feat(tor): Add initial tor deployment

apps/k8s01/tor/deployment.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: tor
+  name: tor
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: tor
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: tor
+    spec:
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: tor
+          matchLabelKeys:
+            - pod-template-hash
+      containers:
+      - image: thetorproject/obfs4-bridge:latest
+        name: torproxy
+        command:
+          - tor
+        args:
+          - --SOCKSPort
+          - 0.0.0.0:9050
+        ports:
+          - name: socks
+            containerPort: 9050
+            protocol: tcp
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: "1"
+            memory: 512Mi
+        securityContext:
+          runAsUser: 994
+          runAsGroup: 994
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+

apps/k8s01/tor/egress-policy.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: tor
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-kubedns
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: tor
\ No newline at end of file

apps/k8s01/tor/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tor
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - service.yaml
+  - networkpolicy.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/allow-to-kubedns.yaml
+  - ../../../shared/networkpolicies/allow-to-public-web.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/resourcequotas/default.yaml
+patchesStrategicMerge:
+  - egress-policy.yaml
\ No newline at end of file

apps/k8s01/tor/namespace.yaml

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: syncthing
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: v1.26
+    pod-security.kubernetes.io/enforce-version: v1.23
+    pod-security.kubernetes.io/warn-version: v1.26

apps/k8s01/tor/networkpolicy.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-tor-enabled
+  namespace: tor
+  labels:
+    app.kubernetes.io/name: tor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: tor
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          tor.shivering-isles.com/egress-enabled: "true"
+      podSelector:
+        matchLabels:
+          tor.shivering-isles.com/egress-enabled: "true"
+  ports:
+    - port: 9050
+      protocol: TCP
+  policyTypes:
+  - Ingress
\ No newline at end of file

apps/k8s01/tor/service.yaml

+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: tor
+  name: tor
+  namespace: tor
+spec:
+  ports:
+  - name: socks
+    port: 9050
+    protocol: TCP
+    targetPort: socks
+  selector:
+    app.kubernetes.io/name: tor
+  type: ClusterIP
\ No newline at end of file