Skip to content

zero: add kustomize #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

zero: add kustomize #4

wants to merge 3 commits into from

Conversation

@wasaga
Copy link
Contributor

@wasaga wasaga commented Oct 25, 2024

Summary

Adds Kustomization manifests that may be used to install Pomerium Zero directly via kubectl like:

kubectl apply -k github.com/pomerium/install/zero/kustomize

Related issues

Checklist

  • reference any related issues
  • add appropriate tag (improvement / bug / etc)
  • ready for review

@wasaga wasaga requested a review from a team as a code owner October 25, 2024 22:37
@wasaga wasaga requested a review from kralicky October 25, 2024 22:37
desimone
desimone reviewed Oct 25, 2024
View reviewed changes
zero/kustomize/deployment/volumes.yaml
- name: pomerium
env:
- name: TMPDIR
value: "/tmp/pomerium"
Copy link
Contributor

@desimone desimone Oct 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a comment explaining the purpose of each tmp folder? Having multiple makes the structure unclear.

Copy link
Contributor Author

@wasaga wasaga Oct 31, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

various parts of stdlib and other libraries we use make use of TMPDIR and XDG_CACHE

zero/kustomize/deployment/no-root.yaml
runAsGroup: 1000
runAsUser: 1000
sysctls:
- name: net.ipv4.ip_unprivileged_port_start
Copy link
Contributor

@desimone desimone Oct 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to include port 443 here as well? Consider adding a comment explaining why certain ports are prioritized.

zero/kustomize/deployment/resources.yaml
spec:
containers:
- name: pomerium
resources:
Copy link
Contributor

@desimone desimone Oct 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you provide additional context on these resources? A comment explaining their purpose and how they’re used here and why they are the defaults would be helpful.

zero/kustomize/deployment/readonly-root-fs.yaml
containers:
- name: pomerium
securityContext:
readOnlyRootFilesystem: true
Copy link
Contributor

@desimone desimone Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a comment explaining why this is important for security

zero/kustomize/deployment/ports.yaml
containerPort: 80
protocol: TCP
- name: metrics
containerPort: 9090
Copy link
Contributor

@desimone desimone Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

consider explaining what each port is for (especially 80 and 9090 being for redirect and metrics)

zero/kustomize/deployment/base.yaml
automountServiceAccountToken: true
serviceAccountName: pomerium-zero
containers:
- name: pomerium
Copy link
Contributor

@desimone desimone Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- name: pomerium
- name: pomerium
readinessProbe:
httpGet:
path: /healthz
port: 80
initialDelaySeconds: 10
periodSeconds: 5
livenessProbe:
httpGet:
path: /healthz
port: 80
initialDelaySeconds: 15
periodSeconds: 10

Not sure this maps to true readyness /live however....

wasaga and others added 2 commits October 31, 2024 10:53
@wasaga @desimone
imagePullPolicy
8e71afd 
Co-authored-by: bobby <[email protected]>
@wasaga @desimone
emptyDir limit
8a524b9 
Co-authored-by: bobby <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@desimone desimone desimone left review comments

@kralicky kralicky Awaiting requested review from kralicky kralicky is a code owner automatically assigned from pomerium/dev-backend

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@wasaga @desimone