# Bookstore — Part 11 ch.10 "Platform engineering": the Composition — the # RECIPE that expands ONE BookstoreEnvironment (crossplane-xrd.yaml) into the # guide's GUARDED-NAMESPACE stack. This is where "guardrails by construction" # is real: the developer's 2-field request can ONLY become this hardened/ # bounded/isolated set of objects, because the Composition is the sole producer # (the provider's ServiceAccount has least-privilege RBAC scoped to exactly # these kinds — ch.10 Hands-on step 1; Part 05 ch.01). # # WHAT IT PROVISIONS (= the guide's stack, Parts 01-08, made self-service): # - Namespace pod-security.kubernetes.io/enforce=restricted (Part 05 ch.02) # - Role + RoleBinding least-privilege in-namespace (Part 05 ch.01) # - ResourceQuota + LimitRange bounded (Part 01 ch.03 / 08 ch.04) # - NetworkPolicy default-deny ingress+egress (Part 02 ch.06) # Each is wrapped in a provider-kubernetes `Object` (kubernetes.crossplane.io) # so Crossplane reconciles it CONTINUOUSLY (operator pattern, ch.02, # generalised — delete one by hand and it is healed back; ch.10 §3). # # CROSSPLANE COMPOSITION MODEL (current, accurate): mode: Pipeline with # functionRef -> function-patch-and-transform (input kind Resources). The old # inline spec.resources/patchSets form is superseded by this function-based # pipeline (verified against the Crossplane v2 composition docs). compositeTypeRef # points at the v2 namespaced XR from crossplane-xrd.yaml. # # REQUIRES (ch.10 step 1), IN THIS ORDER — the Function AND the Provider must # be Healthy BEFORE this Composition is applied or its pipeline never runs and # the XR never reconciles (the #1 Crossplane "nothing happens" footgun): # Crossplane installed -> provider-kubernetes installed + Healthy + a # ProviderConfig `default` (InjectedIdentity) -> function-patch-and-transform # installed + Healthy (PINNED — not :latest): # kubectl apply -f - < different totals (ch.10 notes this). requests.cpu: "2" requests.memory: 2Gi limits.cpu: "4" limits.memory: 4Gi pods: "20" patches: - type: FromCompositeFieldPath fromFieldPath: spec.tenant toFieldPath: spec.forProvider.manifest.metadata.namespace transforms: - type: string string: { fmt: "bookstore-tenant-%s", type: Format } # --- 5. LimitRange (Part 01 ch.03) --- - name: limitrange base: apiVersion: kubernetes.crossplane.io/v1alpha1 kind: Object spec: providerConfigRef: { name: default } forProvider: manifest: apiVersion: v1 kind: LimitRange metadata: name: bookstore-tenant namespace: bookstore-tenant-REPLACED labels: { app.kubernetes.io/part-of: bookstore } spec: limits: - type: Container default: { cpu: 250m, memory: 128Mi } defaultRequest: { cpu: 50m, memory: 64Mi } min: { cpu: 10m, memory: 16Mi } max: { cpu: "2", memory: 1Gi } patches: - type: FromCompositeFieldPath fromFieldPath: spec.tenant toFieldPath: spec.forProvider.manifest.metadata.namespace transforms: - type: string string: { fmt: "bookstore-tenant-%s", type: Format } # --- 6. NetworkPolicy: default-deny ingress+egress (Part 02 ch.06) --- - name: networkpolicy-default-deny base: apiVersion: kubernetes.crossplane.io/v1alpha1 kind: Object spec: providerConfigRef: { name: default } forProvider: manifest: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny namespace: bookstore-tenant-REPLACED labels: { app.kubernetes.io/part-of: bookstore } spec: # selects ALL pods; no ingress/egress rules = deny all. # A real golden path adds explicit allow policies on top # (Part 02 ch.06 default-deny + explicit-allow pattern). podSelector: {} policyTypes: ["Ingress", "Egress"] patches: - type: FromCompositeFieldPath fromFieldPath: spec.tenant toFieldPath: spec.forProvider.manifest.metadata.namespace transforms: - type: string string: { fmt: "bookstore-tenant-%s", type: Format }