小 白蛋 / Datree / Commits / 88820031

Commit 88820031 (Unverified), authored 3 years ago by hadar-co, committed by GitHub 3 years ago
feat: add pass/fail yamls for nsa rules (#532)
* docs: add pass/fail yamls for nsa rules
parent 35a08d80

Showing 19 changed files
pkg/policy/nsaHardeningRules/nsaHardeningRules.yaml  +1  -1
pkg/policy/nsaHardeningRules/tests/45-fail.yaml  +57  -0
pkg/policy/nsaHardeningRules/tests/45-pass.yaml  +65  -0
pkg/policy/nsaHardeningRules/tests/46-fail.yaml  +16  -0
pkg/policy/nsaHardeningRules/tests/46-pass.yaml  +13  -0
pkg/policy/nsaHardeningRules/tests/47-fail.yaml  +14  -0
pkg/policy/nsaHardeningRules/tests/47-pass.yaml  +16  -0
pkg/policy/nsaHardeningRules/tests/48-fail.yaml  +9  -0
pkg/policy/nsaHardeningRules/tests/48-pass.yaml  +9  -0
pkg/policy/nsaHardeningRules/tests/49-fail.yaml  +11  -0
pkg/policy/nsaHardeningRules/tests/49-pass.yaml  +11  -0
pkg/policy/nsaHardeningRules/tests/50-fail.yaml  +11  -0
pkg/policy/nsaHardeningRules/tests/50-pass.yaml  +10  -0
pkg/policy/nsaHardeningRules/tests/51-fail.yaml  +11  -0
pkg/policy/nsaHardeningRules/tests/51-pass.yaml  +11  -0
pkg/policy/nsaHardeningRules/tests/52-fail.yaml  +59  -0
pkg/policy/nsaHardeningRules/tests/52-pass.yaml  +61  -0
pkg/policy/nsaHardeningRules/tests/53-fail.yaml  +4  -0
pkg/policy/nsaHardeningRules/tests/53-pass.yaml  +5  -0
with 394 additions and 1 deletion (+394 -1)

pkg/policy/nsaHardeningRules.yaml → pkg/policy/nsaHardeningRules/nsaHardeningRules.yaml  (renamed)  +1  -1
@@ -298,7 +298,7 @@
const
:
true
required
:
-
runAsNonRoot
a
ny
Of
:
a
ll
Of
:
-
$ref
:
"
#/definitions/containerSecurityPattern"
-
$ref
:
"
#/definitions/podSecurityContextPattern"
additionalProperties
:
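Review bot: the commit message says only "add pass/fail yamls", but this hunk changes the rule schema itself and the file header shows the file moving from pkg/policy/nsaHardeningRules.yaml into pkg/policy/nsaHardeningRules/. At line 298 the combinator directly under `required: - runAsNonRoot` is swapped; the rendering shows `anyOf` and `allOf` as the removed/added pair above the two `$ref` entries. Those keywords are not interchangeable: with `allOf` a manifest must satisfy both `#/definitions/containerSecurityPattern` and `#/definitions/podSecurityContextPattern`, with `anyOf` either one suffices, so the swap changes which manifests pass the runAsNonRoot rule. Please state the intended semantics and the direction of the change in the commit message, and pin the choice with fixtures that set runAsNonRoot at only the container level and at only the pod level.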

pkg/policy/nsaHardeningRules/tests/45-fail.yaml  (new file, 0 → 100644)  +57  -0
apiVersion
:
apps/v1
kind
:
Deployment
metadata
:
name
:
example-depl
namespace
:
exmpl
labels
:
environment
:
prod
app
:
web
spec
:
replicas
:
2
selector
:
matchLabels
:
app
:
web
template
:
metadata
:
namespace
:
exmpl
labels
:
app
:
web
spec
:
containers
:
-
name
:
front-end
image
:
nginx:latest
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
limits
:
cpu
:
"
500m"
ports
:
-
containerPort
:
80
-
name
:
rss-reader
image
:
datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
livenessProbe
:
httpGet
:
path
:
/healthz
port
:
8080
httpHeaders
:
-
name
:
Custom-Header
value
:
Awesome
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
memory
:
"
128Mi"
limits
:
memory
:
"
128Mi"
cpu
:
"
500m"
ports
:
-
containerPort
:
88

pkg/policy/nsaHardeningRules/tests/45-pass.yaml  (new file, 0 → 100644)  +65  -0
apiVersion
:
apps/v1
kind
:
Deployment
metadata
:
name
:
example-depl
namespace
:
exmpl
labels
:
environment
:
prod
app
:
web
on-call
:
yoda-at-datree.io
spec
:
replicas
:
2
selector
:
matchLabels
:
app
:
web
template
:
metadata
:
namespace
:
exmpl
labels
:
app
:
web
spec
:
restartPolicy
:
Always
containers
:
-
name
:
front-end
image
:
nginx@sha256:0a564e80a3156f2cc825d1720f303d59bd521da19bcbd01316870e1313ecbd23
securityContext
:
readOnlyRootFilesystem
:
true
runAsUser
:
810
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
memory
:
"
64Mi"
cpu
:
"
64m"
limits
:
cpu
:
"
500m"
ports
:
-
containerPort
:
80
-
name
:
rss-reader
image
:
datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext
:
readOnlyRootFilesystem
:
true
livenessProbe
:
httpGet
:
path
:
/healthz
port
:
8080
httpHeaders
:
-
name
:
Custom-Header
value
:
Awesome
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
memory
:
"
128Mi"
limits
:
memory
:
"
128Mi"
cpu
:
"
500m"
ports
:
-
containerPort
:
88
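Review bot: 45-pass.yaml differs from 45-fail.yaml in far more than one property. The one setting added to both containers is `securityContext: readOnlyRootFilesystem: true`, which looks like the property under test, but the pass fixture also pins the front-end image to a digest, adds `runAsUser: 810`, `restartPolicy: Always`, an `on-call` label and a memory request. A pass fixture that changes several things at once does not prove which change satisfies the rule, and a later schema edit could keep it passing for the wrong reason. Suggest making 45-pass identical to 45-fail apart from the readOnlyRootFilesystem lines, or, if rule 45 really checks the other properties too, saying so in a comment at the top of the fixture.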

pkg/policy/nsaHardeningRules/tests/46-fail.yaml  (new file, 0 → 100644)  +16  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
test-pd
spec
:
containers
:
-
image
:
k8s.gcr.io/test-webserver
name
:
test-container
volumeMounts
:
-
mountPath
:
/test-pd
name
:
test-volume
volumes
:
-
name
:
test-volume
hostPath
:
path
:
/data
type
:
Directory

pkg/policy/nsaHardeningRules/tests/46-pass.yaml  (new file, 0 → 100644)  +13  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
test-pd
spec
:
containers
:
-
image
:
k8s.gcr.io/test-webserver
name
:
test-container
volumeMounts
:
-
mountPath
:
/test-pd
name
:
test-volume
volumes
:
-
name
:
test-volume
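Review bot: the pass fixture's volume has no source at all: `volumes: - name: test-volume` and nothing under it. Kubernetes requires exactly one volume source per entry and the API server rejects a volume without one, so 46-pass.yaml would never deploy and does not show readers what to use in place of the `hostPath` that 46-fail.yaml is flagged for. Suggest adding `emptyDir: {}` under the volume so the pass fixture stays a valid manifest and documents the hostPath-free alternative the rule steers toward.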

pkg/policy/nsaHardeningRules/tests/47-fail.yaml  (new file, 0 → 100644)  +14  -0
apiVersion
:
apps/v1
kind
:
Deployment
metadata
:
name
:
nginx-deployment
spec
:
selector
:
matchLabels
:
app
:
nginx
replicas
:
1
template
:
spec
:
containers
:
-
name
:
nginx
image
:
nginx:latest

pkg/policy/nsaHardeningRules/tests/47-pass.yaml  (new file, 0 → 100644)  +16  -0
apiVersion
:
apps/v1
kind
:
Deployment
metadata
:
name
:
nginx-deployment
spec
:
replicas
:
1
selector
:
matchLabels
:
app
:
nginx
template
:
spec
:
containers
:
-
name
:
nginx
image
:
nginx:latest
securityContext
:
allowPrivilegeEscalation
:
false
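Review bot: in both 47-fail.yaml and 47-pass.yaml the pod template has no `metadata.labels`, while `spec.selector.matchLabels` requires `app: nginx`; the API server rejects a Deployment whose selector does not match its template labels. This does not affect the `allowPrivilegeEscalation: false` check the pair exists for, but pass fixtures double as examples of a correct manifest, so adding `template.metadata.labels` with `app: nginx` to both files would keep them deployable. Separately, `replicas` moved above `selector` between the two files; harmless, but unrelated noise in a pass/fail pair that should differ only in the property under test.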

pkg/policy/nsaHardeningRules/tests/48-fail.yaml  (new file, 0 → 100644)  +9  -0
kind
:
Role
apiVersion
:
rbac.authorization.k8s.io/v1
metadata
:
namespace
:
default
name
:
pod-exec
rules
:
-
apiGroups
:
[
"
"
]
resources
:
[
"
pods/exec"
]
verbs
:
[
"
"
]

pkg/policy/nsaHardeningRules/tests/48-pass.yaml  (new file, 0 → 100644)  +9  -0
kind
:
Role
apiVersion
:
rbac.authorization.k8s.io/v1
metadata
:
namespace
:
default
name
:
pod-exec
rules
:
-
apiGroups
:
[
"
"
]
resources
:
[
"
pods"
]
verbs
:
[
"
"
]
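Review bot: `verbs: [""]` (an empty string) in both 48-fail.yaml and 48-pass.yaml is not an RBAC verb, so neither fixture looks like a Role anyone would write, and the rule's intent is harder to read from the pair. The exec subresource is granted with the `create` verb on `pods/exec`, so `verbs: ["create"]` in the fail fixture would make it a realistic example of what the rule blocks, and a read-only verb such as `get` or `list` on `pods` in the pass fixture would show the acceptable shape. `apiGroups: [""]` for the core API group is correct as written.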

pkg/policy/nsaHardeningRules/tests/49-fail.yaml  (new file, 0 → 100644)  +11  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
security-context-demo-4
spec
:
containers
:
-
name
:
sec-ctx-4
image
:
gcr.io/google-samples/node-hello:1.0
securityContext
:
capabilities
:
add
:
[
"
NET_ADMIN"
,
"
SYS_TIME"
]

pkg/policy/nsaHardeningRules/tests/49-pass.yaml  (new file, 0 → 100644)  +11  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
security-context-demo-4
spec
:
containers
:
-
name
:
sec-ctx-4
image
:
gcr.io/google-samples/node-hello:1.0
securityContext
:
capabilities
:
add
:
[
"
SYS_TIME"
]
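Review bot: 49-pass.yaml still adds a capability (`add: ["SYS_TIME"]`); only `NET_ADMIN` was dropped relative to 49-fail.yaml. As a test that the rule targets a specific capability that is fine, but readers take the pass file as the recommended shape, and adding capabilities is not it. Suggest a second pass fixture (or a comment in this one) with `capabilities: drop: ["ALL"]` and no `add`, the usual hardened baseline, alongside this case that documents the rule's exact scope.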

pkg/policy/nsaHardeningRules/tests/50-fail.yaml  (new file, 0 → 100644)  +11  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
myPod
spec
:
containers
:
-
name
:
container
image
:
node
ports
:
-
containerPort
:
80
hostPort
:
8080

pkg/policy/nsaHardeningRules/tests/50-pass.yaml  (new file, 0 → 100644)  +10  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
myPod
spec
:
containers
:
-
name
:
container
image
:
node
ports
:
-
containerPort
:
80
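Review bot: `metadata.name: myPod` is not a valid Kubernetes object name; names must be lowercase RFC 1123 subdomains, so the API server would reject this Pod with or without the `hostPort`. datree evaluates the YAML statically and will not notice, but fixtures get copied as examples, so `my-pod` would be better. The same applies to `myPod` and the container name `myContainer` in 51-fail.yaml and 51-pass.yaml, and to `srvAcc` in the 53 fixtures. Removing `hostPort: 8080` is the right minimal difference between the fail and pass files.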

pkg/policy/nsaHardeningRules/tests/51-fail.yaml  (new file, 0 → 100644)  +11  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
myPod
spec
:
securityContext
:
runAsUser
:
2000
runAsGroup
:
200
containers
:
-
name
:
myContainer
image
:
node

pkg/policy/nsaHardeningRules/tests/51-pass.yaml  (new file, 0 → 100644)  +11  -0
apiVersion
:
v1
kind
:
Pod
metadata
:
name
:
myPod
spec
:
securityContext
:
runAsUser
:
2000
runAsGroup
:
2000
containers
:
-
name
:
myContainer
image
:
node
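Review bot: the only difference between 51-fail.yaml (`runAsGroup: 200`) and 51-pass.yaml (`runAsGroup: 2000`) is the group id, so the pair implies a numeric bound on `runAsGroup` without saying what it is. Suggest naming the rule and its bound in a comment at the top of each file and, if the bound is a specific value, using one fixture just below it and one exactly at it, so the boundary is what gets tested rather than two values an order of magnitude apart. Keeping `runAsUser: 2000` in both files correctly isolates runAsGroup as the variable.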

pkg/policy/nsaHardeningRules/tests/52-fail.yaml  (new file, 0 → 100644)  +59  -0
apiVersion
:
apps/v1
kind
:
Deployment
metadata
:
name
:
example-depl
namespace
:
exmpl
labels
:
environment
:
prod
app
:
web
spec
:
replicas
:
2
selector
:
matchLabels
:
app
:
web
template
:
metadata
:
namespace
:
exmpl
labels
:
app
:
web
spec
:
containers
:
-
name
:
front-end
image
:
nginx:latest
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
limits
:
cpu
:
"
500m"
ports
:
-
containerPort
:
80
-
name
:
rss-reader
image
:
datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext
:
runAsNonRoot
:
true
livenessProbe
:
httpGet
:
path
:
/healthz
port
:
8080
httpHeaders
:
-
name
:
Custom-Header
value
:
Awesome
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
memory
:
"
128Mi"
limits
:
memory
:
"
128Mi"
cpu
:
"
500m"
ports
:
-
containerPort
:
88

pkg/policy/nsaHardeningRules/tests/52-pass.yaml  (new file, 0 → 100644)  +61  -0
apiVersion
:
apps/v1
kind
:
Deployment
metadata
:
name
:
example-depl
namespace
:
exmpl
labels
:
environment
:
prod
app
:
web
spec
:
replicas
:
2
selector
:
matchLabels
:
app
:
web
template
:
metadata
:
namespace
:
exmpl
labels
:
app
:
web
spec
:
containers
:
-
name
:
front-end
image
:
nginx:latest
securityContext
:
runAsNonRoot
:
true
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
limits
:
cpu
:
"
500m"
ports
:
-
containerPort
:
80
-
name
:
rss-reader
image
:
datree/nginx@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
securityContext
:
runAsNonRoot
:
true
livenessProbe
:
httpGet
:
path
:
/healthz
port
:
8080
httpHeaders
:
-
name
:
Custom-Header
value
:
Awesome
readinessProbe
:
tcpSocket
:
port
:
8080
initialDelaySeconds
:
5
periodSeconds
:
10
resources
:
requests
:
cpu
:
"
64m"
memory
:
"
128Mi"
limits
:
memory
:
"
128Mi"
cpu
:
"
500m"
ports
:
-
containerPort
:
88
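Review bot: 52-pass.yaml sets `runAsNonRoot: true` only inside each container's `securityContext`; nothing sets it on the pod-level `spec.securityContext`. The schema hunk in nsaHardeningRules.yaml references both `#/definitions/containerSecurityPattern` and `#/definitions/podSecurityContextPattern` under the runAsNonRoot rule, so the pod-level branch is left untested by this pair. Suggest a second pass fixture with pod-level `securityContext: runAsNonRoot: true` and no container-level setting, and a fail fixture where the pod level says true but one container overrides it with `runAsNonRoot: false`, since a container-level value takes precedence over the pod-level one and that is the case a rule like this most needs to catch.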

pkg/policy/nsaHardeningRules/tests/53-fail.yaml  (new file, 0 → 100644)  +4  -0
apiVersion
:
v1
kind
:
ServiceAccount
metadata
:
name
:
srvAcc

pkg/policy/nsaHardeningRules/tests/53-pass.yaml  (new file, 0 → 100644)  +5  -0
apiVersion
:
v1
kind
:
ServiceAccount
metadata
:
name
:
srvAcc
automountServiceAccountToken
:
false
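Review bot: 53-fail.yaml relies on `automountServiceAccountToken` being absent (the Kubernetes default is true). That covers the default case, but a ServiceAccount with an explicit `automountServiceAccountToken: true` fails the same guidance, and this pair does not show whether the rule catches the explicit value. Suggest adding that as a second fail fixture. Also, `name: srvAcc` is not a valid ServiceAccount name (names must be lowercase RFC 1123 subdomains); `srv-acc` would keep both fixtures deployable.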