diff --git a/customers/customers.yaml b/customers/customers.yaml index 446e1f1..16a1bba 100644 --- a/customers/customers.yaml +++ b/customers/customers.yaml @@ -22,6 +22,7 @@ spec: ports: - port: 8080 name: http + targetPort: 8080 selector: app: customers --- @@ -36,6 +37,11 @@ spec: app: customers template: metadata: + annotations: + sidecar.istio.io/inject: "true" + readiness.status.sidecar.istio.io/applicationPorts: "8080" + readiness.status.sidecar.istio.io/initialDelaySeconds: "20" + sidecar.istio.io/rewriteAppHTTPProbers: "true" labels: app: customers version: v1 @@ -57,10 +63,14 @@ spec: # value: "jaeger-collector:14268" securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: @@ -80,6 +90,8 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/google-auth-sidecar/google-auth-sidecar.yaml b/google-auth-sidecar/google-auth-sidecar.yaml index 21df0ec..ddd4772 100644 --- a/google-auth-sidecar/google-auth-sidecar.yaml +++ b/google-auth-sidecar/google-auth-sidecar.yaml @@ -15,11 +15,6 @@ #create a secret #kubectl create secret -n apigee generic google-auth-sidecar-svc-account --from-file client_secret.json -apiVersion: v1 -kind: Namespace -metadata: - name: apps ---- apiVersion: v1 kind: Service metadata: @@ -30,6 +25,7 @@ spec: ports: - port: 8080 name: http + targetPort: 8080 selector: app: google-auth-sidecar --- 
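Review bot: The `add:` stanza with `NET_ADMIN` and `NET_RAW` under `capabilities` in the customers Deployment hunk grants those capabilities to the application container, while the Istio requirements page it cites (as far as I can tell) describes what the injected `istio-init` container needs for its iptables setup — or nothing at all when Istio CNI is used — not the workload container. With NET_ADMIN the application, or anyone who compromises it, can rewrite the pod's iptables and route traffic around the sidecar, so mTLS, AuthorizationPolicy and telemetry become opt-in for that pod; NET_RAW adds raw sockets and ARP spoofing on the pod network. I would delete the four added `add:` lines and keep `drop: [ALL]`, letting injection supply the init container's capabilities; if a Pod Security admission policy was what blocked injection, the fix is an exemption for `istio-init` or Istio CNI, not loosening every workload. The same stanza is copied into every Deployment touched by this commit, and the YAML nesting of `add:` relative to `drop:` cannot be verified from this rendering.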
@@ -44,6 +40,11 @@ spec: app: google-auth-sidecar template: metadata: + annotations: + sidecar.istio.io/inject: "true" + readiness.status.sidecar.istio.io/applicationPorts: "8080" + readiness.status.sidecar.istio.io/initialDelaySeconds: "20" + sidecar.istio.io/rewriteAppHTTPProbers: "true" labels: app: google-auth-sidecar version: v1 @@ -62,10 +63,14 @@ spec: periodSeconds: 5 securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: @@ -84,6 +89,8 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/inventory/inventory.yaml b/inventory/inventory.yaml index 5b74622..c8c0d50 100644 --- a/inventory/inventory.yaml +++ b/inventory/inventory.yaml @@ -22,6 +22,7 @@ spec: ports: - port: 8080 name: http + targetPort: 8080 selector: app: inventory --- @@ -37,9 +38,9 @@ spec: template: metadata: annotations: - # exlude health check port for envoy filter - readiness.status.sidecar.istio.io/applicationPorts: "8090" - # rewrite http probe + sidecar.istio.io/inject: "true" + readiness.status.sidecar.istio.io/applicationPorts: "8080" + readiness.status.sidecar.istio.io/initialDelaySeconds: "20" sidecar.istio.io/rewriteAppHTTPProbers: "true" labels: app: inventory @@ -63,10 +64,14 @@ spec: # value: "jaeger-collector:14268" securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: 
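Review bot: The inventory annotations hunk changes `readiness.status.sidecar.istio.io/applicationPorts` from `"8090"` to `"8080"` and drops the comment (`exlude health check port for envoy filter`) that explained why it was 8090, so the reason the value now equals the Service port is undocumented. If the container still serves its health endpoint on 8090, the sidecar readiness check now waits on a different port than the probes that `rewriteAppHTTPProbers` redirects — I cannot see the container's `readinessProbe` in this hunk, so that is worth verifying before merge. I would restore a one-line comment above the annotation, e.g. `# ports the sidecar readiness probe waits on; keep in sync with the container's listening port`, and do the same for the identical change in tracking-client.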
@@ -86,6 +91,8 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/orders-gql/orders-gql.yaml b/orders-gql/orders-gql.yaml index df8d608..f3a2062 100644 --- a/orders-gql/orders-gql.yaml +++ b/orders-gql/orders-gql.yaml @@ -22,6 +22,7 @@ spec: ports: - port: 8080 name: http + targetPort: 8080 selector: app: orders-gql --- @@ -36,6 +37,10 @@ spec: app: orders-gql template: metadata: + annotations: + readiness.status.sidecar.istio.io/applicationPorts: '8080' + readiness.status.sidecar.istio.io/initialDelaySeconds: '20' + sidecar.istio.io/rewriteAppHTTPProbers: 'true' labels: app: orders-gql version: v1 @@ -55,10 +60,14 @@ spec: value: "http://orders.apps.svc.cluster.local:8080" securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: @@ -68,10 +77,18 @@ spec: limits: cpu: 50m memory: 128Mi + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 5 volumeMounts: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/orders/orders.yaml b/orders/orders.yaml index d596f45..2480da5 100644 --- a/orders/orders.yaml +++ b/orders/orders.yaml @@ -22,6 +22,7 @@ spec: ports: - port: 8080 name: http + targetPort: 8080 selector: app: orders --- 
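Review bot: The orders-gql annotations hunk adds the readiness and probe-rewrite annotations but omits `sidecar.istio.io/inject: "true"`, which the customers, google-auth-sidecar, inventory, orders and tracking-client Deployments in this same commit do set (tracking and websockets omit it as well). If injection is enabled at namespace level the per-pod annotation is redundant everywhere; if it is not, orders-gql is deployed without a sidecar and sits outside mTLS and AuthorizationPolicy while its upstream `orders` service is inside — the diff does not show which, so the two conventions should be reconciled deliberately rather than left mixed. I would add `sidecar.istio.io/inject: "true"` here and switch the single-quoted values (`'8080'`, `'20'`, `'true'`) to the double quotes the other files use, so the annotation blocks diff cleanly across services.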
@@ -37,8 +38,10 @@ spec: template: metadata: annotations: - readiness.status.sidecar.istio.io/applicationPorts: '8090' - sidecar.istio.io/rewriteAppHTTPProbers: 'true' + sidecar.istio.io/inject: "true" + readiness.status.sidecar.istio.io/applicationPorts: "8080" + readiness.status.sidecar.istio.io/initialDelaySeconds: "20" + sidecar.istio.io/rewriteAppHTTPProbers: "true" labels: app: orders version: v1 @@ -63,10 +66,14 @@ spec: # value: "jaeger-collector:14268" securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: @@ -86,6 +93,9 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #NOTE: This is not working with Istio. If using Istio, comment these lines + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/tracking/tracking-client.yaml b/tracking/tracking-client.yaml index 7c0a707..75c1d6f 100644 --- a/tracking/tracking-client.yaml +++ b/tracking/tracking-client.yaml @@ -22,6 +22,7 @@ spec: ports: - port: 8080 name: http + targetPort: 8080 selector: app: tracking-client --- @@ -37,9 +38,9 @@ spec: template: metadata: annotations: - # exlude health check port for envoy filter - readiness.status.sidecar.istio.io/applicationPorts: "8090" - # rewrite http probe + sidecar.istio.io/inject: "true" + readiness.status.sidecar.istio.io/applicationPorts: "8080" + readiness.status.sidecar.istio.io/initialDelaySeconds: "20" sidecar.istio.io/rewriteAppHTTPProbers: "true" labels: app: tracking-client 
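Review bot: The added comment `#NOTE: This is not working with Istio. If using Istio, comment these lines` in the orders volumeMounts hunk leaves `serviceAccountName` commented out, so this Deployment — and the seven others with the same commented lines — runs under the namespace's `default` ServiceAccount. The Istio sidecar derives the workload's SPIFFE identity from the pod's ServiceAccount, so with every service on `default` an AuthorizationPolicy cannot distinguish `orders` from `customers` or the Google auth sidecar, and any RBAC or workload-identity binding intended for `app-sa` silently does not apply. A custom ServiceAccount is normally fine with injection, so I would replace the generic note with the actual error that was observed and re-enable a per-workload account (`serviceAccountName: orders-sa`) once it is resolved; `serviceAccount:` is the deprecated spelling of the same field and can be dropped outright.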
@@ -65,10 +66,14 @@ spec: # value: "jaeger-collector:14268" securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: @@ -88,6 +93,8 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/tracking/tracking.yaml b/tracking/tracking.yaml index ab957f8..91413dc 100644 --- a/tracking/tracking.yaml +++ b/tracking/tracking.yaml @@ -36,6 +36,10 @@ spec: app: tracking template: metadata: + annotations: + readiness.status.sidecar.istio.io/applicationPorts: '50051' + readiness.status.sidecar.istio.io/initialDelaySeconds: '20' + sidecar.istio.io/rewriteAppHTTPProbers: 'true' labels: app: tracking version: v1 @@ -57,10 +61,14 @@ spec: # value: "jaeger-collector:14268" securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW drop: - ALL resources: @@ -74,6 +82,8 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: diff --git a/websockets/server/websockets.yaml b/websockets/server/websockets.yaml index fa554f3..f74fe66 100644 --- a/websockets/server/websockets.yaml +++ b/websockets/server/websockets.yaml @@ -22,6 +22,7 @@ spec: ports: - port: 3000 name: http + targetPort: 3000 selector: app: websockets --- 
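Review bot: In the tracking-client securityContext hunk the container keeps `runAsNonRoot: true` with `runAsUser: 20001`, and for a non-root UID the capabilities listed in `add:` are, to my knowledge, not raised into the process's effective set unless the binary carries file capabilities (Kubernetes does not set ambient capabilities), so `NET_ADMIN`/`NET_RAW` here most likely change nothing for the app — and if the image does set file caps they hand it control of the pod's iptables. Either outcome argues for removing the `add:` stanza, since the sidecar requirement it cites is met by the injected `istio-init` container or by Istio CNI, not by the workload container; the same applies to the tracking Deployment hunk on this line. I would also confirm that the UID/GID move to 20001/20000 matches the image's `USER` and the ownership of any writable paths, because `runAsNonRoot` only verifies that the UID is non-zero.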
@@ -37,7 +38,8 @@ spec: template: metadata: annotations: - # rewrite http probe + readiness.status.sidecar.istio.io/applicationPorts: "3000" + readiness.status.sidecar.istio.io/initialDelaySeconds: "20" sidecar.istio.io/rewriteAppHTTPProbers: "true" labels: app: websockets @@ -66,12 +68,16 @@ spec: periodSeconds: 5 securityContext: runAsNonRoot: true - runAsUser: 2001 - runAsGroup: 2000 + runAsUser: 20001 + runAsGroup: 20000 allowPrivilegeEscalation: false capabilities: - drop: - - ALL + # https://istio.io/latest/docs/ops/deployment/requirements/ + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL resources: requests: cpu: 50m @@ -83,6 +89,8 @@ spec: - mountPath: /etc/secret name: svc-account-volume readOnly: true + #serviceAccount: app-sa + #serviceAccountName: app-sa volumes: - name: svc-account-volume secret: