SSH_HOST_ECDSA_KEY@@
---
# We are creating a new service account that can be used to launch new containers.
apiVersion: v1
kind: ServiceAccount
metadata:
name: containerssh
namespace: containerssh
automountServiceAccountToken: true
---
# We are creating a new role that will let the service account launch pods in the containerssh-guests namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: containerssh
namespace: containerssh-guests
rules:
- apiGroups:
- ""
resources:
- pods
- pods/logs
- pods/exec
verbs:
- '*'
---
# We are creating a role binding that binds the containerssh service account to the containerssh role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: containerssh
namespace: containerssh-guests
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: containerssh
subjects:
- kind: ServiceAccount
name: containerssh
namespace: containerssh
---
# Now we are creating a deployment that runs ContainerSSH.
apiVersion: apps/v1
kind: Deployment
metadata:
name: containerssh
namespace: containerssh
labels:
app: containerssh
spec:
replicas: 1
selector:
matchLabels:
app: containerssh
template:
metadata:
labels:
app: containerssh
spec:
# We are using the containerssh service account
serviceAccountName: containerssh
containers:
# Run ContainerSSH
- name: containerssh
image: containerssh/containerssh:0.4
securityContext:
# Read only container
readOnlyRootFilesystem: true
ports:
- containerPort: 2222
volumeMounts:
# Mount the host keys
- name: hostkey
mountPath: /etc/containerssh/ssh_host_rsa_key
subPath: ssh_host_rsa_key
readOnly: true
- name: hostkey
mountPath: /etc/containerssh/ssh_host_ed25519_key
subPath: ssh_host_ed25519_key
readOnly: true
- name: hostkey
mountPath: /etc/containerssh/ssh_host_ecdsa_key
subPath: ssh_host_ecdsa_key
readOnly: true
# Mount the config file
- name: config
mountPath: /etc/containerssh/config.yaml
subPath: config.yaml
readOnly: true
# Run the auth-config test server for authentication
- name: containerssh-authconfig
image: containerssh/containerssh-test-authconfig:0.4
securityContext:
readOnlyRootFilesystem: true
# Don't allow containers running as root (ContainerSSH doesn't need it)
securityContext:
runAsNonRoot: true
volumes:
- name: hostkey
secret:
secretName: containerssh-hostkey
- name: config
configMap:
name: containerssh-config
---
# Create a service that makes the SSH service public on port 22
apiVersion: v1
kind: Service
metadata:
name: containerssh
namespace: containerssh
spec:
selector:
app: containerssh
ports:
- protocol: TCP
port: 2222
targetPort: 2222
type: LoadBalancer