diff --git a/.github/kubescape-controls-inputs.json b/.github/kubescape-controls-inputs.json
index abf16ff..2b07253 100644
--- a/.github/kubescape-controls-inputs.json
+++ b/.github/kubescape-controls-inputs.json
@@ -56,12 +56,8 @@
 "registry.hub.docker.com"
 ],
 "recommendedLabels": [
- "app",
- "tier",
- "phase",
- "version",
- "owner",
- "env"
+ "app.kubernetes.io/name",
+ "app.kubernetes.io/instance"
 ],
 "sensitiveInterfaces": [
 "nifi",
diff --git a/.github/kubescape-exceptions.json b/.github/kubescape-exceptions.json
deleted file mode 100644
index 541f547..0000000
--- a/.github/kubescape-exceptions.json
+++ /dev/null
@@ -1,22 +0,0 @@
-[
- {
- "name": "exclude-default-namespace-control",
- "policyType": "postureExceptionPolicy",
- "actions": [
- "alertOnly"
- ],
- "resources": [
- {
- "designatorType": "Attributes",
- "attributes": {
- "kind": ".*"
- }
- }
- ],
- "posturePolicies": [
- {
- "controlID": "CIS-5.7.4"
- }
- ]
- }
-]
\ No newline at end of file
diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml
index ab79987..4f60016 100644
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -78,7 +78,7 @@ jobs:
version: v3.7.1 - name: Scan helm - run: helm template ./charts/well-known --generate-name --dry-run | kubescape scan --controls-config .github/kubescape-controls-inputs.json --exceptions .github/kubescape-exceptions.json -v --fail-threshold 5 - + run: helm template ./charts/well-known -f ./charts/well-known/ci/pluto-values.yaml | kubescape scan --controls-config .github/kubescape-controls-inputs.json -v --fail-threshold 5 - pluto-scan: runs-on: ubuntu-latest
diff --git a/charts/well-known/ci/pluto-values.yaml b/charts/well-known/ci/pluto-values.yaml
index 36fa70e..17b1f3f 100644
--- a/charts/well-known/ci/pluto-values.yaml
+++ b/charts/well-known/ci/pluto-values.yaml
@@ -3,3 +3,7 @@ ingress:
 autoscaling:
 enabled: true
+
+ networkpolicies:
+ enabled: true
+ kubeApiServerCIDR: 1.2.3.4/32
\ No newline at end of file
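Review bot: The new `run:` pipes `helm template` into `kubescape scan` without `pipefail`, so a templating failure (a values file that does not render, a bad `-f` path) leaves kubescape scanning empty input and the step can go green while nothing was checked; whether the job declares `shell: bash` (which turns pipefail on) is outside this hunk. Make the failure visible either way: `run: set -o pipefail; helm template ./charts/well-known -f ./charts/well-known/ci/pluto-values.yaml | kubescape scan --controls-config .github/kubescape-controls-inputs.json -v --fail-threshold 5`. Dropping `--exceptions` is consistent with the namespace now being templated on every resource, but that only holds while the exception file's control stays satisfied, so the scan is the only thing guarding it.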
diff --git a/charts/well-known/templates/configmap.yaml b/charts/well-known/templates/configmap.yaml
index d6d040b..fa9651d 100644
--- a/charts/well-known/templates/configmap.yaml
+++ b/charts/well-known/templates/configmap.yaml
@@ -2,6 +2,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
 name: {{ include "well-known.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 data:
diff --git a/charts/well-known/templates/deployment.yaml b/charts/well-known/templates/deployment.yaml
index 2489e38..d6f1d53 100644
--- a/charts/well-known/templates/deployment.yaml
+++ b/charts/well-known/templates/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "well-known.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 spec:
@@ -25,6 +26,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "well-known.serviceAccountName" . }}
+ automountServiceAccountToken: true
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
diff --git a/charts/well-known/templates/hpa.yaml b/charts/well-known/templates/hpa.yaml
index e594e56..1e781bb 100644
--- a/charts/well-known/templates/hpa.yaml
+++ b/charts/well-known/templates/hpa.yaml
@@ -7,6 +7,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "well-known.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 spec:
diff --git a/charts/well-known/templates/ingress.yaml b/charts/well-known/templates/ingress.yaml
index 6a74c46..28031a4 100644
--- a/charts/well-known/templates/ingress.yaml
+++ b/charts/well-known/templates/ingress.yaml
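Review bot: `automountServiceAccountToken: true` on the pod spec takes precedence over whatever the ServiceAccount object sets, so with this line the token is always mounted into the pod and a reader of the template cannot tell whether that is deliberate or a leftover. The chart presumably does need API access (it ships a Role/RoleBinding and an egress rule toward the API server), so say so next to the line, e.g. `{{- /* pod-level setting overrides the ServiceAccount's automountServiceAccountToken; the workload talks to the API via the Role in role.yaml */ -}}`, or expose it as `automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }}` so deployments that do not need the API can turn it off. Both deployment hunks are fragments; the pod spec continues outside the hunk.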
@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
 name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 {{- with .Values.ingress.annotations }}
diff --git a/charts/well-known/templates/networkpolicy.yaml b/charts/well-known/templates/networkpolicy.yaml
new file mode 100644
index 0000000..16248b9
--- /dev/null
+++ b/charts/well-known/templates/networkpolicy.yaml
@@ -0,0 +1,98 @@
+{{- if .Values.networkpolicies.enabled -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "well-known.fullname" . }}-deny-ingress
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "well-known.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "well-known.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "well-known.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "well-known.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - ports:
+ - port: 8080
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "well-known.fullname" . }}-deny-egress
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "well-known.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "well-known.selectorLabels" . | nindent 6 }}
+ policyTypes:
+ - Egress
+ egress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "well-known.fullname" . }}-allow-egress-dns
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "well-known.labels" . | nindent 4 }}
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ {{- include "well-known.selectorLabels" . | nindent 6 }}
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "well-known.labels" . | nindent 4 }}
+spec:
+ policyTypes:
+ - Egress
+ podSelector:
+ matchLabels:
+ {{- include "well-known.selectorLabels" . | nindent 6 }}
+ egress:
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
+ ports:
+ - port: 443
+ protocol: TCP
+{{- end -}}
\ No newline at end of file
diff --git a/charts/well-known/templates/role.yaml b/charts/well-known/templates/role.yaml
index 9c2fc6e..8edb5cd 100644
--- a/charts/well-known/templates/role.yaml
+++ b/charts/well-known/templates/role.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ include "well-known.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 rules:
diff --git a/charts/well-known/templates/rolebinding.yaml b/charts/well-known/templates/rolebinding.yaml
index e12955d..c33dd86 100644
--- a/charts/well-known/templates/rolebinding.yaml
+++ b/charts/well-known/templates/rolebinding.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ include "well-known.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 roleRef:
diff --git a/charts/well-known/templates/service.yaml b/charts/well-known/templates/service.yaml
index 938907b..4bb6306 100644
--- a/charts/well-known/templates/service.yaml
+++ b/charts/well-known/templates/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: {{ include "well-known.fullname" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 spec:
diff --git a/charts/well-known/templates/serviceaccount.yaml b/charts/well-known/templates/serviceaccount.yaml
index 944ebcd..a5ff16d 100644
--- a/charts/well-known/templates/serviceaccount.yaml
+++ b/charts/well-known/templates/serviceaccount.yaml
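Review bot: `allow-egress-apiserver` matches an `ipBlock` on port 443, but on many CNIs traffic to the `kubernetes` ClusterIP is DNAT-ed to the control-plane endpoint address and port (commonly 6443) before the policy is evaluated, so a value taken from the Service's ClusterIP — which is what the values.yaml comment points users at — will not match and `deny-egress` cuts the pod off from the API it apparently needs. Document that the value should be the address(es) reported by `kubectl get endpoints kubernetes -n default`, make the port a value such as `port: {{ .Values.networkpolicies.kubeApiServerPort | default 443 }}`, and wrap the CIDR in `required` so an unset value fails at template time rather than at apply time. Separately, `allow-ingress-webserver` has no `from:` clause, so port 8080 is reachable from every namespace and, depending on the CNI, from outside the cluster; if only the ingress controller should reach it, add a `from:` with a `namespaceSelector` for that namespace. The `allow-egress-dns` rule relies on the `kubernetes.io/metadata.name` namespace label, which only clusters that set it automatically carry; on an older cluster — and this chart still templates an `extensions/v1beta1` Ingress — DNS egress would be silently blocked, so a comment naming that prerequisite belongs above the rule.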
@@ -3,10 +3,12 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "well-known.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 {{- include "well-known.labels" . | nindent 4 }}
 {{- with .Values.serviceAccount.annotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end }}
diff --git a/charts/well-known/values.yaml b/charts/well-known/values.yaml
index 79195de..59035e3 100644
--- a/charts/well-known/values.yaml
+++ b/charts/well-known/values.yaml
@@ -86,6 +86,10 @@ autoscaling:
 targetCPUUtilizationPercentage: 80
 # targetMemoryUtilizationPercentage: 80
+
+ networkpolicies:
+ enabled: false
+ kubeApiServerCIDR: "/32" # kubectl get svc -n default kubernetes
+
 nodeSelector: {}
 tolerations: []
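Review bot: `kubeApiServerCIDR: "/32"` is not a valid CIDR, so anyone who flips `networkpolicies.enabled` to true without overriding it gets a NetworkPolicy the API server rejects, and the guiding comment points at the Service's ClusterIP, which on many CNIs is not the address egress policy sees because traffic is DNAT-ed to the endpoint first. Default it to an empty string and fix the comment, e.g. `kubeApiServerCIDR: "" # control-plane endpoint address(es), e.g. from: kubectl get endpoints kubernetes -n default`, and have the template fail fast with `required "networkpolicies.kubeApiServerCIDR must be set when networkpolicies.enabled is true"`. A one-line note that enabling this also denies every other egress except DNS (as templated in networkpolicy.yaml) would spare users a surprise.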