Last active
January 3, 2025 03:47
-
-
Save donnitriosa/c81fcbbf17e180813dcfefc0673177e2 to your computer and use it in GitHub Desktop.
Script to create a namespace in Kubernetes and apply resource quota and network policies to it
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Script to create a namespace in Kubernetes and apply resource quota and network policies to it | |
| # Created by Donni Triosa ([email protected]) | |
| # Check if the namespace argument is provided | |
| if [ -z "$1" ]; then | |
| echo "Usage: $0 <namespace>" | |
| exit 1 | |
| fi | |
| # Define variables | |
| NAMESPACE=$1 | |
| CREATE_NS_FILE="/tmp/$NAMESPACE-ns.yaml" | |
| RESOURCE_QUOTA_FILE="/tmp/$NAMESPACE-quota.yaml" | |
| EGRESS_DENY="/tmp/$NAMESPACE-egress-deny.yaml" | |
| INGRESS_ALLOW="/tmp/$NAMESPACE-ingress-allow.yaml" | |
| # Create the namespace file | |
| cat <<EOF > $CREATE_NS_FILE | |
| apiVersion: v1 | |
| kind: Namespace | |
| metadata: | |
| name: ${NAMESPACE} | |
| labels: | |
| pod-security.kubernetes.io/enforce: restricted | |
| pod-security.kubernetes.io/enforce-version: latest | |
| pod-security.kubernetes.io/audit: restricted | |
| pod-security.kubernetes.io/audit-version: latest | |
| pod-security.kubernetes.io/warn: restricted | |
| pod-security.kubernetes.io/warn-version: latest | |
| EOF | |
| # Create the egress deny network policy file | |
| cat <<EOF > $EGRESS_DENY | |
| apiVersion: networking.k8s.io/v1 | |
| kind: NetworkPolicy | |
| metadata: | |
| name: egress-deny | |
| spec: | |
| podSelector: {} | |
| egress: | |
| - to: | |
| # Deny to Metadata OpenStack / Huawei / AWS | |
| - ipBlock: | |
| cidr: 128.0.0.0/1 | |
| except: | |
| - 169.254.169.254/32 | |
| # Deny to Metadata Alibaba Cloud | |
| - ipBlock: | |
| cidr: 0.0.0.0/1 | |
| except: | |
| - 100.100.100.200/32 | |
| policyTypes: | |
| - Egress | |
| EOF | |
| # Create the ingress allow network policy file | |
| cat <<EOF > $INGRESS_ALLOW | |
| apiVersion: networking.k8s.io/v1 | |
| kind: NetworkPolicy | |
| metadata: | |
| name: ingress-allow | |
| spec: | |
| podSelector: {} | |
| ingress: | |
| # Allow from Kube Ingress | |
| - from: | |
| - namespaceSelector: | |
| matchLabels: | |
| project: kube-ingress | |
| # Allow from Datadog | |
| - from: | |
| - namespaceSelector: | |
| matchLabels: | |
| project: datadog | |
| # Allow from Internal Namespace | |
| - from: | |
| - podSelector: {} | |
| policyTypes: | |
| - Ingress | |
| EOF | |
| # Create the resource quota file | |
| cat <<EOF > $RESOURCE_QUOTA_FILE | |
| apiVersion: v1 | |
| kind: ResourceQuota | |
| metadata: | |
| name: ${NAMESPACE}-quota | |
| spec: | |
| hard: | |
| cpu: "2" | |
| memory: 4Gi | |
| persistentvolumeclaims: "0" | |
| --- | |
| apiVersion: v1 | |
| kind: LimitRange | |
| metadata: | |
| name: ${NAMESPACE}-limits | |
| spec: | |
| limits: | |
| - default: | |
| cpu: 100m | |
| memory: 128Mi | |
| defaultRequest: | |
| cpu: 100m | |
| memory: 128Mi | |
| type: Container | |
| EOF | |
| # Create the namespace | |
| kubectl apply -f $CREATE_NS_FILE | |
| # Apply the resource quota to the namespace | |
| kubectl apply -f $RESOURCE_QUOTA_FILE -n $NAMESPACE | |
| # Apply the network policies to the namespace | |
| kubectl apply -f $EGRESS_DENY -n $NAMESPACE | |
| kubectl apply -f $INGRESS_ALLOW -n $NAMESPACE | |
| # Apply label to inject DNS | |
| kubectl label namespace $NAMESPACE node-local-dns-injection=enabled | |
| #delete the files | |
| rm -f $CREATE_NS_FILE $RESOURCE_QUOTA_FILE $EGRESS_DENY $INGRESS_ALLOW | |
| echo "Namespace '$NAMESPACE' has been created and configured." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment