From 045fbc3c06887bcb94b3685d86009b5a4689faf4 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 26 Jul 2023 01:16:49 +0200
Subject: [PATCH] feat(tor): Add initial tor deployment
---
apps/k8s01/tor/deployment.yaml | 51 +++++++++++++++++++++++++++++++
apps/k8s01/tor/egress-policy.yaml | 18 +++++++++++
apps/k8s01/tor/kustomization.yaml | 15 +++++++++
apps/k8s01/tor/namespace.yaml | 11 +++++++
apps/k8s01/tor/networkpolicy.yaml | 25 +++++++++++++++
apps/k8s01/tor/service.yaml | 17 +++++++++++
6 files changed, 137 insertions(+)
create mode 100644 apps/k8s01/tor/deployment.yaml
create mode 100644 apps/k8s01/tor/egress-policy.yaml
create mode 100644 apps/k8s01/tor/kustomization.yaml
create mode 100644 apps/k8s01/tor/namespace.yaml
create mode 100644 apps/k8s01/tor/networkpolicy.yaml
create mode 100644 apps/k8s01/tor/service.yaml
diff --git a/apps/k8s01/tor/deployment.yaml b/apps/k8s01/tor/deployment.yaml
new file mode 100644
index 000000000..361bf3f03
--- /dev/null
+++ b/apps/k8s01/tor/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app.kubernetes.io/name: tor
+ name: tor
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: tor
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: tor
+ spec:
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: tor
+ matchLabelKeys:
+ - pod-template-hash
+ containers:
+ - image: thetorproject/obfs4-bridge:latest
+ name: torproxy
+ command:
+ - tor
+ args:
+ - --SOCKSPort
+ - 0.0.0.0:9050
+ ports:
+ - name: socks
+ containerPort: 9050
+ protocol: tcp
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: "1"
+ memory: 512Mi
+ securityContext:
+ runAsUser: 994
+ runAsGroup: 994
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+
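Review bot: `protocol: tcp` on the `socks` containerPort will be rejected by API validation, because the field accepts only the upper-case values `TCP`, `UDP` and `SCTP`; the Deployment cannot be applied until it reads `protocol: TCP`, as service.yaml already does. The image is pulled by the mutable `latest` tag, so the Tor build running in the cluster is whatever the registry serves at pull time and a rollback cannot reproduce a known-good version; pin a release tag or an `@sha256:` digest. The namespace labels in this commit warn and audit on the `restricted` Pod Security profile, which this container does not meet yet: it drops no capabilities and declares no seccomp profile, so I would extend the container's `securityContext` as below (if that block sits at pod level, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` are not valid there and must move under the container). With a read-only root filesystem and no volumes, Tor presumably has nowhere to write its DataDirectory and will fail to bootstrap — confirm against the image's torrc and mount an `emptyDir` there if so.
```yaml
        securityContext:
          # … unchanged: runAsUser, runAsGroup, readOnlyRootFilesystem, runAsNonRoot, allowPrivilegeEscalation …
          capabilities:
            drop:
              - ALL
          seccompProfile:
            type: RuntimeDefault
```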
diff --git a/apps/k8s01/tor/egress-policy.yaml b/apps/k8s01/tor/egress-policy.yaml
new file mode 100644
index 000000000..e144d9b97
--- /dev/null
+++ b/apps/k8s01/tor/egress-policy.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-public-web
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tor
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-to-kubedns
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tor
\ No newline at end of file
diff --git a/apps/k8s01/tor/kustomization.yaml b/apps/k8s01/tor/kustomization.yaml
new file mode 100644
index 000000000..c1b1b075e
--- /dev/null
+++ b/apps/k8s01/tor/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tor
+resources:
+ - namespace.yaml
+ - deployment.yaml
+ - service.yaml
+ - networkpolicy.yaml
+ - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+ - ../../../shared/networkpolicies/allow-to-kubedns.yaml
+ - ../../../shared/networkpolicies/allow-to-public-web.yaml
+ - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+ - ../../../shared/resourcequotas/default.yaml
+patchesStrategicMerge:
+ - egress-policy.yaml
\ No newline at end of file
diff --git a/apps/k8s01/tor/namespace.yaml b/apps/k8s01/tor/namespace.yaml
new file mode 100644
index 000000000..ab20cae9e
--- /dev/null
+++ b/apps/k8s01/tor/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: syncthing
+ labels:
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/audit-version: v1.26
+ pod-security.kubernetes.io/enforce-version: v1.23
+ pod-security.kubernetes.io/warn-version: v1.26
diff --git a/apps/k8s01/tor/networkpolicy.yaml b/apps/k8s01/tor/networkpolicy.yaml
new file mode 100644
index 000000000..75dc56694
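Review bot: The two documents patch only `podSelector.matchLabels` of the shared `allow-to-public-web` and `allow-to-kubedns` policies, and a strategic merge adds the `app.kubernetes.io/name: tor` key to whatever `matchLabels` those policies already carry rather than replacing them; that gives the intended result only if the shared selector is empty, otherwise the merged selector matches nothing and the tor pods lose DNS and Internet egress under the default-deny policy. The shared files are outside this diff, so please confirm. Even with an empty base selector, an `allow-to-public-web` policy that opens only 80/443 would drop Tor's connections to guard relays listening on other ORPorts (9001 is common), so the port list of that shared policy is worth checking against what Tor needs. A one-line comment above each document, e.g. `# Narrows the shared allow-to-public-web policy to the tor pods only`, would make the patch intent clear to the next reader.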
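Review bot: `patchesStrategicMerge` has been deprecated in favour of the `patches` field since kustomize 5.0, and newer kubectl/kustomize builds print a deprecation warning on every build of this directory; `patches:` / `  - path: egress-policy.yaml` is the replacement (if a multi-document patch file is not accepted there, split egress-policy.yaml into one file per policy). The file also ends without a trailing newline, which will show up as churn in the next edit. The resource list pulls in the shared deny-by-default ingress and egress policies before the allow-rules, which is the right baseline for a proxy that reaches the public Internet on behalf of other namespaces.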
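Review bot: `metadata.name: syncthing` looks copied from another app; the kustomization's `namespace: tor` and the other manifests in this commit expect a namespace named `tor`. kustomize's namespace transformer may rewrite a Namespace resource's name to match, but relying on that hides the mistake and applying this file on its own creates the wrong namespace — change it to `name: tor`. The labels enforce only `baseline` while warning and auditing on `restricted`; once the deployment drops all capabilities and sets a seccomp profile, raising `pod-security.kubernetes.io/enforce` to `restricted` is the stronger guarantee for a workload that forwards traffic to the Internet for other namespaces.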
--- /dev/null
+++ b/apps/k8s01/tor/networkpolicy.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-tor-enabled
+ namespace: tor
+ labels:
+ app.kubernetes.io/name: tor
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: tor
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ tor.shivering-isles.com/egress-enabled: "true"
+ podSelector:
+ matchLabels:
+ tor.shivering-isles.com/egress-enabled: "true"
+ ports:
+ - port: 9050
+ protocol: TCP
+ policyTypes:
+ - Ingress
\ No newline at end of file
diff --git a/apps/k8s01/tor/service.yaml b/apps/k8s01/tor/service.yaml
new file mode 100644
index 000000000..8a2b3b99c
--- /dev/null
+++ b/apps/k8s01/tor/service.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app.kubernetes.io/name: tor
+ name: tor
+ namespace: tor
+spec:
+ ports:
+ - name: socks
+ port: 9050
+ protocol: TCP
+ targetPort: socks
+ selector:
+ app.kubernetes.io/name: tor
+ type: ClusterIP
\ No newline at end of file
--
GitLab
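Review bot: The single `from` entry pairs `namespaceSelector` with `podSelector`, which is an AND (a client must run in a namespace labelled `tor.shivering-isles.com/egress-enabled: "true"` and carry the same pod label); that is the right opt-in shape for a shared proxy, but it is one stray `-` before `podSelector` away from becoming an OR that admits every pod in a labelled namespace, so it deserves a comment such as `# namespaceSelector + podSelector in ONE from-entry: both labels are required (AND)`. `metadata.namespace: tor` duplicates what the kustomization's `namespace: tor` sets and is absent from deployment.yaml and egress-policy.yaml; either drop it or add it everywhere so the directory follows one convention.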
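Review bot: `metadata.namespace: tor` in the Service is redundant with the kustomization's `namespace: tor` and inconsistent with deployment.yaml, which omits it; pick one convention for the directory. Access to the proxy is gated by the NetworkPolicy rather than by this Service, so a comment above `ports:` such as `# Reachable only from pods/namespaces labelled tor.shivering-isles.com/egress-enabled=true (see networkpolicy.yaml)` would save the next reader a search. The named `targetPort: socks` depends on the `socks` containerPort name in deployment.yaml, which is worth keeping in mind if that port is ever renamed.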