init

Author: BretFisher

.github/FUNDING.yml

@@ -0,0 +1 @@
+patreon: bretfisher

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"

.github/linters/.markdown-lint.yml

@@ -0,0 +1,9 @@
+# MD013/line-length - Line length
+MD013:
+  # Number of characters, default is 80
+  # I'm OK with long lines. All editors now have wordwrap
+  line_length: 9999
+  # Number of characters for headings
+  heading_line_length: 100
+  # check code blocks?
+  code_blocks: false

.github/linters/.yaml-lint.yml

@@ -0,0 +1,53 @@
+---
+###########################################
+# These are the rules used for            #
+# linting all the yaml files in the stack #
+# NOTE:                                   #
+# You can disable line with:              #
+# # yamllint disable-line                 #
+###########################################
+rules:
+  braces:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 5
+  brackets:
+    level: warning
+    min-spaces-inside: 0
+    max-spaces-inside: 0
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 5
+  colons:
+    level: warning
+    max-spaces-before: 0
+    max-spaces-after: 1
+  commas:
+    level: warning
+    max-spaces-before: 0
+    min-spaces-after: 1
+    max-spaces-after: 1
+  comments: disable
+  comments-indentation: disable
+  document-end: disable
+  document-start: disable
+  empty-lines:
+    level: warning
+    max: 2
+    max-start: 0
+    max-end: 0
+  hyphens:
+    level: warning
+    max-spaces-after: 1
+  indentation:
+    level: warning
+    spaces: consistent
+    indent-sequences: true
+    check-multi-line-strings: false
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable

.github/workflows/call-super-linter.yaml

@@ -0,0 +1,37 @@
+---
+# template source: https://github.com/bretfisher/super-linter-workflow/blob/main/templates/call-super-linter.yaml
+name: Lint Code Base
+
+on:
+  
+  push:
+    branches: [main]
+  
+  pull_request:
+
+jobs:
+  call-super-linter:
+
+    name: Call Super-Linter
+    
+    permissions:
+      contents: read # clone the repo to lint
+      statuses: write #read/write to repo custom statuses
+
+    ### use Reusable Workflows to call my workflow remotely
+    ### https://docs.github.com/en/actions/learn-github-actions/reusing-workflows
+    ### you can also call workflows from inside the same repo via file path
+
+    #FIXME: customize uri to point to your own linter repository
+    uses: bretfisher/super-linter-workflow/.github/workflows/reusable-super-linter.yaml@main
+    
+    ### Optional settings examples
+    
+    # with:
+      ### For a DevOps-focused repository. Prevents some code-language linters from running
+      ### defaults to false
+      # devops-only: false
+      
+      ### A regex to exclude files from linting
+      ### defaults to empty
+      # filter-regex-exclude: html/.*

.gitignore

@@ -0,0 +1,2 @@
+.dccache
+.DS_Store

README.md

@@ -1,2 +1,6 @@
-# podspec
-Kubernetes Pod Specification Good Defaults
+# Kubernetes Pod Specification Good Defaults
+
+The Pod spec for your apps can be the most complex part of your Kubernetes manifest design, and needs many features enabled to be a save and reasonably secure default
+
+This single-file repo is meant to be a starting point for your Pod specs, to add to Deployments, DaemonSets, StatefulSets, initContainers, etc.
+

pod.yaml

@@ -0,0 +1,54 @@
+# generic pod spec that's usable inside a deployment or other higher level k8s spec
+# via https://github.com/BretFisher/podspec
+
+apiVersion: v1
+kind: Pod
+metadata:
+  name: mypod
+
+spec:
+
+  containers:
+
+      # basic container details
+    - name: my-container-name
+      # never use reusable tags like latest or stable
+      image: my-image:tag
+      # hardcode the listening port if Dockerfile isn't set with EXPOSE
+      ports:
+        - containerPort: 8080
+          protocol: TCP
+
+      readinessProbe:        # only needed if your pod has a service and listening port
+        httpGet:             # Lots of timeout values with defaults, be sure they are ideal for your workload
+          path: /ready
+          port: 8080
+      livenessProbe:         # only needed if your app becomes unresponsive or you don't have a readinessProbe, but this is up for debate.
+        httpGet:             # Lots of timeout values with defaults, be sure they are ideal for your workload
+          path: /ready
+          port: 8080
+
+      resources:             # Because if limits = requests then QoS is set to "Guaranteed"
+        limits:
+          memory: "500Mi"    # If container uses over 500MB it is killed (OOM)
+          cpu: "2"           # If container uses over 2 vCPU it is throttled
+        requests:
+          memory: "500Mi"    # Scheduler finds a node where 500MB is available
+          cpu: "1"           # Scheduler finds a node where 1 vCPU is available
+
+      # per-container security context
+      # lock down privileges inside the container
+      securityContext:
+        allowPrivilegeEscalation: false # prevent sudo, etc.
+        privileged: false               # prevent acting like host root
+
+  # per-pod security context
+  # enable seccomp and force non-root user
+  securityContext:
+
+    seccompProfile:
+      type: RuntimeDefault   # enable seccomp and the runtimes default profile
+
+    runAsUser: 1001          # hardcode user to non-root if not set in Dockerfile
+    runAsGroup: 1001         # hardcode group to non-root if not set in Dockerfile
+    runAsNonRoot: true       # hardcode to non-root. Redundant to above if Dockerfile is set USER 1000