math-tables/deploy/README.md
herel · f94dd12216 · feat: Configure production deployment with math-tables namespace and ingress

Changes made:

- Remove problematic configuration-snippet from base ingress
- Add namespace creation for math-tables
- Configure ingress with nginx class and letsencrypt-prod issuer
- Set production hostname to math-tables.cl1.parano.ch
- Reduce production replicas to 1
- Update copyright year in index.html

2025-09-03 22:06:32 +02:00


# Math Exercises Application - Kubernetes Deployment
This directory contains the Kubernetes deployment configuration for the Math Exercises application, with security best practices applied.
## Directory Structure
```
deploy/
├── base/                           # Base kustomize configuration
│   ├── deployment.yaml             # Application deployment
│   ├── service.yaml                # Internal service
│   ├── ingress.yaml                # External access configuration
│   ├── network-policy.yaml         # Network security policies
│   ├── configmap.yaml              # Application configuration
│   ├── pod-disruption-budget.yaml  # High availability
│   └── kustomization.yaml          # Base kustomize file
├── overlays/                       # Environment-specific configurations
│   ├── development/                # Development environment
│   │   ├── deployment-patch.yaml   # Dev-specific deployment settings
│   │   └── kustomization.yaml      # Dev kustomize file
│   └── production/                 # Production environment
│       ├── deployment-patch.yaml   # Prod-specific deployment settings
│       ├── security-patch.yaml     # Additional security settings
│       └── kustomization.yaml      # Prod kustomize file
└── SECURITY_CHECKLIST.md           # Security implementation checklist
```
## Security Features Implemented
The deployment implements the following security best practices:
1. **Pod Security**:
   - Non-root user execution
   - Read-only root filesystem
   - Disabled privilege escalation
   - Minimal container capabilities
   - Seccomp profiles
2. **Network Security**:
   - Network policies restricting traffic
   - TLS-enforced ingress with security headers
   - Internal service exposure only
3. **Configuration Security**:
   - ConfigMaps for configuration separation
   - Resource limits and requests
   - Health checks with appropriate timeouts
4. **Operational Security**:
   - PodDisruptionBudget for high availability
   - Environment-specific configurations
   - Versioned image tags
## Deployment Instructions
### Development Environment
```bash
kubectl apply -k deploy/overlays/development
```
### Production Environment
```bash
kubectl apply -k deploy/overlays/production
```
## Security Verification
To verify security settings are properly applied:
```bash
# Check security context
kubectl get deployment math-exercises-app -o jsonpath='{.spec.template.spec.containers[0].securityContext}'
# Check network policies
kubectl get networkpolicy
# Check resource limits
kubectl get deployment math-exercises-app -o jsonpath='{.spec.template.spec.containers[0].resources}'
```
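The two `jsonpath` commands above print the `securityContext` and `resources` maps as compact JSON, which is easy to eyeball once but tedious to re-check after every overlay change. The script below is an added example (not part of the project) that consumes that output and reports which items of the "Pod Security" and "Configuration Security" lists are missing. The README names the properties but not their exact values, so the specific expectations (`capabilities.drop` containing `ALL`, `seccompProfile.type` of `RuntimeDefault` or `Localhost`, CPU and memory set for both requests and limits) are this example's assumptions; the sample JSON it ships with is constructed, one hardened and one weak container.

```python
"""Audit a container's securityContext and resources JSON (as printed by
`kubectl get deployment ... -o jsonpath=...`) against the README checklist.

Added example, not project code. The exact expected values are assumptions
made here; the README only names the properties.
"""
import json
import sys


def check_security_context(sc: dict) -> list[str]:
    """Return findings for a container securityContext; empty list = pass."""
    findings = []
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("readOnlyRootFilesystem is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false")
    caps = sc.get("capabilities") or {}
    # Assumption: "minimal capabilities" means drop ALL and add nothing.
    if "ALL" not in (caps.get("drop") or []):
        findings.append("capabilities.drop does not include ALL")
    if caps.get("add"):
        findings.append(f"capabilities.add is non-empty: {caps['add']}")
    # Assumption: a seccomp profile must be RuntimeDefault or Localhost.
    seccomp = (sc.get("seccompProfile") or {}).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        findings.append(f"seccompProfile.type is {seccomp!r}")
    return findings


def check_resources(res: dict) -> list[str]:
    """Return findings for a container resources block; empty list = pass."""
    findings = []
    for section in ("requests", "limits"):
        for key in ("cpu", "memory"):
            if not (res.get(section) or {}).get(key):
                findings.append(f"resources.{section}.{key} is missing")
    return findings


def audit(security_context_json: str, resources_json: str) -> list[str]:
    """Parse both kubectl outputs (empty string = field absent) and audit them."""
    sc = json.loads(security_context_json) if security_context_json.strip() else {}
    res = json.loads(resources_json) if resources_json.strip() else {}
    return check_security_context(sc) + check_resources(res)


# Constructed sample outputs: a hardened container ...
GOOD_SC = ('{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},'
           '"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":1000,'
           '"seccompProfile":{"type":"RuntimeDefault"}}')
GOOD_RES = '{"limits":{"cpu":"500m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}'
# ... and a weak one that only sets runAsNonRoot and adds a capability.
WEAK_SC = '{"runAsNonRoot":true,"capabilities":{"add":["NET_ADMIN"]}}'
WEAK_RES = '{"requests":{"cpu":"100m"}}'


if __name__ == "__main__":
    # Usage: python3 audit.py <securityContext.json> <resources.json>
    # With no arguments the constructed samples are audited instead.
    if len(sys.argv) == 3:
        samples = [("cluster", open(sys.argv[1]).read(), open(sys.argv[2]).read())]
    else:
        samples = [("good", GOOD_SC, GOOD_RES), ("weak", WEAK_SC, WEAK_RES)]
    for label, sc, res in samples:
        findings = audit(sc, res)
        print(f"[{label}] {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

To run it against a live cluster, redirect each `kubectl ... -o jsonpath=...` command's output to a file (adding `-n <namespace>` if the deployment is not in the current namespace) and pass the two files as arguments; an empty file is treated as "field not set", which is itself a finding rather than a crash.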
See `SECURITY_CHECKLIST.md` for a comprehensive list of implemented security measures.