From 94b0df31122402c53b0aa335b03659f3adb1eaec Mon Sep 17 00:00:00 2001
From: yogeshbidari
Date: Tue, 8 Oct 2019 23:32:45 -0400
Subject: [PATCH] adding files for image hardening
---
arangodb.yaml | 99 ++++++++++++++++++++++
cassandra.yaml | 166 +++++++++++++++++++++++++++++++++++++
couchbase-master.yaml | 178 ++++++++++++++++++++++++++++++++++++++++
couchbase-worker-1.yaml | 178 ++++++++++++++++++++++++++++++++++++++++
couchbase-worker-2.yaml | 178 ++++++++++++++++++++++++++++++++++++++++
nifi-reg.yaml | 63 ++++++++++++++
nifi.yaml | 63 ++++++++++++++
7 files changed, 925 insertions(+)
create mode 100644 arangodb.yaml
create mode 100644 cassandra.yaml
create mode 100644 couchbase-master.yaml
create mode 100644 couchbase-worker-1.yaml
create mode 100644 couchbase-worker-2.yaml
create mode 100644 nifi-reg.yaml
create mode 100644 nifi.yaml
diff --git a/arangodb.yaml b/arangodb.yaml
new file mode 100644
index 0000000..17e0fff
--- /dev/null
+++ b/arangodb.yaml
@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: arango
+ namespace: dev
+ labels:
+ service: arango
+ env: dev
+spec:
+ clusterIP: None
+ ports:
+ - name: arango
+ port: 8529
+ targetPort: arango
+ publishNotReadyAddresses: true
+ selector:
+ service: arango
+ env: dev
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: arango-ui
+ namespace: dev
+ annotations:
+ cloud.google.com/load-balancer-type: "Internal"
+ labels:
+ service: arango
+ env: dev
+spec:
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: arango
+ nodePort: 30200
+ port: 9300
+ targetPort: arango
+ selector:
+ service: arango
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "10.131.0.16"
+ loadBalancerSourceRanges:
+ - 10.0.0.0/8
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: arango
+ namespace: dev
+ labels:
+ service: arango
+ env: dev
+spec:
+ serviceName: arango
+ replicas: 1
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ service: arango
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: arango
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 180
+ containers:
+ - name: arango
+ image: arangodb:3.3.8
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ ports:
+ - containerPort: 8529
+ name: arango
+ env:
+ - name: ARANGO_ROOT_PASSWORD
+ value: "admin@123"
+ - name: ARANGO_STORAGE_ENGINE
+ value: "rocksdb"
+ resources:
+ requests:
+ memory: "2G"
+ cpu: "300m"
+ limits:
+ memory: "3G"
+ cpu: "600m"
+ # volumeMounts:
+ # - name: arango-data
+ #mountPath: /var/lib/arangodb3
+ #volumeClaimTemplates:
+ #- metadata:
+ # name: arango-data
+ #spec:
+ #accessModes:
+ #- ReadWriteOnce
diff --git a/cassandra.yaml b/cassandra.yaml
new file mode 100644
index 0000000..66d99ad
--- /dev/null
+++ b/cassandra.yaml
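Review bot: `ARANGO_ROOT_PASSWORD` is given as a literal `value: "admin@123"` in the StatefulSet's env list, so the database root credential is committed to the repository and readable by anyone who can read the StatefulSet object; the same pattern is used for `CASSANDRA_PASSWORD` in cassandra.yaml. Source it from a Secret instead, e.g. `valueFrom: {secretKeyRef: {name: <arango-secret-placeholder>, key: root-password}}`, and rotate the value that is now in git history. Separately, `securityContext: {privileged: false}` is already the Kubernetes default and is the only hardening setting in all seven StatefulSets of this commit; for a change titled "image hardening" each container should at least set `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, with `readOnlyRootFilesystem: true` where the image tolerates it. Note also that `volumeClaimTemplates` is commented out, so ArangoDB writes into the container's writable layer and the data is lost on every pod restart.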
@@ -0,0 +1,166 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: cassandra
+ namespace: dev
+ labels:
+ service: cassandra
+ env: dev
+spec:
+ clusterIP: None
+ ports:
+ - name: intra
+ port: 7000
+ targetPort: intra
+ - name: tls
+ port: 7001
+ targetPort: tls
+ - name: jmx
+ port: 7199
+ targetPort: jmx
+ - name: cql
+ port: 9042
+ targetPort: cql
+ - name: thrift
+ port: 9160
+ targetPort: thrift
+ publishNotReadyAddresses: true
+ selector:
+ service: cassandra
+ env: dev
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: cassandra-ui
+ namespace: dev
+ annotations:
+ cloud.google.com/load-balancer-type: "Internal"
+ labels:
+ service: cassandra
+ env: dev
+spec:
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: cql
+ nodePort: 30412
+ port: 9042
+ targetPort: cql
+ - name: thrift
+ nodePort: 30413
+ port: 9160
+ targetPort: thrift
+ selector:
+ service: cassandra
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "10.131.0.8"
+ loadBalancerSourceRanges:
+ - 10.0.0.0/8
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: cassandra
+ namespace: dev
+ labels:
+ service: cassandra
+ env: dev
+spec:
+ serviceName: cassandra
+ replicas: 3
+ updateStrategy:
+ type: OnDelete
+ selector:
+ matchLabels:
+ service: cassandra
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: cassandra
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 120
+ containers:
+ - name: cassandra
+ image: bitnami/cassandra:3.11.3
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ ports:
+ - name: intra
+ containerPort: 7000
+ - name: tls
+ containerPort: 7001
+ - name: jmx
+ containerPort: 7199
+ - name: cql
+ containerPort: 9042
+ - name: thrift
+ containerPort: 9160
+ env:
+ - name: CASSANDRA_CLUSTER_NAME
+ value: cassandra
+ - name: CASSANDRA_SEEDS
+ value: cassandra-0.cassandra.dev.svc.cluster.local,cassandra-1.cassandra.dev.svc.cluster.local,cassandra-2.cassandra.dev.svc.cluster.local
+ - name: CASSANDRA_PASSWORD
+ value: admin@123
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: CASSANDRA_NUM_TOKENS
+ value: "256"
+ - name: CASSANDRA_DATACENTER
+ value: dc1
+ - name: CASSANDRA_ENDPOINT_SNITCH
+ value: SimpleSnitch
+ - name: CASSANDRA_RACK
+ value: rack1
+ - name: CASSANDRA_ENABLE_RPC
+ value: "true"
+ livenessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - nodetool status
+ failureThreshold: 5
+ initialDelaySeconds: 60
+ periodSeconds: 30
+ successThreshold: 1
+ timeoutSeconds: 5
+ readinessProbe:
+ exec:
+ command:
+ - /bin/sh
+ - -c
+ - nodetool status | grep -E "^UN\s+${POD_IP}"
+ failureThreshold: 5
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 5
+ resources:
+ requests:
+ memory: "2G"
+ cpu: "200m"
+ limits:
+ memory: "3G"
+ cpu: "400m"
+ command:
+ - bash
+ - -ec
+ - |
+ if [[ $HOSTNAME =~ (.*)-0$ ]]; then
+ export CASSANDRA_PASSWORD_SEEDER=yes
+ else
+ export CASSANDRA_IGNORE_INITDB_SCRIPTS=1
+ fi
+ /app-entrypoint.sh /run.sh
+ # volumeMounts:
+ #- name: cassandra-data
+ #mountPath: /bitnami/cassandra
diff --git a/couchbase-master.yaml b/couchbase-master.yaml
new file mode 100644
index 0000000..c4a1fd2
--- /dev/null
+++ b/couchbase-master.yaml
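Review bot: `CASSANDRA_ENABLE_RPC` is set to `"true"`, which turns on the legacy Thrift listener, and the `cassandra-ui` LoadBalancer then publishes it on port 9160 next to CQL on 9042; unless a client still needs Thrift, drop that env entry and the `thrift` port from the LoadBalancer so only CQL is reachable from 10.0.0.0/8. The liveness probe runs `nodetool status` every 30 s, which queries ring-wide gossip state rather than this pod's own health; `nodetool info` or a CQL connection test against `${POD_IP}` would be a cheaper and more local check. `updateStrategy.type: OnDelete` also means an image change never rolls out until each pod is deleted by hand, so if that is intended a comment above it such as `# OnDelete: pods must be deleted manually to pick up spec changes` would save the next reader a surprise. The `volumeMounts` stanza is commented out, so each replica's data lives in the container layer and is gone after a restart.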
@@ -0,0 +1,178 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: couchbase-master
+ namespace: dev
+ labels:
+ service: couchbase-master
+ env: dev
+spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8091
+ targetPort: http
+ - name: views
+ port: 8092
+ targetPort: views
+ - name: query
+ port: 8093
+ targetPort: query
+ - name: search
+ port: 8094
+ targetPort: search
+ - name: eventing
+ port: 8096
+ targetPort: eventing
+ - name: data-service
+ port: 11210
+ targetPort: data-service
+ - name: epmd
+ port: 4369
+ targetPort: epmd
+ - name: indexer
+ port: 9100
+ targetPort: indexer
+ - name: indexer1
+ port: 9101
+ targetPort: indexer1
+ - name: indexer2
+ port: 9102
+ targetPort: indexer2
+ - name: indexer3
+ port: 9103
+ targetPort: indexer3
+ - name: indexer4
+ port: 9104
+ targetPort: indexer4
+ - name: indexer5
+ port: 9105
+ targetPort: indexer5
+ - name: xdcr
+ port: 9998
+ targetPort: xdcr
+ - name: node-data
+ port: 21101
+ targetPort: node-data
+ - name: indexer6
+ port: 9999
+ targetPort: indexer6
+ publishNotReadyAddresses: true
+ selector:
+ service: couchbase-master
+ env: dev
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: couchbase-master-ui
+ namespace: dev
+ annotations:
+ service.beta.kubernetes.io/load-balancer-source-ranges: "10.0.0.0/8, 155.201.0.0/16, 167.14.0.0/16"
+ labels:
+ service: couchbase-master
+ env: dev
+spec:
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: http
+ nodePort: 30560
+ port: 8091
+ targetPort: http
+ - name: views
+ nodePort: 30561
+ port: 8092
+ targetPort: views
+ - name: query
+ nodePort: 30562
+ port: 8093
+ targetPort: query
+ - name: search
+ nodePort: 30563
+ port: 8094
+ targetPort: search
+ - name: data-service
+ nodePort: 30565
+ port: 11210
+ targetPort: data-service
+ selector:
+ service: couchbase-master
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "35.231.29.33"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: couchbase-master
+ namespace: dev
+ labels:
+ service: couchbase-master
+spec:
+ serviceName: couchbase-master
+ replicas: 1
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ service: couchbase-master
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: couchbase-master
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 120
+ containers:
+ - name: couchbase-master
+ image: couchbase:6.0.0
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ env:
+ - name: TYPE
+ value: MASTER
+ - name: COUCHBASE_MASTER
+ value: couchbase-master
+ ports:
+ - name: http
+ containerPort: 8091
+ - name: views
+ containerPort: 8092
+ - name: query
+ containerPort: 8093
+ - name: search
+ containerPort: 8094
+ - name: eventing
+ containerPort: 8096
+ - name: data-service
+ containerPort: 11210
+ - name: epmd
+ containerPort: 4369
+ - name: indexer
+ containerPort: 9100
+ - name: indexer1
+ containerPort: 9101
+ - name: indexer2
+ containerPort: 9102
+ - name: indexer3
+ containerPort: 9103
+ - name: indexer4
+ containerPort: 9104
+ - name: indexer5
+ containerPort: 9105
+ - name: xdcr
+ containerPort: 9998
+ - name: node-data
+ containerPort: 21101
+ - name: indexer6
+ containerPort: 9999
+ resources:
+ requests:
+ memory: "1G"
+ cpu: "500m"
+ limits:
+ memory: "2G"
+ cpu: "1"
diff --git a/couchbase-worker-1.yaml b/couchbase-worker-1.yaml
new file mode 100644
index 0000000..2874561
--- /dev/null
+++ b/couchbase-worker-1.yaml
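Review bot: The `couchbase-master-ui` Service is an externally reachable LoadBalancer: `loadBalancerIP: "35.231.29.33"` looks like a public address and, unlike the arango, cassandra and nifi services in this commit, it has no `cloud.google.com/load-balancer-type: "Internal"` annotation, so the Couchbase admin UI (8091), query (8093) and data-service (11210) ports are reachable from outside the VPC subject only to the source-range annotation, which itself admits two public /16 ranges. If internal access is sufficient, add the Internal annotation and move the ranges to the `spec.loadBalancerSourceRanges` field, which is the supported API; `service.beta.kubernetes.io/load-balancer-source-ranges` is the legacy annotation form. The same applies to the `-ui` services in couchbase-worker-1.yaml and couchbase-worker-2.yaml. Also, `TYPE` and `COUCHBASE_MASTER` look like inputs to a custom cluster-join entrypoint; as far as I know the stock `couchbase:6.0.0` image does not read them, so the workers may never join this node — confirm which image these manifests were written for and note it in a comment above `image:`.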
@@ -0,0 +1,178 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: couchbase-worker1
+ namespace: dev
+ labels:
+ service: couchbase-worker1
+ env: dev
+spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8091
+ targetPort: http
+ - name: views
+ port: 8092
+ targetPort: views
+ - name: query
+ port: 8093
+ targetPort: query
+ - name: search
+ port: 8094
+ targetPort: search
+ - name: eventing
+ port: 8096
+ targetPort: eventing
+ - name: data-service
+ port: 11210
+ targetPort: data-service
+ - name: epmd
+ port: 4369
+ targetPort: epmd
+ - name: indexer
+ port: 9100
+ targetPort: indexer
+ - name: indexer1
+ port: 9101
+ targetPort: indexer1
+ - name: indexer2
+ port: 9102
+ targetPort: indexer2
+ - name: indexer3
+ port: 9103
+ targetPort: indexer3
+ - name: indexer4
+ port: 9104
+ targetPort: indexer4
+ - name: indexer5
+ port: 9105
+ targetPort: indexer5
+ - name: xdcr
+ port: 9998
+ targetPort: xdcr
+ - name: node-data
+ port: 21101
+ targetPort: node-data
+ - name: indexer6
+ port: 9999
+ targetPort: indexer6
+ publishNotReadyAddresses: true
+ selector:
+ service: couchbase-worker1
+ env: dev
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: couchbase-worker1-ui
+ namespace: dev
+ annotations:
+ service.beta.kubernetes.io/load-balancer-source-ranges: "10.0.0.0/8, 155.201.0.0/16, 167.14.0.0/16"
+ labels:
+ service: couchbase-worker1
+ env: dev
+spec:
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: http
+ nodePort: 30660
+ port: 8091
+ targetPort: http
+ - name: views
+ nodePort: 30661
+ port: 8092
+ targetPort: views
+ - name: query
+ nodePort: 30662
+ port: 8093
+ targetPort: query
+ - name: search
+ nodePort: 30663
+ port: 8094
+ targetPort: search
+ - name: data-service
+ nodePort: 30665
+ port: 11210
+ targetPort: data-service
+ selector:
+ service: couchbase-worker1
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "35.237.11.224"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: couchbase-worker1
+ namespace: dev
+ labels:
+ service: couchbase-worker1
+spec:
+ serviceName: couchbase-worker1
+ replicas: 1
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ service: couchbase-worker1
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: couchbase-worker1
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 120
+ containers:
+ - name: couchbase-worker1
+ image: couchbase:6.0.0
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ ports:
+ - name: http
+ containerPort: 8091
+ - name: views
+ containerPort: 8092
+ - name: query
+ containerPort: 8093
+ - name: search
+ containerPort: 8094
+ - name: eventing
+ containerPort: 8096
+ - name: data-service
+ containerPort: 11210
+ - name: epmd
+ containerPort: 4369
+ - name: indexer
+ containerPort: 9100
+ - name: indexer1
+ containerPort: 9101
+ - name: indexer2
+ containerPort: 9102
+ - name: indexer3
+ containerPort: 9103
+ - name: indexer4
+ containerPort: 9104
+ - name: indexer5
+ containerPort: 9105
+ - name: xdcr
+ containerPort: 9998
+ - name: node-data
+ containerPort: 21101
+ - name: indexer6
+ containerPort: 9999
+ env:
+ - name: TYPE
+ value: WORKER
+ - name: COUCHBASE_MASTER
+ value: couchbase-master
+ resources:
+ requests:
+ memory: "500m"
+ cpu: "500m"
+ limits:
+ memory: "1G"
+ cpu: "1"
diff --git a/couchbase-worker-2.yaml b/couchbase-worker-2.yaml
new file mode 100644
index 0000000..81a8d7a
--- /dev/null
+++ b/couchbase-worker-2.yaml
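Review bot: `requests.memory: "500m"` in the worker container asks for 500 millibytes — Kubernetes accepts the `m` suffix on memory quantities but it means one-thousandth of a byte, so this pod is scheduled with effectively no memory reservation while its limit is 1G, and a node can be overcommitted without the scheduler noticing. The intended value is almost certainly `memory: "500Mi"` (or `"500M"`); the same typo appears in couchbase-worker-2.yaml, nifi-reg.yaml and nifi.yaml. The public `loadBalancerIP` and legacy source-range annotation on `couchbase-worker1-ui` have the same exposure as the master's `-ui` service.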
@@ -0,0 +1,178 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: couchbase-worker2
+ namespace: dev
+ labels:
+ service: couchbase-worker2
+ env: dev
+spec:
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8091
+ targetPort: http
+ - name: views
+ port: 8092
+ targetPort: views
+ - name: query
+ port: 8093
+ targetPort: query
+ - name: search
+ port: 8094
+ targetPort: search
+ - name: eventing
+ port: 8096
+ targetPort: eventing
+ - name: data-service
+ port: 11210
+ targetPort: data-service
+ - name: epmd
+ port: 4369
+ targetPort: epmd
+ - name: indexer
+ port: 9100
+ targetPort: indexer
+ - name: indexer1
+ port: 9101
+ targetPort: indexer1
+ - name: indexer2
+ port: 9102
+ targetPort: indexer2
+ - name: indexer3
+ port: 9103
+ targetPort: indexer3
+ - name: indexer4
+ port: 9104
+ targetPort: indexer4
+ - name: indexer5
+ port: 9105
+ targetPort: indexer5
+ - name: xdcr
+ port: 9998
+ targetPort: xdcr
+ - name: node-data
+ port: 21101
+ targetPort: node-data
+ - name: indexer6
+ port: 9999
+ targetPort: indexer6
+ publishNotReadyAddresses: true
+ selector:
+ service: couchbase-worker2
+ env: dev
+ type: ClusterIP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: couchbase-worker2-ui
+ namespace: dev
+ annotations:
+ service.beta.kubernetes.io/load-balancer-source-ranges: "10.0.0.0/8, 155.201.0.0/16, 167.14.0.0/16"
+ labels:
+ service: couchbase-worker2
+ env: dev
+spec:
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: http
+ nodePort: 30760
+ port: 8091
+ targetPort: http
+ - name: views
+ nodePort: 30761
+ port: 8092
+ targetPort: views
+ - name: query
+ nodePort: 30762
+ port: 8093
+ targetPort: query
+ - name: search
+ nodePort: 30763
+ port: 8094
+ targetPort: search
+ - name: data-service
+ nodePort: 30765
+ port: 11210
+ targetPort: data-service
+ selector:
+ service: couchbase-worker2
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "35.196.201.120"
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: couchbase-worker2
+ namespace: dev
+ labels:
+ service: couchbase-worker2
+spec:
+ serviceName: couchbase-worker2
+ replicas: 1
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ service: couchbase-worker2
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: couchbase-worker2
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 120
+ containers:
+ - name: couchbase-worker2
+ image: couchbase:6.0.0
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ ports:
+ - name: http
+ containerPort: 8091
+ - name: views
+ containerPort: 8092
+ - name: query
+ containerPort: 8093
+ - name: search
+ containerPort: 8094
+ - name: eventing
+ containerPort: 8096
+ - name: data-service
+ containerPort: 11210
+ - name: epmd
+ containerPort: 4369
+ - name: indexer
+ containerPort: 9100
+ - name: indexer1
+ containerPort: 9101
+ - name: indexer2
+ containerPort: 9102
+ - name: indexer3
+ containerPort: 9103
+ - name: indexer4
+ containerPort: 9104
+ - name: indexer5
+ containerPort: 9105
+ - name: xdcr
+ containerPort: 9998
+ - name: node-data
+ containerPort: 21101
+ - name: indexer6
+ containerPort: 9999
+ env:
+ - name: TYPE
+ value: WORKER
+ - name: COUCHBASE_MASTER
+ value: couchbase-master
+ resources:
+ requests:
+ memory: "500m"
+ cpu: "200m"
+ limits:
+ memory: "1G"
+ cpu: "1"
diff --git a/nifi-reg.yaml b/nifi-reg.yaml
new file mode 100644
index 0000000..b4c53b3
--- /dev/null
+++ b/nifi-reg.yaml
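Review bot: couchbase-worker-2.yaml is a copy of couchbase-worker-1.yaml with the name substituted, and the two have already drifted: worker-1 requests `cpu: "500m"` while this file requests `cpu: "200m"`, with nothing saying whether that is deliberate. Unless the per-worker LoadBalancer IPs are a hard requirement, a single worker StatefulSet with `replicas: 2` (the pods would be named with ordinals automatically) or a Kustomize/Helm overlay would remove the duplicated 178 lines and the drift with them; if separate objects are required, a comment at the top of each file naming the file it must stay in sync with would help reviewers. The `memory: "500m"` request here has the same millibyte unit problem noted on couchbase-worker-1.yaml.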
@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nifi-registry
+ namespace: dev
+ annotations:
+ cloud.google.com/load-balancer-type: "Internal"
+ labels:
+ service: nifi-registry
+ env: dev
+spec:
+ ports:
+ - name: nifi-registry
+ port: 18080
+ targetPort: 18080
+ selector:
+ service: nifi-registry
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "10.131.0.23"
+ loadBalancerSourceRanges:
+ - 10.0.0.0/8
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: nifi-registry
+ namespace: dev
+ labels:
+ service: nifi-registry
+ env: dev
+spec:
+ serviceName: nifi-registry
+ replicas: 1
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ service: nifi-registry
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: nifi-registry
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 40
+ containers:
+ - name: nifi-registry
+ image: apache/nifi-registry:0.4.0
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ ports:
+ - name: nifi-registry
+ containerPort: 18080
+ resources:
+ requests:
+ memory: "500m"
+ cpu: "100m"
+ limits:
+ memory: "1G"
+ cpu: "200m"
diff --git a/nifi.yaml b/nifi.yaml
new file mode 100644
index 0000000..5dffb47
--- /dev/null
+++ b/nifi.yaml
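Review bot: The Service forwards to a numeric `targetPort: 18080` while the container declares the named port `nifi-registry`; the other files in this commit use the port name (`targetPort: arango`, `targetPort: cql`), so `targetPort: nifi-registry` would keep Service and container in sync if the port ever moves. The container has no liveness or readiness probe, so the LoadBalancer routes to the pod as soon as the container is running, before the registry has started, and keeps routing to it if the JVM hangs; an `httpGet` readiness probe on the named port would cover both cases. The `memory: "500m"` request has the millibyte unit problem noted on couchbase-worker-1.yaml.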
@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nifi
+ namespace: dev
+ annotations:
+ cloud.google.com/load-balancer-type: "Internal"
+ labels:
+ service: nifi
+ env: dev
+spec:
+ ports:
+ - name: nifi
+ port: 8079
+ targetPort: 8080
+ selector:
+ service: nifi
+ env: dev
+ type: LoadBalancer
+ loadBalancerIP: "10.131.0.22"
+ loadBalancerSourceRanges:
+ - 10.0.0.0/8
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: nifi
+ namespace: dev
+ labels:
+ service: nifi
+ env: dev
+spec:
+ serviceName: nifi
+ replicas: 1
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ service: nifi
+ env: dev
+ template:
+ metadata:
+ labels:
+ service: nifi
+ env: dev
+ spec:
+ terminationGracePeriodSeconds: 40
+ containers:
+ - name: nifi
+ image: apache/nifi:1.9.2
+ imagePullPolicy: Always
+ securityContext:
+ privileged: false
+ ports:
+ - name: nifi
+ containerPort: 8080
+ resources:
+ requests:
+ memory: "500m"
+ cpu: "200m"
+ limits:
+ memory: "1G"
+ cpu: "300m"
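Review bot: NiFi 1.9.2 is exposed on its plain-HTTP listener (container port 8080, published as 8079 through the internal LoadBalancer), and NiFi of that generation only enforces user authentication on its HTTPS listener, so as written anyone in 10.0.0.0/8 can open the canvas and edit or run flows, which includes processors that execute scripts inside the container. For a hardening change this should either configure HTTPS plus an authenticator in the image or its config, or at minimum narrow `loadBalancerSourceRanges` to the operator subnets until that is done. The `port: 8079` / `targetPort: 8080` mismatch is probably deliberate but deserves a comment such as `# 8079 on the LB; NiFi listens on 8080 in-container`. The `memory: "500m"` request has the millibyte unit problem noted on couchbase-worker-1.yaml.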