# Drone CI Kubernetes runner plus the kubernetes-secrets plugin it consults.
# Documents, in order: ServiceAccount, ConfigMap, Role, RoleBinding, Service,
# two Deployments, and two NetworkPolicies.
#
# Only the Role and RoleBinding carry an explicit namespace (drone-execution);
# every other object lands in whatever namespace the manifest is applied to.
---
# Identity the runner pod uses to talk to the Kubernetes API.
# No namespace is set here, but the RoleBinding below binds the account in
# drone-execution — confirm the manifest is applied there, otherwise the
# runner's ServiceAccount is not the one that receives the Role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-runner-kube
---
# Non-secret runner configuration, injected as environment variables via
# envFrom in the runner Deployment. Every value must stay a quoted string
# (the ConfigMap data type is string; "false" / "1300" would otherwise be
# parsed as bool / int).
apiVersion: v1
kind: ConfigMap
metadata:
  name: application-config
data:
  DRONE_DEBUG: "false"
  DRONE_TRACE: "false"
  # Namespace in which the runner creates build pods and their secrets.
  DRONE_NAMESPACE_DEFAULT: "drone-execution"
  DRONE_RPC_HOST: "drone.k-space.ee"
  DRONE_RPC_PROTO: "https"
  PLUGIN_MTU: "1300"
  # Points at a Service named "secrets" on port 3000. No Service of that name
  # is defined in this file — presumably it exists elsewhere and selects
  # app: drone-kubernetes-secrets; verify, or the runner cannot resolve it.
  DRONE_SECRET_PLUGIN_ENDPOINT: "http://secrets:3000"
---
# Permissions the runner needs in the build namespace: create/delete the
# per-build secrets and manage build pods (including log streaming).
# Note the secrets rule grants no get/list/watch, so the runner cannot read
# or enumerate existing secrets in drone-execution — keep it that way.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone-runner-kube
  namespace: drone-execution
  labels:
    app: drone-runner-kube
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
    verbs:
      - get
      - create
      - delete
      - list
      - watch
      - update
---
# Grants the Role above to the runner's ServiceAccount. The subject is
# pinned to namespace drone-execution; see the ServiceAccount note.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: drone-runner-kube
  namespace: drone-execution
  labels:
    app: drone-runner-kube
subjects:
  - kind: ServiceAccount
    name: drone-runner-kube
    namespace: drone-execution
roleRef:
  kind: Role
  name: drone-runner-kube
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-internal endpoint for the runner's own HTTP port (3000).
apiVersion: v1
kind: Service
metadata:
  name: drone-runner-kube
  labels:
    app: drone-runner-kube
spec:
  type: ClusterIP
  ports:
    - port: 3000
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app: drone-runner-kube
---
# The runner itself. Keel annotations force a re-deploy whenever the polled
# image changes; together with the untagged image reference and
# imagePullPolicy: Always this means every pull may resolve to a different
# "latest" image. Pinning a tag or digest would make what runs here
# reviewable and reproducible.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-runner-kube
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@midnight"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-runner-kube
  template:
    metadata:
      labels:
        app: drone-runner-kube
    spec:
      serviceAccountName: drone-runner-kube
      # Long grace period so in-flight builds can finish on shutdown.
      terminationGracePeriodSeconds: 3600
      containers:
        - name: server
          # Empty: no hardening is applied (defaults for user, privilege
          # escalation and capabilities). The runner only needs an
          # unprivileged listener on 3000 and API access via its
          # ServiceAccount token, so dropping capabilities and disallowing
          # privilege escalation should be safe — confirm against the image.
          securityContext: {}
          image: drone/drone-runner-kube
          imagePullPolicy: Always
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          # application-secrets (not in this file) carries at least
          # DRONE_SECRET_PLUGIN_TOKEN, the shared secret for the plugin below.
          envFrom:
            - configMapRef:
                name: application-config
            - secretRef:
                name: application-secrets
---
# Secrets plugin: serves build secrets to the runner over HTTP on 3000,
# authenticated with SECRET_KEY. Same untagged-image / keel caveat as above;
# no securityContext is set at all on this container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-kubernetes-secrets
  annotations:
    keel.sh/policy: force
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@midnight"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-kubernetes-secrets
  template:
    metadata:
      labels:
        app: drone-kubernetes-secrets
    spec:
      containers:
        - name: secrets
          image: drone/kubernetes-secrets
          imagePullPolicy: Always
          ports:
            - containerPort: 3000
          env:
            # Must equal the runner's DRONE_SECRET_PLUGIN_TOKEN; both sides
            # read the same key of application-secrets.
            - name: SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: application-secrets
                  key: DRONE_SECRET_PLUGIN_TOKEN
---
# Only runner pods in this namespace may reach the secrets plugin on 3000.
# A podSelector without a namespaceSelector matches the policy's own
# namespace only, so cross-namespace ingress is denied. Like every
# NetworkPolicy, this is enforced only if the cluster's CNI implements it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: drone-kubernetes-secrets
spec:
  podSelector:
    matchLabels:
      app: drone-kubernetes-secrets
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: drone-runner-kube
      ports:
        - port: 3000
---
# Intended to block access to pods in other namespaces while still
# permitting Git checkout, pip install, talking to Traefik via public IP etc.
#
# As written it does not achieve the first part: an ipBlock of 0.0.0.0/0
# with no "except" list allows egress to every IPv4 destination, including
# the cluster's pod and service ranges, so other namespaces remain
# reachable. Enforcing the intent requires "except:" entries for the
# cluster pod and service CIDRs (cluster-specific values, not known from
# this file) plus a separate rule allowing DNS to kube-dns, which the
# except list would otherwise cut off. There is also no IPv6 rule, so on a
# dual-stack cluster IPv6 egress is denied.
#
# podSelector: {} applies this to every pod in the namespace, not just the
# runner.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: drone-runner-kube
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0