-
Notifications
You must be signed in to change notification settings - Fork 178
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: securityContext on regular samples. Create new ones for TKGs and…
… Openshift (#384)
- Loading branch information
Showing
14 changed files
with
194 additions
and
100 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
45 changes: 45 additions & 0 deletions
45
ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/scanpolicy-grype.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #! This file contains a Grype Scan policy which blocks the supply chain if your workload has Critical, High or UnknownSeverity CVEs | ||
| #! in your source code or image. | ||
| #@ load("@ytt:data", "data") | ||
| #@ def in_list(key, list): | ||
| #@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) | ||
| #@ end | ||
| #! This if condition ensures that this scan policy is only created if the supply chain is testing_scanning and the TAP profile used is full or build. | ||
| #@ if/end in_list('supply_chain', ['testing_scanning']) and in_list('profile', ['full', 'build']): | ||
| --- | ||
| apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 | ||
| kind: ScanPolicy | ||
| metadata: | ||
| name: scan-policy | ||
| labels: | ||
| 'app.kubernetes.io/part-of': 'scan-system' | ||
| spec: | ||
| regoFile: | | ||
| package main | ||
| # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" | ||
| notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] | ||
| ignoreCves := [] | ||
| contains(array, elem) = true { | ||
| array[_] = elem | ||
| } else = false { true } | ||
| isSafe(match) { | ||
| severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } | ||
| some i | ||
| fails := contains(notAllowedSeverities, severities[i]) | ||
| not fails | ||
| } | ||
| isSafe(match) { | ||
| ignore := contains(ignoreCves, match.id) | ||
| ignore | ||
| } | ||
| deny[msg] { | ||
| comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } | ||
| some i | ||
| comp := comps[i] | ||
| vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } | ||
| some j | ||
| vuln := vulns[j] | ||
| ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } | ||
| not isSafe(vuln) | ||
| msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) | ||
| } |
47 changes: 47 additions & 0 deletions
47
ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/tekton-pipeline-java.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| #@ load("@ytt:data", "data") | ||
| #@ def in_list(key, list): | ||
| #@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) | ||
| #@ end | ||
| #! This if condition ensures that this Java Tekton pipeline is only created if the supply chain is testing or testing_scanning, and the TAP profile used is full, iterate or build. | ||
| #@ if/end in_list('supply_chain', ['testing', 'testing_scanning']) and in_list('profile', ['full', 'iterate', 'build']): | ||
| --- | ||
| apiVersion: tekton.dev/v1beta1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: tekton-pipeline-java | ||
| labels: | ||
| apps.tanzu.vmware.com/pipeline: test | ||
| annotations: | ||
| kapp.k14s.io/create-strategy: fallback-on-update | ||
| spec: | ||
| params: | ||
| - name: source-url | ||
| - name: source-revision | ||
| tasks: | ||
| - name: test | ||
| params: | ||
| - name: source-url | ||
| value: $(params.source-url) | ||
| - name: source-revision | ||
| value: $(params.source-revision) | ||
| taskSpec: | ||
| params: | ||
| - name: source-url | ||
| - name: source-revision | ||
| steps: | ||
| - name: test | ||
| image: gradle | ||
| script: |- | ||
| cd `mktemp -d` | ||
| wget -qO- $(params.source-url) | tar xvz -m | ||
| pwd | ||
| MVNW=mvnw | ||
| GRADLE="build.gradle" | ||
| if [ -f "$MVNW" ]; then | ||
| ./mvnw test | ||
| elif [ -f "$GRADLE" ]; then | ||
| gradle test --debug | ||
| else | ||
| echo "WARNING: No tests were run. This workload is not built with one of the currently supported frameworks (maven or gradle). If using another language/framework, update the image and the script sections of the 'pipeline.tekton.dev' resource in your namespace to match your language/framework." | ||
