Viktor Barzin
669ba97078
## W1.1 — K8s API audit log shipping (LIVE)
- alloy.yaml: added control-plane toleration so Alloy DaemonSet runs on
k8s-master node. Verified alloy-7zg7t scheduled on master, tailing
/var/log/kubernetes/audit.log
- loki.tf "Security Wave 1" rule group: added K2-K9 alert rules
(skipped K1 per Q7 decision):
- K2 K8sSATokenFromUnexpectedIP
- K3 K8sSensitiveSecretReadByUnexpectedActor
- K4 K8sExecIntoSensitiveNamespace
- K5 K8sMassDelete (>5 Pod/Secret/CM in 60s by single user)
- K6 K8sAuditPolicyModified (kubeadm-config CM change)
- K7 K8sClusterRoleWildcardCreated (verbs=* + resources=*)
- K8 K8sAnonymousBindingGranted
- K9 K8sViktorFromUnexpectedIP
- All rules use source-IP regex matching the wave-1 allowlist
(10.0.20.0/22, 192.168.1.0/24, 10.10.0.0/16 pod, 10.96.0.0/12 svc,
100.64-127 tailnet) and `lane = "security"` → #security Slack route.
- Verified: kubectl-audit logs flowing in Loki query
{job="kubernetes-audit"} returns events with node=k8s-master.
- Verified: /loki/api/v1/rules lists all K2-K9 + V1-V7 + S1.
## W1.5 — require-trusted-registries Enforce (LIVE)
- security-policies.tf: flipped Audit→Enforce with explicit allowlist
built by `kubectl get pods -A -o jsonpath='{..image}'` enumeration.
- Removed `*/*` catch-all (which made Audit→Enforce a no-op).
- Pattern includes 15 explicit registries, 6 DockerHub library bare
names, 56 DockerHub user repos.
- Verified by admission dry-run:
- evilcorp.example/malware:v1 → BLOCKED with custom message
- alpine:3.20 → ALLOWED (matches `alpine*`)
- docker.io/library/alpine:3.20 → ALLOWED (matches `docker.io/*`)
## W1.6 — Calico flow logs (BLOCKED — Calico OSS limitation)
- Tried adding FelixConfiguration with flowLogsFileEnabled=true via
kubectl_manifest in stacks/calico/main.tf
- Calico OSS rejected with "strict decoding error: unknown field
spec.flowLogsFileEnabled" — these fields are Calico Enterprise/Tigera-only
- Removed the failed resource. Documented alternative paths in main.tf
comment block: GNP with action=Log (iptables NFLOG → journal), Cilium
migration, eBPF tooling, or Tigera Operator adoption.
## Docs updates
- security.md status table refreshed: W1.1/W1.2/W1.3/W1.4/W1.5 LIVE,
W1.6/W1.7 blocked
- monitoring.md: Loki marked DEPLOYED (was incorrectly NOT-DEPLOYED in
prior session before today's apply)
## Cleanup
- Removed stacks/kyverno/imports.tf (TF 1.5+ import blocks completed
their job in the 2026-05-18 apply; should not stay in tree per TF docs)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
97 lines
3.8 KiB
HCL
97 lines
3.8 KiB
HCL
# Calico CNI
|
|
#
|
|
# Calico has underpinned this cluster's pod networking since 2024-07-30, installed
|
|
# as raw kubectl manifests (tigera-operator Deployment + CRDs + Installation CR).
|
|
# Bringing the full stack under Terraform is high-blast — the operator and its
|
|
# Deployment must never flap during node pressure or during any apply, because
|
|
# new pod scheduling breaks within ~seconds of a CNI outage.
|
|
#
|
|
# This stack (created 2026-04-18 Wave 5b) adopts the three namespaces only:
|
|
# calico-system, calico-apiserver, tigera-operator. The `tigera-operator`
|
|
# Deployment, the 20+ CRDs it manages, and the `Installation` CR itself are
|
|
# intentionally *not* adopted yet — they require a low-traffic window and a
|
|
# careful ignore_changes set to cover operator-generated defaults on the
|
|
# Installation CR. Follow-up tracked in beads code-3ad.
|
|
#
|
|
# The namespaces are safe to adopt (no networking impact — they're just label
|
|
# containers) and give TF an audit trail entry for the labels/tier Kyverno
|
|
# cares about.
|
|
|
|
resource "kubernetes_namespace" "calico_system" {
|
|
metadata {
|
|
name = "calico-system"
|
|
labels = {
|
|
name = "calico-system"
|
|
# calico-system namespace is managed by tigera-operator — auto-update is
|
|
# incompatible (operator reverts DaemonSet image from its Installation CR).
|
|
# "keel.sh/enrolled" = "true"
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode label on every namespace.
|
|
# pod-security.kubernetes.io/* labels are applied by the tigera-operator
|
|
# reconciler on calico-system + calico-apiserver for PSA 'privileged'.
|
|
ignore_changes = [
|
|
metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"],
|
|
metadata[0].labels["pod-security.kubernetes.io/enforce"],
|
|
metadata[0].labels["pod-security.kubernetes.io/enforce-version"],
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_namespace" "calico_apiserver" {
|
|
metadata {
|
|
name = "calico-apiserver"
|
|
labels = {
|
|
name = "calico-apiserver"
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1 + PSA labels applied by tigera-operator (see calico_system).
|
|
ignore_changes = [
|
|
metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"],
|
|
metadata[0].labels["pod-security.kubernetes.io/enforce"],
|
|
metadata[0].labels["pod-security.kubernetes.io/enforce-version"],
|
|
]
|
|
}
|
|
}
|
|
|
|
resource "kubernetes_namespace" "tigera_operator" {
|
|
metadata {
|
|
name = "tigera-operator"
|
|
labels = {
|
|
name = "tigera-operator"
|
|
}
|
|
}
|
|
lifecycle {
|
|
# KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
|
|
ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
|
|
}
|
|
}
|
|
|
|
# Wave 1 W1.6 (beads code-8ywc): Calico OSS does NOT support flow-log-to-file
|
|
# export via FelixConfiguration — `flowLogsFileEnabled` and related fields are
|
|
# Calico Enterprise / Tigera Cloud features and are rejected by the OSS API
|
|
# (verified 2026-05-19: "strict decoding error: unknown field spec.flowLogsFileEnabled").
|
|
#
|
|
# Alternative observe-then-enforce paths for W1.6/W1.7:
|
|
# 1. Calico GlobalNetworkPolicy with `action: Log` on tier 3+4 — Log action
|
|
# writes to iptables NFLOG which lands in node syslog. Alloy already
|
|
# scrapes journal, but the format needs parsing.
|
|
# 2. Cilium replacement with Hubble flow observability (large migration).
|
|
# 3. Tigera Operator + Calico Enterprise (commercial).
|
|
# 4. eBPF-based flow capture (e.g. inspektor-gadget, retina) sidecar approach.
|
|
#
|
|
# Wave 1 stops at this fork. The observe phase requires further design choice
|
|
# tracked under code-8ywc as a separate W1.6/W1.7 follow-up.
|
|
|
|
# CI retrigger 2026-05-16T13:42:57+00:00 — bulk enrollment apply (pipeline #689 killed)
|
|
# CI retrigger v2 2026-05-16T13:46:35+00:00
|
|
|
|
# CI retrigger v3 2026-05-16T14:06:39Z
|
|
|
|
# CI retrigger v4 2026-05-16T14:13:59Z
|
|
|
|
# CI retrigger v5 2026-05-16T23:10:38Z
|
|
|
|
# CI retrigger v6 2026-05-16T23:18:58Z
|