Initial commit: add .gitignore and README

2026-02-09 21:51:46 -08:00
commit b970b4fc51
52 changed files with 3362 additions and 0 deletions
--- a/kubernetes/shared-cluster/ingress-controller.yaml
+++ b/kubernetes/shared-cluster/ingress-controller.yaml
@@ -0,0 +1,82 @@
+# NGINX Ingress Controller Configuration
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-nginx
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: ingress-nginx
+  template:
+    metadata:
+      labels:
+        app: ingress-nginx
+    spec:
+      serviceAccountName: ingress-nginx
+      containers:
+        - name: controller
+          image: registry.k8s.io/ingress-nginx/controller:v1.9.0
+          args:
+            - /nginx-ingress-controller
+            - --configmap=$(POD_NAMESPACE)/nginx-configuration
+            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
+            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
+            - --annotations-prefix=nginx.ingress.kubernetes.io
+          ports:
+            - name: http
+              containerPort: 80
+            - name: https
+              containerPort: 443
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "500m"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx
+  namespace: ingress-nginx
+spec:
+  type: LoadBalancer
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+    - port: 443
+      targetPort: 443
+      protocol: TCP
+      name: https
+  selector:
+    app: ingress-nginx
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-configuration
+  namespace: ingress-nginx
+data:
+  enable-cors: "true"
+  cors-allow-origin: "*"
+  cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
+  cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"
+  ssl-protocols: "TLSv1.2 TLSv1.3"
+
--- a/kubernetes/shared-cluster/namespace-isolation.yaml
+++ b/kubernetes/shared-cluster/namespace-isolation.yaml
@@ -0,0 +1,63 @@
+# Namespace Isolation Configuration
+# Network Policies and RBAC for shared clusters
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: shared-services
+  labels:
+    name: shared-services
+    type: shared
+---
+# Network Policy: Allow ingress from shared-services namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-shared-services
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              name: shared-services
+---
+# RBAC: Service Account for shared services
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: shared-services-sa
+  namespace: shared-services
+---
+# Role: Limited permissions for shared services
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: shared-services-role
+  namespace: shared-services
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch"]
+---
+# RoleBinding: Bind role to service account
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: shared-services-binding
+  namespace: shared-services
+subjects:
+  - kind: ServiceAccount
+    name: shared-services-sa
+    namespace: shared-services
+roleRef:
+  kind: Role
+  name: shared-services-role
+  apiGroup: rbac.authorization.k8s.io
+
--- a/kubernetes/shared-cluster/setup.sh
+++ b/kubernetes/shared-cluster/setup.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Setup shared Kubernetes cluster configuration
+
+set -e
+
+echo "☸️  Setting up shared Kubernetes cluster configuration..."
+
+# Check prerequisites
+command -v kubectl >/dev/null 2>&1 || { echo "❌ kubectl not found"; exit 1; }
+
+# Apply namespace isolation
+echo "🔒 Applying namespace isolation..."
+kubectl apply -f namespace-isolation.yaml
+
+# Apply ingress controller
+echo "🚪 Setting up ingress controller..."
+kubectl apply -f ingress-controller.yaml
+
+# Wait for ingress controller
+echo "⏳ Waiting for ingress controller to be ready..."
+kubectl wait --for=condition=available --timeout=300s deployment/ingress-nginx-controller -n ingress-nginx
+
+echo "✅ Shared Kubernetes cluster configuration complete!"
+echo ""
+echo "📝 Ingress controller is ready"
+echo "   Get external IP: kubectl get svc -n ingress-nginx ingress-nginx"
+