-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
🚀(project:maison): Install Presidio to anonymise data comming from n8n
Signed-off-by: Alexandre Nicolaie <[email protected]>
- Loading branch information
Showing
5 changed files
with
200 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
29 changes: 29 additions & 0 deletions
29
projects/maison/src/apps/n8n/policies/allow-egress-from-n8n-to-n8n-anonymizer.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| annotations: | ||
| network-policy.k8s.io/description: | | ||
| This policy allows egress traffic from n8n to the anonymisation service. | ||
| **Why?** | ||
| - n8n will use the anonymisation service to anonymise data before | ||
| sending it to public services (like ChaGPT). | ||
| name: allow-egress-from-n8n-to-n8n-anonymizer | ||
| namespace: n8n | ||
| spec: | ||
| egress: | ||
| - to: | ||
| - podSelector: | ||
| matchLabels: | ||
| app.kubernetes.io/instance: n8n-anonymizer | ||
| app.kubernetes.io/name: n8n | ||
| ports: | ||
| - port: 5001 | ||
| - port: 5002 | ||
| podSelector: | ||
| matchLabels: | ||
| app.kubernetes.io/instance: n8n | ||
| app.kubernetes.io/name: n8n | ||
| policyTypes: | ||
| - Egress |
28 changes: 28 additions & 0 deletions
28
projects/maison/src/apps/n8n/policies/allow-ingress-to-n8n-anonymizer-from-traefik.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| --- | ||
| apiVersion: networking.k8s.io/v1 | ||
| kind: NetworkPolicy | ||
| metadata: | ||
| annotations: | ||
| network-policy.k8s.io/description: | | ||
| This policy allows the Traefik service to access the n8n anonymizer. | ||
| **Why?** | ||
| - Traefik is the gateway controller for the Kubernetes cluster | ||
| and needs to route traffic to the anonymizer service (Presidio). | ||
| name: allow-ingress-to-n8n-anonymizer-from-traefik | ||
| namespace: n8n | ||
| spec: | ||
| ingress: | ||
| - from: | ||
| - namespaceSelector: | ||
| matchLabels: | ||
| kubernetes.io/metadata.name: traefik-system | ||
| ports: | ||
| - port: 5001 | ||
| - port: 5002 | ||
| podSelector: | ||
| matchLabels: | ||
| app.kubernetes.io/instance: n8n-anonymizer | ||
| app.kubernetes.io/name: n8n | ||
| policyTypes: | ||
| - Ingress |
128 changes: 128 additions & 0 deletions
128
projects/maison/src/apps/n8n/workload.n8n-anonymizer.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,128 @@ | ||
| --- | ||
| # trunk-ignore(checkov/CKV2_K8S_6): all deployments have network ingress/egress denied by default | ||
| # trunk-ignore(checkov/CKV_K8S_23,checkov/CKV_K8S_40): mcr.microsoft.com/presidio-* are shitty built and must be runned as root | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| labels: | ||
| apps.kubernetes.io/component: anonymizer | ||
| apps.kubernetes.io/instance: n8n-anonymizer | ||
| name: n8n-anonymizer | ||
| namespace: n8n | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| apps.kubernetes.io/instance: n8n-anonymizer | ||
| template: | ||
| metadata: | ||
| labels: | ||
| apps.kubernetes.io/component: anonymizer | ||
| apps.kubernetes.io/instance: n8n-anonymizer | ||
| spec: | ||
| automountServiceAccountToken: false | ||
| containers: | ||
| # trunk-ignore(trivy/KSV012,trivy/KSV020,trivy/KSV021): mcr.microsoft.com/presidio-* are shitty built and must be runned as root | ||
| - name: presidio-analyzer | ||
| image: mcr.microsoft.com/presidio-analyzer:latest@sha256:8e09d9f0a928e86b6c634eec9a8e668738508154cb7e683d7c7c62867ce4a514 | ||
| ports: | ||
| - name: analyzer | ||
| containerPort: 3000 | ||
| protocol: TCP | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /health | ||
| port: analyzer | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /health | ||
| port: analyzer | ||
| resources: | ||
| requests: | ||
| cpu: 100m | ||
| memory: 250Mi | ||
| limits: | ||
| memory: 250Mi | ||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| capabilities: | ||
| drop: | ||
| - ALL | ||
| privileged: false | ||
| readOnlyRootFilesystem: true | ||
| runAsNonRoot: false | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| volumeMounts: | ||
| - mountPath: /.cache/pypoetry | ||
| name: tempdir | ||
| - mountPath: /tmp | ||
| name: tempdir | ||
| subPath: analyzer | ||
| # trunk-ignore(trivy/KSV012,trivy/KSV020,trivy/KSV021): mcr.microsoft.com/presidio-* are shitty built and must be runned as root | ||
| - name: presidio-anonymizer | ||
| env: | ||
| - name: PORT | ||
| value: "3001" | ||
| image: mcr.microsoft.com/presidio-anonymizer:latest@sha256:e39a7671f51c40aa493201f0d3f71ad74efc98bbd34ccd417a4cfd3ffaa59ae4 | ||
| ports: | ||
| - name: anonymizer | ||
| containerPort: 3001 | ||
| protocol: TCP | ||
| livenessProbe: | ||
| httpGet: | ||
| path: /health | ||
| port: anonymizer | ||
| readinessProbe: | ||
| httpGet: | ||
| path: /health | ||
| port: anonymizer | ||
| resources: | ||
| requests: | ||
| cpu: 100m | ||
| memory: 250Mi | ||
| limits: | ||
| memory: 250Mi | ||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| capabilities: | ||
| drop: | ||
| - ALL | ||
| privileged: false | ||
| readOnlyRootFilesystem: true | ||
| runAsNonRoot: false | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| volumeMounts: | ||
| - mountPath: /.cache/pypoetry | ||
| name: tempdir | ||
| - mountPath: /tmp | ||
| name: tempdir | ||
| subPath: anonymizer | ||
| securityContext: | ||
| runAsNonRoot: false | ||
| volumes: | ||
| - name: tempdir | ||
| emptyDir: {} | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| labels: | ||
| apps.kubernetes.io/component: anonymizer | ||
| apps.kubernetes.io/instance: n8n-anonymizer | ||
| name: n8n-anonymizer | ||
| namespace: n8n | ||
| spec: | ||
| selector: | ||
| apps.kubernetes.io/instance: n8n-anonymizer | ||
| ports: | ||
| - name: analyzer | ||
| port: 5001 | ||
| targetPort: analyzer | ||
| protocol: TCP | ||
| - name: anonymizer | ||
| port: 5002 | ||
| targetPort: anonymizer | ||
| protocol: TCP | ||
| type: ClusterIP |