address PR comments

Signed-off-by: Luciano <[email protected]>

Author: lucianozablocki

k8s/k8s-workload-registrar/README.md

@@ -1,4 +1,3 @@
-# ServiceAccount for the SPIRE agent
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +6,6 @@ metadata:
 
 ---
 
-# Required cluster role to allow spire-agent to query k8s API server
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -19,7 +17,6 @@ rules:
 
 ---
 
-# Binds above cluster role to spire-agent service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -55,7 +52,7 @@ data:
     plugins {
       NodeAttestor "k8s_psat" {
         plugin_data {
-          cluster = "example-cluster"
+          cluster = "demo-cluster"
         }
       }
 
@@ -106,7 +103,6 @@ spec:
       annotations:
         spiffe.io/spiffe-id: "testing/agent"
     spec:
-      # hostPID is required for K8S Workload Attestation.
       hostPID: true
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet

k8s/k8s-workload-registrar/mode-crd/k8s/spire-agent.yaml

@@ -12,8 +12,6 @@ kind: ClusterRole
 metadata:
   name: k8s-workload-registrar-role
 rules:
-  # allow TokenReview requests (to verify service account tokens for PSAT
-  # attestation)
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["get", "create"]
@@ -47,28 +45,22 @@ subjects:
 
 ---
 
-# Role for the SPIRE server
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   namespace: spire
   name: spire-server-role
 rules:
-  # allow "get" access to pods (to resolve selectors for PSAT attestation)
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
-  # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
-  # agent bootstrapping, see the spire-bundle ConfigMap below)
 - apiGroups: [""]
   resources: ["configmaps"]
   resourceNames: ["spire-bundle"]
   verbs: ["get", "patch"]
 
 ---
 
-# RoleBinding granting the spire-server-role to the SPIRE server
-# service account.
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -93,7 +85,6 @@ metadata:
 
 ---
 
-# ConfigMap containing the SPIRE server configuration.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -128,7 +119,7 @@ data:
       NodeAttestor "k8s_psat" {
         plugin_data {
           clusters = {
-            "example-cluster" = {
+            "demo-cluster" = {
               service_account_whitelist = ["spire:spire-agent"]
             }
           }
@@ -168,7 +159,7 @@ data:
   k8s-workload-registrar.conf: |
     trust_domain = "example.org"
     server_socket_path = "/tmp/spire-server/private/api.sock"
-    cluster = "example-cluster"
+    cluster = "demo-cluster"
     mode = "crd"
     pod_annotation = "spiffe.io/spiffe-id"
     metrics_bind_addr = "0"
@@ -251,7 +242,6 @@ spec:
 
 ---
 
-# Service definition for SPIRE server defining the gRPC port.
 apiVersion: v1
 kind: Service
 metadata:

k8s/k8s-workload-registrar/mode-crd/k8s/spire-server.yaml

@@ -24,7 +24,7 @@ trap cleanup EXIT
 cleanup
 set_env
 
-NODE_SPIFFE_ID="spiffe://example.org/k8s-workload-registrar/example-cluster/node/"
+NODE_SPIFFE_ID="spiffe://example.org/k8s-workload-registrar/demo-cluster/node/"
 AGENT_SPIFFE_ID="spiffe://example.org/testing/agent"
 WORKLOAD_SPIFFE_ID="spiffe://example.org/testing/example-workload"
 

k8s/k8s-workload-registrar/mode-crd/test.sh

@@ -1,4 +1,3 @@
-# ServiceAccount for the SPIRE agent
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +6,6 @@ metadata:
 
 ---
 
-# Required cluster role to allow spire-agent to query k8s API server
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -19,7 +17,6 @@ rules:
 
 ---
 
-# Binds above cluster role to spire-agent service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -36,9 +33,6 @@ roleRef:
 
 ---
 
-# ConfigMap for the SPIRE agent featuring:
-# 1) PSAT node attestation
-# 2) K8S Workload Attestation over the secure kubelet port
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -59,7 +53,7 @@ data:
     plugins {
       NodeAttestor "k8s_psat" {
         plugin_data {
-          cluster = "example-cluster"
+          cluster = "demo-cluster"
         }
       }
 
@@ -108,7 +102,6 @@ spec:
         app: spire-agent
         spire-workload: agent
     spec:
-      # hostPID is required for K8S Workload Attestation.
       hostPID: true
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet

k8s/k8s-workload-registrar/mode-reconcile/k8s/spire-agent.yaml

@@ -1,4 +1,3 @@
-# ServiceAccount used by the SPIRE server.
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +6,6 @@ metadata:
 
