feat(shields): Initial shields deployment

This patch provides an initial version of shields for the
cluster, deploying shields in a fairly locked down setup. This
includes blocking all ingress and egress traffic except of the
ingress controller, monitoring and outgoing web traffic to the
public internet.

As part of this some new shared network policies are created,
added and renamed. These aim to improve the namespace isolation
and provisioning of controlled network access.

apps/base/shields/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: shields
+resources:
+  - namespace.yaml
+  - monitoring.yaml
+  - ../../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml

apps/base/shields/namespace.yaml

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: shields
+  labels:
+    pod-security.kubernetes.io/audit: restricted
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted
+    pod-security.kubernetes.io/audit-version: v1.23
+    pod-security.kubernetes.io/enforce-version: v1.23
+    pod-security.kubernetes.io/warn-version: v1.23
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: shields
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: shields
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: shields

apps/base/shields/networkpolicy.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: shields
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-monitoring
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: shields

apps/base/shields/shields.yaml

+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: shields
+  name: shields
+  namespace: shields
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: shields
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: shields
+    spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: shields
+              topologyKey: kubernetes.io/hostname
+      containers:
+      - image: docker.io/shieldsio/shields:next
+        name: shields
+        resources:
+          requests:
+            memory: 128Mi
+            cpu: 70m
+          limits:
+            memory: 256Mi
+            cpu: 100m
+        env:
+          - name: METRICS_PROMETHEUS_ENABLED
+            value: "true"
+          - name: METRICS_PROMETHEUS_ENDPOINT_ENABLED
+            value: "true"
+          - name: PORT
+            value: "8080"
+        ports:
+          - containerPort: 8080
+            name: http
+        securityContext:
+          runAsUser: 937
+          runAsGroup: 937
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: shields
+  name: shields
+  namespace: shields
+spec:
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: shields
+  type: ClusterIP
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: shields
+  namespace: shields
+  labels:
+    app.kubernetes.io/name: shields
+spec:
+  endpoints:
+  - path: /metrics
+    port: http
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: shields
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: shields
+  namespace: shields
+  labels:
+    app.kubernetes.io/name: shields
+spec:
+  minAvailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: shields
\ No newline at end of file

apps/k8s01/shields/certificate.yaml

+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: shields-tls
+    namespace: shields
+spec:
+    dnsNames:
+        - ENC[AES256_GCM,data:7f28/ffW5slUxv094Lv7k5ud257I3siDQvnd,iv:/sw9Q6lykDfv8ZJVS36wjSY9zjMsI2oR/56SL8dYI/Q=,tag:ixERn0tc+ru01ptWvtPsZQ==,type:str]
+    issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+    secretName: ingress-shields-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-11-21T23:24:16Z"
+    mac: ENC[AES256_GCM,data:1xL3S+gHIgDSiLUpH/CSjLssgjdRbOJWkODjpI4M3r1P4RxKFpG2Mdua6+RJ15n64SThvFPueu57w0pF+wiKZYIqZK8mbPeYgFnluEJxCn99kuU6Zh0/MTGkmtN1i7d7u0xtgXXTsrtTJRmpunv0bhDfvXb1pV8SXQq8KnZG95Q=,iv:6r9d1Fi7r7hnVjmPOGx6jf6JgDOYWBe7AmxOY73bpfw=,tag:QGziqBtRte8NRFHX8cHUBA==,type:str]
+    pgp:
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//U+q9DXB4HdBgO6bn7G8+MrAvTrfjyrLkuMmtzGIreuf0
+            DKUr5P3U+8c3i5zwF7vD6i6qMhfFus//Ix1MHmbOk0H2ZSDzkN6gk6KdPEyKGpG8
+            IpiMGu7qdGiR2pQ1UrwA3FDvRttkKADyjx/L+RvYlPZrRWZkWw16OCIdYwBPxfqp
+            q9uuVd41TZ1LpCRPEVCUH8iY61VLhgAx9JUx7ojX4bc45186u8jySDZMkjv/xXwN
+            bS6SqgqlD68Wq4dBiJwVbILo98WNMDyGFGia9EO3VfAdXHG4REvWr+uXPf4nDznp
+            mg1oQcrvc41s/M/Nc5QvWdc4gRDJZaXUwzjsrGtsM67s7zLzYq/diUFcA70mjmjr
+            cGzHz6FSpV4APuj3aVhxtKQGnxQRRH66O1tFs6MjOsImSXONDHXHeCw4QoYWABHS
+            6n2KOojyzmeug/ya8FUTsCyVZ3PDFd+UOxxdtKl3nzBwUocBmRfvWFeBvyo/QOfB
+            A0pNBL8Q/yA3p2XIKuibiL8OMNuxfiMF3SHei4KMGP2Zk6dKss5N13TBzQ4oYBIq
+            gqQQjYXSq8b6OkojSHja3OO77qIAzzMD7ztxUwAtq7a0/dZOU1ZXCNczfS0Y7Bun
+            Ay8ELsdhZ0IQY02RMsMxCy8f0aemEOAAGiZ+LR9LE7QS5lVL86bk8SlKUsLKbfTS
+            UQE87XjR8vATk5CDPZ357fl4rcrND1TehqrByB5p/TqJVe+9rbvE56AJgK0vEYzp
+            XKO5Sp201jBInr8WmUWTQ5paFNU9lZwhEpb1fqTvgt55Mw==
+            =64L4
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ//XcmHPgwByh+6vS7cVnsVCt6HQDk834gW5t3MaKtqFjJW
+            GY0MPkV1eZ+PIBm9oP2SZ8sVcNWzIgbtuzGht0BhsJlssf0rxvVJJSNC+iQ6ZGsD
+            L+cp5EPmepIFMGVda5OKT18Q5N9RKYT58MTjgzIYGTfIe4rdVddmAZq3KDLG6pV/
+            SOTw6Zq5TshE/zyFPu3ndFKCS3twCb1AmPx1YMFLpPFiGYXXemdMtoOlQJE2qdRX
+            DciGW97ZLrj8WMKQl3zU35N2oQeoCcxYLVrYq0+qGhFujhRYCgOL+O3d4+XmCvEO
+            ZpZR7KWfrSn7976EDMRqRYxz++mMgD+V6RIJdbw2AmIYwX7HwkTwjwK89H0lh9R5
+            kkYhxgKaVsoGTa3NBATuf0au+qHMzlkRjSToaZ+QKCPnwxSoURQgyNAkR1aQ2Pgi
+            muTu915RrAy7f9A3Jtt8zZSYXPXkSW44YXOCjhHy7ayFh9nQ4zeklfM4eMAU1Ni/
+            hKXmN35tlCorstv+i6Zyc+bBkL8an2v4YHWZQ8BKYkqAWRJDalKErbaP+Y/i/Bwf
+            +PjS+umpm9OkZ5lPTdxhzLxRMOWuGfbhrwAwuNV+jF3iDAGvPBR2EsJ/Ga2aXdqZ
+            TGeeMKs5sozba2d2fJyPADL/6DyKHS58b9VJt6r368xy7cVOD/UCaYOm01Ygn2vU
+            ZgEJAhDyxv/+3B3ju7Y1YlyM3WwbVEH6Vq1ZkOCy9uF7r24u5L01zx2QcGufpC1L
+            +XWTKormP0iD0q8PV7n/PU9F8Feb5bCmJTzIoWfT3+9X8cYwBaGUZqA3fNWJxOAu
+            vC+njoUTFA==
+            =5FJc
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$
+    version: 3.7.3

