fix: binary auth rules applied to GKE cluster

- updated bastion startup script - move binary auth from project level to cluster level
csye7125-fall2023-group05 · Dec 8, 2023 · 7acdbb9 · 7acdbb9
1 parent d25ff5d
commit 7acdbb9
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 36 deletions.
diff --git a/modules/bastion/startup.sh b/modules/bastion/startup.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 
-sudo apt-get update -y
+sudo apt-get update
+sudo apt-get -y install tinyproxy
+
+sudo apt-get update
 curl -LO https://dl.k8s.io/release/v1.28.3/bin/linux/amd64/kubectl
 echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check
 
@@ -15,15 +18,12 @@ chmod 700 get_helm.sh
 ./get_helm.sh
 helm version
 
-sudo apt-get update -y
-sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo -y
+sudo apt-get update
+sudo apt-get -y install apt-transport-https ca-certificates gnupg curl sudo
 curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
 echo \
   "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" |
   sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
 sudo apt-get update
-sudo apt-get install google-cloud-cli -y
-sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin -y
-
-sudo apt-get update -y
-sudo apt-get install tinyproxy -y
+sudo apt-get install google-cloud-cli
+sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin
diff --git a/modules/k8s/main.tf b/modules/k8s/main.tf
@@ -25,10 +25,16 @@ resource "google_container_cluster" "pwncorp_cluster" {
   initial_node_count       = var.initial_node_count
   network                  = var.vpc_name
   subnetwork               = var.subnet_name
-  logging_service          = "logging.googleapis.com/kubernetes"
-  monitoring_service       = "monitoring.googleapis.com/kubernetes"
+  logging_service          = "none" # logging.googleapis.com/kubernetes
+  monitoring_service       = "none" # monitoring.googleapis.com/kubernetes
   networking_mode          = "VPC_NATIVE"
 
+  addons_config {
+    horizontal_pod_autoscaling {
+      disabled = false
+    }
+  }
+
   release_channel {
     channel = "REGULAR"
   }
@@ -81,8 +87,8 @@ resource "google_container_node_pool" "gke_linux_node_pool" {
   node_count     = 1
 
   autoscaling {
-    max_node_count = var.max_node_count # change to 6
-    min_node_count = var.min_node_count # change to 3
+    max_node_count = var.max_node_count
+    min_node_count = var.min_node_count
   }
 
   management {
@@ -111,3 +117,25 @@ resource "google_container_node_pool" "gke_linux_node_pool" {
     ]
   }
 }
+
+resource "google_binary_authorization_policy" "binary_auth_policy" {
+  admission_whitelist_patterns {
+    name_pattern = "docker.io/bitnami/*"
+  }
+
+  admission_whitelist_patterns {
+    name_pattern = "docker.io/istio/*"
+  }
+
+  admission_whitelist_patterns {
+    name_pattern = "quay.io/pwncorp/*"
+  }
+
+  default_admission_rule {
+    evaluation_mode  = "ALWAYS_DENY"
+    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
+  }
+
+  global_policy_evaluation_mode = "ENABLE"
+  project                       = var.project_id
+}
diff --git a/modules/projects/main.tf b/modules/projects/main.tf
@@ -13,27 +13,3 @@ resource "google_organization_policy" "default_network_policy" {
     enforced = true
   }
 }
-
-resource "google_binary_authorization_policy" "binary_auth_policy" {
-  admission_whitelist_patterns {
-    name_pattern = "docker.io/bitnami/*"
-  }
-
-  admission_whitelist_patterns {
-    name_pattern = "docker.io/istio/*"
-  }
-
-  admission_whitelist_patterns {
-    name_pattern = "quay.io/pwncorp/*"
-  }
-
-  default_admission_rule {
-    evaluation_mode  = "ALWAYS_DENY"
-    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
-  }
-
-  global_policy_evaluation_mode = "ENABLE"
-  project                       = var.project_id
-}
-
-