(As Soon as Cluster is created)
kubectl apply -f https://gist.githubusercontent.com/cmwylie19/69b765af5ab25af62696f3337df13687/raw/72f53db7ddc06fc8891dc81136a7c190bc70f41b/WebApp.yaml npx pepr@latest init --name=cluster-controller --description="Control Apps and Global Cluster Security Posture" --errorBehavior="reject" --skip-post-initimport {
Capability,
a,
sdk
} from "pepr";
// Containers help to retrieve the containers from a pod
const { containers } = sdk;
export const Controller = new Capability({
name: "cluster-controller",
description: "Control Apps and Global Cluster Security Posture.",
});
const { When } = Controller;
// Validate Pods are not running with privileged security context
When(a.Pod)
.IsCreatedOrUpdated()
.Validate(po => {
const podContainers = containers(po);
for (const container of podContainers) {
if (container.securityContext?.privileged) {
return po.Deny("Pods cannot run with privileged security context");
}
}
return po.Approve();
});// Assign sane defaults for pods
When(a.Pod)
.IsCreatedOrUpdated()
.Mutate(po => {
const podContainers = containers(po);
for (const container of podContainers) {
if (
!container.resources ||
(!container.resources.requests && !container.resources.limits)
) {
container.resources = {
requests: {
cpu: "100m",
memory: "128Mi",
},
limits: {
cpu: "500m",
memory: "512Mi",
},
};
}
}
});Generate the type bindings for the WebApp CRD and create the CRD in the cluster
npx pepr@latest kfc crd https://gist.githubusercontent.com/cmwylie19/69b765af5ab25af62696f3337df13687/raw/72f53db7ddc06fc8891dc81136a7c190bc70f41b/WebApp.yaml capabilitiesAdd Logic to handle the WebApp CR
// Add this to the imports
import { WebApp } from "./webapp-v1alpha1";
import Deploy from "./deployer";
When(WebApp)
.IsCreatedOrUpdated()
.Reconcile(async webapp => {
await Deploy(webapp);
})npx pepr buildkubectl apply -f dist/pepr-module*.yamlkubectl apply -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: privileged
name: privileged
spec:
containers:
- image: nginx
name: privileged
resources: {}
securityContext:
privileged: true
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
EOFkubectl apply -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: no-resources
name: no-resources
spec:
containers:
- image: nginx
name: no-resources
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}
EOFLook at the resources:
k get po no-resources -ojsonpath='{.spec.containers[0].resources}' | jqAlso, check the monitor command somewhere here
(Note: Deployer.ts is already in capabilities)
kubectl create ns webapps;
kubectl apply -f -<<EOF
kind: WebApp
apiVersion: pepr.io/v1alpha1
metadata:
name: webapp-light-en
namespace: webapps
spec:
theme: light
language: en
replicas: 1
EOFLook at the WebApp
kubectl port-forward svc/webapp-light-en 8080:80 -n webappskubectl apply -f -<<EOF
kind: WebApp
apiVersion: pepr.io/v1alpha1
metadata:
name: webapp-light-en
namespace: webapps
spec:
theme: dark
language: en
replicas: 1
EOFkubectl delete webapp webapp-light-en -n webappslook at the pods in the webapps namespace
kubectl get all -n webapps