apps/k8s01/shields/egress-policy.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: shields
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-kubedns
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: shields
\ No newline at end of file

apps/k8s01/shields/ingress.yaml

+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: shields
+    namespace: shields
+    labels:
+        app.kubernetes.io/name: shields
+spec:
+    rules:
+        - host: ENC[AES256_GCM,data:Ls6Wg25JUEowgV8YTOfGp1daaimJC5yFg8uq,iv:khJiOaFri7CCjdilB7R7FSUanMAwAP7X9ETn5XXi2ZA=,tag:cSPvZNtTkMX4jXuXXbIaEw==,type:str]
+          http:
+            paths:
+                - backend:
+                    service:
+                        name: shields
+                        port:
+                            name: http
+                  path: /
+                  pathType: Prefix
+    tls:
+        - hosts:
+            - ENC[AES256_GCM,data:TrW9Zg/zjwIVzqCAeVX72ye5ZEeWgD6mypRH,iv:VTiUhXKSPBy+lH3EpjipQyxYI/+kRPbot9X4xiVft8A=,tag:ZhPJ6DfKnSmWbNnrf1ABHA==,type:str]
+          secretName: ingress-shields-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-11-21T23:23:18Z"
+    mac: ENC[AES256_GCM,data:x+8H6dF5IcvYPur32fIXoMUjpd31bRzrSRW3w0q1Af9qcskKjxYGTdy5QgpFXRxs07tdV8ALYha4z3y/QNLAFvxEYYPLOI3Qw9FFIfMIWe1cUVrInO8JpogwIbIMyXg3KYGXREPXhmNn6lxA9NrLqo6cHrNqX6V5ZT9yY4FqreI=,iv:mOQdfZk8joW/vZTzUYrYDfwYihCT136zOJz5n6qBjaE=,tag:8wJdEIaShlgTFpxiWEPA0w==,type:str]
+    pgp:
+        - created_at: "2022-11-21T23:23:18Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcAQ//Qv9uHg5XLGXazE73KPUoH4fqOH9uO85CwtJvizNN8fyR
+            7j9BgCfjEze/OTzy9h+Zmd6W9WV47/I61j3tkzkq+UE7mFsSmZrzsWgHcNJ8qg3w
+            dXezL9GzMv/B/p7DlZjUtwCLHLVcSKFZh01rO0r3q4v8hXpl4UO38gNOoZg1R5rp
+            KP+eE3JVvBw5QqZaWUS3EGM4Vy3drNmz1vlEYnh6xfd9TaHaNk+xzIgarpUlVKd9
+            38lxwTxZJRjQp3b2CkKJ09RWkxhyJV+YjOcsCsZW4slWlV9RLRqWqHcy3BPAPRN5
+            WLBzx57dEENX3Hi1WU2yFfBnN0h3rujv6SBJL77UTgjjUEMJNXkwfk5BuQHVWrMd
+            yCa5J6oXAAV5ii2UNnfW+UTSlsSpO0QreP6KmzNBGOmb/C6BlV3znYX+jPsDyl7l
+            4toIhjSSAFjlSBLa6DZZAiTtEcSPHrELvBmFvQSkoXd4ZcXN16VUGN1bh2REYdzO
+            H7NNFAToxFT3Z5Y6CU2rCb7kQYtY2JIYzfLRt56HReTDlfNSN+/PFmGHZWq/M8bq
+            Cjm6sViN3GajWqITgrt9QAUvb8BDg7QlaChN1Z1U2yHtYN6ndPHyisgsNVTE2V+3
+            A8iRJE0NDPNs+UpW2+VQS2vh0US0gjdZUIorkcDZ0LFouP7i09H+pyZ+ZBrPym/S
+            UQFTiGiV4NO5SA/2tbmuoJho91+F8uL+ieOIxkS+yzrene3wj911gnkwsPOmy6/Q
+            4YzqYyNKWA60xo/jEPaIVYyBDH+PBJsQ9SyUcHEcukoVlw==
+            =5/Nx
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-11-21T23:23:18Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ//WqQj3zETMqQoFyeM00Q6VwIu8aZDwSsEWR07twfLk6is
