fix: kubescape

2023-03-12 01:20:58 +01:00 · 2023-03-12 01:20:58 +01:00 · e930ccb55c
commit e930ccb55c
parent 62f01aa710
14 changed files with 119 additions and 29 deletions
--- a/.github/kubescape-controls-inputs.json
+++ b/.github/kubescape-controls-inputs.json
@ -56,12 +56,8 @@
    "registry.hub.docker.com"
  ],
  "recommendedLabels": [
-    "app",
-    "tier",
-    "phase",
-    "version",
-    "owner",
-    "env"
+    "app.kubernetes.io/name",
+    "app.kubernetes.io/instance"
  ],
  "sensitiveInterfaces": [
    "nifi",
--- a/.github/kubescape-exceptions.json
+++ b/.github/kubescape-exceptions.json
@ -1,22 +0,0 @@
-[
-  {
-    "name": "exclude-default-namespace-control",
-    "policyType": "postureExceptionPolicy",
-    "actions": [
-      "alertOnly"
-    ],
-    "resources": [
-      {
-        "designatorType": "Attributes",
-        "attributes": {
-          "kind": ".*"
-        }
-      }
-    ],
-    "posturePolicies": [
-      {
-        "controlID": "CIS-5.7.4"
-      }
-    ]
-  }
-]
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@ -78,7 +78,7 @@ jobs:
          version: v3.7.1

      - name: Scan helm 
-        run: helm template ./charts/well-known --generate-name --dry-run | kubescape scan --controls-config .github/kubescape-controls-inputs.json --exceptions .github/kubescape-exceptions.json -v --fail-threshold 5 -
+        run: helm template ./charts/well-known -f ./charts/well-known/ci/pluto-values.yaml | kubescape scan --controls-config .github/kubescape-controls-inputs.json -v --fail-threshold 5 -

  pluto-scan:
    runs-on: ubuntu-latest
--- a/charts/well-known/ci/pluto-values.yaml
+++ b/charts/well-known/ci/pluto-values.yaml
@ -3,3 +3,7 @@ ingress:

 autoscaling:
  enabled: true
+
+networkpolicies:
+  enabled: true
+  kubeApiServerCIDR: 1.2.3.4/32
--- a/charts/well-known/templates/configmap.yaml
+++ b/charts/well-known/templates/configmap.yaml
@ -2,6 +2,7 @@ kind: ConfigMap
 apiVersion: v1
 metadata:
  name: {{ include "well-known.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
 data:
--- a/charts/well-known/templates/deployment.yaml
+++ b/charts/well-known/templates/deployment.yaml
@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "well-known.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
 spec:
@ -25,6 +26,7 @@ spec:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "well-known.serviceAccountName" . }}
+      automountServiceAccountToken: true
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
--- a/charts/well-known/templates/hpa.yaml
+++ b/charts/well-known/templates/hpa.yaml
@ -7,6 +7,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "well-known.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
 spec:
--- a/charts/well-known/templates/ingress.yaml
+++ b/charts/well-known/templates/ingress.yaml
@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
--- a/charts/well-known/templates/networkpolicy.yaml
+++ b/charts/well-known/templates/networkpolicy.yaml
@ -0,0 +1,98 @@
+{{- if .Values.networkpolicies.enabled -}}
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "well-known.fullname" . }}-deny-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "well-known.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  ingress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "well-known.fullname" . }}-allow-ingress-webserver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "well-known.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Ingress
+  ingress:
+  - ports:
+    - port: 8080
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "well-known.fullname" . }}-deny-egress
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "well-known.labels" . | nindent 4 }}
+spec:
+  podSelector:
+    matchLabels:
+	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+  policyTypes:
+  - Egress
+  egress: []
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "well-known.fullname" . }}-allow-egress-dns
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "well-known.labels" . | nindent 4 }}
+spec:
+  policyTypes:
+  - Egress
+  podSelector:
+    matchLabels:
+	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "well-known.fullname" . }}-allow-egress-apiserver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "well-known.labels" . | nindent 4 }}
+spec:
+  policyTypes:
+  - Egress
+  podSelector:
+    matchLabels:
+	    {{- include "well-known.selectorLabels" . | nindent 6 }}
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkpolicies.kubeApiServerCIDR }}
+    ports:
+    - port: 443
+      protocol: TCP
+{{- end -}}
--- a/charts/well-known/templates/role.yaml
+++ b/charts/well-known/templates/role.yaml
@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: {{ include "well-known.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
 rules:
--- a/charts/well-known/templates/rolebinding.yaml
+++ b/charts/well-known/templates/rolebinding.yaml
@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: {{ include "well-known.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
 roleRef:
--- a/charts/well-known/templates/service.yaml
+++ b/charts/well-known/templates/service.yaml
@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "well-known.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
 spec:
--- a/charts/well-known/templates/serviceaccount.yaml
+++ b/charts/well-known/templates/serviceaccount.yaml
@ -3,10 +3,12 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "well-known.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "well-known.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
+automountServiceAccountToken: false
 {{- end }}
--- a/charts/well-known/values.yaml
+++ b/charts/well-known/values.yaml
@ -86,6 +86,10 @@ autoscaling:
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

+networkpolicies:
+  enabled: false
+  kubeApiServerCIDR: "<IP>/32" # kubectl get svc -n default kubernetes
+
 nodeSelector: {}

 tolerations: []