Unverified Commit 88820031 authored by hadar-co's avatar hadar-co Committed by GitHub

feat: add pass/fail yamls for nsa rules (#532)

* docs: add pass/fail yamls for nsa rules
parent 35a08d80
Showing with 394 additions and 1 deletion
+394 -1
......@@ -298,7 +298,7 @@
const: true
required:
- runAsNonRoot
anyOf:
allOf:
- $ref: "#/definitions/containerSecurityPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
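Review bot: Swapping `anyOf` for `allOf` over `#/definitions/containerSecurityPattern` and `#/definitions/podSecurityContextPattern` changes the combinator from "at least one pattern matches" to "both must hold on the same node", and the rendered hunk does not make clear which of the two is the new side; either way this is a semantic change to how `runAsNonRoot` (the field `required` on the lines above) is evaluated, not a cosmetic one. None of the pass/fail fixtures added in this commit is visibly the case that tells the two combinators apart — a manifest with pod-level `runAsNonRoot: true` and no container-level field, and the reverse — so the schema change ships without a fixture that pins it. Add that pair, and a comment above the combinator stating the intended layering, e.g. `# container-level and pod-level patterns are checked together; a field at either level alone is not sufficient` (adjust to whichever is meant). The enclosing definition starts before line 298, outside the hunk.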
......
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
on-call: yoda-at-datree.io
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
restartPolicy: Always
containers:
- name: front-end
image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23
securityContext:
readOnlyRootFilesystem: true
runAsUser: 810
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
memory: "64Mi"
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext:
readOnlyRootFilesystem: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
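Review bot: The pass document differs from its fail counterpart in more than the property under test: besides `readOnlyRootFilesystem: true` on both containers (presumably the rule being demonstrated, since it is the only field both containers gain) it also adds `restartPolicy: Always`, `runAsUser: 810`, a digest-pinned `front-end` image, a `memory` request and an `on-call` label, so a reader cannot tell which change flips the verdict. Keep the two documents identical except for the `securityContext` block each container gains — the `runAsNonRoot` pair later in this commit is a good model, as it differs by exactly one added block. If the extra changes are deliberate (e.g. to keep the pass example clean under other rules), a leading comment such as `# differs from the fail example only in securityContext.readOnlyRootFilesystem` on both files would make the pair self-explaining.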
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /data
type: Directory
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
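Review bot: The pass example's `volumes` entry has only a `name` and no volume source, so it relies on API-server defaulting to turn it into an `emptyDir`; a reader comparing it to the fail example sees a `hostPath` removed and nothing put in its place. Make the intended replacement explicit with `emptyDir: {}` under `- name: test-volume`, which documents the safe alternative to `hostPath` and also keeps the example valid under stricter schema validators that do not apply server-side defaults.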
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
spec:
containers:
- name: nginx
image: nginx:latest
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
spec:
containers:
- name: nginx
image: nginx:latest
securityContext:
allowPrivilegeEscalation: false
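Review bot: Both Deployment fixtures in this pair (the fail one above it as well) omit `template.metadata.labels`, so `spec.selector.matchLabels` (`app: nginx`) has no pod labels to match and the API server rejects the object with "selector does not match template labels"; the examples are not applyable as written. Add `metadata:` / `labels:` / `app: nginx` under `template:` in both documents so that the only difference between them remains the `securityContext.allowPrivilegeEscalation: false` block. A one-line comment on the pass file, `# only change vs. the fail example: allowPrivilegeEscalation: false`, would make the intent explicit.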
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: [""]
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: [""]
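Review bot: `verbs: [""]` in both Role fixtures is an empty-string verb that grants nothing, so neither the fail example (`pods/exec`) nor the pass example (`pods`) shows the permission the rule is about; if the rule matches on the resource name alone the verdicts are still right, but the examples mislead anyone who copies them. Use a real verb in both, e.g. `verbs: ["create"]`, which is the verb that actually matters for `pods/exec` and is what a reader needs to see to understand why the fail example is flagged. A comment above `rules:` in the fail file, `# create on pods/exec is equivalent to shell access to the pod`, would state the risk the rule guards against.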
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["SYS_TIME"]
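Review bot: The pass example still widens the container's capability set with `add: ["SYS_TIME"]`; if the rule only forbids a specific list (presumably including `NET_ADMIN`, the capability that was removed relative to the fail example), that is a valid pass, but readers of a "pass" fixture tend to copy it, and a cleaner demonstration would drop the `add` list entirely or show `drop: ["ALL"]`. If keeping `SYS_TIME` is deliberate to prove the rule is selective, say so with a comment above `capabilities:`, e.g. `# SYS_TIME is not in the rule's forbidden list; NET_ADMIN is`.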
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
containers:
- name: container
image: node
ports:
- containerPort: 80
hostPort: 8080
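Review bot: `metadata.name: myPod` is not a valid Kubernetes object name — names must be lowercase RFC 1123 subdomains — and the same applies to `name: myContainer` (container names are DNS labels) and `name: srvAcc` in the ServiceAccount pair, so every one of these Pod/ServiceAccount fixtures would be rejected by the API server even though a JSON-schema check accepts them as plain strings. Rename to `my-pod`, `my-container` and `srv-acc` in the hostPort pair, both `runAsGroup` documents and both ServiceAccount documents so the examples are applyable as written.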
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
containers:
- name: container
image: node
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
securityContext:
runAsUser: 2000
runAsGroup: 200
containers:
- name: myContainer
image: node
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
securityContext:
runAsUser: 2000
runAsGroup: 2000
containers:
- name: myContainer
image: node
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext:
runAsNonRoot: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
securityContext:
runAsNonRoot: true
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext:
runAsNonRoot: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
apiVersion: v1
kind: ServiceAccount
metadata:
name: srvAcc
apiVersion: v1
kind: ServiceAccount
metadata:
name: srvAcc
automountServiceAccountToken: false