fix: kubescape

Dries De Peuter 2023-03-12 01:20:58 +01:00
parent 62f01aa710
commit e930ccb55c
14 changed files with 119 additions and 29 deletions


@ -56,12 +56,8 @@
"registry.hub.docker.com" "registry.hub.docker.com"
], ],
"recommendedLabels": [ "recommendedLabels": [
"app", "app.kubernetes.io/name",
"tier", "app.kubernetes.io/instance"
"phase",
"version",
"owner",
"env"
], ],
"sensitiveInterfaces": [ "sensitiveInterfaces": [
"nifi", "nifi",


@ -1,22 +0,0 @@
[
{
"name": "exclude-default-namespace-control",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "CIS-5.7.4"
}
]
}
]


@ -78,7 +78,7 @@ jobs:
version: v3.7.1 version: v3.7.1
- name: Scan helm - name: Scan helm
run: helm template ./charts/well-known --generate-name --dry-run | kubescape scan --controls-config .github/kubescape-controls-inputs.json --exceptions .github/kubescape-exceptions.json -v --fail-threshold 5 - run: helm template ./charts/well-known -f ./charts/well-known/ci/pluto-values.yaml | kubescape scan --controls-config .github/kubescape-controls-inputs.json -v --fail-threshold 5 -
pluto-scan: pluto-scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest
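Review bot: The scan on line 57 now renders the chart only with `./charts/well-known/ci/pluto-values.yaml`, which turns `networkpolicies.enabled` on, while the chart default in values.yaml is `enabled: false`; the default render, which is what a plain install produces, is therefore no longer scanned and a finding that only appears there can pass unnoticed. Consider keeping a second invocation for the defaults, e.g. `run: helm template ./charts/well-known | kubescape scan --controls-config .github/kubescape-controls-inputs.json -v --fail-threshold 5 -`, or looping over the ci values files. Unless the step (or the job, defined above the hunk) sets `shell: bash`, GitHub Actions runs `run:` with `bash -e` but without `pipefail`, so a failing `helm template` on the left of the pipe may not fail the step on its own; worth confirming in the workflow header.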


@ -3,3 +3,7 @@ ingress:
autoscaling: autoscaling:
enabled: true enabled: true
networkpolicies:
enabled: true
kubeApiServerCIDR: 1.2.3.4/32
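Review bot: `kubeApiServerCIDR: 1.2.3.4/32` on line 68 is a plain scalar while the same key is quoted in values.yaml (`"<IP>/32"`); a value with dots and a slash parses as a string on every YAML parser, so nothing breaks, but quoting it keeps the two files consistent: `kubeApiServerCIDR: "1.2.3.4/32"`. A one-line comment saying this is a dummy address, presumably there only so the NetworkPolicy templates render during the CI scan, would spare the next reader the lookup.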


@ -2,6 +2,7 @@ kind: ConfigMap
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: {{ include "well-known.fullname" . }} name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
data: data:


@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "well-known.fullname" . }} name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
spec: spec:
@ -25,6 +26,7 @@ spec:
{{- toYaml . | nindent 8 }} {{- toYaml . | nindent 8 }}
{{- end }} {{- end }}
serviceAccountName: {{ include "well-known.serviceAccountName" . }} serviceAccountName: {{ include "well-known.serviceAccountName" . }}
automountServiceAccountToken: true
securityContext: securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }} {{- toYaml .Values.podSecurityContext | nindent 8 }}
containers: containers:
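Review bot: `automountServiceAccountToken: true` on the pod spec (line 95) takes precedence over the `automountServiceAccountToken: false` that the serviceaccount hunk adds to the ServiceAccount, so the token is still mounted into this Deployment's pods and the ServiceAccount-level setting buys nothing for them. If the container genuinely needs the API token (the Role/RoleBinding and the allow-egress-apiserver NetworkPolicy in this commit suggest it may), say so right above the line, e.g. `# overrides the ServiceAccount's automountServiceAccountToken: false; the container talks to the API server`; if it does not, set this to `false` as well so the two settings agree. The Deployment's pod spec continues outside the hunk.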


@ -7,6 +7,7 @@ apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: {{ include "well-known.fullname" . }} name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
spec: spec:


@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}


@ -0,0 +1,98 @@
{{- if .Values.networkpolicies.enabled -}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-deny-ingress
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
ingress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
policyTypes:
- Ingress
ingress:
- ports:
- port: 8080
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-deny-egress
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
policyTypes:
- Egress
egress: []
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-allow-egress-dns
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
policyTypes:
- Egress
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
namespace: {{ .Release.Namespace }}
labels:
{{- include "well-known.labels" . | nindent 4 }}
spec:
policyTypes:
- Egress
podSelector:
matchLabels:
{{- include "well-known.selectorLabels" . | nindent 6 }}
egress:
- to:
- ipBlock:
cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
ports:
- port: 443
protocol: TCP
{{- end -}}
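Review bot: `cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}` on line 218 is rendered unquoted and the values.yaml default is the placeholder `"<IP>/32"`, so enabling `networkpolicies.enabled` without overriding the value produces a policy with an invalid CIDR that fails only at apply time, and an empty override renders as a null `cidr:`; failing at template time is clearer, `cidr: {{ required "networkpolicies.kubeApiServerCIDR must be set" .Values.networkpolicies.kubeApiServerCIDR | quote }}`. The values.yaml comment points at the Service ClusterIP (`kubectl get svc -n default kubernetes`), but with many CNIs Service traffic is DNATed to the endpoint addresses before egress policy is evaluated, so an ipBlock on the ClusterIP may never match and the allow-egress-apiserver policy would then cut the pod off from the API; the addresses from `kubectl get endpoints kubernetes -n default` are usually what has to be listed, and that is worth stating in the values comment. The DNS rule selects kube-system through `kubernetes.io/metadata.name`, a label that is only applied automatically from Kubernetes 1.21 onward, so on older clusters DNS egress would be blocked entirely; a note in the chart README would help. The ingress allow on port 8080 is hard-coded and the Deployment's containerPort is not visible in this diff, so confirm the two agree.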


@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
metadata: metadata:
name: {{ include "well-known.fullname" . }} name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
rules: rules:


@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: {{ include "well-known.fullname" . }} name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
roleRef: roleRef:


@ -2,6 +2,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "well-known.fullname" . }} name: {{ include "well-known.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
spec: spec:


@ -3,10 +3,12 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "well-known.serviceAccountName" . }} name: {{ include "well-known.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "well-known.labels" . | nindent 4 }} {{- include "well-known.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }} {{- with .Values.serviceAccount.annotations }}
annotations: annotations:
{{- toYaml . | nindent 4 }} {{- toYaml . | nindent 4 }}
{{- end }} {{- end }}
automountServiceAccountToken: false
{{- end }} {{- end }}


@ -86,6 +86,10 @@ autoscaling:
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
networkpolicies:
enabled: false
kubeApiServerCIDR: "<IP>/32" # kubectl get svc -n default kubernetes
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []