Automatically patches resources on admission to meet PSA restricted requirements

bryopsida/psa-restricted-patcher

psa-restricted-patcher

NPM Scripts

The following scripts are available:

  • lint - lints the source code using eslint
  • lint:fix - automatically fixes any lint errors that can be fixed automatically
  • test - uses jest to run the test suites
  • test:e2e - runs the e2e test suite; this requires an active helm:deploy
  • build - compiles the TypeScript into JS and places it in the dist folder
  • build:image - builds the container image
  • build:docs - builds the API docs
  • minikube:start - creates a minikube k8s cluster
  • minikube:stop - stops minikube but does not delete it
  • minikube:delete - deletes the minikube cluster
  • helm:addRepos - adds the helm repos
  • helm:deployCertManager - deploys cert-manager for TLS
  • helm:deploy - deploys the app to k8s using helm
  • helm:template - prints the k8s YAML that would be applied to k8s when using helm:deploy
  • helm:uninstall - removes the app from k8s
  • helm:uninstallCertManager - removes cert-manager from the k8s cluster

Deploy it

If you don't already have cert-manager installed, you will need to run:

helm repo add jetstack https://charts.jetstack.io && helm repo update && \
  helm upgrade --install --namespace cert-manager --create-namespace \
  cert-manager jetstack/cert-manager --set installCRDs=true --debug --wait

Add the helm repo and fetch updates:

helm repo add psa https://bryopsida.github.io/psa-restricted-patcher
helm repo update

Verify it worked:

helm search repo psa

You should see something like:

NAME                                                    CHART VERSION   APP VERSION     DESCRIPTION
psa/psa-restricted-patcher...      0.1.0           0.1.0          ...

Deploy the app:

helm upgrade --install starter psa/psa-restricted-patcher

Verify it worked by creating a test pod; it will be changed on admission:

kubectl run testpod --image=busybox

Fetch its YAML:

kubectl get pod testpod -o yaml

You will see that its securityContexts have been enhanced.
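
To make the verification step concrete, the following added example (not code from psa-restricted-patcher) checks a pod object for the main securityContext fields the PSA restricted profile requires. The type names, function name and both sample pods are hypothetical and constructed for illustration; it evaluates effective container settings for a subset of the restricted rules and does not cover volumes or host namespaces.

```typescript
// Added example: checks a subset of the PSA "restricted" securityContext rules.
// Type and function names are hypothetical, not part of psa-restricted-patcher.
type SecCtx = {
  runAsNonRoot?: boolean
  runAsUser?: number
  allowPrivilegeEscalation?: boolean
  privileged?: boolean
  capabilities?: { add?: string[]; drop?: string[] }
  seccompProfile?: { type?: string }
}
type ContainerLike = { name: string; securityContext?: SecCtx }
type PodLike = {
  spec: { securityContext?: SecCtx; containers: ContainerLike[]; initContainers?: ContainerLike[] }
}

// Returns one message per violation; an empty array means the checked fields pass.
function restrictedViolations(pod: PodLike): string[] {
  const out: string[] = []
  const podCtx: SecCtx = pod.spec.securityContext ?? {}
  const all: ContainerLike[] = (pod.spec.initContainers ?? []).concat(pod.spec.containers)
  for (const c of all) {
    const ctx: SecCtx = c.securityContext ?? {}
    const caps = ctx.capabilities ?? {}
    // Container-level settings take precedence over pod-level ones.
    const nonRoot = ctx.runAsNonRoot ?? podCtx.runAsNonRoot
    const seccomp = ctx.seccompProfile?.type ?? podCtx.seccompProfile?.type
    if (nonRoot !== true) out.push(`${c.name}: runAsNonRoot is not true`)
    if (ctx.runAsUser === 0 || podCtx.runAsUser === 0) out.push(`${c.name}: runAsUser is 0`)
    if (ctx.privileged === true) out.push(`${c.name}: privileged is true`)
    if (ctx.allowPrivilegeEscalation !== false) out.push(`${c.name}: allowPrivilegeEscalation is not false`)
    if ((caps.drop ?? []).indexOf('ALL') < 0) out.push(`${c.name}: capabilities.drop lacks ALL`)
    if ((caps.add ?? []).some((a) => a !== 'NET_BIND_SERVICE')) out.push(`${c.name}: capabilities.add beyond NET_BIND_SERVICE`)
    if (seccomp !== 'RuntimeDefault' && seccomp !== 'Localhost') out.push(`${c.name}: seccompProfile is not RuntimeDefault or Localhost`)
  }
  return out
}

// Constructed sample: a bare busybox pod as submitted by `kubectl run`.
const submittedPod: PodLike = { spec: { containers: [{ name: 'testpod' }] } }

// Constructed sample: a compliant pod; the real patcher's output may place
// these fields differently (pod level versus container level).
const compliantPod: PodLike = {
  spec: {
    securityContext: { runAsNonRoot: true, seccompProfile: { type: 'RuntimeDefault' } },
    containers: [{
      name: 'testpod',
      securityContext: { allowPrivilegeEscalation: false, capabilities: { drop: ['ALL'] } },
    }],
  },
}
```

Feeding the parsed output of the pod fetch above into restrictedViolations should return an empty array once the webhook is active.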