---
# Namespace that hosts the app1 demo workload.
apiVersion: v1
kind: Namespace
metadata:
  name: app1
  labels:
    # Quoted on purpose: label values must be strings, never booleans.
    allow-attachment-to-infra-gw: "true"
---
# app1-v1: the HTTP server plus an aws-sigv4-proxy sidecar. An init
# container installs nat rules so outbound TCP to 169.254.171.0/24 is
# transparently redirected into the sidecar listening on port 8080.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-v1
  namespace: app1
  labels:
    app: app1-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1-v1
  template:
    metadata:
      labels:
        app: app1-v1
    spec:
      # Runs under the namespace's default ServiceAccount.
      serviceAccountName: default
      initContainers:
        # The iptables rules are installed once, from this init container.
        # NOTE(review): the image carries no tag, so it resolves to :latest;
        # pin an immutable tag or digest (image@sha256:<DIGEST-PLACEHOLDER>)
        # so the step that edits netfilter rules cannot change underneath
        # the deployment.
        - name: iptables-init
          image: public.ecr.aws/d2c6w7a3/iptables
          securityContext:
            capabilities:
              add:
                # NET_ADMIN is needed for the nat-table edits in the command
                # below; it is granted to this init container only.
                - NET_ADMIN
          # "--uid-owner 101" exempts the proxy's own traffic from the
          # redirect (it must stay in sync with runAsUser: 101 on the
          # sigv4proxy container), otherwise the proxy would be redirected
          # into itself in an infinite loop.
          command:
            - /bin/sh
            - -c
            - >
              iptables -t nat -N EGRESS_PROXY;
              iptables -t nat -A OUTPUT -p tcp -d 169.254.171.0/24 -j EGRESS_PROXY;
              iptables -t nat -A EGRESS_PROXY -m owner --uid-owner 101 -j RETURN;
              iptables -t nat -A EGRESS_PROXY -p tcp -j REDIRECT --to-ports 8080;
      containers:
        - name: app1-v1
          image: public.ecr.aws/seb-demo/http-server:v1.8
          env:
            - name: PodName
              value: "Hello from app1-v1"
            - name: CA_ARN
              value: "arn:aws:acm-pca:eu-west-1:382076407153:certificate-authority/c2197927-6a82-4354-b8e9-c7e843f0a411"
          volumeMounts:
            - name: root-cert
              mountPath: /cert/
              readOnly: true
        - name: sigv4proxy
          # NOTE(review): ":1" is a floating major tag; prefer an immutable
          # tag or digest for the component that holds the TLS private key.
          image: public.ecr.aws/seb-demo/aws-sigv4-proxy:1
          # Block style rather than a flow list so individual flags diff cleanly.
          args:
            - "--unsigned-payload"
            - "--log-failed-requests"
            - "-v"
            - "--log-signing-process"
            - "--name"
            - "vpc-lattice-svcs"
            - "--region"
            - "eu-west-1"
            - "--enable-tls"
            - "--tls-cert-file"
            - "/cert/server.crt"
            - "--tls-key-file"
            - "/cert/decrypted-server.key"
            - "--upstream-url-scheme"
            - "http"
          ports:
            # Matches the REDIRECT --to-ports 8080 target in the init container.
            - containerPort: 8080
              name: proxy
              protocol: TCP
          securityContext:
            # Keep in sync with the --uid-owner 101 exemption above.
            runAsUser: 101
          volumeMounts:
            - name: root-cert
              mountPath: /cert/
              readOnly: true
      volumes:
        - name: root-cert
          # NOTE(review): this ConfigMap is mounted by sigv4proxy as the
          # source of /cert/decrypted-server.key (--tls-key-file). A private
          # key is secret material and should be served from a Secret
          # (secret.secretName) instead of a ConfigMap; confirm what
          # app-root-cert holds before migrating it.
          configMap:
            name: app-root-cert
---
# Cluster-internal entry point for app1-v1 (port 80 -> 8090 in the pod).
apiVersion: v1
kind: Service
metadata:
  name: app1-v1
  namespace: app1
spec:
  selector:
    app: app1-v1
  ports:
    - protocol: TCP
      port: 80
      # NOTE(review): 8090 is not declared as a containerPort on app1-v1
      # (only the proxy's 8080 is); presumably the http-server's listen
      # port — confirm against the image.
      targetPort: 8090