Orchestration Kubernetes

Orchestration & Automation

Déploiement complet d'un cluster Kubernetes haute disponibilité via Ansible et Kubespray. Mise en place de l'Ingress Controller et du cert-manager pour la gestion SSL automatique.

ClientProjet Lab / Interne

RoleArchitecte DevOps

Year2024

StackAnsible, Kubernetes, Helm, Prometheus

THE CHALLENGE

Le défi majeur était d'assurer l'idempotence des scripts d'installation pour garantir que l'infrastructure puisse être redéployée à l'identique en cas de désastre (Disaster Recovery).

playbook-hardening.yml

---
- name: 🔒 Production Server Hardening
  hosts: prod_servers
  become: true
  tasks:
    - name: Secure SSH Configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        validate: '/usr/sbin/sshd -t -f %s'
      loop:
        - { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }
        - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
      notify: Restart SSH
 
    - name: 🛡️ AUDIT - Verify Firewall
      command: ufw status
      register: ufw_status
      failed_when: "'Status: active' not in ufw_status.stdout"

Explore More

1	`---`
2	`- name: 🔒 Production Server Hardening`
3	`hosts: prod_servers`
4	`become: true`
5	`tasks:`
6	`- name: Secure SSH Configuration`
7	`lineinfile:`
8	`path: /etc/ssh/sshd_config`
9	`regexp: "{{ item.regexp }}"`
10	`line: "{{ item.line }}"`
11	`validate: '/usr/sbin/sshd -t -f %s'`
12	`loop:`
13	`- { regexp: '^PermitRootLogin', line: 'PermitRootLogin no' }`
14	`- { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }`
15	`notify: Restart SSH`
16
17	`- name: 🛡️ AUDIT - Verify Firewall`
18	`command: ufw status`
19	`register: ufw_status`
20	`failed_when: "'Status: active' not in ufw_status.stdout"`

Orchestration Kubernetes

Orchestration & Automation

THE CHALLENGE

All Projects