Permitted Activities
This page lists the modifications that Product Teams are allowed to make to their app-manifests repository.
Modifications
Permitted Resource Kinds
NOTE
Resource types outside of this list will result in a deployment error.
Product Teams may create resources that fall into this list.
kind: Deployment
kind: StatefulSet
kind: Service
kind: ConfigMap
kind: Pod
kind: ServiceAccount
kind: PersistentVolumeClaim
kind: HorizontalPodAutoscaler
kind: Job
kind: CronJob
kind: ServiceEntry
Permitted Resource Limits
Every deployment.yaml or statefulset.yaml will be created with a 'resources block' like the following:
resources:
  limits:
    memory: 256Mi
  requests:
    cpu: 100m
    memory: 64Mi
If your application is experiencing reduced performance or slow responses, Product Teams may increase the limits section of the resources block.
Do not increase the requests section, as those are permanently allocated to the app even when idle. This reduces the resources that can be allocated to other customers.
Additional Information
Adding New Services
Product Teams may add a new service to their application if the following requirements are met:
Your app is NOT in production (CTFed).
- This must be approved by Cyber and will most likely trigger a re-CTF.
The image must be Ironbank.
There must be no source code added to the image.
Any source code added to an image must be validated by our pipelines.
If Product Teams need a new repository and pipeline, then open a help desk ticket.
FAQs
My app is in production. Can I add a new service to staging only?
Product Teams may add a new service to their staging deployment, but must be careful not to include the new service in the base, or else it will be deployed to all environments.
What storage class can I use for a PVC?
We only support the ReadWriteOnce access mode and ebs storage classes. It is recommended to not set the storage class, as it is set by default.
For example, all you need to define for a PVC is this:
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  labels:
    app: mongodb
  name: mongodb
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "8Gi"
I am getting an error about latest tags?
If you see this error in ArgoCD:
admission webhook "validation.gatekeeper.sh" denied the request:
[banned-image-tags] container <mongodb> has banned image tag <latest>
This is because we do not allow the use of the latest tag for Docker images. Specify an explicit version tag and this error will resolve. Note that we only allow Ironbank images to be run in the Party Bus cluster.
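As an added example (not part of the Party Bus tooling or of this page's own code), the check below can be run over a manifest before committing to catch the two deployment errors described on this page: a resource kind outside the permitted list and an image on the latest tag. It assumes a line-based scan rather than a YAML parser, uses a constructed manifest fragment with the placeholder registry registry.example, and treats an untagged image as latest because that is the tag an untagged reference resolves to.

```python
import re

# Kinds copied from the permitted list on this page.
PERMITTED_KINDS = {
    "Deployment", "StatefulSet", "Service", "ConfigMap", "Pod", "ServiceAccount",
    "PersistentVolumeClaim", "HorizontalPodAutoscaler", "Job", "CronJob", "ServiceEntry",
}
# Only column-0 "kind:" keys name a resource; nested ones (e.g. scaleTargetRef) are ignored.
KIND_RE = re.compile(r"^kind:\s*['\"]?([A-Za-z]+)['\"]?\s*(?:#.*)?$")
IMAGE_RE = re.compile(r"^\s*(?:-\s+)?image:\s*['\"]?([^\s'\"#]+)")

def image_tag(ref):
    """Return the tag of an image reference, or None when it is pinned by digest."""
    if "@" in ref:
        return None
    name = ref.rsplit("/", 1)[-1]  # drop registry host:port and path
    return name.split(":", 1)[1] if ":" in name else "latest"  # no tag means latest

def lint_manifest(text):
    """Return (line_number, message) findings for one manifest file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = KIND_RE.match(line)
        if m and m.group(1) not in PERMITTED_KINDS:
            findings.append((n, f"kind {m.group(1)} is not a permitted resource kind"))
        m = IMAGE_RE.match(line)
        if m and image_tag(m.group(1)) == "latest":
            findings.append((n, f"image {m.group(1)} resolves to the latest tag"))
    return findings

# Constructed, trimmed sample manifest; registry.example is a placeholder registry.
SAMPLE = """\
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: mongodb
          image: registry.example/mongodb:latest
        - name: sidecar
          image: registry.example:5000/sidecar
        - name: api
          image: registry.example/api:1.4.2
---
kind: Ingress
"""
if __name__ == "__main__":
    for n, msg in lint_manifest(SAMPLE):
        print(f"line {n}: {msg}")
```

Whether the cluster's admission policy also rejects untagged images is not stated on this page; the check flags them so the tag is always explicit.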