sergeidavydov/9spokes-challenge

9Spokes DevSecOps Challenge

Overview

Welcome to the 9Spokes DevSecOps technical challenge! We value and appreciate the diversity and uniqueness of thought in each individual. It is our intent to learn more about you via the code you write and your approach to solving problems.

This repo contains the instructions and the data you need to complete the 9Spokes DevSecOps Challenge. This challenge is not intended to be complex, but it is an opportunity for you to showcase your understanding and application of good infrastructure and basic development practices. We strongly value the Infrastructure as Code approach to managing Cloud resources, hence we encourage you to think about the repeatability of your exercise using a config-driven approach to infrastructure.

You are encouraged to treat this as a real-life project. This typically means:

  • Use version control effectively
  • Include some basic documentation if applicable
  • Use a proper naming convention that suits you

Once you are done, please share your work by submitting a public link to your repository. Include any special notes or running instructions in a README.md file of your choice.

Try not to exceed 2-3 hours on this exercise.

The Challenge

Docker

This repo contains a sample hello world application written in Go in the hello/ directory. The first phase of this challenge is to build this application into a Docker container using the supplied Dockerfile. You will need to push the resulting image to a Docker registry of your choice. The image will be used in subsequent steps.

git clone https://github.com/9spokes/devsecops-challenge .\9spokes-challenge
cd .\9spokes-challenge
docker build .\hello\ -t vincentstark/9spokes-challenge:latest
docker push vincentstark/9spokes-challenge:latest

Kubernetes

  • Create a Kubernetes cluster using any method you'd like (e.g. kops, minikube, microk8s or Cloud)
  • Create a new namespace called staging.
minikube start
kubectl apply -f .\manifests\ns.yml

Single Pod

  • Create a new pod called hello in this staging namespace, make sure it is in a healthy state. Use the hello image from the step above for this task.
kubectl apply -f .\manifests\single-pod.yml
kubectl get pods hello -n staging
kubectl logs hello -n staging
# just to be sure
# kubectl expose pod hello --port=8080 --name=hello
# kubectl run curl --rm --attach --restart=Never --image=curlimages/curl -- -s http://hello:8080/test-path

Multi-node

  • Assume you are operating a 3 node (node-1, node-2, and node-3) cluster, deploy a pod called p2 in every node of your cluster.
# Because an object name is unique for that type of resource, it is impossible to assign exactly the same name "p2" to multiple pods unless they are deployed in different namespaces
# This can also be achieved with other types of workload resources (deployment, rc, rs, sts) using a topologySpreadConstraints spec
kubectl apply -f .\manifests\daemon-set.yml
kubectl get ds -n staging
kubectl logs -l name=p2 -n staging

Multi-container Pod

  • Create a new pod called p3 in the staging namespace. This pod contains two containers, and the pod should only be created when one of these two containers has a file called /app/ready.txt. The pod should fail if that container does not have that file.
kubectl apply -f .\manifests\multi-container-pod.yml

Monitoring

  • Deploy prometheus alert manager and grafana into the kube-system namespace and configure a customised alert called 9spokes-cpu-alert which is only going to be triggered when a pod has 80% of the CPU running for 60 seconds. You should send the details of this alert with your name into the Microsoft Teams channel located here.
  • Deploy an ingress controller to protect prometheus and alert manager using any authentication method you'd like.

Thank you and good luck!
