Anthos Sample Deployment shell scripts and specs
# This file is meant to be sourced into your shell for the Anthos Sample Deployment tutorial, e.g.:
# $ source init-anthos-tutorial.env
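# Print a message to stdout, expanding backslash escapes (e.g. "\n") in the
# argument so callers that embed "\n" in their messages keep working.
# Arguments: $1 - message text
# Outputs:   the message followed by a newline, on stdout
function info() {
  # '%b' expands escapes in the *argument*; the message itself is never used
  # as the printf format string, so a literal '%' in it is printed verbatim
  # instead of being parsed as a conversion.
  printf '%b\n' "$1"
}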
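# Print a warning via info().
# Arguments: $1 - message text
# Outputs:   the message on stdout
function warn() {
  # Quoted: the unquoted form word-split the message (only the first word
  # reached info) and let glob characters in it expand against the cwd.
  info "$1"
}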
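# Report an error and abort the sourced script without closing the shell.
# Arguments: $1 - message (defaults to 'error sourcing script')
# Outputs:   the message on stdout (via info)
function error() {
  # 'local' keeps $err from leaking into the interactive shell that sourced
  # this file.
  local err=${1:-'error sourcing script'}
  info "${err}"
  # $$ is the shell this file was sourced into; SIGINT unwinds the function
  # stack back to its prompt instead of terminating that shell.
  kill -INT "$$"
}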
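# Sanity-check the environment: warn when not running in Cloud Shell,
# require gcloud and kubectl, and resolve and export the active GCP project.
# Globals:  OSTYPE, CLOUD_SHELL (read); PROJECT (exported)
# Outputs:  progress messages on stdout
function precheck {
  # ${CLOUD_SHELL:-} tolerates a sourcing shell that runs with 'set -u'.
  if [[ ${OSTYPE} != "linux-gnu" || ${CLOUD_SHELL:-} != true ]]; then
    warn "Warning: This has only been tested in GCP Cloud Shell. Only Linux (debian) is supported."
  fi
  # Redirect the lookups: 'command -v' otherwise prints the binary path.
  if ! command -v gcloud >/dev/null 2>&1; then
    error "gcloud not installed, follow https://cloud.google.com/sdk/install to install it first."
  fi
  if ! command -v kubectl >/dev/null 2>&1; then
    error "Kubectl not installed, you can run the following command to install it:\n\nsudo apt-get install kubectl"
  fi
  PROJECT=$(gcloud config get-value project)
  if [[ -z ${PROJECT} ]]; then
    error "Failed to find project, please use 'gcloud config set project PROJECT_ID' to select the right project."
  fi
  export PROJECT
  info "export PROJECT as ${PROJECT}"
}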
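# Point KUBECONFIG at a per-project file and fetch credentials for every
# GKE cluster listed in the project.
# Globals:  HOME, PROJECT (read); KUBECONFIG (exported)
# Outputs:  progress messages on stdout
function init_kubeconfig {
  local name zone
  KUBECONFIG=${HOME}/.kube/${PROJECT}.anthos-trial-gcp.config
  mkdir -p "$(dirname "${KUBECONFIG}")"
  export KUBECONFIG
  info "export KUBECONFIG as ${KUBECONFIG}"
  # Columns 1 and 2 of the listing are the cluster name and its location.
  # They are read straight into variables and passed as arguments; the
  # previous version built a command string from them and ran it via eval.
  while read -r name zone _; do
    # An empty project yields one blank line; skip it instead of calling
    # get-credentials with empty arguments.
    [[ -n ${name} ]] || continue
    gcloud container clusters get-credentials "${name}" --zone="${zone}"
  done < <(gcloud container clusters list | grep -v NAME)
}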
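# Install the nomos CLI into ~/bin (skipped when already on PATH) and make
# sure ~/bin is on PATH.
# Globals:  HOME (read); PATH (exported)
# Outputs:  progress messages on stdout
function install_nomos {
  local bin_dir="${HOME}/bin"
  if command -v nomos >/dev/null 2>&1; then
    info "nomos already installed."
    return 0
  fi
  mkdir -p "${bin_dir}"
  # NOTE(review): this fetches the unpinned 'latest' release and performs no
  # checksum or signature verification of the binary; pin a version and
  # verify the download if this script is reused outside the tutorial.
  if ! gsutil cp gs://config-management-release/released/latest/linux_amd64/nomos "${bin_dir}/nomos"; then
    # Without this check a failed download was followed by chmod on a
    # missing file and a misleading "Installed" message.
    error "Failed to download nomos from gs://config-management-release."
  fi
  chmod a+x "${bin_dir}/nomos"
  # Append ~/bin only when it is not already on PATH.
  case ":${PATH}:" in
    *":${bin_dir}:"*) ;;
    *) PATH=${PATH}:${bin_dir} ;;
  esac
  export PATH
  info "Installed nomos into ${bin_dir}."
}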
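# Clone the deployment's ACM config repo into ./config-repo, moving any
# existing checkout aside first.
# Globals:  DEPLOYMENT (read)
# Outputs:  progress messages on stdout
function clone_config_repo {
  local upstream clone tempdir
  # With DEPLOYMENT unset the upstream name degrades to "-config-repo" and
  # the clone fails with its stderr hidden; fail early with a clear message.
  if [[ -z ${DEPLOYMENT:-} ]]; then
    error "DEPLOYMENT is not set; export DEPLOYMENT=<deployment-name> before sourcing this script."
  fi
  upstream="${DEPLOYMENT}-config-repo" # hack since currently the upstream repo name isn't just 'config-repo'
  clone=config-repo
  if [[ -d ${clone} ]]; then
    # mktemp creates a fresh, unpredictable directory instead of the
    # guessable /tmp/<name>-<epoch> path used before.
    tempdir=$(mktemp -d "/tmp/${clone}-XXXXXX") || error "Failed to create backup directory for ${clone}"
    info "Backing up current ACM config repo (${clone}) to ${tempdir}/${clone}"
    mv -- "${clone}" "${tempdir}/" 2>/dev/null || warn "Could not move ${clone} aside; the clone below may fail."
  fi
  # gcloud's own stderr is hidden to keep tutorial output short; the error()
  # call below is the failure signal.
  if gcloud source repos clone "${upstream}" "${clone}" 2>/dev/null; then
    info "Cloned ACM config repo: ./${clone}"
  else
    error "Failed to clone ACM repo: ${clone}"
  fi
}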
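# Run the setup steps in order when this file is sourced, then collect the
# kubectl context names used by watchmtls.
precheck
init_kubeconfig
install_nomos
clone_config_repo
# mapfile keeps one context per element; the unquoted array assignment it
# replaces word-split the output and glob-expanded any '*' or '?' in a name.
mapfile -t names < <(kubectl config get-contexts -o name)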
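# Every second, print 'nomos status' followed by the TLS mode of the default
# DestinationRule in istio-system on the first two kubectl contexts.
# Globals:  names (read; filled at the top level from kubectl contexts)
# Outputs:  a continuously refreshing 'watch' display until interrupted
function watchmtls {
  # Guard before interpolating: with fewer than two contexts the watch
  # command would be assembled with an empty --context value.
  if (( ${#names[@]} < 2 )); then
    error "watchmtls needs two kubectl contexts, found ${#names[@]}."
    return 1
  fi
  local ctx1 ctx2
  # %q shell-quotes the names because they are spliced into the command
  # string that watch hands to a shell.
  ctx1=$(printf '%q' "${names[0]}")
  ctx2=$(printf '%q' "${names[1]}")
  watch -n 1 'status=$(nomos status) && printf "%s\n\n" "$status" && printf "cluster1: " && kubectl get destinationrule default -n istio-system --context '"${ctx1}"' -o yaml | grep "mode: " && printf "cluster2: " && kubectl get destinationrule default -n istio-system --context '"${ctx2}"' -o yaml | grep "mode: "'
}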
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default", "onlineboutique"]
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  annotations:
    meshsecurityinsights.googleapis.com/generated: "1561996419000000000"
  name: default
  namespace: istio-system
spec:
  host: '*.local'
  trafficPolicy:
    tls:
      mode: DISABLE
      # mode: ISTIO_MUTUAL
apiVersion: "authentication.istio.io/v1alpha1"
kind: "MeshPolicy"
metadata:
  name: "default"
spec:
  peers:
  - mtls:
      mode: PERMISSIVE # allow plaintext
  # - mtls: {}
apiVersion: v1
kind: Pod
metadata:
  name: nginx-privileged
  labels:
    app: nginx-privileged
spec:
  containers:
  - name: nginx
    image: nginx
    securityContext:
      privileged: true
subfuzion commented Apr 2, 2020

The link to the raw script above has been URL-shortened at https://git.io to: https://git.io/Jvp4O

You can curl the raw init script like this:

$ curl -L https://git.io/Jvp4O -o init-anthos-tutorial.env

After curling the script, you have to set an environment variable to the name of the deployment before you source in the script.

$ export DEPLOYMENT="my-deployment"
$ source ./anthos-sample-deployment.env
...
$ cd ./config-repo

I will move this to a Google Storage bucket once a canonical bucket location is identified.