+            hlRAWdmOdSiItYxxGgAEbK6DiBmqoyw56EfvJbOfAAF+BXnl+pgV0ozeJdl+LJar
+            xVfQNwxIaP7LnqbmHXINDln0+0AfckNhXUcjP+HhwCr+aRz/pdiJkHsr7VTLH8nM
+            bf+Z2nKFhzdTbOjxC3O/yxh9baPBSRAq2fNx2SQk1JPzqBCIsqGkArF3shjtDzKc
+            MkU4BiRv+8fqX31bZXU00+TBZnMIkZT8OM4Kk4gWDCgVtWO3b+tl2xA4nO389/FP
+            nRWpeUHZU2BPIstW41FEIv/ID62s6D8WZZ5Ewh7NpLb7Xb29ABKh3wMOxe4lUEMx
+            b95XjT7jPwwcTNkea4v3nlQRkcsVzn1wr2zwZtr8FX4m8KHMc8OYCZoAS+C0FQbn
+            te35wyN7CBV3G9Xg+PijI+OxXXZR7wtrwtVMMAF7bNO6ySWOChuLzzkARUIF1SYc
+            soB5FShuNcwUFB9BnI5QpjOWT1tMiMYlXC7LgMbkh2pMjs8pnFxmjbx8g+WezdVF
+            eDiKP2rLLWeewA5+wGow2b1jlWpzveZXghFkKPHt0EvpjwFj9yk+f3E8SCqE6BFJ
+            LvhI41HtckenpQxvHa6I35RrP67ANGOahV4X4zTT8lu50hLOgFE4A3GD0yOlTczU
+            ZgEJAhATTbyPPq6mLTW9dBlVcO8NYYUdNzWBRVUeISx3A69AU185TUBMVYfJVXSg
+            0poGps/+ASmRFsuTDfNd7FXF8feEHzFafEC0uJ0xeZGrgPRyVC+5WH6vdLuqyyKU
+            iJ9te6Wzmw==
+            =1rfI
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$
+    version: 3.7.3

apps/k8s01/shields/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: shields
+resources:
+  - ../../base/shields
+  - ../../../shared/resourcequotas/default.yaml
+  - egress-policy.yaml
+  - certificate.yaml
+  - ingress.yaml
+  - ../../../shared/networkpolicies/deny-by-default-ingress.yaml
+  - ../../../shared/networkpolicies/deny-by-default-egress.yaml
+  - ../../../shared/networkpolicies/allow-to-kubedns.yaml
+  - ../../../shared/networkpolicies/allow-to-web.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml
\ No newline at end of file

infrastructure/drivers/kustomization.yaml

@@ -4,4 +4,4 @@ namespace: drivers-system
 resources:
   - namespace.yaml
   - amd-gpu.yaml
-  - ../../shared/networkpolicies/deny-by-default.yaml
+  - ../../shared/networkpolicies/deny-by-default-ingress.yaml

shared/networkpolicies/allow-to-kubedns.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-kubedns
+spec:
+  egress:
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+  policyTypes:
+    - Egress
\ No newline at end of file

shared/networkpolicies/allow-to-public-web.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-to-public-web
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        except:
+          - "192.168.0.0/16"
+          - "172.16.0.0/12"
+          - "10.0.0.0/8"
+          - "169.254.0.0/16"
+          - "100.64.0.0/10"
+        cidr: 0.0.0.0/0
+    ports:
+      - protocol: TCP
+        port: 80
+      - protocol: TCP
+        port: 443
+  policyTypes:
+  - Egress
\ No newline at end of file

shared/networkpolicies/deny-by-default-egress.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-egress
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress