Unverified Commit 88820031 authored by hadar-co's avatar hadar-co Committed by GitHub

feat: add pass/fail yamls for nsa rules (#532)

* docs: add pass/fail yamls for nsa rules
parent 35a08d80
Showing with 394 additions and 1 deletion
+394 -1
......@@ -298,7 +298,7 @@
const: true
required:
- runAsNonRoot
anyOf:
allOf:
- $ref: "#/definitions/containerSecurityPattern"
- $ref: "#/definitions/podSecurityContextPattern"
additionalProperties:
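Review bot: Changing `anyOf` to `allOf` means a manifest must now satisfy both `containerSecurityPattern` and `podSecurityContextPattern` at once, rather than either one; the runAsNonRoot pass fixture added in this commit (the second `example-depl` Deployment) sets `runAsNonRoot: true` only per container and has no pod-level `securityContext`, so `podSecurityContextPattern` must accept an absent pod securityContext or that fixture will fail. Worth confirming against the two definitions, which are outside this hunk, and worth a one-line comment above `allOf:` such as `# both patterns must hold: container-level and pod-level rules are evaluated together`. The enclosing rule definition starts and ends outside the hunk.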
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
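Review bot: The failing fixture differs from the passing `example-depl` that follows on more than the property under test: besides the missing `securityContext` blocks it uses `nginx:latest` instead of a digest, omits the memory request on `front-end`, and lacks `restartPolicy` and the `on-call` label. If these fixtures are ever evaluated against the full NSA rule set rather than a single rule, the `latest` tag alone trips a different check, so the test no longer isolates the rule it is meant to demonstrate. Keeping the fail fixture byte-identical to the pass fixture except for the `securityContext` block would make the intent unambiguous; I am inferring the rule under test from the `readOnlyRootFilesystem: true` lines the pass fixture adds.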
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
on-call: yoda-at-datree.io
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
restartPolicy: Always
containers:
- name: front-end
image: nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23
securityContext:
readOnlyRootFilesystem: true
runAsUser: 810
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
memory: "64Mi"
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext:
readOnlyRootFilesystem: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
hostPath:
path: /data
type: Directory
apiVersion: v1
kind: Pod
metadata:
name: test-pd
spec:
containers:
- image: k8s.gcr.io/test-webserver
name: test-container
volumeMounts:
- mountPath: /test-pd
name: test-volume
volumes:
- name: test-volume
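Review bot: The passing fixture's volume entry has a name but no volume source, which the API server rejects on apply (a volume must specify a type), so this "good" example is not deployable as written. A schema-only check may still accept it, but a reader copying the pass example would hit the error; `- name: test-volume` followed by `emptyDir: {}` keeps it hostPath-free and valid. The `volumeMounts` reference in the container is fine once the source is present.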
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
spec:
containers:
- name: nginx
image: nginx:latest
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
spec:
containers:
- name: nginx
image: nginx:latest
securityContext:
allowPrivilegeEscalation: false
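Review bot: The pod template here has no `metadata.labels`, while `spec.selector.matchLabels` requires `app: nginx`; the API server rejects a Deployment whose selector does not match its template labels, so this pass fixture would not apply in a real cluster. Adding `metadata:` / `labels:` / `app: nginx` under `template:` before `spec:` fixes it, and the failing `nginx-deployment` fixture directly above has the same gap. The `allowPrivilegeEscalation: false` line itself is the right pass condition and needs no change.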
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: [""]
resources: ["pods/exec"]
verbs: [""]
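Review bot: `verbs: [""]` grants no meaningful permission, so this fail fixture does not actually show the dangerous grant the rule is guarding against; `kubectl exec` is a POST on the `pods/exec` subresource, which RBAC expresses as `verbs: ["create"]`. Using the real verb makes the example self-explanatory and also avoids relying on the rule matching on resource name alone, which I am inferring from the fixture and cannot confirm here. The passing Role below reuses the same empty verb list and the name `pod-exec` for a rule on `pods`, which reads as a copy-paste leftover.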
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: default
name: pod-exec
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: [""]
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["NET_ADMIN", "SYS_TIME"]
apiVersion: v1
kind: Pod
metadata:
name: security-context-demo-4
spec:
containers:
- name: sec-ctx-4
image: gcr.io/google-samples/node-hello:1.0
securityContext:
capabilities:
add: ["SYS_TIME"]
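Review bot: The passing fixture still adds `SYS_TIME`, which is outside the default capability set and lets the container change the host clock; if the rule is a denylist of specific capabilities such as `NET_ADMIN`, this is a deliberate pass, but as the "good" example it would sit closer to the NSA guidance to drop everything first, e.g. `drop: ["ALL"]` on the line before `add:`. I am inferring the rule's scope from the fail/pass difference (only `NET_ADMIN` removed), which is not visible on this page. A short comment such as `# only the single capability the workload needs, after dropping the default set` would make the intent explicit.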
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
containers:
- name: container
image: node
ports:
- containerPort: 80
hostPort: 8080
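Review bot: `metadata.name: myPod` is not a valid Pod name; names must be a lowercase RFC 1123 subdomain, so the API server rejects this manifest before the `hostPort` rule is ever relevant, and the same applies to the three `myPod` fixtures that follow and to the container name `myContainer` in the runAsGroup pair. Renaming to `my-pod` and `my-container` keeps the fixtures usable as copy-paste examples. The `hostPort: 8080` line is the correct fail trigger and should stay.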
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
containers:
- name: container
image: node
ports:
- containerPort: 80
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
securityContext:
runAsUser: 2000
runAsGroup: 200
containers:
- name: myContainer
image: node
apiVersion: v1
kind: Pod
metadata:
name: myPod
spec:
securityContext:
runAsUser: 2000
runAsGroup: 2000
containers:
- name: myContainer
image: node
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext:
runAsNonRoot: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
apiVersion: apps/v1
kind: Deployment
metadata:
name: example-depl
namespace: exmpl
labels:
environment: prod
app: web
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
namespace: exmpl
labels:
app: web
spec:
containers:
- name: front-end
image: nginx:latest
securityContext:
runAsNonRoot: true
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
limits:
cpu: "500m"
ports:
- containerPort: 80
- name: rss-reader
image: datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext:
runAsNonRoot: true
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
resources:
requests:
cpu: "64m"
memory: "128Mi"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 88
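Review bot: `runAsNonRoot: true` is set on both containers but neither specifies a UID, so at runtime the kubelet refuses to start the container if the image's configured user is root or unspecified; the stock `nginx` image runs as root, which makes this "pass" example fail to schedule as written. Pairing it with `runAsUser: 1000` (or any non-zero UID) on each container, or using the pod-level `securityContext` that the schema change in this commit also evaluates, gives a fixture that passes the rule and actually runs. Note also that `nginx:latest` in a pass fixture will trip a separate image-tag rule if the fixtures are run against the full policy.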
apiVersion: v1
kind: ServiceAccount
metadata:
name: srvAcc
apiVersion: v1
kind: ServiceAccount
metadata:
name: srvAcc
automountServiceAccountToken: false
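Review bot: `name: srvAcc` is not a valid ServiceAccount name (names must be a lowercase RFC 1123 subdomain), so both the fail and pass fixtures would be rejected on apply; `srv-acc` works. Worth a comment on the pass fixture that disabling automount on the ServiceAccount is only one side of the control, since a Pod can still opt back in with `spec.automountServiceAccountToken: true`, so a pod-level rule is needed for full coverage — I am inferring the rule's scope from the SA-only fixtures. Suggested comment above the last line: `# SA-level default only; pods can override with spec.automountServiceAccountToken`.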