diff --git a/k8s/infra/vpn/netbird/agent/agent-setup-key.yaml b/k8s/infra/vpn/netbird/agent/agent-setup-key.yaml
new file mode 100644
index 0000000..10f925b
--- /dev/null
+++ b/k8s/infra/vpn/netbird/agent/agent-setup-key.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: agent-setup-key
+ namespace: netbird
+spec:
+ encryptedData:
+ setupKey: 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
+ template:
+ metadata:
+ name: agent-setup-key
+ namespace: netbird
+ type: Opaque
diff --git a/k8s/infra/vpn/netbird/agent/daemon-set.yaml b/k8s/infra/vpn/netbird/agent/daemon-set.yaml
new file mode 100644
index 0000000..73a3db3
--- /dev/null
+++ b/k8s/infra/vpn/netbird/agent/daemon-set.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: netbird-agent
+ namespace: netbird
+spec:
+ selector:
+ matchLabels:
+ app: netbird
+ template:
+ metadata:
+ labels:
+ app: netbird
+ spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: netbird
+ image: netbirdio/netbird:0.28.7 # renovate: docker=netbirdio/netbird
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ add: [ NET_ADMIN, PERFMON, BPF ]
+ envFrom:
+ - configMapRef:
+ name: agent-config
+ env:
+ - name: NB_SETUP_KEY
+ valueFrom:
+ secretKeyRef:
+ name: agent-setup-key
+ key: setupKey
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ volumes:
+ - name: config
+ emptyDir: { }
diff --git a/k8s/infra/vpn/netbird/agent/kustomization.yaml b/k8s/infra/vpn/netbird/agent/kustomization.yaml
new file mode 100644
index 0000000..81d05ac
--- /dev/null
+++ b/k8s/infra/vpn/netbird/agent/kustomization.yaml
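Review bot: In daemon-set.yaml the container's `capabilities` block only adds NET_ADMIN, PERFMON and BPF and never drops anything, so the container keeps the runtime's default capability set on top of the three it actually needs; pair the add with `drop: [ "ALL" ]` so the effective set is exactly those three. The pod sets `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` but no `runAsNonRoot`/`runAsUser`, which is presumably deliberate because the added capabilities are only effective for root without file capabilities on the binary — worth a one-line comment above `securityContext` saying so. A DaemonSet on every node with no `resources` requests or limits is also worth a second look. Minor style point: `[ NET_ADMIN, PERFMON, BPF ]` and `{ }` use padded flow brackets where the usual formatter output is `[NET_ADMIN, PERFMON, BPF]` and `{}`.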
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+ - name: agent-config
+ namespace: netbird
+ literals:
+ - NB_HOSTNAME="talos-router"
+ - NB_LOG_LEVEL="warn"
+ - NB_MANAGEMENT_URL="https://netbird.stonegarden.dev"
+ - NB_ADMIN_URL="https://netbird.stonegarden.dev"
+ - NB_CONFIG="/config/config.json"
+
+resources:
+ - agent-setup-key.yaml
+ - daemon-set.yaml
diff --git a/k8s/infra/vpn/netbird/kustomization.yaml b/k8s/infra/vpn/netbird/kustomization.yaml
index 1ed4af0..2496003 100644
--- a/k8s/infra/vpn/netbird/kustomization.yaml
+++ b/k8s/infra/vpn/netbird/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - http-route.yaml
 - backend
 - dashboard
+ - agent
diff --git a/k8s/infra/vpn/netbird/ns.yaml b/k8s/infra/vpn/netbird/ns.yaml
index db05a13..1973cf3 100644
--- a/k8s/infra/vpn/netbird/ns.yaml
+++ b/k8s/infra/vpn/netbird/ns.yaml
@@ -2,3 +2,7 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: netbird
+ labels:
+ pod-security.kubernetes.io/audit: baseline
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: baseline
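Review bot: In ns.yaml, `pod-security.kubernetes.io/enforce: privileged` applies to every pod in the netbird namespace, so the backend and dashboard listed in the sibling kustomization.yaml hunk also run with no admission check, while only the agent DaemonSet appears to need the privileged level (its NET_ADMIN/PERFMON/BPF capabilities are outside the baseline allowlist). Consider giving the agent its own namespace labelled `enforce: privileged` and keeping this namespace at `pod-security.kubernetes.io/enforce: baseline`, or at least add a comment above `labels:` naming the agent as the reason for the privileged level. With the labels as written, the audit and warn levels at baseline will flag the agent pod on every admission, which is presumably the intent.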