| #exit 1 | ||
| fi |
45 changes: 45 additions & 0 deletions
45
ns-provisioner-samples/testing-scanning-supplychain-tkgs/scanpolicy-grype.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #! This file contains a Grype Scan policy which blocks the supply chain if your workload has Critical, High or UnknownSeverity CVEs | ||
| #! in your source code or image. | ||
| #@ load("@ytt:data", "data") | ||
| #@ def in_list(key, list): | ||
| #@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) | ||
| #@ end | ||
| #! This if condition ensures that this scan policy is only created if the supply chain is testing_scanning and the TAP profile used is full or build. | ||
| #@ if/end in_list('supply_chain', ['testing_scanning']) and in_list('profile', ['full', 'build']): | ||
| --- | ||
| apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 | ||
| kind: ScanPolicy | ||
| metadata: | ||
| name: scan-policy | ||
| labels: | ||
| 'app.kubernetes.io/part-of': 'scan-system' | ||
| spec: | ||
| regoFile: | | ||
| package main | ||
| # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" | ||
| notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] | ||
| ignoreCves := [] | ||
| contains(array, elem) = true { | ||
| array[_] = elem | ||
| } else = false { true } | ||
| isSafe(match) { | ||
| severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } | ||
| some i | ||
| fails := contains(notAllowedSeverities, severities[i]) | ||
| not fails | ||
| } | ||
| isSafe(match) { | ||
| ignore := contains(ignoreCves, match.id) | ||
| ignore | ||
| } | ||
| deny[msg] { | ||
| comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } | ||
| some i | ||
| comp := comps[i] | ||
| vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } | ||
| some j | ||
| vuln := vulns[j] | ||
| ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } | ||
| not isSafe(vuln) | ||
| msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) | ||
| } |
57 changes: 57 additions & 0 deletions
57
ns-provisioner-samples/testing-scanning-supplychain-tkgs/tekton-pipeline-java.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| #@ load("@ytt:data", "data") | ||
| #@ def in_list(key, list): | ||
| #@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) | ||
| #@ end | ||
| #! This if condition ensures that this Java Tekton pipeline is only created if the supply chain is testing or testing_scanning, and the TAP profile used is full, iterate or build. | ||
| #@ if/end in_list('supply_chain', ['testing', 'testing_scanning']) and in_list('profile', ['full', 'iterate', 'build']): | ||
| --- | ||
| apiVersion: tekton.dev/v1beta1 | ||
| kind: Pipeline | ||
| metadata: | ||
| name: tekton-pipeline-java | ||
| labels: | ||
| apps.tanzu.vmware.com/pipeline: test | ||
| annotations: | ||
| kapp.k14s.io/create-strategy: fallback-on-update | ||
| spec: | ||
| params: | ||
| - name: source-url | ||
| - name: source-revision | ||
| tasks: | ||
| - name: test | ||
| params: | ||
| - name: source-url | ||
| value: $(params.source-url) | ||
| - name: source-revision | ||
| value: $(params.source-revision) | ||
| taskSpec: | ||
| params: | ||
| - name: source-url | ||
| - name: source-revision | ||
| stepTemplate: | ||
| securityContext: | ||
| allowPrivilegeEscalation: false | ||
| runAsUser: 1000 | ||
| runAsNonRoot: true | ||
| capabilities: | ||
| drop: | ||
| - ALL | ||
| seccompProfile: | ||
| type: RuntimeDefault | ||
| steps: | ||
| - name: test | ||
| image: gradle | ||
| script: |- | ||
| cd `mktemp -d` | ||
| wget -qO- $(params.source-url) | tar xvz -m | ||
| pwd | ||
| MVNW=mvnw | ||
| GRADLE="build.gradle" | ||
| if [ -f "$MVNW" ]; then | ||
| ./mvnw test | ||
| elif [ -f "$GRADLE" ]; then | ||
| gradle test --debug | ||
| else | ||
| echo "WARNING: No tests were run. This workload is not built with one of the currently supported frameworks (maven or gradle). If using another language/framework, update the image and the script sections of the 'pipeline.tekton.dev' resource in your namespace to match your language/framework." | ||
| #exit 1 | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters