vfarcic · March 27, 2021 00:23 · Mar 27, 2021
diff --git a/68-opa-gatekeeper.sh b/68-opa-gatekeeper.sh
@@ -0,0 +1,121 @@
+##########################################
+# Gatekeeper                             #
+# Open Policy Agent (OPA) For Kubernetes #
+# https://youtu.be/14lGc7xMAe4           #
+##########################################
+
+# Referenced videos:
+# - How to run local multi-node Kubernetes clusters using kind: https://youtu.be/C0v5gJSWuSo
+# - Kustomize - How to Simplify Kubernetes Configuration Management: https://youtu.be/Twtbg6LFnAg
+
+#########
+# Setup #
+#########
+
+git clone https://github.com/vfarcic/opa-gatekeeper-demo.git
+
+cd opa-gatekeeper-demo
+
+export KUBECONFIG=$PWD/kubeconfig.yaml
+
+# Feel free to use any other Kubernetes cluster
+# You might want to watch https://youtu.be/C0v5gJSWuSo if you are not familiar with kind
+kind create cluster
+
+kubectl apply \
+    --filename https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.3/deploy/gatekeeper.yaml
+
+# You might want to watch https://youtu.be/Twtbg6LFnAg if you are not familiar with Kustomize
+kustomize build \
+    github.com/open-policy-agent/gatekeeper-library/library \
+    | kubectl apply --filename -
+
+kubectl apply --filename opa
+
+# Repeat the previous command if the output states that it has `no matches for kind`.
+
+cp app/orig.yaml app/app.yaml
+
+kubectl create namespace production
+
+#####################
+# Disallow NodePort #
+#####################
+
+cat app/app.yaml
+
+kubectl apply --filename app/app.yaml
+
+cat opa/block-node-port.yaml
+
+echo https://github.com/open-policy-agent/gatekeeper-library
+
+# Open it
+
+# Open `app/app.yaml` and change Service `spec.type` to `ClusterIP`
+
+kubectl apply --filename app/app.yaml
+
+###########################
+# Require resource limits #
+###########################
+
+kubectl get pods
+
+kubectl get deployments
+
+kubectl describe deployment \
+    devops-toolkit
+
+kubectl get replicasets
+
+# Replace `[...]` with the ReplicaSet name
+kubectl describe replicaset
+
+# Open `app/app.yaml` and add `spec.template.spec.containers[].resources` with limits set to `10000m` CPU and `10Gi` memory.
+
+kubectl apply --filename app/app.yaml
+
+kubectl get replicasets
+
+# Replace `[...]` with the ReplicaSet name
+kubectl describe replicaset [...]
+
+cat opa/container-must-have-limits.yaml
+
+# Open `app/app.yaml` and change `spec.template.spec.containers[].resources.limits` to `500m` CPU and `512Mi` memory.
+
+kubectl apply --filename app/app.yaml
+
+kubectl get pods
+
+#######################
+# Disallow latest tag #
+#######################
+
+kubectl --namespace production apply \
+    --filename app/app.yaml
+
+kubectl --namespace production get pods
+
+kubectl --namespace production \
+    get replicasets
+
+# Replace `[...]` with the ReplicaSet name
+kubectl --namespace production \
+    describe replicaset
+
+cat opa/image-not-latest.yaml
+
+# Open `app/app.yaml` and change `spec.template.spec.containers[].image` to `vfarcic/devops-toolkit-series:2.7.0`
+
+kubectl --namespace production apply \
+    --filename app/app.yaml
+
+kubectl --namespace production get pods
+
+###########
+# Destroy #
+###########
+
+kind delete cluster