update by ank

4a0e28b9 · root · 3f0bc3a5 · 4a0e28b9 · 4a0e28b9 · 4a0e28b9
Commit 4a0e28b9 authored Mar 05, 2020 by root
Hide whitespace changes
Inline Side-by-side

Showing with 37 additions and 19 deletions

.gitlab-ci.yml .gitlab-ci.yml +6 -0

app-nako-scanner.tpl.yml app-nako-scanner.tpl.yml +30 -0

app.tpl.yml app.tpl.yml +1 -19

No files found.
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -55,9 +55,15 @@ build_prod:
 deploy_to_test:
  stage: deploy_to_test
  script:
+#    - sed 's|_IMAGE_NAME_|'"${CI_REGISTRY_IMAGE}/prod"'|g; s|_VERSION_|'"${CI_PIPELINE_ID}"'|g' app-dst-client.tpl.yml > app-dst-client.yml; cat app-dst-client.yml
+    - sed 's|_IMAGE_NAME_|'"${CI_REGISTRY_IMAGE}/prod"'|g; s|_VERSION_|'"${CI_PIPELINE_ID}"'|g' app-nako-scanner.tpl.yml > app-nako-scanner.yml; cat app-nako-scanner.yml
    - sed 's|_IMAGE_NAME_|'"${CI_REGISTRY_IMAGE}/test"'|g; s|_VERSION_|'"${CI_PIPELINE_ID}"'|g' app.tpl.yml > app.yml; cat app.yml
    - wget https://storage.googleapis.com/kubernetes-release/release/v1.13.3/bin/linux/amd64/kubectl && chmod +x ./kubectl
    - wget https://github.com/garethr/kubeval/releases/download/0.7.3/kubeval-linux-amd64.tar.gz && tar xvf kubeval-linux-amd64.tar.gz && ./kubeval app.yml
+#    - ./kubeval app-dst-client.yml
+    - ./kubeval app-nako-scanner.yml
+#    - ./kubectl apply -f app-dst-client.yml
+    - ./kubectl apply -f app-nako-scanner.yml
    - ./kubectl apply -f app.yml
  environment:
    name: ${CI_COMMIT_REF_NAME}

--- a/app-nako-scanner.tpl.yml
+++ b/app-nako-scanner.tpl.yml
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: node-scanner-deny-traffic-except-platform
+  namespace: test
+spec:
+  podSelector:
+    matchLabels:
+      app: node-scanner
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 10.233.0.0/17
+    ports:
+    - protocol: TCP
+      port: 56833
+      port: 5000
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 10.233.0.0/17
+    ports:
+    - protocol: TCP
+      port: 56833
+      port: 5000
 ---
 apiVersion: apps/v1
 kind: Deployment

--- a/app.tpl.yml
+++ b/app.tpl.yml
@@ -15,9 +15,6 @@ spec:
  - from:
    - ipBlock:
        cidr: 10.233.0.0/17
-  - from:
-    - ipBlock:
-        cidr: 151.101.112.249/32
    ports:
    - protocol: TCP
      port: 56833
@@ -25,9 +22,6 @@ spec:
  - to:
    - ipBlock:
        cidr: 10.233.0.0/17
-  - to:
-    - ipBlock:
-        cidr: 151.101.112.249/32
    ports:
    - protocol: TCP
      port: 56833
@@ -49,9 +43,6 @@ spec:
  - from:
    - ipBlock:
        cidr: 10.233.0.0/17
-  - from:
-    - ipBlock:
-        cidr: 151.101.112.249/32
    ports:
    - protocol: TCP
      port: 56833
@@ -59,9 +50,6 @@ spec:
  - to:
    - ipBlock:
        cidr: 10.233.0.0/17
-  - to:
-    - ipBlock:
-        cidr: 151.101.112.249/32
    ports:
    - protocol: TCP
      port: 56833
@@ -83,9 +71,6 @@ spec:
  - from:
    - ipBlock:
        cidr: 10.233.0.0/17
-  - from:
-    - ipBlock:
-        cidr: 151.101.112.249/32
    ports:
    - protocol: TCP
      port: 56833
@@ -93,9 +78,6 @@ spec:
  - to:
    - ipBlock:
        cidr: 10.233.0.0/17
-  - to:
-    - ipBlock:
-        cidr: 151.101.112.249/32
    ports:
    - protocol: TCP
      port: 56833
@@ -377,4 +359,4 @@ spec:
      volumes:
      - name: pv-node3
        persistentVolumeClaim:
          claimName: pv-node3-claim
\ No newline at end of file