From 9d1714d07d7002af7e54d3f403591f1eae006270 Mon Sep 17 00:00:00 2001 From: Atman Dhol Date: Mon, 20 Nov 2023 17:00:08 -0500 Subject: [PATCH] fix: securityContext on regular samples. Create new ones for TKGs and Openshift (#384) --- .../resources/tekton-pipeline-java.yaml | 10 ---- .../tekton-pipeline-java.yaml | 10 ---- .../tekton-pipeline-golang.yaml | 10 ---- .../tekton-pipeline-java.yaml | 10 ---- .../tekton-pipeline-nodejs.yaml | 10 ---- .../tekton-pipeline-golang.yaml | 10 ---- .../tekton-pipeline-java.yaml | 10 ---- .../tekton-pipeline-nodejs.yaml | 10 ---- .../scanpolicy-grype.yaml | 45 +++++++++++++++ .../tekton-pipeline-java.yaml | 47 +++++++++++++++ .../scanpolicy-grype.yaml | 45 +++++++++++++++ .../tekton-pipeline-java.yaml | 57 +++++++++++++++++++ .../tekton-pipeline-java.yaml | 10 ---- .../tekton-pipeline-java.yaml | 10 ---- 14 files changed, 194 insertions(+), 100 deletions(-) create mode 100644 ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/scanpolicy-grype.yaml create mode 100644 ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/tekton-pipeline-java.yaml create mode 100644 ns-provisioner-samples/testing-scanning-supplychain-tkgs/scanpolicy-grype.yaml create mode 100644 ns-provisioner-samples/testing-scanning-supplychain-tkgs/tekton-pipeline-java.yaml diff --git a/ns-provisioner-samples/gitops-airgap/resources/tekton-pipeline-java.yaml b/ns-provisioner-samples/gitops-airgap/resources/tekton-pipeline-java.yaml index 1cbc22e98..07d3c2323 100644 --- a/ns-provisioner-samples/gitops-airgap/resources/tekton-pipeline-java.yaml +++ b/ns-provisioner-samples/gitops-airgap/resources/tekton-pipeline-java.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: gradle 
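Review bot: Removing the whole `stepTemplate.securityContext` from the test step leaves the TaskRun pod with the cluster's defaults — in a namespace enforcing the `restricted` Pod Security Standard the pod is rejected, and elsewhere the step runs as the image's default user with the default capability set — and the commit message does not say which of the ten fields actually broke. If the incompatibility is the fixed UID (the one field that conflicts with platforms that assign UIDs per namespace, which the new OpenShift variant hints at), dropping only `runAsUser: 1000` and keeping `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` would be the smaller, still-portable change. The same deletion is repeated unchanged in the hunks for the multiple-scanners, parameterized (golang, java, nodejs), polyglot (golang, java, nodejs), testing-scanning-supplychain and testing-supplychain pipelines. Whichever way it goes, a short `#!` comment above `steps:` stating why no securityContext is set here would stop the next reader re-adding it.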
diff --git a/ns-provisioner-samples/testing-scanning-supplychain-multiple-scanners/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-scanning-supplychain-multiple-scanners/tekton-pipeline-java.yaml index 1cbc22e98..07d3c2323 100644 --- a/ns-provisioner-samples/testing-scanning-supplychain-multiple-scanners/tekton-pipeline-java.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-multiple-scanners/tekton-pipeline-java.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: gradle diff --git a/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-golang.yaml b/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-golang.yaml index dc2b8660e..d26d1d84e 100644 --- a/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-golang.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-golang.yaml @@ -29,16 +29,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: golang diff --git a/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-java.yaml index 2b5fdede2..528bb44f3 100644 --- a/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-java.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-java.yaml 
@@ -29,16 +29,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: gradle diff --git a/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-nodejs.yaml b/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-nodejs.yaml index 84712368f..2b820580b 100644 --- a/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-nodejs.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-parameterized/tekton-pipeline-nodejs.yaml @@ -29,16 +29,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: nodejs diff --git a/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-golang.yaml b/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-golang.yaml index eaa50aa49..03a30b3c0 100644 --- a/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-golang.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-golang.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: golang diff --git a/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-java.yaml index be95feb65..213257d6b 100644 
--- a/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-java.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-java.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: gradle diff --git a/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-nodejs.yaml b/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-nodejs.yaml index 5ac837d04..50c0b24f4 100644 --- a/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-nodejs.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain-polyglot/tekton-pipeline-nodejs.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: nodejs diff --git a/ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/scanpolicy-grype.yaml b/ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/scanpolicy-grype.yaml new file mode 100644 index 000000000..0e04e7700 --- /dev/null +++ b/ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/scanpolicy-grype.yaml 
@@ -0,0 +1,45 @@ +#! This file contains a Grype Scan policy which blocks the supply chain if your workload has Critical, High or UnknownSeverity CVEs +#! in your source code or image. +#@ load("@ytt:data", "data") +#@ def in_list(key, list): +#@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) +#@ end +#! This if condition ensures that this scan policy is only created if the supply chain is testing_scanning and the TAP profile used is full or build. +#@ if/end in_list('supply_chain', ['testing_scanning']) and in_list('profile', ['full', 'build']): +--- +apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 +kind: ScanPolicy +metadata: + name: scan-policy + labels: + 'app.kubernetes.io/part-of': 'scan-system' +spec: + regoFile: | + package main + # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" + notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] + ignoreCves := [] + contains(array, elem) = true { + array[_] = elem + } else = false { true } + isSafe(match) { + severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } + some i + fails := contains(notAllowedSeverities, severities[i]) + not fails + } + isSafe(match) { + ignore := contains(ignoreCves, match.id) + ignore + } + deny[msg] { + comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } + some i + comp := comps[i] + vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } + some j + vuln := vulns[j] + ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } + not isSafe(vuln) + msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) + } \ No newline at end of file 
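Review bot: The first `isSafe(match)` body is existential, so if a match ever carries more than one rating it passes as soon as any single rating is outside `notAllowedSeverities` — a CVE rated Critical by one source and Low by another would not be denied, contrary to the header comment that says Critical/High/UnknownSeverity block the supply chain. Inverting the check so that `isSafe` holds only when no rating is blocked makes the policy match its stated intent; the `ignoreCves` body of `isSafe` and the `deny` rule are unchanged. The identical policy is added again in the testing-scanning-supplychain-tkgs hunk, which needs the same fix. Both new files also end without a trailing newline.
```yaml
  regoFile: |
    package main
    # … unchanged: notAllowedSeverities, ignoreCves, contains …
    isSafe(match) {
      not hasBlockedSeverity(match)
    }
    # true when at least one rating of the match is in notAllowedSeverities
    hasBlockedSeverity(match) {
      severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity }
      some i
      contains(notAllowedSeverities, severities[i])
    }
    # … unchanged: ignoreCves body of isSafe and the deny rule …
```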
diff --git a/ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/tekton-pipeline-java.yaml new file mode 100644 index 000000000..07d3c2323 --- /dev/null +++ b/ns-provisioner-samples/testing-scanning-supplychain-tkgs-openshift/tekton-pipeline-java.yaml @@ -0,0 +1,47 @@ +#@ load("@ytt:data", "data") +#@ def in_list(key, list): +#@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) +#@ end +#! This if condition ensures that this Java Tekton pipeline is only created if the supply chain is testing or testing_scanning, and the TAP profile used is full, iterate or build. +#@ if/end in_list('supply_chain', ['testing', 'testing_scanning']) and in_list('profile', ['full', 'iterate', 'build']): +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: tekton-pipeline-java + labels: + apps.tanzu.vmware.com/pipeline: test + annotations: + kapp.k14s.io/create-strategy: fallback-on-update +spec: + params: + - name: source-url + - name: source-revision + tasks: + - name: test + params: + - name: source-url + value: $(params.source-url) + - name: source-revision + value: $(params.source-revision) + taskSpec: + params: + - name: source-url + - name: source-revision + steps: + - name: test + image: gradle + script: |- + cd `mktemp -d` + wget -qO- $(params.source-url) | tar xvz -m + pwd + MVNW=mvnw + GRADLE="build.gradle" + if [ -f "$MVNW" ]; then + ./mvnw test + elif [ -f "$GRADLE" ]; then + gradle test --debug + else + echo "WARNING: No tests were run. This workload is not built with one of the currently supported frameworks (maven or gradle). If using another language/framework, update the image and the script sections of the 'pipeline.tekton.dev' resource in your namespace to match your language/framework." + #exit 1 + fi \ No newline at end of file 
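Review bot: This OpenShift variant omits the `stepTemplate.securityContext` entirely, yet nothing in the file records why it differs from the `testing-scanning-supplychain-tkgs` copy that keeps it; a `#!` comment after the ytt `if/end` line such as `#! No stepTemplate.securityContext here: OpenShift's restricted SCCs assign the UID from the namespace range, so a fixed runAsUser is rejected.` would document the intent. Only the fixed `runAsUser: 1000` (and the `runAsNonRoot: true` that pairs with it) is the OpenShift-specific problem; `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` are what the restricted SCCs expect anyway, so those three could stay in this variant too. The file also ends without a trailing newline.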
diff --git a/ns-provisioner-samples/testing-scanning-supplychain-tkgs/scanpolicy-grype.yaml b/ns-provisioner-samples/testing-scanning-supplychain-tkgs/scanpolicy-grype.yaml new file mode 100644 index 000000000..0e04e7700 --- /dev/null +++ b/ns-provisioner-samples/testing-scanning-supplychain-tkgs/scanpolicy-grype.yaml 
@@ -0,0 +1,45 @@ +#! This file contains a Grype Scan policy which blocks the supply chain if your workload has Critical, High or UnknownSeverity CVEs +#! in your source code or image. +#@ load("@ytt:data", "data") +#@ def in_list(key, list): +#@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) +#@ end +#! This if condition ensures that this scan policy is only created if the supply chain is testing_scanning and the TAP profile used is full or build. +#@ if/end in_list('supply_chain', ['testing_scanning']) and in_list('profile', ['full', 'build']): +--- +apiVersion: scanning.apps.tanzu.vmware.com/v1beta1 +kind: ScanPolicy +metadata: + name: scan-policy + labels: + 'app.kubernetes.io/part-of': 'scan-system' +spec: + regoFile: | + package main + # Accepted Values: "Critical", "High", "Medium", "Low", "Negligible", "UnknownSeverity" + notAllowedSeverities := ["Critical", "High", "UnknownSeverity"] + ignoreCves := [] + contains(array, elem) = true { + array[_] = elem + } else = false { true } + isSafe(match) { + severities := { e | e := match.ratings.rating.severity } | { e | e := match.ratings.rating[_].severity } + some i + fails := contains(notAllowedSeverities, severities[i]) + not fails + } + isSafe(match) { + ignore := contains(ignoreCves, match.id) + ignore + } + deny[msg] { + comps := { e | e := input.bom.components.component } | { e | e := input.bom.components.component[_] } + some i + comp := comps[i] + vulns := { e | e := comp.vulnerabilities.vulnerability } | { e | e := comp.vulnerabilities.vulnerability[_] } + some j + vuln := vulns[j] + ratings := { e | e := vuln.ratings.rating.severity } | { e | e := vuln.ratings.rating[_].severity } + not isSafe(vuln) + msg = sprintf("CVE %s %s %s", [comp.name, vuln.id, ratings]) + } \ No newline at end of file 
diff --git a/ns-provisioner-samples/testing-scanning-supplychain-tkgs/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-scanning-supplychain-tkgs/tekton-pipeline-java.yaml new file mode 100644 index 000000000..1cbc22e98 --- /dev/null +++ b/ns-provisioner-samples/testing-scanning-supplychain-tkgs/tekton-pipeline-java.yaml 
@@ -0,0 +1,57 @@ +#@ load("@ytt:data", "data") +#@ def in_list(key, list): +#@ return hasattr(data.values.tap_values, key) and (data.values.tap_values[key] in list) +#@ end +#! This if condition ensures that this Java Tekton pipeline is only created if the supply chain is testing or testing_scanning, and the TAP profile used is full, iterate or build. +#@ if/end in_list('supply_chain', ['testing', 'testing_scanning']) and in_list('profile', ['full', 'iterate', 'build']): +--- +apiVersion: tekton.dev/v1beta1 +kind: Pipeline +metadata: + name: tekton-pipeline-java + labels: + apps.tanzu.vmware.com/pipeline: test + annotations: + kapp.k14s.io/create-strategy: fallback-on-update +spec: + params: + - name: source-url + - name: source-revision + tasks: + - name: test + params: + - name: source-url + value: $(params.source-url) + - name: source-revision + value: $(params.source-revision) + taskSpec: + params: + - name: source-url + - name: source-revision + stepTemplate: + securityContext: + allowPrivilegeEscalation: false + runAsUser: 1000 + runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + steps: + - name: test + image: gradle + script: |- + cd `mktemp -d` + wget -qO- $(params.source-url) | tar xvz -m + pwd + MVNW=mvnw + GRADLE="build.gradle" + if [ -f "$MVNW" ]; then + ./mvnw test + elif [ -f "$GRADLE" ]; then + gradle test --debug + else + echo "WARNING: No tests were run. This workload is not built with one of the currently supported frameworks (maven or gradle). If using another language/framework, update the image and the script sections of the 'pipeline.tekton.dev' resource in your namespace to match your language/framework." + #exit 1 + fi \ No newline at end of file diff --git a/ns-provisioner-samples/testing-scanning-supplychain/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-scanning-supplychain/tekton-pipeline-java.yaml index 1cbc22e98..07d3c2323 100644 
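Review bot: This TKGs pipeline is a verbatim copy of the pre-change regular sample (same blob `1cbc22e98`), so the only thing distinguishing it from the sibling samples is the retained `stepTemplate.securityContext`, and nothing in the file says that this is deliberate. A `#!` comment above `stepTemplate:` along the lines of `#! Hardened step security context kept on purpose for TKGs; see the tkgs-openshift sample for the OpenShift variant.` would keep it from being "fixed" the same way as the regular samples later. The file ends without a trailing newline.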
--- a/ns-provisioner-samples/testing-scanning-supplychain/tekton-pipeline-java.yaml +++ b/ns-provisioner-samples/testing-scanning-supplychain/tekton-pipeline-java.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: gradle diff --git a/ns-provisioner-samples/testing-supplychain/tekton-pipeline-java.yaml b/ns-provisioner-samples/testing-supplychain/tekton-pipeline-java.yaml index 1cbc22e98..07d3c2323 100644 --- a/ns-provisioner-samples/testing-supplychain/tekton-pipeline-java.yaml +++ b/ns-provisioner-samples/testing-supplychain/tekton-pipeline-java.yaml @@ -28,16 +28,6 @@ spec: params: - name: source-url - name: source-revision - stepTemplate: - securityContext: - allowPrivilegeEscalation: false - runAsUser: 1000 - runAsNonRoot: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault steps: - name: test image: gradle