 ---
 
-# Required cluster role to allow spire-server to query k8s API server
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -16,15 +14,12 @@ rules:
 - apiGroups: [""]
   resources: ["pods", "nodes"]
   verbs: ["get", "list", "watch"]
-  # allow TokenReview requests (to verify service account tokens for PSAT
-  # attestation)
 - apiGroups: ["authentication.k8s.io"]
   resources: ["tokenreviews"]
   verbs: ["get", "create"]
 
 ---
 
-# Binds above cluster role to spire-server service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -41,19 +36,15 @@ roleRef:
 
 ---
 
-# Role for the SPIRE server
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   namespace: spire
   name: spire-server-role
 rules:
-  # allow "get" access to pods (to resolve selectors for PSAT attestation)
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get"]
-  # allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
-  # agent bootstrapping, see the spire-bundle ConfigMap below)
 - apiGroups: [""]
   resources: ["configmaps"]
   resourceNames: ["spire-bundle"]
@@ -71,8 +62,6 @@ rules:
 
 ---
 
-# RoleBinding granting the spire-server-role to the SPIRE server
-# service account.
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -89,10 +78,6 @@ roleRef:
 
 ---
 
-# ConfigMap containing the latest trust bundle for the trust domain. It is
-# updated by SPIRE using the k8sbundle notifier plugin. SPIRE agents mount
-# this config map and use the certificate to bootstrap trust with the SPIRE
-# server during attestation.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -101,7 +86,6 @@ metadata:
 
 ---
 
-# ConfigMap containing the SPIRE server configuration.
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -136,7 +120,7 @@ data:
       NodeAttestor "k8s_psat" {
         plugin_data {
           clusters = {
-            "example-cluster" = {
+            "demo-cluster" = {
               service_account_whitelist = ["spire:spire-agent"]
             }
           }
@@ -176,17 +160,14 @@ data:
   k8s-workload-registrar.conf: |
     trust_domain = "example.org"
     server_socket_path = "/tmp/spire-server/private/api.sock"
-    cluster = "example-cluster"
+    cluster = "demo-cluster"
     mode = "reconcile"
     pod_label = "spire-workload"
     metrics_addr = "0"
     controller_name = "k8s-workload-registrar"
 
 ---
 
-# This is the Deployment for the SPIRE server. It waits for SPIRE database to
-# initialize and uses the SPIRE healthcheck command for liveness/readiness
-# probes.
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -262,7 +243,6 @@ spec:
 
 ---
 
-# Service definition for SPIRE server defining the gRPC port.
 apiVersion: v1
 kind: Service
 metadata:

k8s/k8s-workload-registrar/mode-reconcile/k8s/spire-server.yaml

@@ -22,7 +22,7 @@ trap cleanup EXIT
 cleanup
 set_env
 
-NODE_SPIFFE_ID="spiffe://example.org/k8s-workload-registrar/example-cluster/node/"
+NODE_SPIFFE_ID="spiffe://example.org/k8s-workload-registrar/demo-cluster/node/"
 AGENT_SPIFFE_ID="spiffe://example.org/agent"
 WORKLOAD_SPIFFE_ID="spiffe://example.org/example-workload"
 

k8s/k8s-workload-registrar/mode-reconcile/test.sh

@@ -1,5 +1,3 @@
-# KubeConfig with client credentials for the API Server to use to call the
-# K8S Workload Registrar service
 apiVersion: v1
 kind: Config
 users:

k8s/k8s-workload-registrar/mode-webhook/k8s/admctrl/kubeconfig.yaml

@@ -1,4 +1,3 @@
-# Kubernetes Secret containing the K8S Workload Registrar server key
 apiVersion: v1
 kind: Secret
 metadata:

k8s/k8s-workload-registrar/mode-webhook/k8s/k8s-workload-registrar-secret.yaml

@@ -1,4 +1,3 @@
-# ServiceAccount for the SPIRE agent
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -7,7 +6,6 @@ metadata:
 
 ---
 
-# Required cluster role to allow spire-agent to query k8s API server
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -19,7 +17,6 @@ rules:
 
 ---
 
-# Binds above cluster role to spire-agent service account
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -35,9 +32,6 @@ roleRef:
 
 ---
 
-# ConfigMap for the SPIRE agent featuring:
-# 1) PSAT node attestation
-# 2) K8S Workload Attestation over the secure kubelet port
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -58,7 +52,7 @@ data:
     plugins {
       NodeAttestor "k8s_psat" {
         plugin_data {
-          cluster = "example-cluster"
+          cluster = "demo-cluster"
         }
       }
 
@@ -109,7 +103,6 @@ spec:
       annotations:
         spiffe.io/spiffe-id: "testing/agent"
     spec:
-      # hostPID is required for K8S Workload Attestation.
       hostPID: true
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet