From e7baeac2e5c6e55924bdd750778ebefc0ed57aa7 Mon Sep 17 00:00:00 2001 From: Robert Brennan Date: Fri, 3 Jan 2020 18:32:29 +0000 Subject: [PATCH] add script for generating deploy files --- CONTRIBUTING.md | 5 +- deploy/dashboard.yaml | 137 +++++++++++++++++++++------ deploy/webhook.yaml | 137 +++++++++++++++++++++------ scripts/generate-deployment-files.sh | 17 ++++ 4 files changed, 231 insertions(+), 65 deletions(-) create mode 100755 scripts/generate-deployment-files.sh diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c99d6e47e..39ff47038 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -94,9 +94,8 @@ The steps are: 2. Bump the version number in: 1. main.go 2. README.md - 3. Regenerate the deployment files. Assuming you've cloned the charts repo to `./charts`: - 1. `helm template ./charts/stable/polaris/ --name polaris --namespace polaris --set templateOnly=true > deploy/dashboard.yaml` - 2. `helm template ./charts/stable/polaris/ --name polaris --namespace polaris --set templateOnly=true --set webhook.enable=true --set dashboard.enable=false > deploy/webhook.yaml` + 3. Regenerate the deployment files. Assuming you've cloned the charts repo to `~/git/charts`: + 1. `CHARTS_DIR=~/git/charts ./scripts/generate-deployment-files.sh` 4. Update CHANGELOG.md 5. Merge your PR 3. Tag the latest branch for this repo diff --git a/deploy/dashboard.yaml b/deploy/dashboard.yaml index 2af9813c6..ee514972f 100644 --- a/deploy/dashboard.yaml +++ b/deploy/dashboard.yaml 
@@ -14,56 +14,131 @@ metadata: labels: app: polaris data: - config.yaml: | - resources: + config.yaml: |- + checks: + # resources cpuRequestsMissing: warning cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning - images: + # images tagNotSpecified: error - healthChecks: + pullPolicyNotAlways: ignore + # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning - networking: + # networking hostNetworkSet: warning hostPortSet: warning - security: + # security hostIPCSet: error hostPIDSet: error notReadOnlyRootFileSystem: warning privilegeEscalationAllowed: error runAsRootAllowed: warning runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - controllers_to_scan: + dangerousCapabilities: error + insecureCapabilities: warning + controllersToScan: - Deployments - StatefulSets - DaemonSets - - Jobs - CronJobs + - Jobs - ReplicationControllers + exemptions: + - controllerNames: + - dns-controller + - datadog-datadog + - kube-flannel-ds + - kube2iam + - aws-iam-authenticator + - datadog + - kube2iam + rules: + - hostNetworkSet + - controllerNames: + - aws-iam-authenticator + - aws-cluster-autoscaler + - kube-state-metrics + - dns-controller + - external-dns + - dnsmasq + - autoscaler + - kubernetes-dashboard + - install-cni + - kube2iam + rules: + - readinessProbeMissing + - livenessProbeMissing + - controllerNames: + - aws-iam-authenticator + - nginx-ingress-controller + - nginx-ingress-default-backend + - aws-cluster-autoscaler + - kube-state-metrics + - dns-controller + - external-dns + - kubedns + - dnsmasq + - autoscaler + - tiller + - kube2iam + rules: + - runAsRootAllowed + - controllerNames: + - aws-iam-authenticator + - nginx-ingress-controller + - 
nginx-ingress-default-backend + - aws-cluster-autoscaler + - kube-state-metrics + - dns-controller + - external-dns + - kubedns + - dnsmasq + - autoscaler + - tiller + - kube2iam + rules: + - notReadOnlyRootFileSystem + - controllerNames: + - cert-manager + - dns-controller + - kubedns + - dnsmasq + - autoscaler + - insights-agent-goldilocks-vpa-install + rules: + - cpuRequestsMissing + - cpuLimitsMissing + - memoryRequestsMissing + - memoryLimitsMissing + - controllerNames: + - kube2iam + - kube-flannel-ds + rules: + - runAsPrivileged + - controllerNames: + - kube-hunter + rules: + - hostPIDSet + - controllerNames: + - polaris + - kube-hunter + - goldilocks + - insights-agent-goldilocks-vpa-install + rules: + - notReadOnlyRootFileSystem + - controllerNames: + - insights-agent-goldilocks-controller + rules: + - livenessProbeMissing + - readinessProbeMissing + - controllerNames: + - insights-agent-goldilocks-vpa-install + - kube-hunter + rules: + - runAsRootAllowed --- # Source: polaris/templates/dashboard.rbac.yaml @@ -164,7 +239,7 @@ spec: template: metadata: annotations: - checksum/config: '8aa5a565fba7a2db98d46752087de8c1dcc83b70cd762c5829d5ba01270d54a2' + checksum/config: 'eb6d6b194c6786d62400fc0578dd5ea5158212b5b29d93d3cde3fa14da8ac501' labels: app: polaris component: dashboard diff --git a/deploy/webhook.yaml b/deploy/webhook.yaml index 8bc52f2d0..f288d9585 100644 --- a/deploy/webhook.yaml +++ b/deploy/webhook.yaml 
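Review bot: The regenerated `config.yaml` ConfigMap now carries an `exemptions` list that the previous default (the removed lines) did not have, so every cluster applying `deploy/dashboard.yaml` — and `deploy/webhook.yaml`, whose hunk is identical — silently drops findings such as `runAsRootAllowed` for `tiller` or `hostPIDSet` for `kube-hunter`, and the entries appear to be keyed by controller name only. Because these files are helm output, whether the opinionated example exemptions belong in the stock deployment should be decided in the input `examples/config.yaml` (not part of this diff) rather than patched here; if they are intentional, a short comment in the ConfigMap such as `# exemptions below come from examples/config.yaml and match on controller name; review before relying on them` would tell operators what they are opting into. The first `controllerNames` list also contains `kube2iam` twice, which points at the same source file. The ConfigMap object starts above this hunk.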
@@ -27,56 +27,131 @@ metadata: labels: app: polaris data: - config.yaml: | - resources: + config.yaml: |- + checks: + # resources cpuRequestsMissing: warning cpuLimitsMissing: warning memoryRequestsMissing: warning memoryLimitsMissing: warning - images: + # images tagNotSpecified: error - healthChecks: + pullPolicyNotAlways: ignore + # healthChecks readinessProbeMissing: warning livenessProbeMissing: warning - networking: + # networking hostNetworkSet: warning hostPortSet: warning - security: + # security hostIPCSet: error hostPIDSet: error notReadOnlyRootFileSystem: warning privilegeEscalationAllowed: error runAsRootAllowed: warning runAsPrivileged: error - capabilities: - error: - ifAnyAdded: - - SYS_ADMIN - - NET_ADMIN - - ALL - warning: - ifAnyAddedBeyond: - - CHOWN - - DAC_OVERRIDE - - FSETID - - FOWNER - - MKNOD - - NET_RAW - - SETGID - - SETUID - - SETFCAP - - SETPCAP - - NET_BIND_SERVICE - - SYS_CHROOT - - KILL - - AUDIT_WRITE - controllers_to_scan: + dangerousCapabilities: error + insecureCapabilities: warning + controllersToScan: - Deployments - StatefulSets - DaemonSets - - Jobs - CronJobs + - Jobs - ReplicationControllers + exemptions: + - controllerNames: + - dns-controller + - datadog-datadog + - kube-flannel-ds + - kube2iam + - aws-iam-authenticator + - datadog + - kube2iam + rules: + - hostNetworkSet + - controllerNames: + - aws-iam-authenticator + - aws-cluster-autoscaler + - kube-state-metrics + - dns-controller + - external-dns + - dnsmasq + - autoscaler + - kubernetes-dashboard + - install-cni + - kube2iam + rules: + - readinessProbeMissing + - livenessProbeMissing + - controllerNames: + - aws-iam-authenticator + - nginx-ingress-controller + - nginx-ingress-default-backend + - aws-cluster-autoscaler + - kube-state-metrics + - dns-controller + - external-dns + - kubedns + - dnsmasq + - autoscaler + - tiller + - kube2iam + rules: + - runAsRootAllowed + - controllerNames: + - aws-iam-authenticator + - nginx-ingress-controller + - 
nginx-ingress-default-backend + - aws-cluster-autoscaler + - kube-state-metrics + - dns-controller + - external-dns + - kubedns + - dnsmasq + - autoscaler + - tiller + - kube2iam + rules: + - notReadOnlyRootFileSystem + - controllerNames: + - cert-manager + - dns-controller + - kubedns + - dnsmasq + - autoscaler + - insights-agent-goldilocks-vpa-install + rules: + - cpuRequestsMissing + - cpuLimitsMissing + - memoryRequestsMissing + - memoryLimitsMissing + - controllerNames: + - kube2iam + - kube-flannel-ds + rules: + - runAsPrivileged + - controllerNames: + - kube-hunter + rules: + - hostPIDSet + - controllerNames: + - polaris + - kube-hunter + - goldilocks + - insights-agent-goldilocks-vpa-install + rules: + - notReadOnlyRootFileSystem + - controllerNames: + - insights-agent-goldilocks-controller + rules: + - livenessProbeMissing + - readinessProbeMissing + - controllerNames: + - insights-agent-goldilocks-vpa-install + - kube-hunter + rules: + - runAsRootAllowed --- # Source: polaris/templates/webhook.rbac.yaml @@ -227,7 +302,7 @@ spec: template: metadata: annotations: - checksum/config: '8aa5a565fba7a2db98d46752087de8c1dcc83b70cd762c5829d5ba01270d54a2' + checksum/config: 'eb6d6b194c6786d62400fc0578dd5ea5158212b5b29d93d3cde3fa14da8ac501' labels: app: polaris component: webhook diff --git a/scripts/generate-deployment-files.sh b/scripts/generate-deployment-files.sh new file mode 100755 index 000000000..252f412d9 --- /dev/null +++ b/scripts/generate-deployment-files.sh @@ -0,0 +1,17 @@ +# /bin/bash + +set -eo pipefail + +helm template $CHARTS_DIR/stable/polaris/ \ + --name polaris --namespace polaris \ + --set templateOnly=true \ + --set config="$(cat ./examples/config.yaml)" \ + > deploy/dashboard.yaml + +helm template $CHARTS_DIR/stable/polaris/ \ + --name polaris --namespace polaris \ + --set templateOnly=true \ + --set webhook.enable=true \ + --set dashboard.enable=false \ + --set config="$(cat ./examples/config.yaml)" \ + > deploy/webhook.yaml
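Review bot: The first line of the new script, `# /bin/bash`, is a comment rather than a shebang, so the executable bit (mode 100755) selects no interpreter and `set -o pipefail` may be rejected by whichever shell ends up running it; it should read `#!/bin/bash`. `$CHARTS_DIR` is unquoted and never checked, so an unset variable makes helm template `/stable/polaris/`, and `set -e` does not catch a failing `cat ./examples/config.yaml` inside the `--set config="$(…)"` argument either — helm still runs with an empty `config` and both `deploy/*.yaml` files are overwritten with it. Both paths are also relative to the working directory, so the script depends on being invoked from the repository root without saying so. I would add `set -u`, fail early on a missing `CHARTS_DIR` or config file, `cd` to the repo root, and pass the config with `--set-file` so its contents are not subject to `--set`'s comma/escape parsing (assuming the Helm version in use supports `--set-file`; the second invocation needs the same two edits).
```shell
#!/bin/bash
set -euo pipefail

: "${CHARTS_DIR:?set CHARTS_DIR to your clone of the charts repo}"
cd "$(dirname "$0")/.."   # paths below are relative to the repo root
config=./examples/config.yaml
[ -r "$config" ] || { echo "missing $config" >&2; exit 1; }

helm template "$CHARTS_DIR/stable/polaris/" \
  --name polaris --namespace polaris \
  --set templateOnly=true \
  --set-file config="$config" \
  > deploy/dashboard.yaml
# … unchanged: second helm template invocation for deploy/webhook.yaml, with the same quoting and --set-file change …
```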