Step-by-Step Network Policy Deployment Plan

Summary: How These Network Policies Work

Network policies in Kubernetes are like traffic rules for your application's components. They control which parts of your application can talk to each other and how. Here's a simple breakdown of how the policies in this guide work:

  1. Zero-Trust Starting Point: We begin by assuming no communication is allowed. It's like having walls between all parts of your application.
  2. Allowing Necessary Communication: We then create "doors" in these walls, but only where needed. For example:
    • We allow components in the same environment (like production) to talk to each other.
    • We let the backend talk to the frontend, but not the other way around.
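The four policies that summary describes, written out as an added example (this is not code from the gist). It assumes pods are labelled tier=frontend or tier=backend, each namespace carries an environment=<env> label, the frontend listens on TCP 8080, and cluster DNS runs as the kube-dns pods in kube-system; all of those names are assumptions to adjust. Two things the summary leaves implicit: NetworkPolicy rules only add allows, so "backend to frontend but not the reverse" is expressed by what the frontend's ingress rule admits and by the absence of any rule admitting the other direction; and the objects are only enforced when the cluster's CNI plugin implements NetworkPolicy.

```shell
#!/usr/bin/env bash
# Added example (not from the original gist). Renders the policies described in
# the summary for one namespace. Assumptions: pods carry tier=frontend or
# tier=backend, the namespace carries an environment=<env> label, the frontend
# listens on TCP 8080, and cluster DNS is the kube-dns pods in kube-system.
set -eu

render_network_policies() {
  local ns="$1" environment="$2"
  cat <<EOF
# 1. Zero-trust baseline: selects every pod, allows no ingress and no egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# 2. Every pod may still reach cluster DNS; without this nothing resolves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
---
# 3. Frontend pods accept connections only from backend pods in a namespace of
#    the same environment. No rule admits frontend -> backend, so (1) still
#    denies it: policies only add allows, there is no deny rule to write.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-from-backend
  namespace: ${ns}
spec:
  podSelector:
    matchLabels: {tier: frontend}
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {environment: ${environment}}
      podSelector:
        matchLabels: {tier: backend}
    ports:
    - {protocol: TCP, port: 8080}
---
# 4. The egress half of the same door, on the backend side.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-to-frontend
  namespace: ${ns}
spec:
  podSelector:
    matchLabels: {tier: backend}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector:
        matchLabels: {environment: ${environment}}
      podSelector:
        matchLabels: {tier: frontend}
    ports:
    - {protocol: TCP, port: 8080}
EOF
}

# Apply all four in one call: as soon as (1) is enforced, anything without a
# matching allow is cut off, so do not land the baseline on its own.
apply_network_policies() {
  render_network_policies "$1" "$2" | kubectl apply -f -
}

# Usage: apply_network_policies production production
```

Check the result with `kubectl get networkpolicy -n <namespace>` and then prove the one-way door from inside a frontend pod: a connection to the backend should time out while the backend can still reach the frontend on 8080.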
jmcdice / gist:527e2dcccb59fade0a295d2f630bee3a
Created December 4, 2019 18:40
Concourse-Vault-Docker
FROM ubuntu:latest
# ubuntu:latest moves between releases; pin a tag (or digest) for reproducible builds.
ENV DEBIAN_FRONTEND=noninteractive
# Optional: point apt at a nearby mirror. apt still verifies Release signatures, so plain http is acceptable here.
RUN sed -i 's#http://archive.ubuntu.com/#http://ubuntu.mirrors.tds.net/ubuntu/#' /etc/apt/sources.list
# built-in packages: update and upgrade in one layer so the package index is never stale.
# --force-yes is deprecated in apt; -y is the supported non-interactive flag.
RUN apt-get update \
 && apt-get -y -o Dpkg::Options::='--force-confold' dist-upgrade \
 && rm -rf /var/lib/apt/lists/*
# common utils apt
# Deploy Concourse to PKS
# Helm 2 only: Tiller runs in-cluster with the cluster-admin role bound below, and its
# gRPC endpoint is unauthenticated by default, so anything that can reach it can act as
# cluster-admin. Helm 2 is end-of-life; Helm 3 has no Tiller and needs none of the
# serviceaccount/clusterrolebinding/patch steps.
$ helm init --wait
$ kubectl create serviceaccount --namespace kube-system tiller
$ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
$ kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
$ helm install --name concourse stable/concourse
# View Concourse via your browser
$ export POD_NAME=$(kubectl get pods --namespace default | perl -lane 'print $F[0] if /web/')
## Install Utils:
$ sudo apt-get update
$ sudo apt-get install tmux youtube-dl htop ccze vlc
## Install and use youtube-dl
$ youtube-dl https://www.youtube.com/watch?v=cC9r0jHF-Fw
$ youtube-dl -F <video>                              # list the available formats
$ youtube-dl -f <index> --output fish.webm <video>   # download one format by its index
## Example
# Install gcloud
export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
# Import Google's signing key into its own keyring (apt-key is deprecated; needs gnupg)
curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
# Bind the repo to that key and fetch it over https (tee without -a so re-runs do not duplicate the entry)
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee /etc/apt/sources.list.d/google-cloud-sdk.list
sudo apt-get -y update
# Never pass --allow-unauthenticated here: it turns off signature checks on the packages themselves
sudo apt-get -y install google-cloud-sdk kubectl
# Install GCSFuse
#!/usr/bin/env bash
TARGET='concourse'
TASK='deploy-healthwatch/apply-changes'
function wait_for_pipeline_to_complete() {
local JOB=$1
local count=1
#!/usr/bin/env bash
#
# Have you ever deleted the default fw rules in your gcp project?
# Of course you have! Here's how to re-create them.
PROJECT=''
function create_default_ruleset() {
# Allow ICMP from Anywhere
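The rest of that ruleset, as an added example that is not the gist's own script: it recreates the four ingress rules GCP provisions with a project's "default" network (default-allow-internal, default-allow-icmp, default-allow-ssh, default-allow-rdp, all at priority 65534). It prints the gcloud commands unless DRY_RUN=0, and the ADMIN_CIDR variable is an addition of this example so that SSH and RDP are not necessarily re-opened to 0.0.0.0/0 the way GCP's stock rules have them.

```shell
#!/usr/bin/env bash
# Added example, not from the original gist: recreates the four ingress rules
# that GCP provisions with a project's "default" network. Prints the gcloud
# commands by default (DRY_RUN=1); set DRY_RUN=0 to execute them.
set -eu

PROJECT="${PROJECT:-}"
NETWORK="${NETWORK:-default}"
# GCP's stock rules open SSH and RDP to the whole internet. Override ADMIN_CIDR
# with your bastion or office range when recreating them; 0.0.0.0/0 is only
# kept as the default to match what the project originally had.
ADMIN_CIDR="${ADMIN_CIDR:-0.0.0.0/0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_rule NAME ALLOW_SPEC SOURCE_RANGE
create_rule() {
  rule_name=$1; rule_allow=$2; rule_source=$3
  set -- gcloud compute firewall-rules create "$rule_name" \
    --network "$NETWORK" --direction INGRESS --priority 65534 \
    --allow "$rule_allow" --source-ranges "$rule_source"
  if [ -n "$PROJECT" ]; then set -- "$@" --project "$PROJECT"; fi
  run "$@"
}

create_default_ruleset() {
  # Everything inside the VPC, from the auto-mode subnet range
  create_rule default-allow-internal tcp:0-65535,udp:0-65535,icmp 10.128.0.0/9
  # Allow ICMP from anywhere
  create_rule default-allow-icmp icmp 0.0.0.0/0
  # Admin protocols, scoped by ADMIN_CIDR
  create_rule default-allow-ssh tcp:22 "$ADMIN_CIDR"
  create_rule default-allow-rdp tcp:3389 "$ADMIN_CIDR"
}

create_default_ruleset
```

Review the printed commands first, then run with `PROJECT=<id> ADMIN_CIDR=<your range> DRY_RUN=0`. If a rule already exists gcloud refuses to create it, which is the safe failure here.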
jmcdice / Training
Last active September 21, 2017 22:05
## Training for PRE
If on AWS or GCP, use BBL (bosh-bootloader) to set up a standalone BOSH director:
- https://github.com/cloudfoundry/bosh-bootloader
On any other IaaS, use bosh create-env (init):
- https://bosh.io/docs/init.html
Deploy the Vault BOSH release (secure credential storage)
jmcdice / gist:fe15cc5ed053d57146d1961a76d833af
Last active July 14, 2017 13:54
Install and start concourse on Ubuntu
#!/usr/bin/env bash
function get_binary() {
  # Pulls a release-candidate build straight into /usr/sbin. wget only proves that a
  # file arrived: pin the version and check it against the checksum or signature the
  # release publishes before running it as a privileged service.
  wget https://github.com/concourse/bin/releases/download/v2.8.0-rc.125/concourse_linux_amd64 -O /usr/sbin/concourse
  chmod 755 /usr/sbin/concourse
}
function create_keys() {
cat >cloudinit.sh<<EOF
#cloud-config
users:
  - default
  # Lab user with passwordless root-equivalent sudo and an unlocked password
  # field: acceptable on a throwaway VM, never on a host reachable from outside.
  - name: stack
    lock_passwd: False
    sudo: ["ALL=(ALL) NOPASSWD:ALL\nDefaults:stack !requiretty"]
    shell: /bin/bash