From 8d7152d8d2d98fce4741405e333c74f17dee6a53 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Fri, 22 Nov 2024 11:59:59 +0100 Subject: [PATCH 01/31] ingress works --- backend/Makefile | 21 ++++++++++++------- backend/index.js | 1 + resources/base/backend/deployment.yaml | 8 ++++++- .../{ingress.tpl.yaml => ingress.yaml} | 15 +++++++------ 4 files changed, 29 insertions(+), 16 deletions(-) rename resources/ingress/{ingress.tpl.yaml => ingress.yaml} (79%) diff --git a/backend/Makefile b/backend/Makefile index fe9ee86c7f..5128dca89a 100644 --- a/backend/Makefile +++ b/backend/Makefile @@ -1,12 +1,19 @@ APP_NAME = busola-backend -IMG_NAME := $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(APP_NAME) -TAG := $(DOCKER_TAG) +##@ General +.DEFAULT_GOAL=help +.PHONY: help +.PHONY: help +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) -build-image: + +build-image: ## Build busola backend image docker build -t $(APP_NAME) -f Dockerfile . -push-image: - docker tag $(APP_NAME):latest $(IMG_NAME):$(TAG) - docker push $(IMG_NAME):$(TAG) -release: build-image push-image +install-busola-backend: build-image ## Build busola backend image and install it on local k3d cluster + $(eval HASH_TAG=$(shell docker images $(APP_NAME):latest --quiet)) + docker tag $(APP_NAME) $(APP_NAME):$(HASH_TAG) + + k3d image import $(APP_NAME):$(HASH_TAG) -c kyma + kubectl set image deployment backend backend=$(APP_NAME):$(HASH_TAG) diff --git a/backend/index.js b/backend/index.js index 8c2b4e3e2c..092717bd21 100644 --- a/backend/index.js +++ b/backend/index.js @@ -51,6 +51,7 @@ if (gzipEnabled) ); if (process.env.NODE_ENV === 'development') { + console.log('Use development settings of cors'); app.use(cors({ origin: '*' })); } 
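Review bot: `install-busola-backend` runs `k3d image import … -c kyma` and `kubectl set image deployment backend …` against whatever kubeconfig context happens to be current, so running it with a non-k3d context selected would retag the deployment on that cluster; passing an explicit `--context` to kubectl, or checking `kubectl config current-context` before the `set image` line, would keep the target local. `.PHONY: help` is declared twice on consecutive lines. `HASH_TAG` is taken from `docker images $(APP_NAME):latest --quiet` and is empty when no such image exists, in which case `docker tag $(APP_NAME) $(APP_NAME):` fails with an unhelpful message; a guard such as `test -n "$(HASH_TAG)"` before the tag would make that explicit. The hunk also deletes `push-image` and `release`, the only targets that published the backend image; if anything in CI still calls `make release` in this directory it will now fail with a missing-rule error.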
diff --git a/resources/base/backend/deployment.yaml b/resources/base/backend/deployment.yaml index a017c42574..95065b7111 100644 --- a/resources/base/backend/deployment.yaml +++ b/resources/base/backend/deployment.yaml @@ -21,7 +21,7 @@ spec: containers: - name: backend image: busola-backend - imagePullPolicy: Always + imagePullPolicy: IfNotPresent resources: limits: cpu: 1 @@ -41,6 +41,12 @@ spec: env: - name: ADDRESS value: 0.0.0.0 + - name: NODE_ENV + valueFrom: + configMapKeyRef: + optional: true + key: NODE_ENV + name: busola-backend-config volumeMounts: - name: config mountPath: /app/config diff --git a/resources/ingress/ingress.tpl.yaml b/resources/ingress/ingress.yaml similarity index 79% rename from resources/ingress/ingress.tpl.yaml rename to resources/ingress/ingress.yaml index afda2cee0a..10b84f9ae2 100644 --- a/resources/ingress/ingress.tpl.yaml +++ b/resources/ingress/ingress.yaml @@ -8,22 +8,21 @@ metadata: nginx.ingress.kubernetes.io/server-snippet: 'server_tokens off;' # hide nginx version nginx.ingress.kubernetes.io/enable-cors: 'false' spec: - ingressClassName: nginx rules: - - host: $DOMAIN - http: + - http: paths: - - backend: + - path: / + pathType: Prefix + backend: service: name: web port: number: 8080 - path: /(.*) + + - path: /backend pathType: Prefix - - backend: + backend: service: name: backend port: number: 3001 - path: /backend(?:/|$)(.*) - pathType: Prefix From 4fc041e235f1b4eddd56c0c9f1114119f7afb8a9 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 18 Dec 2024 13:45:25 +0100 Subject: [PATCH 02/31] wip --- README.md | 16 ++++++++++++++++ resources/base/web/deployment.yaml | 2 ++ src/shared/utils/getClusterConfig.js | 15 --------------- src/state/types.ts | 1 + src/state/utils/getBackendInfo.ts | 6 ++++++ vite.config.mts | 3 ++- 6 files changed, 27 insertions(+), 16 deletions(-) delete mode 100644 src/shared/utils/getClusterConfig.js diff --git a/README.md b/README.md index cd398ab3de..0fe376717b 100644 --- a/README.md 
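Review bot: `imagePullPolicy: IfNotPresent` together with the untagged `busola-backend` image reference (which resolves to `latest`) means a node that already holds any `busola-backend:latest` image never pulls a newer build, so rollouts can silently keep running a stale image; keep `Always` for a mutable tag, or pin an immutable tag or digest through kustomize. The new `NODE_ENV` key is also the value `backend/index.js` (first patch in this series) tests before enabling `cors({ origin: '*' })`, so anyone who can edit the `busola-backend-config` ConfigMap can switch the backend to wildcard CORS; a comment next to the entry, `# NODE_ENV=development enables cors({ origin: '*' }) in backend/index.js`, would make that coupling visible to whoever maintains the ConfigMap.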
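Review bot: The new `/` and `/backend` paths are plain `Prefix` paths with no capture group, but the `nginx.ingress.kubernetes.io/rewrite-target: /$1` annotation stays in the file (it is only removed two patches later), so on an ingress-nginx controller `$1` would expand to nothing and, as far as I can tell, every request including `/backend/…` is rewritten to `/`; either drop the rewrite annotation in this commit or keep the regex paths it was written for. Removing `host: $DOMAIN` makes the rule match every host, and removing `ingressClassName: nginx` leaves class selection to whatever default the cluster has; both look intended for a local k3d setup but deserve a header comment in the renamed file, e.g. `# local ingress: any host, default ingress class`.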
+++ b/README.md @@ -178,6 +178,22 @@ For the information on how to run tests and configure them, go to the [`tests`]( docker run --rm -it -p 3001:3001 -v :/app/core-ui/environments/ --env ENVIRONMENT={your-env} --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest ``` +## Busola installed in Kubernetes cluster + +You can install busola on kubernetes cluster in 3 flavours: + +- normal +- with ingress +- with Istio configuration + +To install Busola in kubernetes + +### K3d + +### Port-forward + +### Istio-ingress gateway + ## Troubleshooting > **TIP:** To solve most of the problems with Busola development, clear the browser cache or do a hard refresh of the website. diff --git a/resources/base/web/deployment.yaml b/resources/base/web/deployment.yaml index a8a8b1eb5e..09783e0dd9 100644 --- a/resources/base/web/deployment.yaml +++ b/resources/base/web/deployment.yaml @@ -25,6 +25,8 @@ spec: optional: true key: ENVIRONMENT name: environment + - name: BACKEND_URL + value: backend resources: requests: cpu: 100m diff --git a/src/shared/utils/getClusterConfig.js b/src/shared/utils/getClusterConfig.js deleted file mode 100644 index c4bf6398fa..0000000000 --- a/src/shared/utils/getClusterConfig.js +++ /dev/null @@ -1,15 +0,0 @@ -const domain = window.location.hostname; - -function getBackendAddress() { - // dev busola - if (window.location.hostname.startsWith('localhost')) { - return 'http://localhost:3001/backend'; - // on cluster - } else { - return '/backend'; - } -} -export const getClusterConfig = () => ({ - domain, - backendAddress: getBackendAddress(), -}); diff --git a/src/state/types.ts b/src/state/types.ts index db9e7a62d3..87b2d93024 100644 --- a/src/state/types.ts +++ b/src/state/types.ts 
@@ -25,6 +25,7 @@ export const configFeaturesNames = { EXTENSIBILITY_CUSTOM_COMPONENTS: 'EXTENSIBILITY_CUSTOM_COMPONENTS', EXTENSIBILITY_WIZARD: 'EXTENSIBILITY_WIZARD', TRACKING: 'TRACKING', + BACKEND_URL: 'BACKEND_URL', PROTECTED_RESOURCES: 'PROTECTED_RESOURCES', EXTERNAL_NODES: 'EXTERNAL_NODES', GARDENER_LOGIN: 'GARDENER_LOGIN', diff --git a/src/state/utils/getBackendInfo.ts b/src/state/utils/getBackendInfo.ts index d5ee6e5fec..52c4ff5cde 100644 --- a/src/state/utils/getBackendInfo.ts +++ b/src/state/utils/getBackendInfo.ts @@ -2,6 +2,12 @@ const domain = window.location.hostname; const getBackendAddress = () => { // local busola - needed for e2e tests to work locally + console.log(process.env); + const backendUrlFeat = process.env.BACKEND_URL; + if (backendUrlFeat) { + return backendUrlFeat; + } + if ( window.location.hostname.startsWith('localhost') && window.location.port === '8080' && diff --git a/vite.config.mts b/vite.config.mts index 0e88a8863e..70d9c27bdf 100644 --- a/vite.config.mts +++ b/vite.config.mts @@ -60,13 +60,14 @@ export default defineConfig({ }, }, include: [ - '@openapi-contrib/openapi-schema-to-json-schema', + '@openapi-contrib/openapi-schema-to-json-schema', '@stoplight/json-ref-resolver', 'monaco-yaml/yaml.worker.js' ] }, define: { 'process.env.IS_DOCKER': JSON.stringify(process.env.IS_DOCKER || false), + 'process.env.BACKEND_URL': JSON.stringify(process.env.BACKEND_URL), }, }); From c34619e4b70d0a7599497c079d08a9accb374780 Mon Sep 17 00:00:00 2001 
From: Damian Badura Date: Mon, 25 Nov 2024 13:16:27 +0100 Subject: [PATCH 03/31] first version od tests adjustement --- .github/scripts/deploy_busola.sh | 38 +++++++++++++++++++ .github/scripts/prepare_kubeconfig.sh | 13 +++++++ .../workflows/pull-kyma-integration-tests.yml | 12 +++--- resources/base/backend/deployment.yaml | 6 --- resources/base/backend/kustomization.yaml | 4 ++ resources/base/web/deployment.yaml | 2 +- resources/base/web/kustomization.yaml | 4 ++ resources/ingress/ingress.yaml | 5 --- resources/ingress/ingressClass.yaml | 10 ----- 9 files changed, 67 insertions(+), 27 deletions(-) create mode 100755 .github/scripts/deploy_busola.sh create mode 100755 .github/scripts/prepare_kubeconfig.sh delete mode 100644 resources/ingress/ingressClass.yaml diff --git a/.github/scripts/deploy_busola.sh b/.github/scripts/deploy_busola.sh new file mode 100755 index 0000000000..70c64aecac --- /dev/null +++ b/.github/scripts/deploy_busola.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+# This script install busola on k8s
+
+# standard bash error handling
+set -o nounset # treat unset variables as an error and exit immediately.
+set -o errexit # exit immediately when a command fails.
+set -E # needs to be set if we want the ERR trap
+set -o pipefail # prevents errors in a pipeline from being masked
+
+IMG_TAG=$1
+
+#kubectl create configmap ENV #TODO: Fix it
+
+echo "### Deploying busola from: ${IMG_TAG}"
+
+cd resources
+(cd base/web && kustomize edit set image busola-web=europe-docker.pkg.dev/kyma-project/prod/busola-web:"${IMG_TAG}")
+(cd base/backend && kustomize edit set image busola-backend=europe-docker.pkg.dev/kyma-project/prod/busola-backend:"${IMG_TAG}")
+kustomize build base/ | kubectl apply -f-
+
+kubectl apply -f ingress/ingress.yaml
+
+# WAIT FOR busola to be deployed
+kubectl wait --for=condition=Available deployment/web
+kubectl wait --for=condition=Available deployment/backend
+
+# return ip address busola and save it to output
+IP=$(kubectl get ingress ingress-busola -ojson | jq .status.loadBalancer.ingress[].ip | tr -d '/"')
+
+echo "IP address: ${IP}"
+
+# check if busola is available with curl
+curl --fail "${IP}"
+
+if [[ ! -z "${GITHUB_OUTPUT:-}" ]]; then
+ echo "IP=${IP}}" > "${GITHUB_OUTPUT}"
+ fi;
\ No newline at end of file
diff --git a/.github/scripts/prepare_kubeconfig.sh b/.github/scripts/prepare_kubeconfig.sh
new file mode 100755
index 0000000000..54eb856fba
--- /dev/null
+++ b/.github/scripts/prepare_kubeconfig.sh
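Review bot: The `GITHUB_OUTPUT` write at the end of the script has a stray brace and truncates the outputs file: `echo "IP=${IP}}" > "${GITHUB_OUTPUT}"` should be `echo "IP=${IP}" >> "${GITHUB_OUTPUT}"`, otherwise the exported value ends in `}` and any output written earlier in the same step is lost. `IP` is read exactly once, right after the two deployments become Available, so if the ingress load-balancer address is not populated yet the variable is empty and `curl --fail "${IP}"` aborts the script under `errexit`; a short retry loop around the `kubectl get ingress` line (with `jq -r` instead of `tr -d '/"'`) would make this deterministic. Neither `kubectl wait` call passes `--timeout`, so both fall back to the default 30s, which is tight for a first image pull.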
@@ -0,0 +1,13 @@ +#!/bin/bash + +# standard bash error handling +set -o nounset # treat unset variables as an error and exit immediately. +set -o errexit # exit immediately when a command fails. +set -E # needs to be set if we want the ERR trap +set -o pipefail # prevents errors in a pipeline from being masked + +IP=${1} +k3d kubeconfig get kyma > tests/integration/fixtures/kubeconfig.yaml + +#To access kubernetes inside the cluster change the api server addrees available inside the cluster +yq --inplace '.clusters[].cluster.server = "https://kubernetes.default.svc:443"' tests/integration/fixtures/kubeconfig.yaml diff --git a/.github/workflows/pull-kyma-integration-tests.yml b/.github/workflows/pull-kyma-integration-tests.yml index 60fc82f6bc..678b9dc2a1 100644 --- a/.github/workflows/pull-kyma-integration-tests.yml +++ b/.github/workflows/pull-kyma-integration-tests.yml @@ -32,18 +32,20 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 20 - - name: setup_busola + - name: deploy_busola shell: bash + run: | - ./.github/scripts/setup-busola.sh | tee busola-build.log + ./.github/scripts/deploy_busola.sh | tee busola-deploy.log env: ENV: dev + - name: prepare_kubeconfig + run: | + prepare_kubeconfig.sh - name: run_tests shell: bash run: | - k3d kubeconfig get kyma > tests/integration/fixtures/kubeconfig.yaml - export CYPRESS_DOMAIN=http://localhost:3001 - + export CYPRESS_DOMAIN=http://${{steps.deploy_busola.IP}} cd tests/integration npm ci && npm run "test:kyma-e2e" - name: Uploads artifacts diff --git a/resources/base/backend/deployment.yaml b/resources/base/backend/deployment.yaml index 95065b7111..5dbed86d25 100644 --- a/resources/base/backend/deployment.yaml +++ b/resources/base/backend/deployment.yaml @@ -41,12 +41,6 @@ spec: env: - name: ADDRESS value: 0.0.0.0 - - name: NODE_ENV - valueFrom: - configMapKeyRef: - optional: true - key: NODE_ENV - name: busola-backend-config volumeMounts: - name: config mountPath: /app/config 
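Review bot: `IP=${1}` runs under `set -o nounset`, so the script aborts with an unbound-variable error whenever it is called without an argument — which is how the workflow hunk below invokes it — and `IP` is never used afterwards; delete the line or write `IP=${1:-}`. The file written to `tests/integration/fixtures/kubeconfig.yaml` presumably carries the k3d cluster credentials, so a comment such as `# contains cluster credentials; keep out of uploaded artifacts` next to the `k3d kubeconfig get` line would help whoever wires the artifact upload step.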
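Review bot: The new `prepare_kubeconfig` step runs `prepare_kubeconfig.sh` without a path, so unless `.github/scripts` is on `PATH` the step fails; the deploy step above uses `./.github/scripts/deploy_busola.sh`, so use `./.github/scripts/prepare_kubeconfig.sh` here as well. `${{steps.deploy_busola.IP}}` in `run_tests` cannot resolve either: step outputs are addressed as `steps.<id>.outputs.<name>`, and the deploy step only has a `name`, not an `id`, so add `id: deploy_busola` to that step and reference `${{ steps.deploy_busola.outputs.IP }}`. The `prepare_kubeconfig` step also lacks the `shell: bash` its neighbours set, which is harmless on Linux runners but inconsistent.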
diff --git a/resources/base/backend/kustomization.yaml b/resources/base/backend/kustomization.yaml index 6a0888caff..3aeb31e423 100644 --- a/resources/base/backend/kustomization.yaml +++ b/resources/base/backend/kustomization.yaml @@ -4,3 +4,7 @@ resources: - deployment.yaml - hpa.yaml - service.yaml +images: + - name: busola-backend + newName: europe-docker.pkg.dev/kyma-project/prod/busola-backend + newTag: v0.0.1 diff --git a/resources/base/web/deployment.yaml b/resources/base/web/deployment.yaml index 09783e0dd9..774cb9449b 100644 --- a/resources/base/web/deployment.yaml +++ b/resources/base/web/deployment.yaml @@ -17,7 +17,7 @@ spec: containers: - name: busola image: busola-web - imagePullPolicy: Always + imagePullPolicy: IfNotPresent env: - name: ENVIRONMENT valueFrom: diff --git a/resources/base/web/kustomization.yaml b/resources/base/web/kustomization.yaml index 8c9f6e654b..861e940d80 100644 --- a/resources/base/web/kustomization.yaml +++ b/resources/base/web/kustomization.yaml @@ -5,3 +5,7 @@ resources: - deployment.yaml - hpa.yaml - service.yaml +images: + - name: busola-web + newName: europe-docker.pkg.dev/kyma-project/prod/busola-web + newTag: v0.0.1 diff --git a/resources/ingress/ingress.yaml b/resources/ingress/ingress.yaml index 10b84f9ae2..a64b0e2bb0 100644 --- a/resources/ingress/ingress.yaml +++ b/resources/ingress/ingress.yaml @@ -2,11 +2,6 @@ kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: ingress-busola - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$1 - nginx.ingress.kubernetes.io/force-ssl-redirect: 'true' - nginx.ingress.kubernetes.io/server-snippet: 'server_tokens off;' # hide nginx version - nginx.ingress.kubernetes.io/enable-cors: 'false' spec: rules: - http: diff --git a/resources/ingress/ingressClass.yaml b/resources/ingress/ingressClass.yaml deleted file mode 100644 index a5feb7a495..0000000000 --- a/resources/ingress/ingressClass.yaml +++ /dev/null 
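Review bot: This hunk removes all four nginx annotations at once, including `force-ssl-redirect: 'true'` and the `server_tokens off` snippet, and no `tls:` block is visible in the hunk, so on an nginx controller the ingress now answers plain HTTP and advertises the server version. If the intent is a controller-agnostic manifest (the IngressClass resource is deleted in the same patch), state it in a header comment such as `# controller-agnostic local ingress: TLS redirect and server_tokens are expected to be configured on the controller`; otherwise keep the two hardening annotations and drop only `rewrite-target` and `enable-cors`.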
@@ -1,10 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - name: nginx - annotations: - ingressclass.kubernetes.io/is-default-class: 'true' -spec: - controller: k8s.io/ingress-nginx From 13f372102224e72aa00dad1565c8f859df7aa7f0 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 18 Dec 2024 13:48:39 +0100 Subject: [PATCH 04/31] revert changes related to ci --- .github/scripts/deploy_busola.sh | 38 ------------------- .github/scripts/prepare_kubeconfig.sh | 13 ------- .../workflows/pull-kyma-integration-tests.yml | 12 +++--- 3 files changed, 5 insertions(+), 58 deletions(-) delete mode 100755 .github/scripts/deploy_busola.sh delete mode 100755 .github/scripts/prepare_kubeconfig.sh diff --git a/.github/scripts/deploy_busola.sh b/.github/scripts/deploy_busola.sh deleted file mode 100755 index 70c64aecac..0000000000 --- a/.github/scripts/deploy_busola.sh +++ /dev/null 
@@ -1,38 +0,0 @@ -#!/bin/bash - -# This script install busola on k8s - -# standard bash error handling -set -o nounset # treat unset variables as an error and exit immediately. -set -o errexit # exit immediately when a command fails. -set -E # needs to be set if we want the ERR trap -set -o pipefail # prevents errors in a pipeline from being masked - -IMG_TAG=$1 - -#kubectl create configmap ENV #TODO: Fix it - -echo "### Deploying busola from: ${IMG_TAG}" - -cd resources -(cd base/web && kustomize edit set image busola-web=europe-docker.pkg.dev/kyma-project/prod/busola-web:"${IMG_TAG}") -(cd base/backend && kustomize edit set image busola-backend=europe-docker.pkg.dev/kyma-project/prod/busola-backend:"${IMG_TAG}") -kustomize build base/ | kubectl apply -f- - -kubectl apply -f ingress/ingress.yaml - -# WAIT FOR busola to be deployed -kubectl wait --for=condition=Available deployment/web -kubectl wait --for=condition=Available deployment/backend - -# return ip address busola and save it to output -IP=$(kubectl get ingress ingress-busola -ojson | jq .status.loadBalancer.ingress[].ip | tr -d '/"') - -echo "IP address: ${IP}" - -# check if busola is available with curl -curl --fail "${IP}" - -if [[ ! -z "${GITHUB_OUTPUT:-}" ]]; then - echo "IP=${IP}}" > "${GITHUB_OUTPUT}" - fi; \ No newline at end of file diff --git a/.github/scripts/prepare_kubeconfig.sh b/.github/scripts/prepare_kubeconfig.sh deleted file mode 100755 index 54eb856fba..0000000000 --- a/.github/scripts/prepare_kubeconfig.sh +++ /dev/null 
@@ -1,13 +0,0 @@ -#!/bin/bash - -# standard bash error handling -set -o nounset # treat unset variables as an error and exit immediately. -set -o errexit # exit immediately when a command fails. -set -E # needs to be set if we want the ERR trap -set -o pipefail # prevents errors in a pipeline from being masked - -IP=${1} -k3d kubeconfig get kyma > tests/integration/fixtures/kubeconfig.yaml - -#To access kubernetes inside the cluster change the api server addrees available inside the cluster -yq --inplace '.clusters[].cluster.server = "https://kubernetes.default.svc:443"' tests/integration/fixtures/kubeconfig.yaml diff --git a/.github/workflows/pull-kyma-integration-tests.yml b/.github/workflows/pull-kyma-integration-tests.yml index 678b9dc2a1..60fc82f6bc 100644 --- a/.github/workflows/pull-kyma-integration-tests.yml +++ b/.github/workflows/pull-kyma-integration-tests.yml @@ -32,20 +32,18 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 20 - - name: deploy_busola + - name: setup_busola shell: bash - run: | - ./.github/scripts/deploy_busola.sh | tee busola-deploy.log + ./.github/scripts/setup-busola.sh | tee busola-build.log env: ENV: dev - - name: prepare_kubeconfig - run: | - prepare_kubeconfig.sh - name: run_tests shell: bash run: | - export CYPRESS_DOMAIN=http://${{steps.deploy_busola.IP}} + k3d kubeconfig get kyma > tests/integration/fixtures/kubeconfig.yaml + export CYPRESS_DOMAIN=http://localhost:3001 + cd tests/integration npm ci && npm run "test:kyma-e2e" - name: Uploads artifacts From c8ae7816fa7ba9127c3b7c7c9eba81049c2b1ff0 Mon Sep 17 00:00:00 2001 
From: Damian Badura Date: Fri, 20 Dec 2024 17:26:50 +0100 Subject: [PATCH 05/31] wip --- Makefile | 37 +++-------- README.md | 35 +++++++++-- backend/index.js | 1 - resources/base/backend/kustomization.yaml | 2 +- resources/base/web/configmap.yaml | 61 ------------------- resources/base/web/deployment.yaml | 16 ++--- resources/base/web/kustomization.yaml | 3 +- resources/ingress/configmap.yaml | 6 ++ .../Gardener/useGardenerLoginFunction.tsx | 4 +- src/shared/hooks/BackendAPI/useFetch.ts | 4 +- src/shared/utils/env.ts | 32 ++++++++-- src/state/configuration/configurationAtom.ts | 2 +- src/state/navigation/extensionsAtom.ts | 2 +- src/state/types.ts | 1 - src/state/utils/getBackendInfo.ts | 27 ++++---- start_nginx.sh | 1 + start_node.sh | 1 + vite.config.mts | 1 - 18 files changed, 104 insertions(+), 132 deletions(-) delete mode 100644 resources/base/web/configmap.yaml create mode 100644 resources/ingress/configmap.yaml diff --git a/Makefile b/Makefile index bb245f942f..e5a417e3d2 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,4 @@ +APP_NAME = busola-web IMG_NAME = busola-web LOCAL_IMG_NAME = busola IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(IMG_NAME) 
@@ -21,30 +22,12 @@ release: build-image push-image release-local: build-image-local push-image-local -build-image: - docker build -t $(IMG_NAME) -f Dockerfile . - -build-image-local: - docker build -t $(LOCAL_IMG_NAME) -f Dockerfile.local . - -push-image: - docker tag $(IMG_NAME) $(IMG):$(TAG) - docker push $(IMG):$(TAG) -ifeq ($(JOB_TYPE), postsubmit) - @echo "Sign image with Cosign" - cosign version - cosign sign -key ${KMS_KEY_URL} $(REPO)$(IMG):$(TAG) -else - @echo "Image signing skipped" -endif - -push-image-local: - docker tag $(LOCAL_IMG_NAME) $(LOCAL_IMG):$(TAG) - docker push $(LOCAL_IMG):$(TAG) -ifeq ($(JOB_TYPE), postsubmit) - @echo "Tag image with latest" - docker tag $(LOCAL_IMG_NAME) $(LOCAL_IMG):latest - docker push $(LOCAL_IMG):latest -else - @echo "Image tagging with latest skipped" -endif +build-image: ## Build busola backend image + docker build -t $(APP_NAME) -f Dockerfile.web . + +install-busola-web: build-image ## Build busola web image and install it on local k3d cluster + $(eval HASH_TAG=$(shell docker images $(APP_NAME):latest --quiet)) + docker tag $(APP_NAME) $(APP_NAME):$(HASH_TAG) + + k3d image import $(APP_NAME):$(HASH_TAG) -c kyma + kubectl set image deployment web busola=$(APP_NAME):$(HASH_TAG) diff --git a/README.md b/README.md index 0fe376717b..8b0cb7d4ad 100644 --- a/README.md +++ b/README.md 
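Review bot: Deleting `push-image` and `push-image-local` leaves `release` (the hunk's section heading) and `release-local` (the context line at the top of the hunk) depending on targets that no longer exist, so `make release` now fails with a missing-rule error; more importantly, `push-image` held the only cosign signing step (`cosign sign -key ${KMS_KEY_URL} …` under `JOB_TYPE=postsubmit`) and this hunk does not move it anywhere. If publishing now happens outside this Makefile, the signing step should travel with it and the two `release*` targets should be removed or repointed in the same commit. The help text on the new `build-image` reads `## Build busola backend image` but the recipe builds the web image from `Dockerfile.web`; change it to `## Build busola web image`. `install-busola-web` also runs `k3d image import` and `kubectl set image` against the current kubeconfig context, so an explicit `--context` on the kubectl call would keep it from retagging a non-k3d deployment.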
@@ -178,18 +178,41 @@ For the information on how to run tests and configure them, go to the [`tests`]( docker run --rm -it -p 3001:3001 -v :/app/core-ui/environments/ --env ENVIRONMENT={your-env} --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest ``` -## Busola installed in Kubernetes cluster +## Deploy busola in Kubernetes Cluster -You can install busola on kubernetes cluster in 3 flavours: +To install busola on k8s cluster go to `resources` directory and run: -- normal -- with ingress -- with Istio configuration +```shell +kustomize build base/ | kubectl apply -f- +``` + +To install busola with istio gateway please prepare `DOMAIN`, go to `resources` and run: + +```shell +./apply-resources-istio.sh ${YOUR_DOMAIN} +``` + +### Access busola installed on Kubernetes -To install Busola in kubernetes +You can access busola installed on Kubernetes in several ways, depends on how it's installed: ### K3d +Use port-forward + +```shell +kubectl port-forward services/web 8080:8080 +kubectl port-forward services/backend 3001:3001 +``` + +Install ingress by runing: + +```shell +(cd resources && kubectl apply -f ingress/ingress.yaml) +``` + +Then go to `localhost` + ### Port-forward ### Istio-ingress gateway diff --git a/backend/index.js b/backend/index.js index 092717bd21..8c2b4e3e2c 100644 --- a/backend/index.js +++ b/backend/index.js @@ -51,7 +51,6 @@ if (gzipEnabled) ); if (process.env.NODE_ENV === 'development') { - console.log('Use development settings of cors'); app.use(cors({ origin: '*' })); } diff --git a/resources/base/backend/kustomization.yaml b/resources/base/backend/kustomization.yaml index 3aeb31e423..bf609e1f6a 100644 --- a/resources/base/backend/kustomization.yaml +++ b/resources/base/backend/kustomization.yaml @@ -7,4 +7,4 @@ resources: images: - name: busola-backend newName: europe-docker.pkg.dev/kyma-project/prod/busola-backend - newTag: v0.0.1 + newTag: latest 
diff --git a/resources/base/web/configmap.yaml b/resources/base/web/configmap.yaml deleted file mode 100644 index 94677f8b59..0000000000 --- a/resources/base/web/configmap.yaml +++ /dev/null @@ -1,61 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: busola-config -data: - config: > - { - "config": { - "storage": "localStorage", - "features": { - "LEGAL_LINKS": { - "config": { - "legal-disclosure": { - "default": "https://www.sap.com/corporate/en/legal/impressum.html", - "de": "https://www.sap.com/corporate/de/legal/impressum.html" - }, - "privacy": { - "default": - "https://help.sap.com/viewer/82bdf2271c6041f79387c122147cf774/Cloud/en-US" - }, - "copyright": { - "default": "https://www.sap.com/corporate/en/legal/copyright.html", - "de": "https://www.sap.com/corporate/de/legal/copyright.html" - }, - "trademark": { - "default": "https://www.sap.com/corporate/en/legal/trademark.html", - "de": "https://www.sap.com/corporate/de/legal/trademark.html" - } - } - }, - "GET_HELP_LINKS": { - "config": { - "kyma-project-io": { - "default": "https://kyma-project.io" - }, - "help-sap-com": { - "default": "https://help.sap.com" - } - } - }, - "SENTRY": { - "isEnabled": true, - "selectors": [], - "config": { - "dsn": "" - } - }, - "KUBECONFIG_ID": { - "config": { - "kubeconfigUrl": "/kubeconfig" - } - }, - "GZIP": { - "isEnabled": true - }, - "VISUAL_RESOURCES": { - "isEnabled": true - } - } - } - } diff --git a/resources/base/web/deployment.yaml b/resources/base/web/deployment.yaml index 774cb9449b..e93b1479d8 100644 --- a/resources/base/web/deployment.yaml +++ b/resources/base/web/deployment.yaml 
@@ -26,20 +26,14 @@ spec: key: ENVIRONMENT name: environment - name: BACKEND_URL - value: backend + valueFrom: + configMapKeyRef: + optional: true + key: BACKEND_URL + name: busola-config resources: requests: cpu: 100m memory: 21Mi ports: - containerPort: 8080 - volumeMounts: - - name: config - mountPath: /app/core-ui/config - volumes: - - name: config - configMap: - name: busola-config - items: - - key: config - path: config.yaml diff --git a/resources/base/web/kustomization.yaml b/resources/base/web/kustomization.yaml index 861e940d80..c89fd2c3ff 100644 --- a/resources/base/web/kustomization.yaml +++ b/resources/base/web/kustomization.yaml @@ -1,11 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - configmap.yaml - deployment.yaml - hpa.yaml - service.yaml images: - name: busola-web newName: europe-docker.pkg.dev/kyma-project/prod/busola-web - newTag: v0.0.1 + newTag: latest diff --git a/resources/ingress/configmap.yaml b/resources/ingress/configmap.yaml new file mode 100644 index 0000000000..66e979bafa --- /dev/null +++ b/resources/ingress/configmap.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: busola-config +data: + BACKEND_URL: 'http://localhost/backend' diff --git a/src/components/Gardener/useGardenerLoginFunction.tsx b/src/components/Gardener/useGardenerLoginFunction.tsx index e7a18cff84..52e2fad648 100644 --- a/src/components/Gardener/useGardenerLoginFunction.tsx +++ b/src/components/Gardener/useGardenerLoginFunction.tsx @@ -21,12 +21,12 @@ async function failFastFetch( } export function useGardenerLogin(setReport: (report: string) => void) { - const { backendAddress } = getClusterConfig(); const clustersInfo = useClustersInfo(); const getAvailableProjects = async ( fetchHeaders: HeadersInit, ): Promise => { + const { backendAddress } = await getClusterConfig(); type SSRResult = { status: { resourceRules: PermissionSet[] }; }; 
@@ -63,6 +63,8 @@ export function useGardenerLogin(setReport: (report: string) => void) { fetchHeaders: HeadersInit, availableProjects: string[], ) => { + const { backendAddress } = await getClusterConfig(); + type ShootsResult = { items: K8sResource[]; }; diff --git a/src/shared/hooks/BackendAPI/useFetch.ts b/src/shared/hooks/BackendAPI/useFetch.ts index 5acc7f7e9a..9fe50f7291 100644 --- a/src/shared/hooks/BackendAPI/useFetch.ts +++ b/src/shared/hooks/BackendAPI/useFetch.ts @@ -5,7 +5,7 @@ import { throwHttpError } from 'shared/hooks/BackendAPI/config'; import { authDataState, AuthDataState } from '../../../state/authDataAtom'; import { getClusterConfig } from '../../../state/utils/getBackendInfo'; -import { clusterState, ActiveClusterState } from '../../../state/clusterAtom'; +import { ActiveClusterState, clusterState } from '../../../state/clusterAtom'; export type FetchFn = ({ relativeUrl, @@ -40,7 +40,7 @@ export const createFetchFn = ({ }, signal: abortController?.signal, }; - const { backendAddress } = getClusterConfig(); + const { backendAddress } = await getClusterConfig(); try { const response = await fetch(backendAddress + relativeUrl, init); diff --git a/src/shared/utils/env.ts b/src/shared/utils/env.ts index 55bbe3fc38..0ba7927c02 100644 --- a/src/shared/utils/env.ts +++ b/src/shared/utils/env.ts 
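Review bot: `await getClusterConfig()` now runs inside the fetch function on every call, and `getClusterConfig` → `getBackendAddress` → `getEnv` → `fetchActiveEnv` issues a network request for `/active.env` each time (see the env.ts and getBackendInfo.ts hunks in this patch), so every backend request costs an extra round trip and the backend address can change between two consecutive calls if `/active.env` is replaced underneath the app. Resolve the config once — a module-level promise such as `const clusterConfigPromise = getClusterConfig();` awaited in the fetch function, or a memoized `getEnv` — and add a comment on the awaited line saying whether per-request re-resolution is intended. `createFetchFn` starts before this hunk.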
@@ -1,15 +1,37 @@ import joinPaths from './path'; -export default async function getConfigDir(): Promise { +export enum Envs { + BACKEND_URL = 'BACKEND_URL', + ENVIRONMENT = 'ENVIRONMENT', +} + +export default async function getEnv(env: Envs): Promise { const input = await fetchActiveEnv(); - const envVar = input.trim().split('='); - if (envVar?.length === 2 && envVar[1]) { - const envDir = envVar[1].trim(); - return joinPaths('environments', envDir); + const envs = readEnv(input); + const desiredEnv = envs.get(env); + return desiredEnv ? desiredEnv : ''; +} + +export async function getConfigDir(): Promise { + const environment = await getEnv(Envs.ENVIRONMENT); + if (environment) { + return joinPaths('environments', environment); } return ''; } +function readEnv(input: string): Map { + return new Map( + input.split('\n').map(value => { + const envVar = value.trim().split('='); + if (envVar?.length === 2 && envVar[1]) { + return [envVar[0], envVar[1]]; + } + return ['', '']; + }), + ); +} + async function fetchActiveEnv(): Promise { const envResponse = await fetch('/active.env'); return envResponse.text(); diff --git a/src/state/configuration/configurationAtom.ts b/src/state/configuration/configurationAtom.ts index c36844b15c..bc4cfbc0c6 100644 --- a/src/state/configuration/configurationAtom.ts +++ b/src/state/configuration/configurationAtom.ts @@ -10,7 +10,7 @@ import { ConfigFeatureList } from '../types'; import { apiGroupState } from '../discoverability/apiGroupsSelector'; import { getFeatures } from './getFeatures'; import { FetchFn } from 'shared/hooks/BackendAPI/useFetch'; -import getConfigDir from 'shared/utils/env'; +import { getConfigDir } from 'shared/utils/env'; type Configuration = { features?: ConfigFeatureList; diff --git a/src/state/navigation/extensionsAtom.ts b/src/state/navigation/extensionsAtom.ts index 426102e79e..c165796253 100644 --- a/src/state/navigation/extensionsAtom.ts +++ b/src/state/navigation/extensionsAtom.ts 
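Review bot: `readEnv` splits each line on every `=` and accepts only exactly two parts, so a value that itself contains `=` — a `BACKEND_URL` with a query string, for instance — is silently dropped and `getEnv` returns `''`; split on the first `=` only. Lines that do not parse become a `['', '']` entry instead of being skipped, and `getEnv` re-reads `/active.env` on every call. A rewrite of `readEnv` that splits once and skips malformed lines is below; the per-call fetch is best handled by caching the parsed map in this module, with a doc comment on `getEnv` stating that it reads the deployment-supplied `/active.env`.
```typescript
function readEnv(input: string): Map<string, string> {
  const envs = new Map<string, string>();
  for (const rawLine of input.split('\n')) {
    const line = rawLine.trim();
    const sep = line.indexOf('=');
    // skip blank, comment-like and key-less lines instead of storing '' -> ''
    if (sep <= 0) continue;
    const key = line.slice(0, sep).trim();
    const value = line.slice(sep + 1).trim(); // keeps any '=' inside the value
    if (key && value) envs.set(key, value);
  }
  return envs;
}
// … unchanged: fetchActiveEnv …
```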
@@ -26,7 +26,7 @@ import pluralize from 'pluralize'; import { useGet } from 'shared/hooks/BackendAPI/useGet'; import { CustomResourceDefinition } from 'command-pallette/CommandPalletteUI/handlers/crHandler'; import { createPostFn } from 'shared/hooks/BackendAPI/usePost'; -import getConfigDir from 'shared/utils/env'; +import { getConfigDir } from 'shared/utils/env'; /* the order of the overwrting extensions diff --git a/src/state/types.ts b/src/state/types.ts index 87b2d93024..db9e7a62d3 100644 --- a/src/state/types.ts +++ b/src/state/types.ts @@ -25,7 +25,6 @@ export const configFeaturesNames = { EXTENSIBILITY_CUSTOM_COMPONENTS: 'EXTENSIBILITY_CUSTOM_COMPONENTS', EXTENSIBILITY_WIZARD: 'EXTENSIBILITY_WIZARD', TRACKING: 'TRACKING', - BACKEND_URL: 'BACKEND_URL', PROTECTED_RESOURCES: 'PROTECTED_RESOURCES', EXTERNAL_NODES: 'EXTERNAL_NODES', GARDENER_LOGIN: 'GARDENER_LOGIN', diff --git a/src/state/utils/getBackendInfo.ts b/src/state/utils/getBackendInfo.ts index 52c4ff5cde..18141b177c 100644 --- a/src/state/utils/getBackendInfo.ts +++ b/src/state/utils/getBackendInfo.ts @@ -1,13 +1,15 @@ +import getEnv, { Envs } from '../../shared/utils/env'; + const domain = window.location.hostname; -const getBackendAddress = () => { - // local busola - needed for e2e tests to work locally - console.log(process.env); - const backendUrlFeat = process.env.BACKEND_URL; - if (backendUrlFeat) { - return backendUrlFeat; +async function getBackendAddress() { + const backendUrl = await getEnv(Envs.BACKEND_URL); + console.log(backendUrl); + if (backendUrl) { + return backendUrl; } + // local busola - needed for e2e tests to work locally if ( window.location.hostname.startsWith('localhost') && window.location.port === '8080' && 
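Review bot: `console.log(backendUrl)` at the top of `getBackendAddress` is a debug leftover that now fires on every backend request, because `createFetchFn` (useFetch.ts hunk in this patch) awaits `getClusterConfig()` per call; remove it. This function is also the point where a deployment-supplied `BACKEND_URL` from `/active.env` becomes the base URL for every `fetch`, which deserves a one-line comment such as `// BACKEND_URL from /active.env takes precedence over the localhost/port heuristics below`. The body of `getBackendAddress` continues past the end of this hunk.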
@@ -21,8 +23,11 @@ const getBackendAddress = () => { } else { return '/backend'; } -}; -export const getClusterConfig = () => ({ - domain, - backendAddress: getBackendAddress(), -}); +} + +export async function getClusterConfig() { + return { + domain, + backendAddress: await getBackendAddress(), + }; +} diff --git a/start_nginx.sh b/start_nginx.sh index 07f41bb29e..520d28f40d 100755 --- a/start_nginx.sh +++ b/start_nginx.sh @@ -1,3 +1,4 @@ #!/bin/sh echo ENVIRONMENT="${ENVIRONMENT}" > /app/core-ui/active.env +echo BACKEND_URL="${BACKEND_URL}" >> /app/core-ui/active.env nginx -g 'daemon off;' diff --git a/start_node.sh b/start_node.sh index e0c5625b2c..115b30817a 100755 --- a/start_node.sh +++ b/start_node.sh @@ -1,3 +1,4 @@ #!/bin/sh echo ENVIRONMENT="${ENVIRONMENT}" > /app/core-ui/active.env +echo BACKEND_URL="${BACKEND_URL}" >> /app/core-ui/active.env node backend-production.js diff --git a/vite.config.mts b/vite.config.mts index 70d9c27bdf..b0c46a9dd4 100644 --- a/vite.config.mts +++ b/vite.config.mts @@ -67,7 +67,6 @@ export default defineConfig({ }, define: { 'process.env.IS_DOCKER': JSON.stringify(process.env.IS_DOCKER || false), - 'process.env.BACKEND_URL': JSON.stringify(process.env.BACKEND_URL), }, }); From 6e305b4de21689b09071bab275226d597713dc00 Mon Sep 17 00:00:00 2001 
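Review bot: `echo BACKEND_URL="${BACKEND_URL}" >> /app/core-ui/active.env` copies a pod environment variable into a file that is served to every browser (the frontend fetches `/active.env` in `fetchActiveEnv`), and the identical line is added to `start_node.sh` in the next hunk. `BACKEND_URL` and `ENVIRONMENT` are not secrets, but the pattern invites the next variable to be one, so both scripts deserve a comment such as `# active.env is served to browsers as a static asset: only non-secret, public deployment settings belong here`. The parser on the client side expects one `KEY=value` per line, which is worth stating in the same comment since nothing here guards against a value containing a newline.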
From: Damian Badura Date: Mon, 30 Dec 2024 16:29:48 +0100 Subject: [PATCH 06/31] adjust k8s resources to use single image --- resources/base/backend/deployment.yaml | 53 - resources/base/backend/hpa.yaml | 26 - resources/base/backend/kustomization.yaml | 10 - resources/base/backend/service.yaml | 14 - .../base/{web => busola}/deployment.yaml | 22 +- resources/base/{web => busola}/hpa.yaml | 2 +- .../base/{web => busola}/kustomization.yaml | 4 - resources/base/{web => busola}/service.yaml | 8 +- ...builtin-resource-extensions.configmap.yaml | 9 - .../base/extensions-patch/kustomization.yaml | 14 - .../web-deployment.patch.yaml | 14 - resources/base/kustomization.yaml | 10 +- .../rule-sets/datree/rules.yaml | 3898 ----------------- .../rule-sets/default/policies.yaml | 66 - .../policies.yaml | 55 - .../rules.yaml | 679 --- .../resource-validation/rulesetSchema.json | 85 - start_nginx.sh | 1 - 18 files changed, 21 insertions(+), 4949 deletions(-) delete mode 100644 resources/base/backend/deployment.yaml delete mode 100644 resources/base/backend/hpa.yaml delete mode 100644 resources/base/backend/kustomization.yaml delete mode 100644 resources/base/backend/service.yaml rename resources/base/{web => busola}/deployment.yaml (64%) rename resources/base/{web => busola}/hpa.yaml (97%) rename resources/base/{web => busola}/kustomization.yaml (52%) rename resources/base/{web => busola}/service.yaml (57%) delete mode 100644 resources/base/extensions-patch/builtin-resource-extensions.configmap.yaml delete mode 100644 resources/base/extensions-patch/kustomization.yaml delete mode 100644 resources/base/extensions-patch/web-deployment.patch.yaml delete mode 100644 resources/base/resource-validation/rule-sets/datree/rules.yaml delete mode 100644 resources/base/resource-validation/rule-sets/default/policies.yaml delete mode 100644 resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml delete mode 100644 
resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml delete mode 100644 resources/base/resource-validation/rulesetSchema.json diff --git a/resources/base/backend/deployment.yaml b/resources/base/backend/deployment.yaml deleted file mode 100644 index 5dbed86d25..0000000000 --- a/resources/base/backend/deployment.yaml +++ /dev/null @@ -1,53 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: backend - labels: - app: backend -spec: - replicas: 1 - selector: - matchLabels: - app: backend - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - template: - metadata: - labels: - app: backend - spec: - containers: - - name: backend - image: busola-backend - imagePullPolicy: IfNotPresent - resources: - limits: - cpu: 1 - memory: 1Gi - requests: - cpu: 200m - memory: 128M - securityContext: - allowPrivilegeEscalation: false - privileged: false - ports: - - containerPort: 3001 - name: http-backend - protocol: TCP - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - env: - - name: ADDRESS - value: 0.0.0.0 - volumeMounts: - - name: config - mountPath: /app/config - volumes: - - name: config - configMap: - name: busola-config - items: - - key: config - path: config.yaml diff --git a/resources/base/backend/hpa.yaml b/resources/base/backend/hpa.yaml deleted file mode 100644 index 6b010cd9e1..0000000000 --- a/resources/base/backend/hpa.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler -metadata: - name: backend - labels: - app: busola -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: backend - minReplicas: 1 - maxReplicas: 11 - metrics: - - type: Resource - resource: - name: cpu - target: - type: Utilization - averageUtilization: 125 - - type: Resource - resource: - name: memory - target: - type: Utilization - averageUtilization: 125 
diff --git a/resources/base/backend/kustomization.yaml b/resources/base/backend/kustomization.yaml deleted file mode 100644 index bf609e1f6a..0000000000 --- a/resources/base/backend/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - deployment.yaml - - hpa.yaml - - service.yaml -images: - - name: busola-backend - newName: europe-docker.pkg.dev/kyma-project/prod/busola-backend - newTag: latest diff --git a/resources/base/backend/service.yaml b/resources/base/backend/service.yaml deleted file mode 100644 index 41b9205d85..0000000000 --- a/resources/base/backend/service.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: backend - labels: - app: backend -spec: - ports: - - port: 3001 - targetPort: 3001 - protocol: TCP - name: http - selector: - app: backend diff --git a/resources/base/web/deployment.yaml b/resources/base/busola/deployment.yaml similarity index 64% rename from resources/base/web/deployment.yaml rename to resources/base/busola/deployment.yaml index e93b1479d8..7136c300c4 100644 --- a/resources/base/web/deployment.yaml +++ b/resources/base/busola/deployment.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: web + name: busola labels: app: busola spec: @@ -16,7 +16,7 @@ spec: spec: containers: - name: busola - image: busola-web + image: busola imagePullPolicy: IfNotPresent env: - name: ENVIRONMENT @@ -25,15 +25,19 @@ spec: optional: true key: ENVIRONMENT name: environment - - name: BACKEND_URL - valueFrom: - configMapKeyRef: - optional: true - key: BACKEND_URL - name: busola-config + volumeMounts: + - name: config + mountPath: /app/config resources: requests: cpu: 100m memory: 21Mi ports: - - containerPort: 8080 + - containerPort: 3001 + volumes: + - name: config + configMap: + name: busola-config + items: + - key: config + path: config.yaml 
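Review bot: Resource limits and the `securityContext` (`allowPrivilegeEscalation: false`, `privileged: false`) that the deleted `resources/base/backend/deployment.yaml` carried are not present in the visible hunks of the renamed `busola` deployment, which now serves the Node backend on port 3001 with only the static-server request sizing (`cpu: 100m`, `memory: 21Mi`); nothing in this rename reintroduces them, so the single-image pod ends up less constrained than the two it replaces. Carrying the limits and security context over, and re-sizing the memory request for a Node process (the removed backend requested 128M), keeps the consolidated deployment at least as tight as before. The ingress is not listed in this commit's diffstat; if it still routes to services named `web` and `backend`, it will need to target `busola` on port 3001 after this change.

```yaml
          # … unchanged: env, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
          resources:
            requests:
              cpu: 100m
              memory: 21Mi # TODO: re-size for the Node backend; the removed backend deployment requested 128M
            limits:
              cpu: 1
              memory: 1Gi
          ports:
```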
diff --git a/resources/base/web/hpa.yaml b/resources/base/busola/hpa.yaml similarity index 97% rename from resources/base/web/hpa.yaml rename to resources/base/busola/hpa.yaml index d65e500215..681445e712 100644 --- a/resources/base/web/hpa.yaml +++ b/resources/base/busola/hpa.yaml @@ -1,7 +1,7 @@ apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: web + name: busola labels: app: busola spec: diff --git a/resources/base/web/kustomization.yaml b/resources/base/busola/kustomization.yaml similarity index 52% rename from resources/base/web/kustomization.yaml rename to resources/base/busola/kustomization.yaml index c89fd2c3ff..6a0888caff 100644 --- a/resources/base/web/kustomization.yaml +++ b/resources/base/busola/kustomization.yaml @@ -4,7 +4,3 @@ resources: - deployment.yaml - hpa.yaml - service.yaml -images: - - name: busola-web - newName: europe-docker.pkg.dev/kyma-project/prod/busola-web - newTag: latest diff --git a/resources/base/web/service.yaml b/resources/base/busola/service.yaml similarity index 57% rename from resources/base/web/service.yaml rename to resources/base/busola/service.yaml index 95fcfd898e..0168f1c4a2 100644 --- a/resources/base/web/service.yaml +++ b/resources/base/busola/service.yaml @@ -1,13 +1,13 @@ apiVersion: v1 kind: Service metadata: - name: web + name: busola labels: app: busola spec: ports: - - port: 8080 - name: http-web - targetPort: 8080 + - port: 3001 + name: http-busola + targetPort: 3001 selector: app: busola diff --git a/resources/base/extensions-patch/builtin-resource-extensions.configmap.yaml b/resources/base/extensions-patch/builtin-resource-extensions.configmap.yaml deleted file mode 100644 index 7058c48da1..0000000000 --- a/resources/base/extensions-patch/builtin-resource-extensions.configmap.yaml +++ /dev/null 
@@ -1,9 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: busola-builtin-resource-extensions - labels: - app.kubernetes.io/name: busola-builtin-resource-extensions - busola.io/extension: builtin-resources -data: - extensions.yaml: [] diff --git a/resources/base/extensions-patch/kustomization.yaml b/resources/base/extensions-patch/kustomization.yaml deleted file mode 100644 index 3a5d82821b..0000000000 --- a/resources/base/extensions-patch/kustomization.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - builtin-resource-extensions.configmap.yaml -patchesJson6902: - - target: - group: apps - version: v1 - kind: Deployment - name: web - path: web-deployment.patch.yaml - -bases: - - ../web diff --git a/resources/base/extensions-patch/web-deployment.patch.yaml b/resources/base/extensions-patch/web-deployment.patch.yaml deleted file mode 100644 index e90f94506b..0000000000 --- a/resources/base/extensions-patch/web-deployment.patch.yaml +++ /dev/null @@ -1,14 +0,0 @@ -- op: add - path: /spec/template/spec/containers/0/volumeMounts/1 - value: - name: extensions - mountPath: /app/core/assets/extensions -- op: add - path: /spec/template/spec/volumes/1 - value: - name: extensions - configMap: - name: busola-builtin-resource-extensions - items: - - key: extensions.yaml - path: extensions.yaml diff --git a/resources/base/kustomization.yaml b/resources/base/kustomization.yaml index 446976a60d..c325f63b5c 100644 --- a/resources/base/kustomization.yaml +++ b/resources/base/kustomization.yaml @@ -1,12 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - backend - - web + - busola images: - - name: busola-web - newName: europe-docker.pkg.dev/kyma-project/prod/busola-web - newTag: latest - - name: busola-backend - newName: europe-docker.pkg.dev/kyma-project/prod/busola-backend + - name: busola + newName: europe-docker.pkg.dev/kyma-project/prod/busola newTag: latest 
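Review bot: `newTag: latest` on the single `busola` image, combined with `imagePullPolicy: IfNotPresent` in the busola deployment, means a node that already holds a cached `latest` keeps running it across rollouts, and the manifest no longer records which build is deployed; the rule set deleted further down in this same commit flagged exactly this case (`CONTAINERS_MISSING_IMAGE_VALUE_VERSION`). Pin the image in the `images` transformer to a release tag or, better, a digest — `digest: sha256:<build-digest>` (placeholder) — so rollouts are deterministic and the running artifact can be checked against the registry. If `latest` is deliberate for local development, it belongs in a development overlay rather than in `base`.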
diff --git a/resources/base/resource-validation/rule-sets/datree/rules.yaml b/resources/base/resource-validation/rule-sets/datree/rules.yaml deleted file mode 100644 index d2d5520996..0000000000 --- a/resources/base/resource-validation/rule-sets/datree/rules.yaml +++ /dev/null 
@@ -1,3898 +0,0 @@ -# This file contains parts from the project datreeio https://github.com/datreeio/datree/blob/main/pkg/defaultRules/defaultRules.yaml available under Appache License 2.0 -# Copyright (c) Original author(s) @ https://github.com/datreeio/datree Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Modifications Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. 
- -# for autocompletion in VS Code -apiVersion: v1 -aliases: - - &standardKinds - properties: - kind: - enum: - - Deployment - - Pod - - DaemonSet - - StatefulSet - - ReplicaSet - - CronJob - - Job - - ¬KindSecret - properties: - kind: - not: - enum: - - Secret - # The following alias is used to prohibit a string from matching a given regex anywhere in the manifest - # make sure to use the $ref "#/definitions/regexes" in the schema definition to populate the regexes variable - - &recursiveDontAllowValue - type: object - additionalProperties: - if: - type: object - then: - '$ref': '#' - else: - if: - type: array - then: - items: - if: - type: object - then: - '$ref': '#' - else: - if: - type: string - then: - not: - '$ref': '#/definitions/regexes' - else: - if: - type: string - then: - not: - '$ref': '#/definitions/regexes' -rules: - - id: 1 - name: Ensure each container image has a pinned (tag) version - uniqueName: CONTAINERS_MISSING_IMAGE_VALUE_VERSION - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-image-pinned-version' - messageOnFailure: Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future - categories: - - cdk8s - complexity: easy - impact: When the version tag is missing, every time that the image is pulled it pulls the latest version which may break your code - schema: - definitions: - imageValuePattern: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - image: - # catch all strings with image tag version - pattern: "\\@sha.*|:(\\w|\\.|\\-)+$" - not: - # ignore `latest` as image tag version - pattern: '.*:(latest|LATEST)$' - allOf: - - $ref: '#/definitions/imageValuePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 2 - name: Ensure each container has a configured memory request - uniqueName: CONTAINERS_MISSING_MEMORY_REQUEST_KEY - enabledByDefault: true - 
documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-memory-request' - messageOnFailure: 'Missing property object `requests.memory` - value should be within the accepted boundaries recommended by the organization' - categories: - - Resources - complexity: hard - impact: Memory requests allow you to use memory resources efficiently and allocate a guaranteed minimum of computing resources for the pods running in your cluster - schema: - definitions: - memoryRequestPattern: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - resources: - properties: - requests: - type: object - properties: - memory: - type: - - string - - number - required: - - memory - required: - - requests - required: - - resources - allOf: - - $ref: '#/definitions/memoryRequestPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 3 - name: Ensure each container has a configured CPU request - uniqueName: CONTAINERS_MISSING_CPU_REQUEST_KEY - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cpu-request' - messageOnFailure: 'Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization' - categories: - - Resources - complexity: hard - impact: CPU requests allow you to use CPU resources efficiently and to allocate a guaranteed minimum of computing resources for the pods running in your cluster - schema: - definitions: - cpuRequestPattern: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - resources: - properties: - requests: - type: object - properties: - cpu: - type: - - string - - number - required: - - cpu - required: - - requests - required: - - resources - allOf: - - $ref: '#/definitions/cpuRequestPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 4 - name: Ensure each container has a configured memory limit - 
uniqueName: CONTAINERS_MISSING_MEMORY_LIMIT_KEY - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-memory-limit' - messageOnFailure: 'Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization' - categories: - - Resources - complexity: hard - impact: Without memory limits, the pods running in your cluster will not have a restriction on the max amount of memory consumption, which may result with OOM failures - schema: - definitions: - memoryLimitPattern: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - resources: - properties: - limits: - type: object - properties: - memory: - type: - - string - - number - required: - - memory - required: - - limits - required: - - resources - allOf: - - $ref: '#/definitions/memoryLimitPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 5 - name: Ensure each container has a configured CPU limit - uniqueName: CONTAINERS_MISSING_CPU_LIMIT_KEY - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cpu-limit' - messageOnFailure: 'Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization' - categories: - - Resources - complexity: hard - impact: Without CPU limits, the pods running in your cluster will not have a restriction on the max amount of CPU consumption, which may cause starvation of other pods in the same node - schema: - definitions: - cpuLimitPattern: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - resources: - properties: - limits: - type: object - properties: - cpu: - type: - - string - - number - required: - - cpu - required: - - limits - required: - - resources - allOf: - - $ref: '#/definitions/cpuLimitPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - 
id: 6 - name: 'Prevent Ingress from forwarding all traffic to a single container' - uniqueName: 'INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-ingress-forwarding-traffic-to-single-container' - messageOnFailure: 'Incorrect value for key `host` - specify host instead of using a wildcard character ("*")' - categories: - - cdk8s - complexity: medium - impact: Misconfiguring the ingress host can cause all traffic to be forwarded to a single pod instead of leveraging load-balancing capabilities - schema: - if: - properties: - kind: - enum: - - Ingress - then: - properties: - spec: - properties: - rules: - type: array - items: - properties: - host: - type: string - not: - enum: - - '*' - - id: 7 - name: Prevent Service from exposing node port - uniqueName: SERVICE_INCORRECT_TYPE_VALUE_NODEPORT - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-node-port' - messageOnFailure: 'Incorrect value for key `type` - `NodePort` will open a port on all nodes where it can be reached by the network external to the cluster' - categories: - - Other - complexity: easy - impact: Exposing a NodePort will open a network port on all nodes to be reached by the cluster's external network, which poses a security threat - schema: - if: - properties: - kind: - enum: - - Service - then: - properties: - spec: - properties: - type: - type: string - not: - enum: - - 'NodePort' - - id: 8 - name: Ensure CronJob scheduler is valid - uniqueName: CRONJOB_INVALID_SCHEDULE_VALUE - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cronjob-scheduler-valid' - messageOnFailure: 'Incorrect value for key `schedule` - the (cron) schedule expressions is not valid and, therefore, will not work as expected' - categories: - - cdk8s - complexity: easy - impact: An invalid cron schedule expression will prevent your jobs from being executed - schema: - if: - 
properties: - kind: - enum: - - 'CronJob' - then: - properties: - spec: - properties: - schedule: - # use cases to test the regex - https://regex101.com/r/K4d7Ju/1 - pattern: (^((\*\/)?([0-5]?[0-9])((\,|\-|\/)([0-5]?[0-9]))*|\*)\s+((\*\/)?((2[0-3]|1[0-9]|[0-9]|00))((\,|\-|\/)(2[0-3]|1[0-9]|[0-9]|00))*|\*)\s+((\*\/)?([1-9]|[12][0-9]|3[01])((\,|\-|\/)([1-9]|[12][0-9]|3[01]))*|\*)\s+((\*\/)?([1-9]|1[0-2])((\,|\-|\/)([1-9]|1[0-2]))*|\*|(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|des))\s+((\*\/)?[0-6]((\,|\-|\/)[0-6])*|\*|00|(sun|mon|tue|wed|thu|fri|sat))\s*$)|@(annually|yearly|monthly|weekly|daily|hourly|reboot) - - id: 9 - name: Ensure workload has valid label values - uniqueName: WORKLOAD_INVALID_LABELS_VALUE - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-labels-value-valid' - messageOnFailure: "Incorrect value for key(s) under `labels` - the value's syntax is not valid so the Kubernetes engine will not accept it" - categories: - - cdk8s - complexity: easy - impact: If an object's labels do not follow Kubernetes label syntax requirements, it will not be applied properly - schema: - if: *standardKinds - then: - properties: - metadata: - properties: - labels: - patternProperties: - ^.*$: - format: hostname - additionalProperties: false - - id: 10 - name: 'Ensure deployment-like resource is using a valid restart policy' - uniqueName: 'WORKLOAD_INCORRECT_RESTARTPOLICY_VALUE_ALWAYS' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-valid-restart-policy' - messageOnFailure: 'Incorrect value for key `restartPolicy` - any other value than `Always` is not supported by this resource' - categories: - - cdk8s - complexity: easy - impact: A workload with a 'restartPolicy' value other than 'Always' is invalid and will not be applied properly - schema: - if: - properties: - kind: - enum: - - Deployment - - ReplicaSet - - DaemonSet - - ReplicationController - then: - properties: - spec: - properties: 
- template: - properties: - spec: - properties: - restartPolicy: - enum: - - 'Always' - - id: 11 - name: Ensure each container has a configured liveness probe - uniqueName: CONTAINERS_MISSING_LIVENESSPROBE_KEY - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-liveness-probe' - messageOnFailure: 'Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks' - categories: - - Probes - complexity: hard - impact: When liveness probes aren't set, Kubernetes can't determine when a pod should be restarted, which can result with an unavailable application - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - items: - required: - - livenessProbe - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 12 - name: Ensure each container has a configured readiness probe - uniqueName: CONTAINERS_MISSING_READINESSPROBE_KEY - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-readiness-probe' - messageOnFailure: 'Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic' - categories: - - Probes - complexity: hard - impact: Readiness probes allow Kubernetes to determine when a pod is ready to accept traffic. 
This ensures that client requests will not be routed to pods that are unable to process them - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - items: - required: - - readinessProbe - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 13 - name: Ensure HPA has minimum replicas configured - uniqueName: HPA_MISSING_MINREPLICAS_KEY - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-hpa-minimum-replicas' - messageOnFailure: 'Missing property object `minReplicas` - the value should be within the accepted boundaries recommended by the organization' - categories: - - Other - complexity: medium - impact: The minimum replicas range must be set to prevent unintended scaling down scenarios - schema: - if: - properties: - kind: - enum: - - HorizontalPodAutoscaler - then: - properties: - spec: - required: - - minReplicas - - id: 14 - name: Ensure HPA has maximum replicas configured - uniqueName: HPA_MISSING_MAXREPLICAS_KEY - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-hpa-maximum-replicas' - messageOnFailure: 'Missing property object `maxReplicas` - the value should be within the accepted boundaries recommended by the organization' - categories: - - Other - complexity: medium - impact: The maximum replicas range must be set to prevent unintended scaling up scenarios - schema: - if: - properties: - kind: - enum: - - HorizontalPodAutoscaler - then: - properties: - spec: - required: - - maxReplicas - - id: 15 - name: Prevent workload from using the default namespace - uniqueName: WORKLOAD_INCORRECT_NAMESPACE_VALUE_DEFAULT - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deafult-namespce' - messageOnFailure: Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`) - categories: - 
- cdk8s - - CIS - complexity: medium - impact: All objects that do not specify an explicit namespace will be applied to the 'default' namespace. This can cause a messy cluster with configuration overlaps - schema: - if: *standardKinds - then: - properties: - metadata: - properties: - namespace: - not: - enum: - - 'default' - - id: 16 - name: 'Ensure Deployment has more than one replica configured' - uniqueName: 'DEPLOYMENT_INCORRECT_REPLICAS_VALUE' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-minimum-two-replicas' - messageOnFailure: 'Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service' - categories: - - cdk8s - complexity: medium - impact: When running two or more replicas per service, you are increasing the availability of the containerized service by not relying on a single pod to do all of the work - schema: - if: - properties: - kind: - enum: - - Deployment - then: - properties: - spec: - properties: - replicas: - minimum: 2 - - id: 17 - name: 'Ensure CronJob has a configured deadline' - uniqueName: 'CRONJOB_MISSING_STARTINGDEADLINESECOND_KEY' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cronjob-deadline' - messageOnFailure: 'Missing property object `startingDeadlineSeconds` - set a time limit to the cron execution to allow killing it if exceeded' - categories: - - Other - complexity: medium - impact: Setting a deadline can reduce the number of missed schedules needed to mark a CronJob as a failure while also increasing its reliability - schema: - if: - properties: - kind: - enum: - - CronJob - then: - properties: - spec: - properties: - startingDeadlineSeconds: - type: number - required: - - startingDeadlineSeconds - - id: 18 - name: 'Prevent deprecated APIs in Kubernetes v1.16' - uniqueName: 'K8S_DEPRECATED_APIVERSION_1.16' - enabledByDefault: true - documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-deprecated-k8s-api-116' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version you are trying to use is not supported by the Kubernetes cluster version (>=1.16)' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - apiextensions.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CustomResourceDefinition - - if: - properties: - apiVersion: - enum: - - admissionregistration.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - MutatingWebhookConfiguration - - ValidatingWebhookConfiguration - - id: 19 - name: 'Prevent deprecated APIs in Kubernetes v1.17' - uniqueName: 'K8S_DEPRECATED_APIVERSION_1.17' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-k8s-api-117' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version you are trying to use is not supported by the Kubernetes cluster version (>=1.17)' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - rbac.authorization.k8s.io/v1alpha1 - then: - properties: - kind: - not: - enum: - - ClusterRoleBinding - - ClusterRole - - ClusterRoleBindingList - - ClusterRoleList - - Role - - RoleBinding - - RoleList - - RoleBindingList - - if: - properties: - apiVersion: - enum: - - rbac.authorization.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - ClusterRoleBinding - - ClusterRole - - ClusterRoleBindingList - - ClusterRoleList - - Role - - RoleBinding - - RoleList - - RoleBindingList - - if: - properties: - apiVersion: - enum: - - storage.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CSINode - - id: 20 - name: 'Prevent containers from 
having root access capabilities' - uniqueName: 'CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-privileged-containers' - messageOnFailure: 'Incorrect value for key `privileged` - this mode will allow the container the same access as processes running on the host' - categories: - - CIS - complexity: easy - impact: Processes running in privileged containers have access to host-level resources such as the file system. These containers are much more secure when their access is limited to the pod level - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - privileged: - not: - enum: - - true - - 'true' - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 21 - name: Ensure workload has a configured `owner` label - uniqueName: WORKLOAD_MISSING_LABEL_OWNER_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-owner-label' - messageOnFailure: 'Missing label object `owner` - add a proper owner label to know which person/team to ping when needed' - categories: - - Other - complexity: easy - impact: An owner label is great for financial and operational ownership, and makes it easier to alert the relevant team or team member when necessary - schema: - if: *standardKinds - then: - properties: - metadata: - properties: - labels: - required: - - owner - - id: 22 - name: Ensure Deployment has a configured `env` label - uniqueName: DEPLOYMENT_MISSING_LABEL_ENV_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-env-label' - messageOnFailure: 'Missing label object `env` - add a proper environment description (e.g. "prod", "testing", etc.) 
to the Deployment config' - categories: - - Other - complexity: easy - impact: Having an env label is useful for performing bulk operations in specific environments or for filtering Deployments according to their stage - schema: - if: - properties: - kind: - enum: - - Deployment - then: - properties: - metadata: - properties: - labels: - required: - - env - required: - - labels - required: - - metadata - - id: 23 - name: Ensure each container image has a digest tag - uniqueName: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-digest-tag' - messageOnFailure: 'Incorrect value for key `image` - add a digest tag (starts with `@sha256:`) to represent an immutable version of the image' - categories: - - Other - complexity: medium - impact: The digest uniquely identifies a specific version sha of the image, so it will never be tampered - schema: - definitions: - imageValuePattern: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - image: - pattern: .*\@sha256\:\S{64}$ - allOf: - - $ref: '#/definitions/imageValuePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 24 - name: 'Prevent CronJob from executing jobs concurrently' - uniqueName: 'CRONJOB_MISSING_CONCURRENCYPOLICY_KEY' - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-cronjob-concurrency' - messageOnFailure: Missing property object `concurrencyPolicy` - the behavior will be more deterministic if jobs won't run concurrently - categories: - - Other - complexity: easy - impact: Preventing your CronJobs from running concurrently will cause their behavior to be more deterministic and avoid race conditions - schema: - if: - properties: - kind: - enum: - - CronJob - then: - properties: - spec: - properties: - concurrencyPolicy: - enum: - - 'Forbid' - - 'Replace' - required: - - concurrencyPolicy - - id: 25 - name: 
'Prevent deploying naked pods' - uniqueName: 'K8S_INCORRECT_KIND_VALUE_POD' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-naked-pods' - messageOnFailure: Incorrect value for key `kind` - raw pod won't be rescheduled in the event of a node failure - categories: - - cdk8s - complexity: medium - impact: Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production - schema: - properties: - kind: - type: string - not: - enum: - - 'Pod' - - id: 26 - name: Prevent containers from sharing the host's PID namespace - uniqueName: 'CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-using-host-pid' - messageOnFailure: Incorrect value for key `hostPID` - running on the host's PID namespace enables access to sensitive information from processes running outside the container - categories: - - CIS - complexity: easy - impact: When a container is allowed to share its hosts PID namespace, it can see and may even kill processes running on the host outside of the container - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - hostPID: - not: - enum: - - true - - 'true' - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 27 - name: 'Prevent containers from sharing the host`s IPC namespace' - uniqueName: 'CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-using-host-ipc' - messageOnFailure: 'Incorrect value for key `hostIPC` - running on the host`s IPC namespace can be (maliciously) used to interact with other processes running outside the container' - categories: - - CIS - complexity: easy - impact: When a container is allowed to share its host's IPC namespace, it has access to other 
processes running outside of the container - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - hostIPC: - not: - enum: - - true - - 'true' - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 28 - name: Prevent containers from sharing the host's network namespace - uniqueName: 'CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-using-host-network' - messageOnFailure: Incorrect value for key `hostNetwork` - running on the host's network namespace can allow a compromised container to sniff network traffic - categories: - - CIS - complexity: easy - impact: When a container is allowed to share its host's network namespace, it can leverage the host's local network to do malicious stuff - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - hostNetwork: - not: - enum: - - true - - 'true' - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 29 - name: 'Prevent containers from accessing host files by using high UIDs' - uniqueName: 'CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-uid-conflicts' - messageOnFailure: 'Incorrect value for key `runAsUser` - value should be above 9999 to reduce the likelihood that the UID is already taken' - categories: - - NSA - complexity: medium - impact: With a high UID number, a container is blocked from accessing host-based files even if it manages to gain access to a host's file system - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - runAsUser: - minimum: 10000 - allOf: - - $ref: 
'#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 30 - name: 'Prevent containers from mounting Docker socket' - uniqueName: 'CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-mounting-docker-socket' - messageOnFailure: 'Incorrect value for key `path` - avoid mounting the docker.socket because it can allow container breakout' - categories: - - Other - complexity: medium - impact: When a container has access to the Docker socket, it can effectively manage other containers on the host - schema: - definitions: - specContainers: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - properties: - volumeMounts: - type: array - items: - properties: - mountPath: - not: - enum: - - '/var/run/docker.sock' - specVolumes: - if: *standardKinds - then: - properties: - spec: - properties: - volumes: - type: array - items: - properties: - hostPath: - properties: - path: - not: - enum: - - '/var/run/docker.sock' - allOf: - - $ref: '#/definitions/specContainers' - - $ref: '#/definitions/specVolumes' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 31 - name: 'Prevent ConfigMap security vulnerability (CVE-2021-25742)' - uniqueName: 'CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-configmap-security-vulnerability-cve-2021-25742' - messageOnFailure: Missing property object `allow-snippet-annotations` - set it to "false" to override default behaviour - categories: - - CVE - complexity: easy - impact: Users with the ability to create or update NGINX ingress objects can use the custom snippets feature to obtain secrets in the cluster - schema: - if: - properties: - kind: - enum: - - ConfigMap - metadata: - anyOf: - - properties: - name: - enum: - - nginx-config - - nginx-conf - - 
ingress-nginx-controller - required: - - name - - properties: - namespace: - enum: - - ingress-nginx - - nginx-ingress - required: - - namespace - then: - properties: - data: - properties: - allow-snippet-annotations: - enum: - - 'false' - required: - - allow-snippet-annotations - required: - - data - - id: 32 - name: 'Prevent Ingress security vulnerability (CVE-2021-25742)' - uniqueName: 'INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-ingress-security-vulnerability-cve-2021-25742' - messageOnFailure: Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed - categories: - - CVE - complexity: easy - impact: A vulnerability has been found that when exploited, attackers can use the custom snippets feature to obtain all secrets in the cluster - schema: - if: - properties: - kind: - enum: - - Ingress - then: - properties: - metadata: - properties: - annotations: - propertyNames: - not: - pattern: ^.*server-snippet$ - - id: 33 - name: 'Prevent container security vulnerability (CVE-2021-25741)' - uniqueName: 'CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-container-security-vulnerability-cve-2021-25741' - messageOnFailure: Forbidden property object `subPath` - malicious users can gain access to files & directories outside of the volume - categories: - - CVE - complexity: hard - impact: A vulnerability has been found that when exploited, attackers can gain access to the host filesystem and compromise the cluster - schema: - definitions: - subPathPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - volumeMounts: - type: array - items: - propertyNames: - not: - pattern: ^subPath$ - allOf: - - $ref: '#/definitions/subPathPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 34 - name: 
'Prevent EndpointSlice security vulnerability (CVE-2021-25737)' - uniqueName: 'ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE' - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-endpointslice-validation-from-enabling-host-network-hijack-cve-2021-25737' - messageOnFailure: Incorrect value for key `addresses` - IP address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16) - categories: - - CVE - complexity: hard - impact: A vulnerability has been found that when exploited, attackers can hijack your cluster’s network traffic, potentially leading to sensitive data leaks - schema: - if: - properties: - kind: - enum: - - EndpointSlice - then: - properties: - endpoints: - type: array - items: - properties: - addresses: - type: array - items: - not: - anyOf: - - pattern: ^(169\.254\.) - - pattern: ^(127\.) - - id: 35 - name: 'Ensure Workflow DAG fail-fast on node failure' - uniqueName: 'ARGO_WORKFLOW_INCORRECT_FAILFAST_VALUE_FALSE' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-workflow-dag-fail-fast-on-node-failure - messageOnFailure: Incorrect value for key `failFast` - value should be `true` to prevent DAG from running on all branches, regardless of the failed outcomes of the DAG branches - categories: - - Argo - complexity: easy - impact: When failFast is set to false, it will allow a DAG to run all branches of the DAG to completion, regardless of the failed outcomes of branches in the DAG - schema: - if: - properties: - kind: - enum: - - Workflow - spec: - properties: - templates: - type: array - items: - properties: - dag: - properties: - failFast: - required: - - failFast - then: - properties: - spec: - properties: - templates: - type: array - items: - properties: - dag: - properties: - failFast: - const: true - - id: 36 - name: 'Prevent Workflow pods from using the default service account' - uniqueName: 'ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT' - 
enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/prevent-workflow-pods-from-using-the-default-service-account - messageOnFailure: Incorrect value for key `serviceAccountName` - when set to `default` container is exposed to possible attacks - categories: - - Argo - complexity: hard - impact: When serviceAccount is set to default, the workflow is able to interact with the Kubernetes API server, which creates a great way for attackers with access to a single container to abuse K8s - schema: - if: - properties: - kind: - enum: - - WorkflowTemplate - - Workflow - then: - properties: - spec: - properties: - serviceAccountName: - type: string - not: - const: default - required: - - serviceAccountName - - id: 37 - name: 'Ensure ConfigMap is recognized by ArgoCD' - uniqueName: 'ARGO_CONFIGMAP_MISSING_PART_OF_LABEL_VALUE_ARGOCD' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-configmap-is-recognized-by-argocd - messageOnFailure: Incorrect value for annotation `app.kubernetes.io/part-of` - value should be `argocd`, or ArgoCD won't recognize this resource - categories: - - Argo - complexity: easy - impact: 'A relevant ConfigMap resource that isn’t labeled with app.kubernetes.io/part-of: argocd will not be used by Argo CD' - schema: - if: - properties: - kind: - enum: - - ConfigMap - metadata: - properties: - name: - enum: - - argocd-tls-certs-cm - - argocd-rbac-cm - - argocd-ssh-known-hosts-cm - - argocd-cmd-params-cm - - argocd-cm - then: - properties: - metadata: - properties: - labels: - properties: - app.kubernetes.io/part-of: - type: string - const: argocd - required: - - app.kubernetes.io/part-of - - id: 38 - name: 'Ensure Rollout pause step has a configured duration' - uniqueName: 'ARGO_ROLLOUT_MISSING_PAUSE_DURATION' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-rollout-pause-step-has-a-configured-duration - messageOnFailure: Missing the key `duration` 
- prevent the rollout from waiting indefinitely for the pause condition - categories: - - Argo - complexity: easy - impact: If the duration field within the pause struct isn't set, the rollout will wait indefinitely until that Pause condition is removed - schema: - if: - properties: - kind: - enum: - - Rollout - then: - properties: - spec: - properties: - strategy: - properties: - canary: - type: object - properties: - steps: - type: array - items: - properties: - pause: - type: object - properties: - duration: - type: string - required: - - duration - - id: 39 - name: 'Ensure Application and AppProject are part of the argocd namespace' - uniqueName: 'ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-application-and-appproject-are-part-of-the-argocd-namespace - messageOnFailure: Incorrect value for property `namespace` - Application and AppProject have to be installed on the argocd namespace - categories: - - Argo - complexity: easy - impact: Application and AppProject instances, must be installed in the same namespace where argo was installed to be recognized by Argo - schema: - if: - properties: - kind: - enum: - - Application - - AppProject - then: - properties: - metadata: - properties: - namespace: - type: string - const: argocd - required: - - namespace - - id: 40 - name: 'Prevent Workflow from having an empty retry strategy' - uniqueName: 'ARGO_WORKFLOW_INCORRECT_RETRY_STRATEGY_VALUE_EMPTY' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/prevent-workflow-from-having-an-empty-retry-strategy - messageOnFailure: Incorrect value for key `retryStrategy` - empty value (`{}`) can cause failed/errored steps to keep retrying, which can result in OOM issues - categories: - - Argo - complexity: medium - impact: Empty retryStrategy will cause a container to retry until completion and eventually cause OOM issues - schema: - if: - properties: - kind: - 
enum: - - Workflow - then: - properties: - spec: - properties: - templates: - items: - properties: - retryStrategy: - type: object - minProperties: 1 - - id: 41 - name: 'Ensure Rollout has revision history set' - uniqueName: 'ARGO_WORKFLOW_INCORRECT_REVISION_HISTORY_LIMIT_VALUE_0' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-rollout-has-revision-history-set - messageOnFailure: Incorrect value for key `revisionHistoryLimit` - value above 0 is required to enable rolling back from a failed deployment - categories: - - Argo - complexity: medium - impact: A new Deployment rollout cannot be undone, since its revision history is cleaned up - schema: - if: - properties: - kind: - enum: - - Rollout - then: - properties: - spec: - properties: - revisionHistoryLimit: - minimum: 1 - required: - - revisionHistoryLimit - - id: 42 - name: 'Ensure Rollout allows broadcasting IP table changes' - uniqueName: 'ARGO_ROLLOUT_INCORRECT_SCALE_DOWN_DELAY_VALUE_BELOW_30' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-rollout-allows-broadcasting-ip-table-changes - messageOnFailure: Incorrect value for key `scaleDownDelaySeconds` - value should be at least 30 to prevent packets from being sent to a node that killed the pod - categories: - - Argo - complexity: easy - impact: A minimum of 30 seconds is recommended to prevent packets from being sent to a node that killed an old pod - schema: - if: - properties: - kind: - enum: - - Rollout - then: - properties: - spec: - properties: - strategy: - properties: - blueGreen: - type: object - properties: - scaleDownDelaySeconds: - type: integer - minimum: 30 - required: - - scaleDownDelaySeconds - - id: 43 - name: 'Ensure Rollout that is marked as degraded scales down ReplicaSet' - uniqueName: 'ARGO_ROLLOUT_INCORRECT_PROGRESS_DEADLINE_ABORT_VALUE_FALSE' - enabledByDefault: false - documentationUrl: 
https://hub.datree.io/built-in-rules/ensure-rollout-that-is-marked-as-degraded-scales-down-replicaset - messageOnFailure: Incorrect value for key `progressDeadlineAbort` - value should be `true` to prevent the rollout pod from retrying indefinitely - categories: - - Argo - complexity: medium - impact: Prevent pods from indefinitely retrying to rollout, when the pod is stuck on error state - schema: - if: - properties: - kind: - enum: - - Rollout - spec: - properties: - allOf: - properties: - progressDeadlineSeconds: - type: integer - then: - properties: - spec: - properties: - progressDeadlineAbort: - const: true - required: - - progressDeadlineAbort - - id: 44 - name: Ensure Workflow retry policy catches relevant errors only - uniqueName: 'ARGO_WORKFLOW_ENSURE_RETRY_ON_BOTH_ERROR_AND_TRANSIENT_ERROR' - enabledByDefault: false - documentationUrl: https://hub.datree.io/built-in-rules/ensure-workflow-retry-policy-catches-relevant-errors-only - messageOnFailure: Incorrect value for key `retryPolicy` - the expression should include retry on steps that failed either on transient or Argo controller errors - categories: - - Argo - complexity: medium - impact: When setting Argo's `retryPolicy` to Always, you should also set a proper expression to filter out unnecessary errors - schema: - if: - allOf: - - properties: - kind: - enum: - - Workflow - - properties: - spec: - properties: - templates: - type: array - contains: - properties: - retryStrategy: - properties: - retryPolicy: - const: Always - then: - properties: - spec: - properties: - templates: - type: array - contains: - properties: - retryStrategy: - properties: - retryPolicy: - const: Always - expression: - const: lastRetry.status == "Error" or (lastRetry.status == "Failed" and asInt(lastRetry.exitCode) not in [0]) - required: - - retryPolicy - - expression - - id: 45 - name: Ensure each container has a read-only root filesystem - uniqueName: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE - enabledByDefault: 
false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-read-only-filesystem' - messageOnFailure: Incorrect value for key `readOnlyRootFilesystem` - set to 'true' to protect filesystem from potential attacks - categories: - - NSA - - cdk8s - - EKS - complexity: easy - impact: An immutable root filesystem prevents attackers from being able to tamper with the filesystem or write foreign executables to disk - schema: - definitions: - containerSecurityPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - readOnlyRootFilesystem: - const: true - required: - - readOnlyRootFilesystem - required: - - securityContext - allOf: - - $ref: '#/definitions/containerSecurityPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 46 - name: Prevent containers from accessing underlying host - uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPATH - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-accessing-underlying-host' - messageOnFailure: Invalid key `hostPath` - refrain from using this mount to prevent an attack on the underlying host - categories: - - NSA - - cdk8s - - CIS - complexity: easy - impact: Using a hostPath mount can enable attackers to break from the container and gain access to the underlying host - schema: - definitions: - specVolumePattern: - properties: - spec: - properties: - volumes: - type: array - items: - not: - required: - - hostPath - allOf: - - $ref: '#/definitions/specVolumePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 47 - name: Prevent containers from escalating privileges - uniqueName: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-escalating-privileges' - messageOnFailure: Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container 
privileges - categories: - - NSA - - cdk8s - - EKS - - CIS - complexity: easy - impact: In their default state, containers allow privilege escalation. Attackers may use this to manipulate the application and to gain more permissions than they should have - schema: - definitions: - specContainerPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - allowPrivilegeEscalation: - const: false - required: - - allowPrivilegeEscalation - required: - - securityContext - allOf: - - $ref: '#/definitions/specContainerPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 48 - name: Prevent containers from allowing command execution - uniqueName: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-allowing-command-execution' - messageOnFailure: 'Incorrect value for key `resources` and/or `verbs` - allowing containers to run the exec command can be exploited by attackers' - categories: - - NSA - complexity: easy - impact: "'kubectl exec' allows a user to execute a command in a container. 
Attackers with permissions could run 'kubectl exec' to execute malicious code and compromise resources within a cluster" - schema: - if: - properties: - kind: - enum: - - Role - - ClusterRole - then: - properties: - rules: - type: array - items: - properties: - resources: - type: array - not: - items: - enum: - - '*' - - 'pods/exec' - verbs: - type: array - not: - items: - enum: - - 'create' - - '*' - - id: 49 - name: Prevent containers from having insecure capabilities - uniqueName: CONTAINERS_INVALID_CAPABILITIES_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-insecure-capabilities' - messageOnFailure: 'Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components' - categories: - - NSA - - CIS - complexity: easy - impact: Giving containers unnecessary capabilities may compromise them and allow attackers access to sensitive components - schema: - definitions: - specContainerPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - capabilities: - properties: - add: - type: array - items: - not: - enum: - - 'SETPCAP' - - 'NET_ADMIN' - - 'NET_RAW' - - 'SYS_MODULE' - - 'SYS_RAWIO' - - 'SYS_PTRACE' - - 'SYS_ADMIN' - - 'SYS_BOOT' - - 'MAC_OVERRIDE' - - 'MAC_ADMIN' - - 'PERFMON' - - 'ALL' - - 'BPF' - allOf: - - $ref: '#/definitions/specContainerPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 50 - name: Prevent containers from insecurely exposing workload - uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPORT - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-insecurely-exposing-workload' - messageOnFailure: 'Incorrect key `hostPort` - refrain from using this key to prevent insecurely exposing your workload' - categories: - - NSA - - cdk8s - - CIS - complexity: easy - impact: With the hostPort defined, the workloads become exposed as the 
node, but without the firewall rules and access control attached to the host - schema: - definitions: - specContainerPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - ports: - type: array - items: - not: - required: - - hostPort - initContainers: - type: array - items: - properties: - ports: - type: array - items: - not: - required: - - hostPort - ephemeralContainers: - type: array - items: - properties: - ports: - type: array - items: - not: - required: - - hostPort - allOf: - - $ref: '#/definitions/specContainerPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 51 - name: Prevent containers from accessing host files by using high GIDs - uniqueName: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-accessing-host-files-by-using-high-gids' - messageOnFailure: 'Invalid value for key `runAsGroup` - must be greater than 999 to ensure container is running with non-root group membership' - categories: - - NSA - complexity: medium - impact: With a high GID number, a container is blocked from accessing host-based files even if it manages to gain access to a host's file system - schema: - definitions: - specContainerPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - runAsGroup: - minimum: 1000 - podSecurityContextPattern: - if: - properties: - kind: - enum: - - Pod - required: - - kind - then: - properties: - spec: - properties: - securityContext: - properties: - runAsGroup: - minimum: 1000 - - allOf: - - $ref: '#/definitions/specContainerPattern' - - $ref: '#/definitions/podSecurityContextPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 52 - name: Prevent container from running with root privileges - uniqueName: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE - enabledByDefault: false - documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-running-with-root-privileges' - messageOnFailure: 'Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges' - categories: - - NSA - - CIS - complexity: easy - impact: Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges - schema: - definitions: - containerSecurityPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - runAsNonRoot: - const: true - required: - - runAsNonRoot - required: - - securityContext - podSecurityContextPattern: - if: - properties: - kind: - enum: - - Pod - required: - - kind - then: - properties: - spec: - properties: - securityContext: - properties: - runAsNonRoot: - const: true - required: - - runAsNonRoot - allOf: - - $ref: '#/definitions/containerSecurityPattern' - - $ref: '#/definitions/podSecurityContextPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 53 - name: Prevent service account token auto-mounting on pods - uniqueName: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-service-account-token-auto-mount' - messageOnFailure: 'Invalid value for key `automountServiceAccountToken` - must be set to `false` to prevent granting unnecessary access to the service account' - categories: - - NSA - - EKS - - CIS - complexity: easy - impact: If an application is compromised, account tokens in Pods can be stolen and used to further compromise the cluster. 
When an application does not need to access the service account directly, token mounting should be disabled - schema: - definitions: - podPattern: - if: - properties: - kind: - enum: - - Pod - then: - properties: - spec: - properties: - automountServiceAccountToken: - const: false - required: - - automountServiceAccountToken - serviceAccountPattern: - if: - properties: - kind: - enum: - - ServiceAccount - then: - properties: - automountServiceAccountToken: - const: false - required: - - automountServiceAccountToken - allOf: - - $ref: '#/definitions/podPattern' - - $ref: '#/definitions/serviceAccountPattern' - - id: 54 - name: Ensure resource has a configured name - uniqueName: RESOURCE_MISSING_NAME - enabledByDefault: true - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-resource-name' - messageOnFailure: 'Missing key `name` or `generateName` - one of them must be set to apply resource to a cluster' - categories: - - cdk8s - complexity: easy - impact: Configurations that miss this property will pass k8s schema validation, but will fail when pushed into a cluster (i.e. 
when running kubectl apply/create) - schema: - definitions: - metadataNamePattern: - properties: - metadata: - type: object - properties: - name: - type: string - required: - - name - required: - - metadata - metadataGenerateNamePattern: - properties: - metadata: - type: object - properties: - generateName: - type: string - required: - - generateName - required: - - metadata - if: - properties: - kind: - not: - enum: - - Kustomization - then: - anyOf: - - $ref: '#/definitions/metadataNamePattern' - - $ref: '#/definitions/metadataGenerateNamePattern' - - id: 55 - name: Ensure each container probe has an initial delay configured - uniqueName: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-initial-probe-delay' - messageOnFailure: 'Incorrect value for key `initialDelaySeconds` - set explicitly to control the start time before a probe is initiated (min 0)' - categories: - - Probes - complexity: medium - impact: "`initialDelaySeconds` defines the number of seconds after the container has started before liveness or readiness probes are initiated. 
It's recommended to set this value explicitly and not rely on the default value (0)" - schema: - definitions: - probePattern: - if: - properties: - spec: - properties: - containers: - items: - anyOf: - - required: - - livenessProbe - - required: - - readinessProbe - - required: - - startupProbe - then: - properties: - spec: - properties: - containers: - items: - properties: - livenessProbe: - properties: - initialDelaySeconds: - minimum: 0 - required: - - initialDelaySeconds - readinessProbe: - properties: - initialDelaySeconds: - minimum: 0 - required: - - initialDelaySeconds - startupProbe: - properties: - initialDelaySeconds: - minimum: 0 - required: - - initialDelaySeconds - allOf: - - $ref: '#/definitions/probePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 56 - name: Ensure each container probe has a configured frequency - uniqueName: CONTAINERS_INCORRECT_PERIODSECONDS_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-frequency' - messageOnFailure: 'Incorrect value for key `periodSeconds` - set explicitly to control how often a probe is performed (min 1)' - categories: - - Probes - complexity: medium - impact: "`periodSeconds` defines how often (in seconds) the kubelet should perform a liveness probe. 
It's recommended to set this value explicitly and not rely on the default value (10)" - schema: - definitions: - probePattern: - if: - properties: - spec: - properties: - containers: - items: - anyOf: - - required: - - livenessProbe - - required: - - readinessProbe - - required: - - startupProbe - then: - properties: - spec: - properties: - containers: - items: - properties: - livenessProbe: - properties: - periodSeconds: - minimum: 1 - required: - - periodSeconds - readinessProbe: - properties: - periodSeconds: - minimum: 1 - required: - - periodSeconds - startupProbe: - properties: - periodSeconds: - minimum: 1 - required: - - periodSeconds - allOf: - - $ref: '#/definitions/probePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 57 - name: Ensure each container probe has a configured timeout - uniqueName: CONTAINERS_INCORRECT_TIMEOUTSECONDS_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-timeout' - messageOnFailure: 'Incorrect value for key `timeoutSeconds` - set explicitly to control when a probe times out (min 1)' - categories: - - Probes - complexity: medium - impact: "`timeoutSeconds` defines the number of seconds after which the probe times out. 
It's recommended to set this value explicitly and not rely on the default value (1)" - schema: - definitions: - probePattern: - if: - properties: - spec: - properties: - containers: - items: - anyOf: - - required: - - livenessProbe - - required: - - readinessProbe - - required: - - startupProbe - then: - properties: - spec: - properties: - containers: - items: - properties: - livenessProbe: - properties: - timeoutSeconds: - minimum: 1 - required: - - timeoutSeconds - readinessProbe: - properties: - timeoutSeconds: - minimum: 1 - required: - - timeoutSeconds - startupProbe: - properties: - timeoutSeconds: - minimum: 1 - required: - - timeoutSeconds - allOf: - - $ref: '#/definitions/probePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 58 - name: Ensure each container probe has a configured minimum success threshold - uniqueName: CONTAINERS_INCORRECT_SUCCESSTHRESHOLD_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-min-success-threshold' - messageOnFailure: 'Incorrect value for key `successThreshold` - set explicitly to control when a probe is considered successful after having failed' - categories: - - Probes - complexity: medium - impact: "`successThreshold` defines the minimum consecutive successes required for the probe to be successful after failing. 
It's recommended to set this value explicitly and not rely on the default value (1)" - schema: - definitions: - probePattern: - if: - properties: - spec: - properties: - containers: - items: - anyOf: - - required: - - livenessProbe - - required: - - readinessProbe - - required: - - startupProbe - then: - properties: - spec: - properties: - containers: - items: - properties: - livenessProbe: - properties: - successThreshold: - const: 1 - required: - - successThreshold - readinessProbe: - properties: - successThreshold: - minimum: 1 - required: - - successThreshold - startupProbe: - properties: - successThreshold: - const: 1 - required: - - successThreshold - allOf: - - $ref: '#/definitions/probePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 59 - name: Ensure each container probe has a configured failure threshold - uniqueName: CONTAINERS_INCORRECT_FAILURETHRESHOLD_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-failure-threshold' - messageOnFailure: 'Incorrect value for key `failureThreshold` - set explicitly to control the number of retries after a probe fails (min 1)' - categories: - - Probes - complexity: medium - impact: "`failureThreshold` defines the number of times Kubernetes will try to initialize a failed probe before giving up. 
It's recommended to set this value explicitly and not rely on the default value (3)" - schema: - definitions: - probePattern: - if: - properties: - spec: - properties: - containers: - items: - anyOf: - - required: - - livenessProbe - - required: - - readinessProbe - - required: - - startupProbe - then: - properties: - spec: - properties: - containers: - items: - properties: - livenessProbe: - properties: - failureThreshold: - minimum: 1 - required: - - failureThreshold - readinessProbe: - properties: - failureThreshold: - minimum: 1 - required: - - failureThreshold - startupProbe: - properties: - failureThreshold: - minimum: 1 - required: - - failureThreshold - allOf: - - $ref: '#/definitions/probePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 60 - name: Ensure each container has a configured pre-stop hook - uniqueName: CONTAINERS_MISSING_PRESTOP_KEY - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-prestop' - messageOnFailure: 'Missing property object `preStop` - set to ensure graceful shutdown of the container' - categories: - - Other - complexity: hard - impact: Once Kubernetes has decided to terminate one of your pods, it will proceed to send a SIGTERM signal to it. 
If your application doesn't gracefully shut down when receiving a SIGTERM, this can cause undesired behavior and loss of data - schema: - definitions: - prestopPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - lifecycle: - properties: - preStop: - type: object - required: - - preStop - required: - - lifecycle - allOf: - - $ref: '#/definitions/prestopPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 61 - name: 'Prevent containers from having unnecessary system call privileges' - uniqueName: CONTAINERS_INCORRECT_SECCOMP_PROFILE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-system-call-privileges' - messageOnFailure: 'Incorrect value for key seccompProfile - set an explicit value to prevent malicious use of system calls within the container' - categories: - - EKS - complexity: medium - impact: Running containers/Pods with the `seccomp` profile set to `unconfined` can give attackers dangerous privileges - schema: - definitions: - seccompExplicit: - if: *standardKinds - then: - properties: - spec: - oneOf: - - $ref: '#/$defs/securityContextSeccompReq' - - $ref: '#/definitions/seccompExplicitInContainer' - seccompExplicitInContainer: - if: *standardKinds - then: - properties: - containers: - type: array - items: - $ref: '#/$defs/securityContextSeccompReq' - initContainers: - type: array - items: - $ref: '#/$defs/securityContextSeccompReq' - ephemeralContainers: - type: array - items: - $ref: '#/$defs/securityContextSeccompReq' - seccompPatternInSpec: - if: *standardKinds - then: - properties: - spec: - $ref: '#/$defs/securityContextSeccomp' - seccompPatternInContainer: - if: *standardKinds - then: - properties: - spec: - properties: - containers: - type: array - items: - $ref: '#/$defs/securityContextSeccomp' - initContainers: - type: array - items: - $ref: '#/$defs/securityContextSeccomp' - ephemeralContainers: - type: array - items: - $ref: 
'#/$defs/securityContextSeccomp' - allOf: - - $ref: '#/definitions/seccompExplicit' - - $ref: '#/definitions/seccompPatternInSpec' - - $ref: '#/definitions/seccompPatternInContainer' - additionalProperties: - $ref: '#' - items: - $ref: '#' - $defs: - securityContextSeccompReq: - required: - - securityContext - properties: - securityContext: - type: object - required: - - seccompProfile - properties: - seccompProfile: - type: object - required: - - type - securityContextSeccomp: - properties: - securityContext: - type: object - properties: - seccompProfile: - type: object - properties: - type: - not: - enum: - - 'unconfined' - - 'Unconfined' - - id: 62 - name: Prevent exposed BitBucket secrets in objects - uniqueName: ALL_EXPOSED_SECRET_BITBUCKET - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-bitbucket' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 63 - name: Prevent exposed Datadog secrets in objects - uniqueName: ALL_EXPOSED_SECRET_DATADOG - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-datadog' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - 
pattern: (?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 64 - name: Prevent exposed GCP secrets in objects - uniqueName: ALL_EXPOSED_SECRET_GCP - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gcp' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: \b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 65 - name: Prevent exposed AWS secrets in objects - uniqueName: ALL_EXPOSED_SECRET_AWS - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-aws' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 66 - name: Prevent exposed GitHub secrets in objects - uniqueName: ALL_EXPOSED_SECRET_GITHUB - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-github' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource 
configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (ghu|ghs)_[0-9a-zA-Z]{36} - - pattern: gho_[0-9a-zA-Z]{36} - - pattern: ghp_[0-9a-zA-Z]{36} - - pattern: ghr_[0-9a-zA-Z]{36} - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 67 - name: Prevent exposed GitLab secrets in objects - uniqueName: ALL_EXPOSED_SECRET_GITLAB - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gitlab' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: glpat-[0-9a-zA-Z\-\_]{20} - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 68 - name: Prevent exposed Terraform secrets in objects - uniqueName: ALL_EXPOSED_SECRET_TERRAFORM - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-terraform' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: '[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}' - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 69 - name: Prevent exposed Heroku secrets in objects - uniqueName: ALL_EXPOSED_SECRET_HEROKU - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-heroku' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - 
categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 70 - name: Prevent exposed JWT secrets in objects - uniqueName: ALL_EXPOSED_SECRET_JWT - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-jwt' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: \b(ey[0-9a-z]{30,34}\.ey[0-9a-z-\/_]{30,500}\.[0-9a-zA-Z-\/_]{10,200})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 71 - name: Prevent exposed LaunchDarkly secrets in objects - uniqueName: ALL_EXPOSED_SECRET_LAUNCHDARKLY - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-launchdarkly' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - 
- id: 72 - name: Prevent exposed New Relic secrets in objects - uniqueName: ALL_EXPOSED_SECRET_NEWRELIC - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-newrelic' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$) - - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 73 - name: Prevent exposed npm secrets in objects - uniqueName: ALL_EXPOSED_SECRET_NPM - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-npm' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: \b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 74 - name: Prevent exposed Okta secrets in objects - uniqueName: ALL_EXPOSED_SECRET_OKTA - enabledByDefault: false - documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-okta' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 75 - name: Prevent exposed Stripe secrets in objects - uniqueName: ALL_EXPOSED_SECRET_STRIPE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-stripe' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (sk|pk)_(test|live)_[0-9a-z]{10,32} - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 76 - name: Prevent exposed SumoLogic secrets in objects - uniqueName: ALL_EXPOSED_SECRET_SUMOLOGIC - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-sumologic' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?:sumo)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$) - - pattern: (?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 77 - name: Prevent exposed Twilio secrets in objects - uniqueName: ALL_EXPOSED_SECRET_TWILIO - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-twilio' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: SK[0-9a-fA-F]{32} - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 78 - name: Prevent exposed Vault secrets in objects - uniqueName: ALL_EXPOSED_SECRET_VAULT - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-vault' - messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: \b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$) - - pattern: \b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$) - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 79 - name: Prevent exposed private keys in objects - uniqueName: ALL_EXPOSED_SECRET_PRIVATEKEY - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-privatekey' - messageOnFailure: 'Secret data found in config - 
keep your sensitive data elsewhere to prevent it from being stolen' - categories: - - Secrets - complexity: medium - impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously - schema: - definitions: - regexes: - anyOf: - - pattern: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S-]*KEY---- - if: *notKindSecret - then: *recursiveDontAllowValue - - id: 80 - name: Ensure each container fully utilizes CPU with no limitations - uniqueName: EKS_INVALID_CPU_LIMIT - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-no-cpu-limit' - messageOnFailure: 'Invalid key `limits.cpu` - refrain from setting a CPU limit to better utilize the CPU and prevent starvation' - categories: - - EKS - complexity: easy - impact: Setting a CPU limit may cause starvation and sub-optimal utilization of the CPU - schema: - definitions: - cpuLimitPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - resources: - properties: - limits: - type: object - not: - required: - - cpu - allOf: - - $ref: '#/definitions/cpuLimitPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 81 - name: Ensure container memory request and memory limit are equal - uniqueName: EKS_INVALID_MEMORY_REQUEST_LIMIT - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-memory-request-limit-equal' - messageOnFailure: 'Invalid value for memory request and/or memory limit - ensure they are equal to prevent unpredictable behavior' - categories: - - EKS - complexity: easy - impact: Setting memory request and limit to different values may cause unpredictable behavior - schema: - definitions: - containerResourcesPattern: - properties: - spec: - properties: - containers: - items: - properties: - resources: - customKeyRule81: - type: string - allOf: - - $ref: '#/definitions/containerResourcesPattern' - additionalProperties: - 
$ref: '#' - items: - $ref: '#' - - id: 82 - name: Ensure containers have limited capabilities - uniqueName: EKS_INVALID_CAPABILITIES_EKS - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-containers-limited-capabilities' - messageOnFailure: 'Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components' - categories: - - EKS - - CIS - complexity: medium - impact: Giving containers unnecessary capabilities may compromise them and allow attackers access to sensitive components - schema: - definitions: - specContainerPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - capabilities: - properties: - add: - type: array - items: - enum: - - 'AUDIT_WRITE' - - 'CHOWN' - - 'DAC_OVERRIDE' - - 'FOWNER' - - 'FSETID' - - 'KILL' - - 'MKNOD' - - 'NET_BIND_SERVICE' - - 'SETFCAP' - - 'SETGID' - - 'SETPCAP' - - 'SETUID' - - 'SYS_CHROOT' - allOf: - - $ref: '#/definitions/specContainerPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 83 - name: Ensure multiple replicas run on different nodes - uniqueName: EKS_MISSING_KEY_TOPOLOGYKEY - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-replicas-different-nodes' - messageOnFailure: 'Missing key `topologyKey` - add it to ensure replicas are spread across multiple nodes' - categories: - - EKS - complexity: medium - impact: Running multiple replicas on the same node may cause downtime if the node becomes unavailable - schema: - definitions: - antiAffinityPreferredPattern: - properties: - spec: - properties: - affinity: - properties: - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - type: array - items: - properties: - podAffinityTerm: - properties: - topologyKey: - type: string - required: - - topologyKey - antiAffinityRequiredPattern: - properties: - spec: - properties: - 
affinity: - properties: - podAntiAffinity: - properties: - requiredDuringSchedulingIgnoredDuringExecution: - type: array - items: - properties: - podAffinityTerm: - properties: - topologyKey: - type: string - required: - - topologyKey - - allOf: - - $ref: '#/definitions/antiAffinityPreferredPattern' - - $ref: '#/definitions/antiAffinityRequiredPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 84 - name: Prevent pods from becoming unschedulable - uniqueName: EKS_INVALID_VALUE_DONOOTSCHEDULE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-pods-becoming-unschedulable' - messageOnFailure: 'Incorrect value for key `whenUnsatisfiable` - use a different value to ensure your pod does not become unschedulable' - categories: - - EKS - complexity: easy - impact: Setting `whenUnsatisfiable` to `DoNotSchedule` will cause pods to be “unschedulable” if the topology spread constraint can't be fulfilled - schema: - definitions: - specConstraintsPattern: - properties: - spec: - properties: - topologySpreadConstraints: - type: array - items: - properties: - whenUnsatisfiable: - not: - enum: - - DoNotSchedule - allOf: - - $ref: '#/definitions/specConstraintsPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 85 - name: Prevent Windows containers from running with unnecessary privileges - uniqueName: EKS_INVALID_HOSTPROCESS_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-windows-containers-unnecessary-privileges' - messageOnFailure: "Incorrect value for key `hostProcess` - don't set or set to false to prevent unnecessary privileges" - categories: - - EKS - - CIS - complexity: easy - impact: Setting `hostProcess` to `true` will cause pods to be “unschedulable” if the topology spread constraint can't be fulfilled - schema: - definitions: - hostProcessPattern: - properties: - windowsOptions: - properties: - hostProcess: - enum: - - false - allOf: - - 
$ref: '#/definitions/hostProcessPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 86 - name: Prevent SELinux containers from running with unnecessary privileges - uniqueName: EKS_INVALID_SELINUXOPTIONS_TYPE_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-selinux-containers-unnecessary-privileges' - messageOnFailure: 'Invalid value for key `type` - set to a predefined type to prevent unnecessary privileges' - categories: - - EKS - complexity: medium - impact: Using a different type than the allowed ones may grant attackers access to sensitive components - schema: - definitions: - selinuxTypePattern: - properties: - securityContext: - properties: - seLinuxOptions: - properties: - type: - enum: - - container_t - - container_init_t - - container_kvm_t - allOf: - - $ref: '#/definitions/selinuxTypePattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 87 - name: Prevent SELinux containers from setting a user - uniqueName: EKS_INVALID_SELINUXOPTIONS_USER_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-selinux-containers-user' - messageOnFailure: 'Invalid key `user` - refrain from setting this key to prevent potential access to the host filesystem' - categories: - - EKS - complexity: easy - impact: Setting an SELinux user may grant attackers access to sensitive components - schema: - definitions: - selinuxUserPattern: - properties: - securityContext: - properties: - seLinuxOptions: - not: - required: - - user - allOf: - - $ref: '#/definitions/selinuxUserPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 88 - name: Prevent SELinux containers from setting a role - uniqueName: EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-selinux-containers-role' - messageOnFailure: 'Invalid key `role` - refrain from setting this key to prevent 
potential access to the host filesystem' - categories: - - EKS - complexity: easy - impact: Setting an SELinux role may grant attackers access to sensitive components - schema: - definitions: - selinuxUserPattern: - properties: - securityContext: - properties: - seLinuxOptions: - not: - required: - - role - allOf: - - $ref: '#/definitions/selinuxUserPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 89 - name: Ensure hostPath volume mounts are read-only - uniqueName: EKS_INVALID_HOSTPATH_MOUNT_READONLY_VALUE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-hostpath-mounts-readonly' - messageOnFailure: "Invalid key `readOnly` - set to 'true' to prevent potential attacks on the host filesystem" - categories: - - EKS - complexity: easy - impact: Not setting hostPath mounts as `readOnly` may allow attackers to modify the host filesystem - schema: - definitions: - specContainers: - properties: - spec: - customKeyRule89: - type: string - allOf: - - $ref: '#/definitions/specContainers' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 90 - name: Prevent deprecated APIs in Kubernetes v1.19 - uniqueName: K8S_DEPRECATED_APIVERSION_1.19 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-119' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.19' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - networking.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - Ingress - - IngressClass - - if: - properties: - apiVersion: - enum: - - storage.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CSIDriver - - if: - properties: - apiVersion: - enum: - - certificates.k8s.io/v1beta1 - then: 
- properties: - kind: - not: - enum: - - CertificateSigningRequest - - if: - properties: - apiVersion: - enum: - - events.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - Event - - if: - properties: - apiVersion: - enum: - - coordination.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - Lease - - LeaseList - - if: - properties: - apiVersion: - enum: - - apiregistration.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - APIService - - APIServiceList - - id: 91 - name: Prevent deprecated APIs in Kubernetes v1.21 - uniqueName: K8S_DEPRECATED_APIVERSION_1.21 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-121' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.21' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - policy/v1beta1 - then: - properties: - kind: - not: - enum: - - PodSecurityPolicy - - PodDisruptionBudget - - PodDisruptionBudgetList - - if: - properties: - apiVersion: - enum: - - batch/v1beta1 - then: - properties: - kind: - not: - enum: - - CronJob - - CronJobList - - if: - properties: - apiVersion: - enum: - - discovery.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - EndpointSlice - - if: - properties: - apiVersion: - enum: - - audit.k8s.io/v1beta1 - - audit.k8s.io/v1alpha1 - then: - properties: - kind: - not: - enum: - - Event - - EventList - - Policy - - PolicyList - - id: 92 - name: Prevent deprecated APIs in Kubernetes v1.22 - uniqueName: K8S_DEPRECATED_APIVERSION_1.22 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-122' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is 
deprecated in k8s v1.22' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - autoscaling/v2beta1 - then: - properties: - kind: - not: - enum: - - HorizontalPodAutoscaler - - HorizontalPodAutoscalerList - - id: 93 - name: Prevent deprecated APIs in Kubernetes v1.23 - uniqueName: K8S_DEPRECATED_APIVERSION_1.23 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-123' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.23' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - autoscaling/v2beta2 - then: - properties: - kind: - not: - enum: - - HorizontalPodAutoscaler - - HorizontalPodAutoscalerList - - id: 94 - name: Prevent deprecated APIs in Kubernetes v1.24 - uniqueName: K8S_DEPRECATED_APIVERSION_1.24 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-124' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.24' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - storage.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CSIStorageCapacity - - id: 95 - name: Prevent use of the `cluster-admin` role - uniqueName: CIS_INVALID_ROLE_CLUSTER_ADMIN - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-cluster-admin-role' - messageOnFailure: 'Incorrect value for key `name` - the RBAC 
role `cluster-admin` provides wide-ranging powers over the environment and should be used only where needed' - categories: - - CIS - complexity: easy - impact: The cluster-admin allows super-user access to perform any action on any resource and may be used maliciously - schema: - if: - properties: - kind: - enum: - - ClusterRoleBinding - - RoleBinding - required: - - kind - then: - properties: - roleRef: - properties: - name: - not: - enum: - - cluster-admin - - id: 96 - name: Prevent access to secrets - uniqueName: CIS_INVALID_VERB_SECRETS - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-access-to-secrets' - messageOnFailure: 'Incorrect value/s for key `verbs` - access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation' - categories: - - CIS - complexity: medium - impact: Inappropriate access to cluster secrets can allow an attacker to gain access to the cluster or external resources whose credentials are stored as secrets - schema: - if: - properties: - kind: - enum: - - ClusterRole - - Role - required: - - kind - then: - properties: - rules: - type: array - items: - if: - properties: - resources: - type: array - contains: - enum: - - secrets - then: - properties: - verbs: - type: array - items: - not: - enum: - - get - - list - - watch - - id: 97 - name: Prevent use of wildcards in Roles and ClusterRoles - uniqueName: CIS_INVALID_WILDCARD_ROLE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-wildcards-role-clusterrole' - messageOnFailure: 'Incorrect value for key `apiGroups`/`resources`/`verbs` - wildcards may provide excessive rights and should only be used when necessary' - categories: - - CIS - complexity: medium - impact: The use of wildcards may allow for inadvertent access to be granted when new resources are added to the Kubernetes API - schema: - if: - properties: - kind: - enum: - - ClusterRole - - Role - 
required: - - kind - then: - properties: - rules: - type: array - items: - properties: - apiGroups: - type: array - items: - not: - enum: - - '*' - resources: - type: array - items: - not: - enum: - - '*' - verbs: - type: array - items: - not: - enum: - - '*' - - id: 98 - name: Prevent use of secrets as environment variables - uniqueName: CIS_INVALID_KEY_SECRETKEYREF_SECRETREF - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-secrets-as-env-variables' - messageOnFailure: 'Incorrect key `secretKeyRef`/`secretRef` - mount secrets as files and not as env variables to avoid exposing sensitive data' - categories: - - CIS - complexity: hard - impact: Using secrets as environment variables is not secure and may expose sensitive data to undesired entities - schema: - definitions: - containerValueFromPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - env: - type: array - items: - properties: - valueFrom: - not: - required: - - secretKeyRef - containerEnvFromPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - envFrom: - type: array - items: - not: - required: - - secretRef - allOf: - - $ref: '#/definitions/containerValueFromPattern' - - $ref: '#/definitions/containerEnvFromPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 99 - name: Ensure seccomp profile is set to docker/default or runtime/default - uniqueName: CIS_INVALID_VALUE_SECCOMP_PROFILE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-seccomp-profile-default' - messageOnFailure: 'Invalid value for key `seccomp.security.alpha.kubernetes.io/pod` - set to docker/default or runtime/default to ensure restricted privileges' - categories: - - CIS - complexity: medium - impact: Using the default seccomp profile may allow risky privileges for workloads - schema: - definitions: - podAnnotationsPattern: - if: - properties: - 
kind: - enum: - - Pod - required: - - kind - then: - properties: - metadata: - properties: - annotations: - properties: - seccomp.security.alpha.kubernetes.io/pod: - enum: - - docker/default - - runtime/default - required: - - seccomp.security.alpha.kubernetes.io/pod - required: - - annotations - required: - - metadata - templateAnnotationsPattern: - properties: - spec: - properties: - template: - properties: - metadata: - properties: - annotations: - properties: - seccomp.security.alpha.kubernetes.io/pod: - enum: - - docker/default - - runtime/default - required: - - seccomp.security.alpha.kubernetes.io/pod - required: - - annotations - required: - - metadata - allOf: - - $ref: '#/definitions/podAnnotationsPattern' - - $ref: '#/definitions/templateAnnotationsPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 100 - name: Ensure containers and pods have a configured security context - uniqueName: CIS_MISSING_KEY_SECURITYCONTEXT - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-containers-pods-security-context' - messageOnFailure: "Missing key `securityContext` - set to enforce your containers' security and stability" - categories: - - CIS - complexity: medium - impact: Omitting security contexts may cause undesired behavior when running your containers - schema: - definitions: - podSecurityContextPattern: - properties: - kind: - enum: - - Pod - spec: - required: - - securityContext - required: - - kind - - spec - containerSecurityContextPattern: - allOf: - - properties: - spec: - properties: - containers: - type: array - items: - required: - - securityContext - additionalProperties: - $ref: '#/definitions/containerSecurityContextPattern' - items: - $ref: '#/definitions/containerSecurityContextPattern' - templateSecurityContextPattern: - allOf: - - properties: - spec: - properties: - template: - properties: - spec: - required: - - securityContext - required: - - spec - required: - - template - required: 
- - spec - additionalProperties: - $ref: '#/definitions/templateSecurityContextPattern' - items: - $ref: '#/definitions/templateSecurityContextPattern' - anyOf: - - $ref: '#/definitions/containerSecurityContextPattern' - - $ref: '#/definitions/templateSecurityContextPattern' - - $ref: '#/definitions/podSecurityContextPattern' - - id: 101 - name: Prevent access to create pods - uniqueName: CIS_INVALID_VALUE_CREATE_POD - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-access-create-pods' - messageOnFailure: 'Invalid value for key `resources`/`verbs` - prohibit creating pods to prevent undesired privilege escalation' - categories: - - CIS - complexity: medium - impact: The ability to create pods in a cluster opens up possibilities for privilege escalation - schema: - if: - properties: - kind: - enum: - - ClusterRole - - Role - required: - - kind - then: - properties: - rules: - type: array - customKeyRule101: - type: string - - id: 102 - name: Ensure that default service accounts are not actively used - uniqueName: CIS_INVALID_VALUE_AUTOMOUNTSERVICEACCOUNTTOKEN - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-default-service-account-not-used' - messageOnFailure: 'Invalid value for key `automountServiceAccountToken` - set to `false` to ensure rights can be more easily audited' - categories: - - CIS - complexity: easy - impact: Using default service accounts may provide undesired rights to applications - schema: - if: - properties: - kind: - enum: - - ServiceAccount - metadata: - properties: - name: - enum: - - default - required: - - kind - - metadata - then: - properties: - automountServiceAccountToken: - enum: - - false - required: - - automountServiceAccountToken - - id: 103 - name: Prevent the admission of containers with the NET_RAW capability - uniqueName: CIS_MISSING_VALUE_DROP_NET_RAW - enabledByDefault: false - documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-containers-net-raw-capability' - messageOnFailure: 'Invalid value for key `drop` - prohibit the potentially dangerous NET_RAW capability' - categories: - - CIS - complexity: easy - impact: The NET_RAW capability may be misused by malicious containers - schema: - definitions: - specContainerPattern: - properties: - spec: - properties: - containers: - type: array - items: - properties: - securityContext: - properties: - capabilities: - properties: - drop: - type: array - items: - contains: - enum: - - 'NET_RAW' - - 'ALL' - required: - - drop - required: - - capabilities - required: - - securityContext - allOf: - - $ref: '#/definitions/specContainerPattern' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 104 - name: Prevent use of the system:masters group - uniqueName: CIS_INVALID_VALUE_SYSTEM_MASTERS - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-system-masters-group' - messageOnFailure: 'Invalid value for key `subjects.name` - do not use the system:masters group to prevent unnecessary unrestriced access to the Kubernetes API' - categories: - - CIS - complexity: medium - impact: Use of the system:masters group can allow for irrevocable cluster-admin level credentials to exist for a cluster - schema: - if: - properties: - kind: - enum: - - ClusterRoleBinding - - RoleBinding - required: - - kind - then: - properties: - subjects: - type: array - items: - properties: - name: - not: - enum: - - system:masters - - id: 105 - name: Prevent role privilege escalation - uniqueName: CIS_INVALID_VALUE_BIND_IMPERSONATE_ESCALATE - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-role-privilege-escalation' - messageOnFailure: 'Invalid value for key `verbs` - do not use `bind`/`impersonate`/`escalate` to prevent privilege escalation' - categories: - - CIS - complexity: medium - impact: Use of the `bind`/`impersonate`/`escalate` 
permissions can allow for privilege escalation to cluster-admin level - schema: - if: - properties: - kind: - enum: - - ClusterRole - - Role - required: - - kind - then: - properties: - rules: - type: array - items: - properties: - verbs: - type: array - items: - not: - enum: - - bind - - impersonate - - escalate - - id: 106 - name: Prevent removed APIs in Kubernetes v1.22 - uniqueName: K8S_REMOVED_APIVERSION_1.22 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-122' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.22' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a removed API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - admissionregistration.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - MutatingWebhookConfiguration - - ValidatingWebhookConfiguration - - if: - properties: - apiVersion: - enum: - - apiextensions.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CustomResourceDefinition - - if: - properties: - apiVersion: - enum: - - apiregistration.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - APIService - - if: - properties: - apiVersion: - enum: - - authentication.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - TokenReview - - if: - properties: - apiVersion: - enum: - - authorization.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - SubjectAccessReview - - LocalSubjectAccessReview - - SelfSubjectAccessReview - - if: - properties: - apiVersion: - enum: - - certificates.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CertificateSigningRequest - - if: - properties: - apiVersion: - enum: - - coordination.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - Lease - - if: - properties: - apiVersion: - enum: - - 
extensions/v1beta1 - - networking.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - Ingress - - if: - properties: - apiVersion: - enum: - - rbac.authorization.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - ClusterRole - - ClusterRoleBinding - - Role - - RoleBinding - - if: - properties: - apiVersion: - enum: - - scheduling.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - PriorityClass - - if: - properties: - apiVersion: - enum: - - storage.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CSIDriver - - CSINode - - StorageClass - - VolumeAttachment - - id: 107 - name: Prevent removed APIs in Kubernetes v1.23 - uniqueName: K8S_REMOVED_APIVERSION_1.23 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-123' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.23' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a removed API version will cause Kubernetes to reject it - schema: - properties: - apiVersion: - not: - enum: - - rbac.authorization.k8s.io/v1alpha1 - - scheduling.k8s.io/v1alpha1 - - id: 108 - name: Prevent removed APIs in Kubernetes v1.24 - uniqueName: K8S_REMOVED_APIVERSION_1.24 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-124' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.24' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a removed API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - client.authentication.k8s.io/v1alpha1 - then: - properties: - kind: - not: - enum: - - ExecCredential - - if: - properties: - apiVersion: - enum: - - node.k8s.io/v1alpha1 - then: - properties: - kind: - not: - enum: - 
- RuntimeClass - - id: 109 - name: Prevent removed APIs in Kubernetes v1.25 - uniqueName: K8S_REMOVED_APIVERSION_1.25 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-125' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.25' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a removed API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - batch/v1beta1 - then: - properties: - kind: - not: - enum: - - CronJob - - if: - properties: - apiVersion: - enum: - - discovery.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - EndpointSlice - - if: - properties: - apiVersion: - enum: - - events.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - Event - - if: - properties: - apiVersion: - enum: - - autoscaling/v2beta1 - then: - properties: - kind: - not: - enum: - - HorizontalPodAutoscaler - - if: - properties: - apiVersion: - enum: - - policy/v1beta1 - then: - properties: - kind: - not: - enum: - - PodDisruptionBudget - - PodSecurityPolicy - - if: - properties: - apiVersion: - enum: - - node.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - RuntimeClass - - id: 110 - name: Prevent removed APIs in Kubernetes v1.26 - uniqueName: K8S_REMOVED_APIVERSION_1.26 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-126' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.26' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a removed API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - flowcontrol.apiserver.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - FlowSchema - - 
PriorityLevelConfiguration - - if: - properties: - apiVersion: - enum: - - autoscaling/v2beta2 - then: - properties: - kind: - not: - enum: - - HorizontalPodAutoscaler - - id: 111 - name: Prevent removed APIs in Kubernetes v1.27 - uniqueName: K8S_REMOVED_APIVERSION_1.27 - enabledByDefault: false - documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-127' - messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.27' - categories: - - Deprecation - complexity: easy - impact: Deploying a resource with a removed API version will cause Kubernetes to reject it - schema: - allOf: - - if: - properties: - apiVersion: - enum: - - storage.k8s.io/v1beta1 - then: - properties: - kind: - not: - enum: - - CSIStorageCapacity diff --git a/resources/base/resource-validation/rule-sets/default/policies.yaml b/resources/base/resource-validation/rule-sets/default/policies.yaml deleted file mode 100644 index abfaae53fc..0000000000 --- a/resources/base/resource-validation/rule-sets/default/policies.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -# yaml-language-server: $schema=../../rulesetSchema.json - -apiVersion: v1 -policies: - - name: Default - rules: - - identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION - - identifier: CONTAINERS_MISSING_MEMORY_REQUEST_KEY - - identifier: CONTAINERS_MISSING_CPU_REQUEST_KEY - - identifier: CONTAINERS_MISSING_MEMORY_LIMIT_KEY - - identifier: CONTAINERS_MISSING_CPU_LIMIT_KEY - - identifier: INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE - - identifier: SERVICE_INCORRECT_TYPE_VALUE_NODEPORT - - identifier: CRONJOB_INVALID_SCHEDULE_VALUE - - identifier: WORKLOAD_INVALID_LABELS_VALUE - - identifier: WORKLOAD_INCORRECT_RESTARTPOLICY_VALUE_ALWAYS - - identifier: CONTAINERS_MISSING_LIVENESSPROBE_KEY - - identifier: CONTAINERS_MISSING_READINESSPROBE_KEY - - identifier: HPA_MISSING_MINREPLICAS_KEY - - identifier: HPA_MISSING_MAXREPLICAS_KEY - - identifier: WORKLOAD_INCORRECT_NAMESPACE_VALUE_DEFAULT - - identifier: DEPLOYMENT_INCORRECT_REPLICAS_VALUE - - identifier: CRONJOB_MISSING_STARTINGDEADLINESECOND_KEY - - identifier: K8S_DEPRECATED_APIVERSION_1.16 - - identifier: K8S_DEPRECATED_APIVERSION_1.17 - - identifier: CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE - - identifier: WORKLOAD_MISSING_LABEL_OWNER_VALUE - - identifier: DEPLOYMENT_MISSING_LABEL_ENV_VALUE - - identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST - - identifier: CRONJOB_MISSING_CONCURRENCYPOLICY_KEY - - identifier: K8S_INCORRECT_KIND_VALUE_POD - - identifier: CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE - - identifier: CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE - - identifier: CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE - - identifier: CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID - - identifier: CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET - - identifier: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE - - identifier: INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY - - identifier: CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY - - identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE - 
- identifier: ARGO_WORKFLOW_INCORRECT_FAILFAST_VALUE_FALSE - - identifier: ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT - - identifier: ARGO_CONFIGMAP_MISSING_PART_OF_LABEL_VALUE_ARGOCD - - identifier: ARGO_ROLLOUT_MISSING_PAUSE_DURATION - - identifier: ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE - - identifier: ARGO_WORKFLOW_INCORRECT_RETRY_STRATEGY_VALUE_EMPTY - - identifier: ARGO_WORKFLOW_INCORRECT_REVISION_HISTORY_LIMIT_VALUE_0 - - identifier: ARGO_ROLLOUT_INCORRECT_SCALE_DOWN_DELAY_VALUE_BELOW_30 - - identifier: ARGO_ROLLOUT_INCORRECT_PROGRESS_DEADLINE_ABORT_VALUE_FALSE - - identifier: ARGO_WORKFLOW_ENSURE_RETRY_ON_BOTH_ERROR_AND_TRANSIENT_ERROR - - identifier: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE - - identifier: CONTAINERS_INCORRECT_KEY_HOSTPATH - - identifier: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION - - identifier: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE - - identifier: CONTAINERS_INVALID_CAPABILITIES_VALUE - - identifier: CONTAINERS_INCORRECT_KEY_HOSTPORT - - identifier: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID - - identifier: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE - - identifier: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE - - identifier: RESOURCE_MISSING_NAME - - identifier: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE - - identifier: CONTAINERS_INCORRECT_PERIODSECONDS_VALUE - - identifier: CONTAINERS_INCORRECT_TIMEOUTSECONDS_VALUE - - identifier: CONTAINERS_INCORRECT_SUCCESSTHRESHOLD_VALUE - - identifier: CONTAINERS_INCORRECT_FAILURETHRESHOLD_VALUE - - identifier: CONTAINERS_MISSING_PRESTOP_KEY diff --git a/resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml b/resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml deleted file mode 100644 index f7222cd9e1..0000000000 --- a/resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -# yaml-language-server: $schema=../../rulesetSchema.json - -apiVersion: v1 -policies: - - name: PodSecurityStandardsBaseline - rules: - # Rules for the Kubernetes Pod Security Standards Baseline - # https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - - # HostProcess - - 'EKS_INVALID_HOSTPROCESS_VALUE' - # Host Namespaces - - 'CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE' - - 'CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE' - - 'CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE' - # Privileged Containers - - 'CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE' - # Capabilities - - 'EKS_INVALID_CAPABILITIES_EKS' - # HostPath Volumes - - 'CONTAINERS_INCORRECT_KEY_HOSTPATH' - # Host Ports - - 'CONTAINERS_INCORRECT_KEY_HOSTPORT' - # AppArmor - - 'K8S_POD_SEC_APPARMOR' - # SELinux - - 'EKS_INVALID_SELINUXOPTIONS_TYPE_VALUE' - - 'EKS_INVALID_SELINUXOPTIONS_USER_VALUE' - - 'EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE' - # /proc Mount Type - - 'K8S_POD_SEC_PROC_MOUNT' - # Seccomp - - 'K8S_POD_SEC_SECCOMP_PROFILE' - # Sysctls - - 'K8S_POD_SEC_SYSCTLS' - - name: PodSecurityStandardsRestricted - # Rules for the Kubernetes Pod Security Standards Restricted - # https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - - includes: - - PodSecurityStandardsBaseline - rules: - # Volume Types - - 'K8S_POD_SEC_ALLOWED_VOLUME_TYPES' - # Privilege Escalation (or v1.25+ for linux only) - - 'K8S_POD_SEC_PRIVILEGE_ESCALATION' # CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION checks only for containers, not for initContainers and ephemeralContainers - # Running as Non-root - - 'K8S_POD_SEC_RUNNING_AS_NON_ROOT' # CONTAINERS_INCORRECT_RUNASNONROOT_VALUE checks only for containers, not for initContainers and ephemeralContainers - # Running as Non-root user (v1.23+) - - 'K8S_POD_SEC_RUNNING_AS_NON_ROOT_USER' # CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID also checks this partly, but only inside the container spec - # Seccomp (v1.19+) (or v1.25+ for linux 
only) - - 'K8S_POD_SEC_SECCOMP_PROFILE_REQUIRED' - # Capabilities (v1.22) (or v1.25+ for linux only) - - 'K8S_POD_SEC_DROP_ALL_CAPABILITIES' - - 'K8S_POD_SEC_CAPABILITIES_ADD_ONLY_NET_BIND_SERVICE' diff --git a/resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml b/resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml deleted file mode 100644 index 20860d3200..0000000000 --- a/resources/base/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml +++ /dev/null 
@@ -1,679 +0,0 @@ -# yaml-language-server: $schema=../../rulesetSchema.json - -apiVersion: v1 -aliases: - - properties: - kind: - enum: - - Deployment - - Pod - - DaemonSet - - StatefulSet - - ReplicaSet - - CronJob - - Job -rules: - - id: 10001 - name: Enforce the baseline Pod Security Standards - uniqueName: K8S_POD_SEC_ENFORCE_BASELINE - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - messageOnFailure: >- - Incorrect or missing value for key `pod-security.kubernetes.io/enforce` - - set it to either baseline or restricted - category: Pod Security Standards Baseline - schema: - if: - properties: - kind: - enum: - - Namespace - then: - required: [metadata] - properties: - metadata: - required: [labels] - properties: - labels: - required: [pod-security.kubernetes.io/enforce] - properties: - pod-security.kubernetes.io/enforce: - enum: - - baseline - - restricted - - id: 10002 - name: Enforce the restricted Pod Security Standards - uniqueName: K8S_POD_SEC_ENFORCE_RESTRICTED - enabledByDefault: false - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: >- - Incorrect or missing value for key `pod-security.kubernetes.io/enforce` - - set it to restricted - category: Pod Security Standards Restricted - schema: - if: - properties: - kind: - enum: - - Namespace - then: - required: - - metadata - properties: - metadata: - required: - - labels - properties: - labels: - required: - - pod-security.kubernetes.io/enforce - properties: - pod-security.kubernetes.io/enforce: - enum: - - restricted - - id: 10003 - name: Prevent Windows containers from running with unnecessary privileges - uniqueName: K8S_POD_SEC_HOST_PROCESS - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - messageOnFailure: >- - Incorrect value for key `hostProcess` - remove the property 
or set it to - false - category: Pod Security Standards Baseline - note: Dulicate to EKS_INVALID_HOSTPROCESS_VALUE - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - windowsOptions: - properties: - hostProcess: - enum: - - 'false' - properties: - spec: - allOf: - - $ref: '#/$defs/validSecurityContext' - - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 10004 - name: Prevent overriding or disabling the default AppArmor profile - uniqueName: K8S_POD_SEC_APPARMOR - enabledByDefault: true - documentationUrl: https://kubernetes.io/docs/tutorials/security/apparmor - messageOnFailure: >- - Incorrect value for key `container.apparmor.security.beta.kubernetes.io/*` - - remove the property or set it to runtime/default or localhost/* - category: Pod Security Standards Baseline - schema: - properties: - metadata: - properties: - annotations: - properties: - container.apparmor.security.beta.kubernetes.io/*: - oneOf: - - enum: - - runtime/default - - pattern: ^localhost/.*$ - additionalProperties: - $ref: '#' - items: - $ref: '#' - - id: 10005 - name: Use the default /proc mount - uniqueName: K8S_POD_SEC_PROC_MOUNT - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - messageOnFailure: Incorrect value for key `procMount` - remove it or set it to Default - category: Pod Security Standards Baseline - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - procMount: - enum: - - Default - properties: - spec: - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: 
'#/$defs/validSecurityContext' - template: - $ref: '#' - - id: 10006 - name: Prevent setting the seccompProfile to unconfined - uniqueName: K8S_POD_SEC_SECCOMP_PROFILE - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - messageOnFailure: >- - Incorrect value for key `seccompProfile` - remove it or set the type to - RuntimeDefault or Localhost - category: Pod Security Standards Baseline - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - seccompProfile: - properties: - type: - enum: - - RuntimeDefault - - Localhost - properties: - spec: - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - template: - $ref: '#' - - id: 10007 - name: Prevent disabling security mechanisms via sysctls - uniqueName: K8S_POD_SEC_SYSCTLS - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline - messageOnFailure: >- - Incorrect value for key `sysctls[*].name` - Remove it or set it to one of - the allowed values - category: Pod Security Standards Baseline - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - sysctls: - items: - properties: - name: - enum: - - kernel.shm_rmid_forced - - net.ipv4.ip_local_port_range - - net.ipv4.ip_unprivileged_port_start - - net.ipv4.tcp_syncookies - - net.ipv4.ping_group_range - properties: - spec: - allOf: - - $ref: '#/$defs/validSecurityContext' - - properties: - template: - $ref: '#' - - id: 10008 - name: Use one of the allowed volume types - uniqueName: K8S_POD_SEC_ALLOWED_VOLUME_TYPES - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: >- - Incorrect volume entry - Each 
volume has to be of one of the allowed - volume types - category: Pod Security Standards Restricted - schema: - properties: - spec: - allOf: - - properties: - volumes: - items: - oneOf: - - required: - - configMap - - required: - - csi - - required: - - downwardAPI - - required: - - emptyDir - - required: - - ephemeral - - required: - - persistentVolumeClaim - - required: - - projected - - required: - - secret - - properties: - template: - $ref: '#' - - id: 10009 - name: Prevent allowing privilege escalation - uniqueName: K8S_POD_SEC_PRIVILEGE_ESCALATION - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: >- - Incorrect value for key `allowPrivilegeEscalation` - remove it or set it - to false - category: Pod Security Standards Restricted - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - allowPrivilegeEscalation: - enum: - - false - validContainers: - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - properties: - spec: - allOf: - - if: - properties: - os: - properties: - not: - enum: - - windows - then: - $ref: '#/$defs/validContainers' - - properties: - template: - $ref: '#' - - id: 10010 - name: Prevent running as root - uniqueName: K8S_POD_SEC_RUNNING_AS_NON_ROOT - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: Incorrect value for key `runAsNonRoot` - set it to true - category: Pod Security Standards Restricted - schema: - $defs: - validSecurityContext: - required: - - securityContext - properties: - securityContext: - required: - - runAsNonRoot - properties: - runAsNonRoot: - enum: - - true - conditionallyValidSecurityContext: - properties: - securityContext: - 
properties: - runAsNonRoot: - enum: - - null - - null - - true - validSpec: - properties: - spec: - anyOf: - - allOf: - - $ref: '#/$defs/validSecurityContext' - - properties: - containers: - items: - $ref: '#/$defs/conditionallyValidSecurityContext' - initContainers: - items: - $ref: '#/$defs/conditionallyValidSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/conditionallyValidSecurityContext' - - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - allOf: - - if: - properties: - kind: - enum: - - Pod - then: - $ref: '#/$defs/validSpec' - - if: - properties: - kind: - enum: - - Deployment - - DaemonSet - - StatefulSet - - ReplicaSet - - CronJob - - Job - then: - properties: - spec: - properties: - template: - $ref: '#/$defs/validSpec' - - id: 10011 - name: Run as non-root user - uniqueName: K8S_POD_SEC_RUNNING_AS_NON_ROOT_USER - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: >- - Incorrect value for key `runAsUser` - set it to a non-zero value or remove - it - category: Pod Security Standards Restricted - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - runAsUser: - not: - enum: - - 0 - properties: - spec: - allOf: - - $ref: '#/$defs/validSecurityContext' - - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - - properties: - template: - $ref: '#' - - id: 10012 - name: Explicitely set the seccomp profile - uniqueName: K8S_POD_SEC_SECCOMP_PROFILE_REQUIRED - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - 
messageOnFailure: >- - Incorrect or missing value for key `seccompProfile.type` - set it to - RuntimeDefault or Localhost - category: Pod Security Standards Restricted - schema: - $defs: - validSecurityContext: - required: - - securityContext - properties: - securityContext: - required: - - seccompProfile - properties: - seccompProfile: - required: - - type - properties: - type: - enum: - - RuntimeDefault - - Localhost - conditionallyValidSecurityContext: - properties: - securityContext: - properties: - seccompProfile: - properties: - type: - enum: - - null - - null - - RuntimeDefault - - Localhost - validSpec: - properties: - spec: - if: - properties: - os: - properties: - name: - not: - enum: - - windows - then: - anyOf: - - allOf: - - $ref: '#/$defs/validSecurityContext' - - properties: - containers: - items: - $ref: '#/$defs/conditionallyValidSecurityContext' - initContainers: - items: - $ref: '#/$defs/conditionallyValidSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/conditionallyValidSecurityContext' - - allOf: - - $ref: '#/$defs/conditionallyValidSecurityContext' - - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - allOf: - - if: - properties: - kind: - enum: - - Pod - then: - $ref: '#/$defs/validSpec' - - if: - properties: - kind: - enum: - - Deployment - - DaemonSet - - StatefulSet - - ReplicaSet - - CronJob - - Job - then: - properties: - spec: - properties: - template: - $ref: '#/$defs/validSpec' - - id: 10013 - name: Containers must drop all capabilities - uniqueName: K8S_POD_SEC_DROP_ALL_CAPABILITIES - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: Incorrect or missing values for `capabilities.drop` - must contain ALL - category: Pod Security Standards Restricted - schema: - 
$defs: - validSecurityContext: - required: - - securityContext - properties: - securityContext: - required: - - capabilities - properties: - capabilities: - required: - - drop - properties: - drop: - contains: - enum: - - ALL - validSpec: - properties: - spec: - if: - properties: - os: - properties: - name: - not: - enum: - - windows - then: - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - allOf: - - if: - properties: - kind: - enum: - - Pod - then: - $ref: '#/$defs/validSpec' - - if: - properties: - kind: - enum: - - Deployment - - DaemonSet - - StatefulSet - - ReplicaSet - - CronJob - - Job - then: - properties: - spec: - properties: - template: - $ref: '#/$defs/validSpec' - - id: 10014 - name: Containers must only add back NET_BIND_SERVICE - uniqueName: K8S_POD_SEC_CAPABILITIES_ADD_ONLY_NET_BIND_SERVICE - enabledByDefault: true - documentationUrl: >- - https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - messageOnFailure: >- - Incorrect value for `capabilities.add` - must only contain - NET_BIND_SERVICE - category: Pod Security Standards Restricted - schema: - $defs: - validSecurityContext: - properties: - securityContext: - properties: - capabilities: - properties: - add: - items: - enum: - - NET_BIND_SERVICE - validSpec: - properties: - spec: - if: - properties: - os: - properties: - name: - not: - enum: - - windows - then: - properties: - containers: - items: - $ref: '#/$defs/validSecurityContext' - initContainers: - items: - $ref: '#/$defs/validSecurityContext' - ephemeralContainers: - items: - $ref: '#/$defs/validSecurityContext' - allOf: - - if: - properties: - kind: - enum: - - Pod - then: - $ref: '#/$defs/validSpec' - - if: - properties: - kind: - enum: - - Deployment - - DaemonSet - - StatefulSet - - ReplicaSet - - CronJob - - Job - then: - properties: - spec: - 
properties: - template: - $ref: '#/$defs/validSpec' diff --git a/resources/base/resource-validation/rulesetSchema.json b/resources/base/resource-validation/rulesetSchema.json deleted file mode 100644 index 4ce6e209f9..0000000000 --- a/resources/base/resource-validation/rulesetSchema.json +++ /dev/null @@ -1,85 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-07/schema#", - "definitions": { - "uniqueRuleName": { - "type": "string", - "minLength": 1, - "pattern": "^([A-Za-z0-9_])*([0-9]+\\.?[0-9]*|\\.[0-9]+)?([A-Za-z0-9_])*$" - }, - "rule": { - "type": "object", - "properties": { - "id": { - "type": "number" - }, - "name": { - "type": "string", - "minLength": 1 - }, - "uniqueName": { - "$ref": "#/definitions/uniqueRuleName" - }, - "documentationUrl": { - "type": "string", - "minLength": 1 - }, - "messageOnFailure": { - "type": "string" - }, - "schema": { - "$ref": "http://json-schema.org/draft-07/schema#", - "description": "this is the rule logic, should be a json schema" - } - }, - "required": ["uniqueName", "messageOnFailure", "schema"] - }, - "ruleReference": { - "type": "object", - "properties": { - "identifier": { - "$ref": "#/definitions/uniqueRuleName" - } - }, - "required": ["identifier"] - }, - "policy": { - "properties": { - "name": { - "type": "string", - "minLength": 1 - }, - "rules": { - "type": "array", - "items": { - "anyOf": [ - { - "$ref": "#/definitions/uniqueRuleName" - }, - { - "$ref": "#/definitions/ruleReference" - } - ] - } - } - }, - "required": ["name", "rules"] - } - }, - "properties": { - "apiVersion": { - "type": "string" - }, - "rules": { - "type": "array", - "items": { - "$ref": "#/definitions/rule" - } - }, - "policies": { - "type": "array", - "items": { - "$ref": "#/definitions/policy" - } - } - } -} diff --git a/start_nginx.sh b/start_nginx.sh index 520d28f40d..07f41bb29e 100755 --- a/start_nginx.sh +++ b/start_nginx.sh 
@@ -1,4 +1,3 @@ #!/bin/sh echo ENVIRONMENT="${ENVIRONMENT}" > /app/core-ui/active.env -echo BACKEND_URL="${BACKEND_URL}" >> /app/core-ui/active.env nginx -g 'daemon off;' From b79c481bd80270322d4519fb20e5ed3e43475a30 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Mon, 30 Dec 2024 16:45:50 +0100 Subject: [PATCH 07/31] revert changes related to backend env --- Makefile | 13 +++++++---- backend/Makefile | 13 ----------- .../Gardener/useGardenerLoginFunction.tsx | 4 ++-- src/shared/hooks/BackendAPI/useFetch.ts | 2 +- src/shared/utils/env.ts | 3 +-- src/state/navigation/extensionsAtom.ts | 5 ++++- src/state/utils/getBackendInfo.ts | 22 +++++-------------- 7 files changed, 23 insertions(+), 39 deletions(-) diff --git a/Makefile b/Makefile index e5a417e3d2..e5593a881c 100644 --- a/Makefile +++ b/Makefile @@ -1,10 +1,15 @@ -APP_NAME = busola-web +APP_NAME = busola IMG_NAME = busola-web LOCAL_IMG_NAME = busola IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(IMG_NAME) LOCAL_IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(LOCAL_IMG_NAME) KYMA_DASHBOARD_IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(KYMA_DASHBOARD_IMG_NAME) TAG = $(DOCKER_TAG) +.DEFAULT_GOAL=help + +help: ## Display this help. + @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) + .PHONY: resolve resolve: 
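Review bot: The new `help:` target in the top-level Makefile is not declared phony, so a file or directory named `help` in the repository root would make a bare `make` (which now resolves to `help` through the added `.DEFAULT_GOAL=help`) report it as up to date and print nothing; add `.PHONY: help` on the line before `help: ## Display this help.`, as backend/Makefile already does for the same recipe. The awk recipe is a verbatim copy of the one in backend/Makefile, so any fix to the help formatter now has to be made in two places; if both Makefiles are kept, a one-line comment pointing at the other copy would help. The position of the blank context line around the new block is not recoverable from the collapsed hunk.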
@@ -23,11 +28,11 @@ release: build-image push-image release-local: build-image-local push-image-local build-image: ## Build busola backend image - docker build -t $(APP_NAME) -f Dockerfile.web . + docker build -t $(APP_NAME) -f Dockerfile . -install-busola-web: build-image ## Build busola web image and install it on local k3d cluster +install-busola: build-image ## Build busola web image and install it on local k3d cluster $(eval HASH_TAG=$(shell docker images $(APP_NAME):latest --quiet)) docker tag $(APP_NAME) $(APP_NAME):$(HASH_TAG) k3d image import $(APP_NAME):$(HASH_TAG) -c kyma - kubectl set image deployment web busola=$(APP_NAME):$(HASH_TAG) + kubectl set image deployment busola busola=$(APP_NAME):$(HASH_TAG) diff --git a/backend/Makefile b/backend/Makefile index 5128dca89a..28e836f2e5 100644 --- a/backend/Makefile +++ b/backend/Makefile @@ -1,19 +1,6 @@ -APP_NAME = busola-backend - ##@ General .DEFAULT_GOAL=help .PHONY: help .PHONY: help help: ## Display this help. @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf " \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST) - - -build-image: ## Build busola backend image - docker build -t $(APP_NAME) -f Dockerfile . - -install-busola-backend: build-image ## Build busola backend image and install it on local k3d cluster - $(eval HASH_TAG=$(shell docker images $(APP_NAME):latest --quiet)) - docker tag $(APP_NAME) $(APP_NAME):$(HASH_TAG) - - k3d image import $(APP_NAME):$(HASH_TAG) -c kyma - kubectl set image deployment backend backend=$(APP_NAME):$(HASH_TAG) diff --git a/src/components/Gardener/useGardenerLoginFunction.tsx b/src/components/Gardener/useGardenerLoginFunction.tsx index 52e2fad648..5ba0bc7fe1 100644 --- a/src/components/Gardener/useGardenerLoginFunction.tsx +++ b/src/components/Gardener/useGardenerLoginFunction.tsx 
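Review bot: The help text on the renamed `install-busola` target still says "Build busola web image", and the unchanged `build-image` line above it still says "backend image", although after this commit both targets act on the single `busola` image produced by `docker build -t $(APP_NAME) -f Dockerfile .`; suggest `install-busola: build-image ## Build the busola image and install it on the local k3d cluster`. The `kubectl set image deployment busola busola=$(APP_NAME):$(HASH_TAG)` line assumes the deployment and its container are both named `busola`, which matches the rename elsewhere in this commit but is worth stating in the target's comment since the recipe fails silently-looking when either name drifts.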
@@ -26,7 +26,7 @@ export function useGardenerLogin(setReport: (report: string) => void) { const getAvailableProjects = async ( fetchHeaders: HeadersInit, ): Promise => { - const { backendAddress } = await getClusterConfig(); + const { backendAddress } = getClusterConfig(); type SSRResult = { status: { resourceRules: PermissionSet[] }; }; @@ -63,7 +63,7 @@ export function useGardenerLogin(setReport: (report: string) => void) { fetchHeaders: HeadersInit, availableProjects: string[], ) => { - const { backendAddress } = await getClusterConfig(); + const { backendAddress } = getClusterConfig(); type ShootsResult = { items: K8sResource[]; diff --git a/src/shared/hooks/BackendAPI/useFetch.ts b/src/shared/hooks/BackendAPI/useFetch.ts index 9fe50f7291..bbf102fd1c 100644 --- a/src/shared/hooks/BackendAPI/useFetch.ts +++ b/src/shared/hooks/BackendAPI/useFetch.ts @@ -40,7 +40,7 @@ export const createFetchFn = ({ }, signal: abortController?.signal, }; - const { backendAddress } = await getClusterConfig(); + const { backendAddress } = getClusterConfig(); try { const response = await fetch(backendAddress + relativeUrl, init); diff --git a/src/shared/utils/env.ts b/src/shared/utils/env.ts index 0ba7927c02..ced6aaf9cc 100644 --- a/src/shared/utils/env.ts +++ b/src/shared/utils/env.ts @@ -1,11 +1,10 @@ import joinPaths from './path'; export enum Envs { - BACKEND_URL = 'BACKEND_URL', ENVIRONMENT = 'ENVIRONMENT', } -export default async function getEnv(env: Envs): Promise { +async function getEnv(env: Envs): Promise { const input = await fetchActiveEnv(); const envs = readEnv(input); const desiredEnv = envs.get(env); diff --git a/src/state/navigation/extensionsAtom.ts b/src/state/navigation/extensionsAtom.ts index c165796253..c79f55b093 100644 --- a/src/state/navigation/extensionsAtom.ts +++ b/src/state/navigation/extensionsAtom.ts 
@@ -435,7 +435,10 @@ export const useGetExtensions = () => { relativeUrl: url, init: options, abortController: options?.signal - ? { signal: options?.signal, abort: () => {} } + ? { + signal: options?.signal, + abort: () => {}, + } : undefined, }); } diff --git a/src/state/utils/getBackendInfo.ts b/src/state/utils/getBackendInfo.ts index 18141b177c..4fdee42a94 100644 --- a/src/state/utils/getBackendInfo.ts +++ b/src/state/utils/getBackendInfo.ts @@ -1,14 +1,6 @@ -import getEnv, { Envs } from '../../shared/utils/env'; - const domain = window.location.hostname; -async function getBackendAddress() { - const backendUrl = await getEnv(Envs.BACKEND_URL); - console.log(backendUrl); - if (backendUrl) { - return backendUrl; - } - +const getBackendAddress = () => { // local busola - needed for e2e tests to work locally if ( window.location.hostname.startsWith('localhost') && @@ -23,11 +15,9 @@ async function getBackendAddress() { } else { return '/backend'; } -} +}; -export async function getClusterConfig() { - return { - domain, - backendAddress: await getBackendAddress(), - }; -} +export const getClusterConfig = () => ({ + domain, + backendAddress: getBackendAddress(), +}); From 3f42b81f2a32bd72028d4f5d5e8b7ef9d2cee58c Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Mon, 30 Dec 2024 16:59:09 +0100 Subject: [PATCH 08/31] cleanup --- Makefile | 6 ------ README.md | 17 +++++++++-------- resources/ingress/configmap.yaml | 6 ------ resources/ingress/ingress.yaml | 10 +--------- 4 files changed, 10 insertions(+), 29 deletions(-) delete mode 100644 resources/ingress/configmap.yaml diff --git a/Makefile b/Makefile index e5593a881c..4653ae08c1 100644 --- a/Makefile +++ b/Makefile 
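Review bot: `getClusterConfig` changes from an async function to a synchronous arrow function, but the export carries no documentation of that contract, and any caller still writing `await getClusterConfig()` keeps compiling because awaiting a plain object is legal, so stragglers will not be caught by the type checker. Add a short JSDoc above the export, e.g. `/** Synchronous. backendAddress is derived from window.location at call time; domain is captured once at module load. */`, and grep for remaining `await getClusterConfig` uses. The body of `getBackendAddress` between the two hunks, including the localhost branch, lies outside the diff.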
@@ -1,10 +1,4 @@ APP_NAME = busola -IMG_NAME = busola-web -LOCAL_IMG_NAME = busola -IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(IMG_NAME) -LOCAL_IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(LOCAL_IMG_NAME) -KYMA_DASHBOARD_IMG = $(DOCKER_PUSH_REPOSITORY)$(DOCKER_PUSH_DIRECTORY)/$(KYMA_DASHBOARD_IMG_NAME) -TAG = $(DOCKER_TAG) .DEFAULT_GOAL=help help: ## Display this help. diff --git a/README.md b/README.md index 8b0cb7d4ad..9b2605374e 100644 --- a/README.md +++ b/README.md @@ -180,10 +180,10 @@ For the information on how to run tests and configure them, go to the [`tests`]( ## Deploy busola in Kubernetes Cluster -To install busola on k8s cluster go to `resources` directory and run: +To install busola on k8s cluster run: ```shell -kustomize build base/ | kubectl apply -f- +(cd resources && kustomize build base/ | kubectl apply -f- ) ``` To install busola with istio gateway please prepare `DOMAIN`, go to `resources` and run: @@ -196,16 +196,17 @@ To install busola with istio gateway please prepare `DOMAIN`, go to `resources` You can access busola installed on Kubernetes in several ways, depends on how it's installed: -### K3d +### Port-forward Use port-forward ```shell -kubectl port-forward services/web 8080:8080 -kubectl port-forward services/backend 3001:3001 +kubectl port-forward services/busola 3001:3001 ``` -Install ingress by runing: +### K3d + +Install ingress resources by running: ```shell (cd resources && kubectl apply -f ingress/ingress.yaml) @@ -213,10 +214,10 @@ Install ingress by runing: Then go to `localhost` -### Port-forward - ### Istio-ingress gateway +TODO: access via istio ingress + ## Troubleshooting > **TIP:** To solve most of the problems with Busola development, clear the browser cache or do a hard refresh of the website. diff --git a/resources/ingress/configmap.yaml b/resources/ingress/configmap.yaml deleted file mode 100644 index 66e979bafa..0000000000 --- a/resources/ingress/configmap.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: busola-config -data: - BACKEND_URL: 'http://localhost/backend' diff --git a/resources/ingress/ingress.yaml b/resources/ingress/ingress.yaml index a64b0e2bb0..016674bf86 100644 --- a/resources/ingress/ingress.yaml +++ b/resources/ingress/ingress.yaml @@ -10,14 +10,6 @@ spec: pathType: Prefix backend: service: - name: web - port: - number: 8080 - - - path: /backend - pathType: Prefix - backend: - service: - name: backend + name: busola port: number: 3001 From 7875c80ea394814fab86e2c770f761f52b3e604a Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Mon, 30 Dec 2024 17:19:03 +0100 Subject: [PATCH 09/31] first istio steps --- README.md | 12 +++++++---- resources/apply-resources-istio.sh | 11 ++++++---- .../istio/destinationrule-busola-backend.yaml | 9 -------- resources/istio/gateway.tpl.yaml | 15 +++++++++++++ resources/istio/http_route.tpl.yaml | 18 ++++++++++++++++ resources/istio/kustomization.yaml | 3 ++- .../istio/virtualservice-busola.tpl.yaml | 21 ------------------- 7 files changed, 50 insertions(+), 39 deletions(-) delete mode 100644 resources/istio/destinationrule-busola-backend.yaml create mode 100644 resources/istio/gateway.tpl.yaml create mode 100644 resources/istio/http_route.tpl.yaml delete mode 100644 resources/istio/virtualservice-busola.tpl.yaml diff --git a/README.md b/README.md index 9b2605374e..bf070c3eb6 100644 --- a/README.md +++ b/README.md @@ -186,10 +186,10 @@ To install busola on k8s cluster run: (cd resources && kustomize build base/ | kubectl apply -f- ) ``` -To install busola with istio gateway please prepare `DOMAIN`, go to `resources` and run: +To install busola using specific environment configuration, set `ENVIRONMENT` environment variable and run: ```shell -./apply-resources-istio.sh ${YOUR_DOMAIN} +(cd resources && kustomize build environments/${ENVIRONMENT} | kubectl apply -f- ) ``` ### Access busola installed on Kubernetes 
@@ -214,9 +214,13 @@ Install ingress resources by running: Then go to `localhost` -### Istio-ingress gateway +### Istio -TODO: access via istio ingress +To install Istio needed resources, prepare `DOMAIN`and run: + +```shell +(cd resources && ./apply-resources-istio.sh ${YOUR_DOMAIN}) +``` ## Troubleshooting diff --git a/resources/apply-resources-istio.sh b/resources/apply-resources-istio.sh index f1c10eade5..c9ed1a7579 100755 --- a/resources/apply-resources-istio.sh +++ b/resources/apply-resources-istio.sh @@ -7,12 +7,15 @@ if [ -z "$1" ] ; then fi export DOMAIN=$1 -export NAMESPACE=${2:-busola} -export ENVIRONMENT=$3 +export NAMESPACE=${2:-default} TMP_DIR="../temp/resources" -./apply-resources.sh "$@" -envsubst < "${TMP_DIR}"/istio/virtualservice-busola.tpl.yaml > "${TMP_DIR}"/istio/virtualservice-busola.yaml +mkdir -p "${TMP_DIR}" +cp -rf . "${TMP_DIR}" +#./apply-resources.sh "$@" + +envsubst < "${TMP_DIR}"/istio/gateway.tpl.yaml > "${TMP_DIR}"/istio/gateway.yaml +envsubst < "${TMP_DIR}"/istio/http_route.tpl.yaml > "${TMP_DIR}"/istio/http_route.yaml kubectl apply -k "${TMP_DIR}"/istio --namespace=$NAMESPACE diff --git a/resources/istio/destinationrule-busola-backend.yaml b/resources/istio/destinationrule-busola-backend.yaml deleted file mode 100644 index 2314cf3e16..0000000000 --- a/resources/istio/destinationrule-busola-backend.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: DestinationRule -metadata: - name: backend -spec: - host: backend - trafficPolicy: - tls: - mode: SIMPLE diff --git a/resources/istio/gateway.tpl.yaml b/resources/istio/gateway.tpl.yaml new file mode 100644 index 0000000000..81c151480b --- /dev/null +++ b/resources/istio/gateway.tpl.yaml 
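Review bot: The two new `envsubst` lines expand every `${VAR}` that appears in the templates from the caller's environment, not only `DOMAIN` and `NAMESPACE`, so any other variable reference in a template is silently replaced or blanked; restrict the substitution set with `envsubst '${DOMAIN} ${NAMESPACE}' < "${TMP_DIR}"/istio/gateway.tpl.yaml > "${TMP_DIR}"/istio/gateway.yaml` and the same for http_route. The commented-out `#./apply-resources.sh "$@"` is dead code and should be removed or explained, since the script no longer creates the namespace or applies the base resources it used to. `cp -rf . "${TMP_DIR}"` also never removes files left in `../temp/resources` by earlier runs, so the generated directory can accumulate stale manifests.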
@@ -0,0 +1,15 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: busola + namespace: ${NAMESPACE} +spec: + gatewayClassName: istio + listeners: + - name: http + hostname: ${DOMAIN} + port: 80 + protocol: HTTP + allowedRoutes: + namespaces: + from: Same diff --git a/resources/istio/http_route.tpl.yaml b/resources/istio/http_route.tpl.yaml new file mode 100644 index 0000000000..561356b426 --- /dev/null +++ b/resources/istio/http_route.tpl.yaml @@ -0,0 +1,18 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: httproute + namespace: ${NAMESPACE} +spec: + parentRefs: + - name: gateway + hostnames: ['${DOMAIN}'] + rules: + - matches: + - path: + type: PathPrefix + value: /headers + backendRefs: + - name: busola + namespace: ${NAMESPACE} + port: 3001 diff --git a/resources/istio/kustomization.yaml b/resources/istio/kustomization.yaml index ff3b2d8a2b..6a95032ae6 100644 --- a/resources/istio/kustomization.yaml +++ b/resources/istio/kustomization.yaml @@ -1,7 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - virtualservice-busola.yaml + - gateway.yaml + - http_route.yaml # Add the destinationrule for TLS into the backend pod. # This will tell the istio sidecar to use TLS to connect to the backend service. # For this to work, you need to enable TLS in the backend. See docs/install-kyma-dashboard-manually.md for more information. diff --git a/resources/istio/virtualservice-busola.tpl.yaml b/resources/istio/virtualservice-busola.tpl.yaml deleted file mode 100644 index f771f2e728..0000000000 --- a/resources/istio/virtualservice-busola.tpl.yaml +++ /dev/null 
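Review bot: The only listener on the new Gateway is `protocol: HTTP` on port 80, so Busola — which this series' README has users reach with a kubeconfig for the target cluster — would be served over cleartext at `${DOMAIN}` unless TLS is terminated somewhere in front of this Gateway, which the file does not say. Add an HTTPS listener referencing the certificate Secret and keep the HTTP listener only if it is needed for a redirect; the `allowedRoutes.namespaces.from: Same` restriction is good and should stay. The rewritten listener list is sketched below.
```yaml
  listeners:
    # … unchanged: http listener …
    - name: https
      hostname: ${DOMAIN}
      port: 443
      protocol: HTTPS
      tls:
        mode: Terminate
        certificateRefs:
          - name: <TLS_SECRET_NAME>  # placeholder: Secret holding the ${DOMAIN} certificate
      allowedRoutes:
        namespaces:
          from: Same
```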
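Review bot: `parentRefs` names a Gateway called `gateway`, but the Gateway created in the same commit (gateway.tpl.yaml) is named `busola`, so this HTTPRoute would never be attached; change the line to `- name: busola`. The single match `value: /headers` also looks like a leftover from a sample route — the README in this series says to open `localhost` directly after installing the ingress, i.e. Busola is served from the root — so the prefix should be `/` unless only one endpoint is meant to be exposed; change it to `value: /`. Consider a comment on `hostnames` noting that `${DOMAIN}` must match the Gateway listener's `hostname` for the route to be accepted.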
@@ -1,21 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: busola -spec: - hosts: - - $DOMAIN - gateways: - - kyma-system/kyma-gateway - http: - - name: 'backend-route' - match: - - uri: - prefix: '/backend' - route: - - destination: - host: backend.$NAMESPACE.svc.cluster.local - - name: 'web-route' - route: - - destination: - host: web.$NAMESPACE.svc.cluster.local From a99510703385460d2bad6c597d28a454118a6291 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Tue, 31 Dec 2024 15:07:38 +0100 Subject: [PATCH 10/31] finish readme and use api rule --- README.md | 43 ++++++++++++++++++++++----- resources/apply-resources-istio.sh | 21 ------------- resources/apply-resources.sh | 22 -------------- resources/base/busola/deployment.yaml | 1 + resources/ingress/ingress.yaml | 2 +- resources/istio/apirule.yaml | 15 ++++++++++ resources/istio/gateway.tpl.yaml | 15 ---------- resources/istio/http_route.tpl.yaml | 18 ----------- resources/istio/kustomization.yaml | 7 +---- 9 files changed, 54 insertions(+), 90 deletions(-) delete mode 100755 resources/apply-resources-istio.sh delete mode 100755 resources/apply-resources.sh create mode 100644 resources/istio/apirule.yaml delete mode 100644 resources/istio/gateway.tpl.yaml delete mode 100644 resources/istio/http_route.tpl.yaml diff --git a/README.md b/README.md index bf070c3eb6..c47b5529ee 100644 --- a/README.md +++ b/README.md 
@@ -178,23 +178,23 @@ For the information on how to run tests and configure them, go to the [`tests`]( docker run --rm -it -p 3001:3001 -v :/app/core-ui/environments/ --env ENVIRONMENT={your-env} --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest ``` -## Deploy busola in Kubernetes Cluster +## Deploy Busola in Kubernetes Cluster -To install busola on k8s cluster run: +To install Busola on k8s cluster run: ```shell (cd resources && kustomize build base/ | kubectl apply -f- ) ``` -To install busola using specific environment configuration, set `ENVIRONMENT` environment variable and run: +To install Busola using specific environment configuration, set `ENVIRONMENT` environment variable and run: ```shell (cd resources && kustomize build environments/${ENVIRONMENT} | kubectl apply -f- ) ``` -### Access busola installed on Kubernetes +### Access Busola installed on Kubernetes -You can access busola installed on Kubernetes in several ways, depends on how it's installed: +You can access Busola installed on Kubernetes in several ways, depends on how it's installed: ### Port-forward @@ -206,6 +206,10 @@ kubectl port-forward services/busola 3001:3001 ### K3d +Prerequisites: + +- K3d with installed Traefik, by default it's installed. + Install ingress resources by running: ```shell 
@@ -214,14 +218,39 @@ Install ingress resources by running: Then go to `localhost` +#### Connect to the k3d cluster where Busola is installed. + +To be able to connect to the same K3d cluster where Busola is installed download kubeconfig and change cluster server address to `https://kubernetes.default.svc:443`. + +Using shell: +Prepare name of your cluster and set `K3D_CLUSTER_NAME` shell environment variable with the name of the cluster then run: + +```shell +k3d kubeconfig get ${K3D_CLUSTER_NAME} > k3d-kubeconfig.yaml +yq --inplace '.clusters[].cluster.server = "https://kubernetes.default.svc:443"' k3d-kubeconfig.yaml +``` + ### Istio -To install Istio needed resources, prepare `DOMAIN`and run: +Prerequisites: + +- Sidecar Proxy injection enabled, see [Kyma Docs](https://kyma-project.io/#/istio/user/tutorials/01-40-enable-sidecar-injection?id=enable-istio-sidecar-proxy-injection), how to enable it. +- Api gateway module installed, see [Install docs](https://kyma-project.io/#/02-get-started/01-quick-install) + +Install Istio needed resources by running: ```shell -(cd resources && ./apply-resources-istio.sh ${YOUR_DOMAIN}) +(cd resources && kubectl apply -k istio) ``` +To get Busola address run: + +```shell +kubectl get virtualservices.networking.istio.io +``` + +and find `busola-***` virtual service. Under `HOSTS` there is address to access Busola page. + ## Troubleshooting > **TIP:** To solve most of the problems with Busola development, clear the browser cache or do a hard refresh of the website. diff --git a/resources/apply-resources-istio.sh b/resources/apply-resources-istio.sh deleted file mode 100755 index c9ed1a7579..0000000000 --- a/resources/apply-resources-istio.sh +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash -set -e - -if [ -z "$1" ] ; then - echo "No domain passed as first argument, aborting." - exit 1 -fi - -export DOMAIN=$1 -export NAMESPACE=${2:-default} -TMP_DIR="../temp/resources" - - -mkdir -p "${TMP_DIR}" -cp -rf . "${TMP_DIR}" -#./apply-resources.sh "$@" - -envsubst < "${TMP_DIR}"/istio/gateway.tpl.yaml > "${TMP_DIR}"/istio/gateway.yaml -envsubst < "${TMP_DIR}"/istio/http_route.tpl.yaml > "${TMP_DIR}"/istio/http_route.yaml - -kubectl apply -k "${TMP_DIR}"/istio --namespace=$NAMESPACE diff --git a/resources/apply-resources.sh b/resources/apply-resources.sh deleted file mode 100755 index 14739fa646..0000000000 --- a/resources/apply-resources.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -set -e - -if [ -z "$1" ] ; then - echo "No domain passed as first argument, aborting." - exit 1 -fi - -export DOMAIN=$1 -NAMESPACE=${2:-busola} -export ENVIRONMENT=$3 -TMP_DIR="../temp/resources" - - -mkdir -p "${TMP_DIR}" -cp -rf . "${TMP_DIR}" - -kubectl create namespace "${NAMESPACE}" || true -kubectl apply -k "${TMP_DIR}/environments/${ENVIRONMENT}" --namespace="${NAMESPACE}" - -envsubst < "${TMP_DIR}"/ingress/ingress.tpl.yaml > "${TMP_DIR}"/ingress/ingress.yaml -kubectl apply -k "${TMP_DIR}"/ingress --namespace=$NAMESPACE diff --git a/resources/base/busola/deployment.yaml b/resources/base/busola/deployment.yaml index 7136c300c4..a8f7ae0a70 100644 --- a/resources/base/busola/deployment.yaml +++ b/resources/base/busola/deployment.yaml @@ -37,6 +37,7 @@ spec: volumes: - name: config configMap: + optional: true name: busola-config items: - key: config diff --git a/resources/ingress/ingress.yaml b/resources/ingress/ingress.yaml index 016674bf86..c3f74defff 100644 --- a/resources/ingress/ingress.yaml +++ b/resources/ingress/ingress.yaml @@ -1,7 +1,7 @@ kind: Ingress apiVersion: networking.k8s.io/v1 metadata: - name: ingress-busola + name: busola spec: rules: - http: 
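Review bot: Marking the `busola-config` ConfigMap volume `optional: true` means the pod now starts even when the ConfigMap is absent or its name is misspelled, and the container then sees an empty config mount instead of the pod failing at creation; that trade-off deserves a comment next to the flag, e.g. `# optional: the pod starts without busola-config (defaults apply); a missing or misnamed ConfigMap is no longer surfaced at pod creation`. The `items:`/`key: config` mapping continues outside the hunk, so whether a missing key inside an existing ConfigMap is also tolerated cannot be judged from here.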
diff --git a/resources/istio/apirule.yaml b/resources/istio/apirule.yaml new file mode 100644 index 0000000000..203e3a74d7 --- /dev/null +++ b/resources/istio/apirule.yaml @@ -0,0 +1,15 @@ +apiVersion: gateway.kyma-project.io/v2alpha1 +kind: APIRule +metadata: + name: busola +spec: + gateway: kyma-system/kyma-gateway + hosts: + - busola + service: + name: busola + port: 3001 + rules: + - path: /{**} + methods: ['GET'] + noAuth: true diff --git a/resources/istio/gateway.tpl.yaml b/resources/istio/gateway.tpl.yaml deleted file mode 100644 index 81c151480b..0000000000 --- a/resources/istio/gateway.tpl.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: busola - namespace: ${NAMESPACE} -spec: - gatewayClassName: istio - listeners: - - name: http - hostname: ${DOMAIN} - port: 80 - protocol: HTTP - allowedRoutes: - namespaces: - from: Same diff --git a/resources/istio/http_route.tpl.yaml b/resources/istio/http_route.tpl.yaml deleted file mode 100644 index 561356b426..0000000000 --- a/resources/istio/http_route.tpl.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: httproute - namespace: ${NAMESPACE} -spec: - parentRefs: - - name: gateway - hostnames: ['${DOMAIN}'] - rules: - - matches: - - path: - type: PathPrefix - value: /headers - backendRefs: - - name: busola - namespace: ${NAMESPACE} - port: 3001 diff --git a/resources/istio/kustomization.yaml b/resources/istio/kustomization.yaml index 6a95032ae6..579346e571 100644 --- a/resources/istio/kustomization.yaml +++ b/resources/istio/kustomization.yaml 
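Review bot: `noAuth: true` publishes the `busola` service through `kyma-system/kyma-gateway` with no gateway-level authentication, and nothing in the file records why that is acceptable; add a comment above the rule such as `# noAuth: no gateway-level auth; cluster access is expected to be governed by the kubeconfig the user supplies in Busola — confirm for each environment` so the decision reads as deliberate rather than as an oversight. `methods: ['GET']` restricts the whole `/{**}` path to GET, so if the same service also proxies the browser's non-GET requests to a cluster, those would be rejected at the gateway — confirm how the backend is reached and widen the list only if that is the case. `hosts: - busola` is a short name; the README in this series says to look for a `busola-***` VirtualService to find the real host, so presumably the API Gateway module expands it, which is worth a one-line comment here.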
@@ -1,9 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - gateway.yaml - - http_route.yaml - # Add the destinationrule for TLS into the backend pod. - # This will tell the istio sidecar to use TLS to connect to the backend service. - # For this to work, you need to enable TLS in the backend. See docs/install-kyma-dashboard-manually.md for more information. - # - destinationrule-busola-backend.yaml + - apirule.yaml From b5e436e940a2dc1b76aef737007b5608cdb7bb0f Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Tue, 31 Dec 2024 15:09:23 +0100 Subject: [PATCH 11/31] improve docs --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c47b5529ee..ac1212a5cb 100644 --- a/README.md +++ b/README.md @@ -192,9 +192,9 @@ To install Busola using specific environment configuration, set `ENVIRONMENT` en (cd resources && kustomize build environments/${ENVIRONMENT} | kubectl apply -f- ) ``` -### Access Busola installed on Kubernetes +## Access Busola installed on Kubernetes -You can access Busola installed on Kubernetes in several ways, depends on how it's installed: +You can access Busola installed on Kubernetes in several ways, depends on how cluster is configured. ### Port-forward From bfb83217e4b1d8481718c51119ec69d0326f7461 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Tue, 31 Dec 2024 15:12:28 +0100 Subject: [PATCH 12/31] remove not needed env --- start_node.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/start_node.sh b/start_node.sh index 115b30817a..e0c5625b2c 100755 --- a/start_node.sh +++ b/start_node.sh @@ -1,4 +1,3 @@ #!/bin/sh echo ENVIRONMENT="${ENVIRONMENT}" > /app/core-ui/active.env -echo BACKEND_URL="${BACKEND_URL}" >> /app/core-ui/active.env node backend-production.js From 575acccb2fceacdf7b9bdd6ae66ad650c9669773 Mon Sep 17 00:00:00 2001 
From: Damian Badura Date: Thu, 2 Jan 2025 14:38:30 +0100 Subject: [PATCH 13/31] improve readme --- README.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index ac1212a5cb..570889c6c2 100644 --- a/README.md +++ b/README.md @@ -180,13 +180,13 @@ For the information on how to run tests and configure them, go to the [`tests`]( ## Deploy Busola in Kubernetes Cluster -To install Busola on k8s cluster run: +To install Busola on Kubernetes cluster run: ```shell (cd resources && kustomize build base/ | kubectl apply -f- ) ``` -To install Busola using specific environment configuration, set `ENVIRONMENT` environment variable and run: +To install Busola using specific environment configuration, set `ENVIRONMENT` shell environment variable and run: ```shell (cd resources && kustomize build environments/${ENVIRONMENT} | kubectl apply -f- ) @@ -194,17 +194,15 @@ To install Busola using specific environment configuration, set `ENVIRONMENT` en ## Access Busola installed on Kubernetes -You can access Busola installed on Kubernetes in several ways, depends on how cluster is configured. +### Kubectl -### Port-forward - -Use port-forward +The simplest method which always works is to use capabilities of `kubectl`. ```shell kubectl port-forward services/busola 3001:3001 ``` -### K3d +### Busola installed on K3d Prerequisites: 
@@ -216,26 +214,27 @@ Install ingress resources by running:
 (cd resources && kubectl apply -f ingress/ingress.yaml)
 ```
-Then go to `localhost`
+Go to `localhost`
 #### Connect to the k3d cluster where Busola is installed.
-To be able to connect to the same K3d cluster where Busola is installed download kubeconfig and change cluster server address to `https://kubernetes.default.svc:443`.
+To be able to connect to the same K3d cluster where Busola is installed.
+Download kubeconfig and change cluster server address to `https://kubernetes.default.svc:443`.
 Using shell:
-Prepare name of your cluster and set `K3D_CLUSTER_NAME` shell environment variable with the name of the cluster then run:
+Set `K3D_CLUSTER_NAME` shell environment variable to name of your cluster.
 ```shell
 k3d kubeconfig get ${K3D_CLUSTER_NAME} > k3d-kubeconfig.yaml
 yq --inplace '.clusters[].cluster.server = "https://kubernetes.default.svc:443"' k3d-kubeconfig.yaml
 ```
-### Istio
+### Kubernetes cluster with Istio installed
 Prerequisites:
-- Sidecar Proxy injection enabled, see [Kyma Docs](https://kyma-project.io/#/istio/user/tutorials/01-40-enable-sidecar-injection?id=enable-istio-sidecar-proxy-injection), how to enable it.
-- Api gateway module installed, see [Install docs](https://kyma-project.io/#/02-get-started/01-quick-install)
+- Sidecar Proxy injection enabled, see [Kyma docs](https://kyma-project.io/#/istio/user/tutorials/01-40-enable-sidecar-injection?id=enable-istio-sidecar-proxy-injection), how to enable it.
+- Api gateway module installed, see [install docs](https://kyma-project.io/#/02-get-started/01-quick-install)
 Install Istio needed resources by running:

From c342b157659bc54b28c7eeb4e2384ebc6067a001 Mon Sep 17 00:00:00 2001
From: Damian Badura
Date: Fri, 3 Jan 2025 11:13:28 +0100
Subject: [PATCH 14/31] revert deletion of validation schemas

---
 .../rule-sets/datree/rules.yaml | 3898 +++++++++++++++++
 .../rule-sets/default/policies.yaml | 66 +
 .../policies.yaml | 55 +
 .../rules.yaml | 679 +++
 resource-validation/rulesetSchema.json | 85 +
 vite.config.mts | 4 +-
 vitest.config.js | 1 +
 7 files changed, 4786 insertions(+), 2 deletions(-)
 create mode 100644 resource-validation/rule-sets/datree/rules.yaml
 create mode 100644 resource-validation/rule-sets/default/policies.yaml
 create mode 100644 resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml
 create mode 100644 resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml
 create mode 100644 resource-validation/rulesetSchema.json

diff --git a/resource-validation/rule-sets/datree/rules.yaml b/resource-validation/rule-sets/datree/rules.yaml
new file mode 100644
index 0000000000..d2d5520996
--- /dev/null
+++ b/resource-validation/rule-sets/datree/rules.yaml
@@ -0,0 +1,3898 @@
+# This file contains parts from the project datreeio https://github.com/datreeio/datree/blob/main/pkg/defaultRules/defaultRules.yaml available under Appache License 2.0
+# Copyright (c) Original author(s) @ https://github.com/datreeio/datree Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Modifications Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved.
+ +# for autocompletion in VS Code +apiVersion: v1 +aliases: + - &standardKinds + properties: + kind: + enum: + - Deployment + - Pod + - DaemonSet + - StatefulSet + - ReplicaSet + - CronJob + - Job + - ¬KindSecret + properties: + kind: + not: + enum: + - Secret + # The following alias is used to prohibit a string from matching a given regex anywhere in the manifest + # make sure to use the $ref "#/definitions/regexes" in the schema definition to populate the regexes variable + - &recursiveDontAllowValue + type: object + additionalProperties: + if: + type: object + then: + '$ref': '#' + else: + if: + type: array + then: + items: + if: + type: object + then: + '$ref': '#' + else: + if: + type: string + then: + not: + '$ref': '#/definitions/regexes' + else: + if: + type: string + then: + not: + '$ref': '#/definitions/regexes' +rules: + - id: 1 + name: Ensure each container image has a pinned (tag) version + uniqueName: CONTAINERS_MISSING_IMAGE_VALUE_VERSION + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-image-pinned-version' + messageOnFailure: Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future + categories: + - cdk8s + complexity: easy + impact: When the version tag is missing, every time that the image is pulled it pulls the latest version which may break your code + schema: + definitions: + imageValuePattern: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + image: + # catch all strings with image tag version + pattern: "\\@sha.*|:(\\w|\\.|\\-)+$" + not: + # ignore `latest` as image tag version + pattern: '.*:(latest|LATEST)$' + allOf: + - $ref: '#/definitions/imageValuePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 2 + name: Ensure each container has a configured memory request + uniqueName: CONTAINERS_MISSING_MEMORY_REQUEST_KEY + enabledByDefault: true + 
documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-memory-request' + messageOnFailure: 'Missing property object `requests.memory` - value should be within the accepted boundaries recommended by the organization' + categories: + - Resources + complexity: hard + impact: Memory requests allow you to use memory resources efficiently and allocate a guaranteed minimum of computing resources for the pods running in your cluster + schema: + definitions: + memoryRequestPattern: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + resources: + properties: + requests: + type: object + properties: + memory: + type: + - string + - number + required: + - memory + required: + - requests + required: + - resources + allOf: + - $ref: '#/definitions/memoryRequestPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 3 + name: Ensure each container has a configured CPU request + uniqueName: CONTAINERS_MISSING_CPU_REQUEST_KEY + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cpu-request' + messageOnFailure: 'Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization' + categories: + - Resources + complexity: hard + impact: CPU requests allow you to use CPU resources efficiently and to allocate a guaranteed minimum of computing resources for the pods running in your cluster + schema: + definitions: + cpuRequestPattern: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + resources: + properties: + requests: + type: object + properties: + cpu: + type: + - string + - number + required: + - cpu + required: + - requests + required: + - resources + allOf: + - $ref: '#/definitions/cpuRequestPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 4 + name: Ensure each container has a configured memory limit + 
uniqueName: CONTAINERS_MISSING_MEMORY_LIMIT_KEY + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-memory-limit' + messageOnFailure: 'Missing property object `limits.memory` - value should be within the accepted boundaries recommended by the organization' + categories: + - Resources + complexity: hard + impact: Without memory limits, the pods running in your cluster will not have a restriction on the max amount of memory consumption, which may result with OOM failures + schema: + definitions: + memoryLimitPattern: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + resources: + properties: + limits: + type: object + properties: + memory: + type: + - string + - number + required: + - memory + required: + - limits + required: + - resources + allOf: + - $ref: '#/definitions/memoryLimitPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 5 + name: Ensure each container has a configured CPU limit + uniqueName: CONTAINERS_MISSING_CPU_LIMIT_KEY + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cpu-limit' + messageOnFailure: 'Missing property object `limits.cpu` - value should be within the accepted boundaries recommended by the organization' + categories: + - Resources + complexity: hard + impact: Without CPU limits, the pods running in your cluster will not have a restriction on the max amount of CPU consumption, which may cause starvation of other pods in the same node + schema: + definitions: + cpuLimitPattern: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + resources: + properties: + limits: + type: object + properties: + cpu: + type: + - string + - number + required: + - cpu + required: + - limits + required: + - resources + allOf: + - $ref: '#/definitions/cpuLimitPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - 
id: 6 + name: 'Prevent Ingress from forwarding all traffic to a single container' + uniqueName: 'INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-ingress-forwarding-traffic-to-single-container' + messageOnFailure: 'Incorrect value for key `host` - specify host instead of using a wildcard character ("*")' + categories: + - cdk8s + complexity: medium + impact: Misconfiguring the ingress host can cause all traffic to be forwarded to a single pod instead of leveraging load-balancing capabilities + schema: + if: + properties: + kind: + enum: + - Ingress + then: + properties: + spec: + properties: + rules: + type: array + items: + properties: + host: + type: string + not: + enum: + - '*' + - id: 7 + name: Prevent Service from exposing node port + uniqueName: SERVICE_INCORRECT_TYPE_VALUE_NODEPORT + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-node-port' + messageOnFailure: 'Incorrect value for key `type` - `NodePort` will open a port on all nodes where it can be reached by the network external to the cluster' + categories: + - Other + complexity: easy + impact: Exposing a NodePort will open a network port on all nodes to be reached by the cluster's external network, which poses a security threat + schema: + if: + properties: + kind: + enum: + - Service + then: + properties: + spec: + properties: + type: + type: string + not: + enum: + - 'NodePort' + - id: 8 + name: Ensure CronJob scheduler is valid + uniqueName: CRONJOB_INVALID_SCHEDULE_VALUE + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cronjob-scheduler-valid' + messageOnFailure: 'Incorrect value for key `schedule` - the (cron) schedule expressions is not valid and, therefore, will not work as expected' + categories: + - cdk8s + complexity: easy + impact: An invalid cron schedule expression will prevent your jobs from being executed + schema: + if: + 
properties: + kind: + enum: + - 'CronJob' + then: + properties: + spec: + properties: + schedule: + # use cases to test the regex - https://regex101.com/r/K4d7Ju/1 + pattern: (^((\*\/)?([0-5]?[0-9])((\,|\-|\/)([0-5]?[0-9]))*|\*)\s+((\*\/)?((2[0-3]|1[0-9]|[0-9]|00))((\,|\-|\/)(2[0-3]|1[0-9]|[0-9]|00))*|\*)\s+((\*\/)?([1-9]|[12][0-9]|3[01])((\,|\-|\/)([1-9]|[12][0-9]|3[01]))*|\*)\s+((\*\/)?([1-9]|1[0-2])((\,|\-|\/)([1-9]|1[0-2]))*|\*|(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|des))\s+((\*\/)?[0-6]((\,|\-|\/)[0-6])*|\*|00|(sun|mon|tue|wed|thu|fri|sat))\s*$)|@(annually|yearly|monthly|weekly|daily|hourly|reboot) + - id: 9 + name: Ensure workload has valid label values + uniqueName: WORKLOAD_INVALID_LABELS_VALUE + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-labels-value-valid' + messageOnFailure: "Incorrect value for key(s) under `labels` - the value's syntax is not valid so the Kubernetes engine will not accept it" + categories: + - cdk8s + complexity: easy + impact: If an object's labels do not follow Kubernetes label syntax requirements, it will not be applied properly + schema: + if: *standardKinds + then: + properties: + metadata: + properties: + labels: + patternProperties: + ^.*$: + format: hostname + additionalProperties: false + - id: 10 + name: 'Ensure deployment-like resource is using a valid restart policy' + uniqueName: 'WORKLOAD_INCORRECT_RESTARTPOLICY_VALUE_ALWAYS' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-valid-restart-policy' + messageOnFailure: 'Incorrect value for key `restartPolicy` - any other value than `Always` is not supported by this resource' + categories: + - cdk8s + complexity: easy + impact: A workload with a 'restartPolicy' value other than 'Always' is invalid and will not be applied properly + schema: + if: + properties: + kind: + enum: + - Deployment + - ReplicaSet + - DaemonSet + - ReplicationController + then: + properties: + spec: + properties: 
+ template: + properties: + spec: + properties: + restartPolicy: + enum: + - 'Always' + - id: 11 + name: Ensure each container has a configured liveness probe + uniqueName: CONTAINERS_MISSING_LIVENESSPROBE_KEY + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-liveness-probe' + messageOnFailure: 'Missing property object `livenessProbe` - add a properly configured livenessProbe to catch possible deadlocks' + categories: + - Probes + complexity: hard + impact: When liveness probes aren't set, Kubernetes can't determine when a pod should be restarted, which can result with an unavailable application + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + items: + required: + - livenessProbe + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 12 + name: Ensure each container has a configured readiness probe + uniqueName: CONTAINERS_MISSING_READINESSPROBE_KEY + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-readiness-probe' + messageOnFailure: 'Missing property object `readinessProbe` - add a properly configured readinessProbe to notify kubelet your Pods are ready for traffic' + categories: + - Probes + complexity: hard + impact: Readiness probes allow Kubernetes to determine when a pod is ready to accept traffic. 
This ensures that client requests will not be routed to pods that are unable to process them + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + items: + required: + - readinessProbe + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 13 + name: Ensure HPA has minimum replicas configured + uniqueName: HPA_MISSING_MINREPLICAS_KEY + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-hpa-minimum-replicas' + messageOnFailure: 'Missing property object `minReplicas` - the value should be within the accepted boundaries recommended by the organization' + categories: + - Other + complexity: medium + impact: The minimum replicas range must be set to prevent unintended scaling down scenarios + schema: + if: + properties: + kind: + enum: + - HorizontalPodAutoscaler + then: + properties: + spec: + required: + - minReplicas + - id: 14 + name: Ensure HPA has maximum replicas configured + uniqueName: HPA_MISSING_MAXREPLICAS_KEY + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-hpa-maximum-replicas' + messageOnFailure: 'Missing property object `maxReplicas` - the value should be within the accepted boundaries recommended by the organization' + categories: + - Other + complexity: medium + impact: The maximum replicas range must be set to prevent unintended scaling up scenarios + schema: + if: + properties: + kind: + enum: + - HorizontalPodAutoscaler + then: + properties: + spec: + required: + - maxReplicas + - id: 15 + name: Prevent workload from using the default namespace + uniqueName: WORKLOAD_INCORRECT_NAMESPACE_VALUE_DEFAULT + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deafult-namespce' + messageOnFailure: Incorrect value for key `namespace` - use an explicit namespace instead of the default one (`default`) + categories: + 
- cdk8s + - CIS + complexity: medium + impact: All objects that do not specify an explicit namespace will be applied to the 'default' namespace. This can cause a messy cluster with configuration overlaps + schema: + if: *standardKinds + then: + properties: + metadata: + properties: + namespace: + not: + enum: + - 'default' + - id: 16 + name: 'Ensure Deployment has more than one replica configured' + uniqueName: 'DEPLOYMENT_INCORRECT_REPLICAS_VALUE' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-minimum-two-replicas' + messageOnFailure: 'Incorrect value for key `replicas` - running 2 or more replicas will increase the availability of the service' + categories: + - cdk8s + complexity: medium + impact: When running two or more replicas per service, you are increasing the availability of the containerized service by not relying on a single pod to do all of the work + schema: + if: + properties: + kind: + enum: + - Deployment + then: + properties: + spec: + properties: + replicas: + minimum: 2 + - id: 17 + name: 'Ensure CronJob has a configured deadline' + uniqueName: 'CRONJOB_MISSING_STARTINGDEADLINESECOND_KEY' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-cronjob-deadline' + messageOnFailure: 'Missing property object `startingDeadlineSeconds` - set a time limit to the cron execution to allow killing it if exceeded' + categories: + - Other + complexity: medium + impact: Setting a deadline can reduce the number of missed schedules needed to mark a CronJob as a failure while also increasing its reliability + schema: + if: + properties: + kind: + enum: + - CronJob + then: + properties: + spec: + properties: + startingDeadlineSeconds: + type: number + required: + - startingDeadlineSeconds + - id: 18 + name: 'Prevent deprecated APIs in Kubernetes v1.16' + uniqueName: 'K8S_DEPRECATED_APIVERSION_1.16' + enabledByDefault: true + documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-deprecated-k8s-api-116' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version you are trying to use is not supported by the Kubernetes cluster version (>=1.16)' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - apiextensions.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CustomResourceDefinition + - if: + properties: + apiVersion: + enum: + - admissionregistration.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - MutatingWebhookConfiguration + - ValidatingWebhookConfiguration + - id: 19 + name: 'Prevent deprecated APIs in Kubernetes v1.17' + uniqueName: 'K8S_DEPRECATED_APIVERSION_1.17' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-k8s-api-117' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version you are trying to use is not supported by the Kubernetes cluster version (>=1.17)' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - rbac.authorization.k8s.io/v1alpha1 + then: + properties: + kind: + not: + enum: + - ClusterRoleBinding + - ClusterRole + - ClusterRoleBindingList + - ClusterRoleList + - Role + - RoleBinding + - RoleList + - RoleBindingList + - if: + properties: + apiVersion: + enum: + - rbac.authorization.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - ClusterRoleBinding + - ClusterRole + - ClusterRoleBindingList + - ClusterRoleList + - Role + - RoleBinding + - RoleList + - RoleBindingList + - if: + properties: + apiVersion: + enum: + - storage.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CSINode + - id: 20 + name: 'Prevent containers from 
having root access capabilities' + uniqueName: 'CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-privileged-containers' + messageOnFailure: 'Incorrect value for key `privileged` - this mode will allow the container the same access as processes running on the host' + categories: + - CIS + complexity: easy + impact: Processes running in privileged containers have access to host-level resources such as the file system. These containers are much more secure when their access is limited to the pod level + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + privileged: + not: + enum: + - true + - 'true' + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 21 + name: Ensure workload has a configured `owner` label + uniqueName: WORKLOAD_MISSING_LABEL_OWNER_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-owner-label' + messageOnFailure: 'Missing label object `owner` - add a proper owner label to know which person/team to ping when needed' + categories: + - Other + complexity: easy + impact: An owner label is great for financial and operational ownership, and makes it easier to alert the relevant team or team member when necessary + schema: + if: *standardKinds + then: + properties: + metadata: + properties: + labels: + required: + - owner + - id: 22 + name: Ensure Deployment has a configured `env` label + uniqueName: DEPLOYMENT_MISSING_LABEL_ENV_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-env-label' + messageOnFailure: 'Missing label object `env` - add a proper environment description (e.g. "prod", "testing", etc.) 
to the Deployment config' + categories: + - Other + complexity: easy + impact: Having an env label is useful for performing bulk operations in specific environments or for filtering Deployments according to their stage + schema: + if: + properties: + kind: + enum: + - Deployment + then: + properties: + metadata: + properties: + labels: + required: + - env + required: + - labels + required: + - metadata + - id: 23 + name: Ensure each container image has a digest tag + uniqueName: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-digest-tag' + messageOnFailure: 'Incorrect value for key `image` - add a digest tag (starts with `@sha256:`) to represent an immutable version of the image' + categories: + - Other + complexity: medium + impact: The digest uniquely identifies a specific version sha of the image, so it will never be tampered + schema: + definitions: + imageValuePattern: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + image: + pattern: .*\@sha256\:\S{64}$ + allOf: + - $ref: '#/definitions/imageValuePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 24 + name: 'Prevent CronJob from executing jobs concurrently' + uniqueName: 'CRONJOB_MISSING_CONCURRENCYPOLICY_KEY' + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-cronjob-concurrency' + messageOnFailure: Missing property object `concurrencyPolicy` - the behavior will be more deterministic if jobs won't run concurrently + categories: + - Other + complexity: easy + impact: Preventing your CronJobs from running concurrently will cause their behavior to be more deterministic and avoid race conditions + schema: + if: + properties: + kind: + enum: + - CronJob + then: + properties: + spec: + properties: + concurrencyPolicy: + enum: + - 'Forbid' + - 'Replace' + required: + - concurrencyPolicy + - id: 25 + name: 
'Prevent deploying naked pods' + uniqueName: 'K8S_INCORRECT_KIND_VALUE_POD' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-naked-pods' + messageOnFailure: Incorrect value for key `kind` - raw pod won't be rescheduled in the event of a node failure + categories: + - cdk8s + complexity: medium + impact: Pods not created by workload controllers such as Deployments have no self-healing or scaling abilities and are unsuitable for production + schema: + properties: + kind: + type: string + not: + enum: + - 'Pod' + - id: 26 + name: Prevent containers from sharing the host's PID namespace + uniqueName: 'CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-using-host-pid' + messageOnFailure: Incorrect value for key `hostPID` - running on the host's PID namespace enables access to sensitive information from processes running outside the container + categories: + - CIS + complexity: easy + impact: When a container is allowed to share its hosts PID namespace, it can see and may even kill processes running on the host outside of the container + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + hostPID: + not: + enum: + - true + - 'true' + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 27 + name: 'Prevent containers from sharing the host`s IPC namespace' + uniqueName: 'CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-using-host-ipc' + messageOnFailure: 'Incorrect value for key `hostIPC` - running on the host`s IPC namespace can be (maliciously) used to interact with other processes running outside the container' + categories: + - CIS + complexity: easy + impact: When a container is allowed to share its host's IPC namespace, it has access to other 
processes running outside of the container + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + hostIPC: + not: + enum: + - true + - 'true' + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 28 + name: Prevent containers from sharing the host's network namespace + uniqueName: 'CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-using-host-network' + messageOnFailure: Incorrect value for key `hostNetwork` - running on the host's network namespace can allow a compromised container to sniff network traffic + categories: + - CIS + complexity: easy + impact: When a container is allowed to share its host's network namespace, it can leverage the host's local network to do malicious stuff + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + hostNetwork: + not: + enum: + - true + - 'true' + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 29 + name: 'Prevent containers from accessing host files by using high UIDs' + uniqueName: 'CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-uid-conflicts' + messageOnFailure: 'Incorrect value for key `runAsUser` - value should be above 9999 to reduce the likelihood that the UID is already taken' + categories: + - NSA + complexity: medium + impact: With a high UID number, a container is blocked from accessing host-based files even if it manages to gain access to a host's file system + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + runAsUser: + minimum: 10000 + allOf: + - $ref: 
'#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 30 + name: 'Prevent containers from mounting Docker socket' + uniqueName: 'CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-mounting-docker-socket' + messageOnFailure: 'Incorrect value for key `path` - avoid mounting the docker.socket because it can allow container breakout' + categories: + - Other + complexity: medium + impact: When a container has access to the Docker socket, it can effectively manage other containers on the host + schema: + definitions: + specContainers: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + properties: + volumeMounts: + type: array + items: + properties: + mountPath: + not: + enum: + - '/var/run/docker.sock' + specVolumes: + if: *standardKinds + then: + properties: + spec: + properties: + volumes: + type: array + items: + properties: + hostPath: + properties: + path: + not: + enum: + - '/var/run/docker.sock' + allOf: + - $ref: '#/definitions/specContainers' + - $ref: '#/definitions/specVolumes' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 31 + name: 'Prevent ConfigMap security vulnerability (CVE-2021-25742)' + uniqueName: 'CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-configmap-security-vulnerability-cve-2021-25742' + messageOnFailure: Missing property object `allow-snippet-annotations` - set it to "false" to override default behaviour + categories: + - CVE + complexity: easy + impact: Users with the ability to create or update NGINX ingress objects can use the custom snippets feature to obtain secrets in the cluster + schema: + if: + properties: + kind: + enum: + - ConfigMap + metadata: + anyOf: + - properties: + name: + enum: + - nginx-config + - nginx-conf + - 
ingress-nginx-controller + required: + - name + - properties: + namespace: + enum: + - ingress-nginx + - nginx-ingress + required: + - namespace + then: + properties: + data: + properties: + allow-snippet-annotations: + enum: + - 'false' + required: + - allow-snippet-annotations + required: + - data + - id: 32 + name: 'Prevent Ingress security vulnerability (CVE-2021-25742)' + uniqueName: 'INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-ingress-security-vulnerability-cve-2021-25742' + messageOnFailure: Forbidden property object `server-snippet` - ingress-nginx custom snippets are not allowed + categories: + - CVE + complexity: easy + impact: A vulnerability has been found that when exploited, attackers can use the custom snippets feature to obtain all secrets in the cluster + schema: + if: + properties: + kind: + enum: + - Ingress + then: + properties: + metadata: + properties: + annotations: + propertyNames: + not: + pattern: ^.*server-snippet$ + - id: 33 + name: 'Prevent container security vulnerability (CVE-2021-25741)' + uniqueName: 'CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-container-security-vulnerability-cve-2021-25741' + messageOnFailure: Forbidden property object `subPath` - malicious users can gain access to files & directories outside of the volume + categories: + - CVE + complexity: hard + impact: A vulnerability has been found that when exploited, attackers can gain access to the host filesystem and compromise the cluster + schema: + definitions: + subPathPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + volumeMounts: + type: array + items: + propertyNames: + not: + pattern: ^subPath$ + allOf: + - $ref: '#/definitions/subPathPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 34 + name: 
'Prevent EndpointSlice security vulnerability (CVE-2021-25737)' + uniqueName: 'ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE' + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-endpointslice-validation-from-enabling-host-network-hijack-cve-2021-25737' + messageOnFailure: Incorrect value for key `addresses` - IP address is within vulnerable ranges (127.0.0.0/8 and 169.254.0.0/16) + categories: + - CVE + complexity: hard + impact: A vulnerability has been found that when exploited, attackers can hijack your cluster’s network traffic, potentially leading to sensitive data leaks + schema: + if: + properties: + kind: + enum: + - EndpointSlice + then: + properties: + endpoints: + type: array + items: + properties: + addresses: + type: array + items: + not: + anyOf: + - pattern: ^(169\.254\.) + - pattern: ^(127\.) + - id: 35 + name: 'Ensure Workflow DAG fail-fast on node failure' + uniqueName: 'ARGO_WORKFLOW_INCORRECT_FAILFAST_VALUE_FALSE' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-workflow-dag-fail-fast-on-node-failure + messageOnFailure: Incorrect value for key `failFast` - value should be `true` to prevent DAG from running on all branches, regardless of the failed outcomes of the DAG branches + categories: + - Argo + complexity: easy + impact: When failFast is set to false, it will allow a DAG to run all branches of the DAG to completion, regardless of the failed outcomes of branches in the DAG + schema: + if: + properties: + kind: + enum: + - Workflow + spec: + properties: + templates: + type: array + items: + properties: + dag: + properties: + failFast: + required: + - failFast + then: + properties: + spec: + properties: + templates: + type: array + items: + properties: + dag: + properties: + failFast: + const: true + - id: 36 + name: 'Prevent Workflow pods from using the default service account' + uniqueName: 'ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT' + 
enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/prevent-workflow-pods-from-using-the-default-service-account + messageOnFailure: Incorrect value for key `serviceAccountName` - when set to `default` container is exposed to possible attacks + categories: + - Argo + complexity: hard + impact: When serviceAccount is set to default, the workflow is able to interact with the Kubernetes API server, which creates a great way for attackers with access to a single container to abuse K8s + schema: + if: + properties: + kind: + enum: + - WorkflowTemplate + - Workflow + then: + properties: + spec: + properties: + serviceAccountName: + type: string + not: + const: default + required: + - serviceAccountName + - id: 37 + name: 'Ensure ConfigMap is recognized by ArgoCD' + uniqueName: 'ARGO_CONFIGMAP_MISSING_PART_OF_LABEL_VALUE_ARGOCD' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-configmap-is-recognized-by-argocd + messageOnFailure: Incorrect value for annotation `app.kubernetes.io/part-of` - value should be `argocd`, or ArgoCD won't recognize this resource + categories: + - Argo + complexity: easy + impact: 'A relevant ConfigMap resource that isn’t labeled with app.kubernetes.io/part-of: argocd will not be used by Argo CD' + schema: + if: + properties: + kind: + enum: + - ConfigMap + metadata: + properties: + name: + enum: + - argocd-tls-certs-cm + - argocd-rbac-cm + - argocd-ssh-known-hosts-cm + - argocd-cmd-params-cm + - argocd-cm + then: + properties: + metadata: + properties: + labels: + properties: + app.kubernetes.io/part-of: + type: string + const: argocd + required: + - app.kubernetes.io/part-of + - id: 38 + name: 'Ensure Rollout pause step has a configured duration' + uniqueName: 'ARGO_ROLLOUT_MISSING_PAUSE_DURATION' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-rollout-pause-step-has-a-configured-duration + messageOnFailure: Missing the key `duration` 
- prevent the rollout from waiting indefinitely for the pause condition + categories: + - Argo + complexity: easy + impact: If the duration field within the pause struct isn't set, the rollout will wait indefinitely until that Pause condition is removed + schema: + if: + properties: + kind: + enum: + - Rollout + then: + properties: + spec: + properties: + strategy: + properties: + canary: + type: object + properties: + steps: + type: array + items: + properties: + pause: + type: object + properties: + duration: + type: string + required: + - duration + - id: 39 + name: 'Ensure Application and AppProject are part of the argocd namespace' + uniqueName: 'ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-application-and-appproject-are-part-of-the-argocd-namespace + messageOnFailure: Incorrect value for property `namespace` - Application and AppProject have to be installed on the argocd namespace + categories: + - Argo + complexity: easy + impact: Application and AppProject instances, must be installed in the same namespace where argo was installed to be recognized by Argo + schema: + if: + properties: + kind: + enum: + - Application + - AppProject + then: + properties: + metadata: + properties: + namespace: + type: string + const: argocd + required: + - namespace + - id: 40 + name: 'Prevent Workflow from having an empty retry strategy' + uniqueName: 'ARGO_WORKFLOW_INCORRECT_RETRY_STRATEGY_VALUE_EMPTY' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/prevent-workflow-from-having-an-empty-retry-strategy + messageOnFailure: Incorrect value for key `retryStrategy` - empty value (`{}`) can cause failed/errored steps to keep retrying, which can result in OOM issues + categories: + - Argo + complexity: medium + impact: Empty retryStrategy will cause a container to retry until completion and eventually cause OOM issues + schema: + if: + properties: + kind: + 
enum: + - Workflow + then: + properties: + spec: + properties: + templates: + items: + properties: + retryStrategy: + type: object + minProperties: 1 + - id: 41 + name: 'Ensure Rollout has revision history set' + uniqueName: 'ARGO_WORKFLOW_INCORRECT_REVISION_HISTORY_LIMIT_VALUE_0' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-rollout-has-revision-history-set + messageOnFailure: Incorrect value for key `revisionHistoryLimit` - value above 0 is required to enable rolling back from a failed deployment + categories: + - Argo + complexity: medium + impact: A new Deployment rollout cannot be undone, since its revision history is cleaned up + schema: + if: + properties: + kind: + enum: + - Rollout + then: + properties: + spec: + properties: + revisionHistoryLimit: + minimum: 1 + required: + - revisionHistoryLimit + - id: 42 + name: 'Ensure Rollout allows broadcasting IP table changes' + uniqueName: 'ARGO_ROLLOUT_INCORRECT_SCALE_DOWN_DELAY_VALUE_BELOW_30' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-rollout-allows-broadcasting-ip-table-changes + messageOnFailure: Incorrect value for key `scaleDownDelaySeconds` - value should be at least 30 to prevent packets from being sent to a node that killed the pod + categories: + - Argo + complexity: easy + impact: A minimum of 30 seconds is recommended to prevent packets from being sent to a node that killed an old pod + schema: + if: + properties: + kind: + enum: + - Rollout + then: + properties: + spec: + properties: + strategy: + properties: + blueGreen: + type: object + properties: + scaleDownDelaySeconds: + type: integer + minimum: 30 + required: + - scaleDownDelaySeconds + - id: 43 + name: 'Ensure Rollout that is marked as degraded scales down ReplicaSet' + uniqueName: 'ARGO_ROLLOUT_INCORRECT_PROGRESS_DEADLINE_ABORT_VALUE_FALSE' + enabledByDefault: false + documentationUrl: 
https://hub.datree.io/built-in-rules/ensure-rollout-that-is-marked-as-degraded-scales-down-replicaset + messageOnFailure: Incorrect value for key `progressDeadlineAbort` - value should be `true` to prevent the rollout pod from retrying indefinitely + categories: + - Argo + complexity: medium + impact: Prevent pods from indefinitely retrying to rollout, when the pod is stuck on error state + schema: + if: + properties: + kind: + enum: + - Rollout + spec: + properties: + allOf: + properties: + progressDeadlineSeconds: + type: integer + then: + properties: + spec: + properties: + progressDeadlineAbort: + const: true + required: + - progressDeadlineAbort + - id: 44 + name: Ensure Workflow retry policy catches relevant errors only + uniqueName: 'ARGO_WORKFLOW_ENSURE_RETRY_ON_BOTH_ERROR_AND_TRANSIENT_ERROR' + enabledByDefault: false + documentationUrl: https://hub.datree.io/built-in-rules/ensure-workflow-retry-policy-catches-relevant-errors-only + messageOnFailure: Incorrect value for key `retryPolicy` - the expression should include retry on steps that failed either on transient or Argo controller errors + categories: + - Argo + complexity: medium + impact: When setting Argo's `retryPolicy` to Always, you should also set a proper expression to filter out unnecessary errors + schema: + if: + allOf: + - properties: + kind: + enum: + - Workflow + - properties: + spec: + properties: + templates: + type: array + contains: + properties: + retryStrategy: + properties: + retryPolicy: + const: Always + then: + properties: + spec: + properties: + templates: + type: array + contains: + properties: + retryStrategy: + properties: + retryPolicy: + const: Always + expression: + const: lastRetry.status == "Error" or (lastRetry.status == "Failed" and asInt(lastRetry.exitCode) not in [0]) + required: + - retryPolicy + - expression + - id: 45 + name: Ensure each container has a read-only root filesystem + uniqueName: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE + enabledByDefault: 
false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-read-only-filesystem' + messageOnFailure: Incorrect value for key `readOnlyRootFilesystem` - set to 'true' to protect filesystem from potential attacks + categories: + - NSA + - cdk8s + - EKS + complexity: easy + impact: An immutable root filesystem prevents attackers from being able to tamper with the filesystem or write foreign executables to disk + schema: + definitions: + containerSecurityPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + readOnlyRootFilesystem: + const: true + required: + - readOnlyRootFilesystem + required: + - securityContext + allOf: + - $ref: '#/definitions/containerSecurityPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 46 + name: Prevent containers from accessing underlying host + uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPATH + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-accessing-underlying-host' + messageOnFailure: Invalid key `hostPath` - refrain from using this mount to prevent an attack on the underlying host + categories: + - NSA + - cdk8s + - CIS + complexity: easy + impact: Using a hostPath mount can enable attackers to break from the container and gain access to the underlying host + schema: + definitions: + specVolumePattern: + properties: + spec: + properties: + volumes: + type: array + items: + not: + required: + - hostPath + allOf: + - $ref: '#/definitions/specVolumePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 47 + name: Prevent containers from escalating privileges + uniqueName: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-escalating-privileges' + messageOnFailure: Missing key `allowPrivilegeEscalation` - set to false to prevent attackers from exploiting escalated container 
privileges + categories: + - NSA + - cdk8s + - EKS + - CIS + complexity: easy + impact: In their default state, containers allow privilege escalation. Attackers may use this to manipulate the application and to gain more permissions than they should have + schema: + definitions: + specContainerPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + allowPrivilegeEscalation: + const: false + required: + - allowPrivilegeEscalation + required: + - securityContext + allOf: + - $ref: '#/definitions/specContainerPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 48 + name: Prevent containers from allowing command execution + uniqueName: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-allowing-command-execution' + messageOnFailure: 'Incorrect value for key `resources` and/or `verbs` - allowing containers to run the exec command can be exploited by attackers' + categories: + - NSA + complexity: easy + impact: "'kubectl exec' allows a user to execute a command in a container. 
Attackers with permissions could run 'kubectl exec' to execute malicious code and compromise resources within a cluster" + schema: + if: + properties: + kind: + enum: + - Role + - ClusterRole + then: + properties: + rules: + type: array + items: + properties: + resources: + type: array + not: + items: + enum: + - '*' + - 'pods/exec' + verbs: + type: array + not: + items: + enum: + - 'create' + - '*' + - id: 49 + name: Prevent containers from having insecure capabilities + uniqueName: CONTAINERS_INVALID_CAPABILITIES_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-insecure-capabilities' + messageOnFailure: 'Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components' + categories: + - NSA + - CIS + complexity: easy + impact: Giving containers unnecessary capabilities may compromise them and allow attackers access to sensitive components + schema: + definitions: + specContainerPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + capabilities: + properties: + add: + type: array + items: + not: + enum: + - 'SETPCAP' + - 'NET_ADMIN' + - 'NET_RAW' + - 'SYS_MODULE' + - 'SYS_RAWIO' + - 'SYS_PTRACE' + - 'SYS_ADMIN' + - 'SYS_BOOT' + - 'MAC_OVERRIDE' + - 'MAC_ADMIN' + - 'PERFMON' + - 'ALL' + - 'BPF' + allOf: + - $ref: '#/definitions/specContainerPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 50 + name: Prevent containers from insecurely exposing workload + uniqueName: CONTAINERS_INCORRECT_KEY_HOSTPORT + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-insecurely-exposing-workload' + messageOnFailure: 'Incorrect key `hostPort` - refrain from using this key to prevent insecurely exposing your workload' + categories: + - NSA + - cdk8s + - CIS + complexity: easy + impact: With the hostPort defined, the workloads become exposed as the 
node, but without the firewall rules and access control attached to the host + schema: + definitions: + specContainerPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + ports: + type: array + items: + not: + required: + - hostPort + initContainers: + type: array + items: + properties: + ports: + type: array + items: + not: + required: + - hostPort + ephemeralContainers: + type: array + items: + properties: + ports: + type: array + items: + not: + required: + - hostPort + allOf: + - $ref: '#/definitions/specContainerPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 51 + name: Prevent containers from accessing host files by using high GIDs + uniqueName: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-accessing-host-files-by-using-high-gids' + messageOnFailure: 'Invalid value for key `runAsGroup` - must be greater than 999 to ensure container is running with non-root group membership' + categories: + - NSA + complexity: medium + impact: With a high GID number, a container is blocked from accessing host-based files even if it manages to gain access to a host's file system + schema: + definitions: + specContainerPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + runAsGroup: + minimum: 1000 + podSecurityContextPattern: + if: + properties: + kind: + enum: + - Pod + required: + - kind + then: + properties: + spec: + properties: + securityContext: + properties: + runAsGroup: + minimum: 1000 + + allOf: + - $ref: '#/definitions/specContainerPattern' + - $ref: '#/definitions/podSecurityContextPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 52 + name: Prevent container from running with root privileges + uniqueName: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE + enabledByDefault: false + documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-running-with-root-privileges' + messageOnFailure: 'Invalid value for key `runAsNonRoot` - must be set to `true` to prevent unnecessary privileges' + categories: + - NSA + - CIS + complexity: easy + impact: Having non-root execution integrated at build time provides better assurance that applications will function correctly without root privileges + schema: + definitions: + containerSecurityPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + runAsNonRoot: + const: true + required: + - runAsNonRoot + required: + - securityContext + podSecurityContextPattern: + if: + properties: + kind: + enum: + - Pod + required: + - kind + then: + properties: + spec: + properties: + securityContext: + properties: + runAsNonRoot: + const: true + required: + - runAsNonRoot + allOf: + - $ref: '#/definitions/containerSecurityPattern' + - $ref: '#/definitions/podSecurityContextPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 53 + name: Prevent service account token auto-mounting on pods + uniqueName: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-service-account-token-auto-mount' + messageOnFailure: 'Invalid value for key `automountServiceAccountToken` - must be set to `false` to prevent granting unnecessary access to the service account' + categories: + - NSA + - EKS + - CIS + complexity: easy + impact: If an application is compromised, account tokens in Pods can be stolen and used to further compromise the cluster. 
When an application does not need to access the service account directly, token mounting should be disabled + schema: + definitions: + podPattern: + if: + properties: + kind: + enum: + - Pod + then: + properties: + spec: + properties: + automountServiceAccountToken: + const: false + required: + - automountServiceAccountToken + serviceAccountPattern: + if: + properties: + kind: + enum: + - ServiceAccount + then: + properties: + automountServiceAccountToken: + const: false + required: + - automountServiceAccountToken + allOf: + - $ref: '#/definitions/podPattern' + - $ref: '#/definitions/serviceAccountPattern' + - id: 54 + name: Ensure resource has a configured name + uniqueName: RESOURCE_MISSING_NAME + enabledByDefault: true + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-resource-name' + messageOnFailure: 'Missing key `name` or `generateName` - one of them must be set to apply resource to a cluster' + categories: + - cdk8s + complexity: easy + impact: Configurations that miss this property will pass k8s schema validation, but will fail when pushed into a cluster (i.e. 
when running kubectl apply/create) + schema: + definitions: + metadataNamePattern: + properties: + metadata: + type: object + properties: + name: + type: string + required: + - name + required: + - metadata + metadataGenerateNamePattern: + properties: + metadata: + type: object + properties: + generateName: + type: string + required: + - generateName + required: + - metadata + if: + properties: + kind: + not: + enum: + - Kustomization + then: + anyOf: + - $ref: '#/definitions/metadataNamePattern' + - $ref: '#/definitions/metadataGenerateNamePattern' + - id: 55 + name: Ensure each container probe has an initial delay configured + uniqueName: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-initial-probe-delay' + messageOnFailure: 'Incorrect value for key `initialDelaySeconds` - set explicitly to control the start time before a probe is initiated (min 0)' + categories: + - Probes + complexity: medium + impact: "`initialDelaySeconds` defines the number of seconds after the container has started before liveness or readiness probes are initiated. 
It's recommended to set this value explicitly and not rely on the default value (0)" + schema: + definitions: + probePattern: + if: + properties: + spec: + properties: + containers: + items: + anyOf: + - required: + - livenessProbe + - required: + - readinessProbe + - required: + - startupProbe + then: + properties: + spec: + properties: + containers: + items: + properties: + livenessProbe: + properties: + initialDelaySeconds: + minimum: 0 + required: + - initialDelaySeconds + readinessProbe: + properties: + initialDelaySeconds: + minimum: 0 + required: + - initialDelaySeconds + startupProbe: + properties: + initialDelaySeconds: + minimum: 0 + required: + - initialDelaySeconds + allOf: + - $ref: '#/definitions/probePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 56 + name: Ensure each container probe has a configured frequency + uniqueName: CONTAINERS_INCORRECT_PERIODSECONDS_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-frequency' + messageOnFailure: 'Incorrect value for key `periodSeconds` - set explicitly to control how often a probe is performed (min 1)' + categories: + - Probes + complexity: medium + impact: "`periodSeconds` defines how often (in seconds) the kubelet should perform a liveness probe. 
It's recommended to set this value explicitly and not rely on the default value (10)" + schema: + definitions: + probePattern: + if: + properties: + spec: + properties: + containers: + items: + anyOf: + - required: + - livenessProbe + - required: + - readinessProbe + - required: + - startupProbe + then: + properties: + spec: + properties: + containers: + items: + properties: + livenessProbe: + properties: + periodSeconds: + minimum: 1 + required: + - periodSeconds + readinessProbe: + properties: + periodSeconds: + minimum: 1 + required: + - periodSeconds + startupProbe: + properties: + periodSeconds: + minimum: 1 + required: + - periodSeconds + allOf: + - $ref: '#/definitions/probePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 57 + name: Ensure each container probe has a configured timeout + uniqueName: CONTAINERS_INCORRECT_TIMEOUTSECONDS_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-timeout' + messageOnFailure: 'Incorrect value for key `timeoutSeconds` - set explicitly to control when a probe times out (min 1)' + categories: + - Probes + complexity: medium + impact: "`timeoutSeconds` defines the number of seconds after which the probe times out. 
It's recommended to set this value explicitly and not rely on the default value (1)" + schema: + definitions: + probePattern: + if: + properties: + spec: + properties: + containers: + items: + anyOf: + - required: + - livenessProbe + - required: + - readinessProbe + - required: + - startupProbe + then: + properties: + spec: + properties: + containers: + items: + properties: + livenessProbe: + properties: + timeoutSeconds: + minimum: 1 + required: + - timeoutSeconds + readinessProbe: + properties: + timeoutSeconds: + minimum: 1 + required: + - timeoutSeconds + startupProbe: + properties: + timeoutSeconds: + minimum: 1 + required: + - timeoutSeconds + allOf: + - $ref: '#/definitions/probePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 58 + name: Ensure each container probe has a configured minimum success threshold + uniqueName: CONTAINERS_INCORRECT_SUCCESSTHRESHOLD_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-min-success-threshold' + messageOnFailure: 'Incorrect value for key `successThreshold` - set explicitly to control when a probe is considered successful after having failed' + categories: + - Probes + complexity: medium + impact: "`successThreshold` defines the minimum consecutive successes required for the probe to be successful after failing. 
It's recommended to set this value explicitly and not rely on the default value (1)" + schema: + definitions: + probePattern: + if: + properties: + spec: + properties: + containers: + items: + anyOf: + - required: + - livenessProbe + - required: + - readinessProbe + - required: + - startupProbe + then: + properties: + spec: + properties: + containers: + items: + properties: + livenessProbe: + properties: + successThreshold: + const: 1 + required: + - successThreshold + readinessProbe: + properties: + successThreshold: + minimum: 1 + required: + - successThreshold + startupProbe: + properties: + successThreshold: + const: 1 + required: + - successThreshold + allOf: + - $ref: '#/definitions/probePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 59 + name: Ensure each container probe has a configured failure threshold + uniqueName: CONTAINERS_INCORRECT_FAILURETHRESHOLD_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-probe-failure-threshold' + messageOnFailure: 'Incorrect value for key `failureThreshold` - set explicitly to control the number of retries after a probe fails (min 1)' + categories: + - Probes + complexity: medium + impact: "`failureThreshold` defines the number of times Kubernetes will try to initialize a failed probe before giving up. 
It's recommended to set this value explicitly and not rely on the default value (3)" + schema: + definitions: + probePattern: + if: + properties: + spec: + properties: + containers: + items: + anyOf: + - required: + - livenessProbe + - required: + - readinessProbe + - required: + - startupProbe + then: + properties: + spec: + properties: + containers: + items: + properties: + livenessProbe: + properties: + failureThreshold: + minimum: 1 + required: + - failureThreshold + readinessProbe: + properties: + failureThreshold: + minimum: 1 + required: + - failureThreshold + startupProbe: + properties: + failureThreshold: + minimum: 1 + required: + - failureThreshold + allOf: + - $ref: '#/definitions/probePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 60 + name: Ensure each container has a configured pre-stop hook + uniqueName: CONTAINERS_MISSING_PRESTOP_KEY + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-prestop' + messageOnFailure: 'Missing property object `preStop` - set to ensure graceful shutdown of the container' + categories: + - Other + complexity: hard + impact: Once Kubernetes has decided to terminate one of your pods, it will proceed to send a SIGTERM signal to it. 
If your application doesn't gracefully shut down when receiving a SIGTERM, this can cause undesired behavior and loss of data + schema: + definitions: + prestopPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + lifecycle: + properties: + preStop: + type: object + required: + - preStop + required: + - lifecycle + allOf: + - $ref: '#/definitions/prestopPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 61 + name: 'Prevent containers from having unnecessary system call privileges' + uniqueName: CONTAINERS_INCORRECT_SECCOMP_PROFILE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-system-call-privileges' + messageOnFailure: 'Incorrect value for key seccompProfile - set an explicit value to prevent malicious use of system calls within the container' + categories: + - EKS + complexity: medium + impact: Running containers/Pods with the `seccomp` profile set to `unconfined` can give attackers dangerous privileges + schema: + definitions: + seccompExplicit: + if: *standardKinds + then: + properties: + spec: + oneOf: + - $ref: '#/$defs/securityContextSeccompReq' + - $ref: '#/definitions/seccompExplicitInContainer' + seccompExplicitInContainer: + if: *standardKinds + then: + properties: + containers: + type: array + items: + $ref: '#/$defs/securityContextSeccompReq' + initContainers: + type: array + items: + $ref: '#/$defs/securityContextSeccompReq' + ephemeralContainers: + type: array + items: + $ref: '#/$defs/securityContextSeccompReq' + seccompPatternInSpec: + if: *standardKinds + then: + properties: + spec: + $ref: '#/$defs/securityContextSeccomp' + seccompPatternInContainer: + if: *standardKinds + then: + properties: + spec: + properties: + containers: + type: array + items: + $ref: '#/$defs/securityContextSeccomp' + initContainers: + type: array + items: + $ref: '#/$defs/securityContextSeccomp' + ephemeralContainers: + type: array + items: + $ref: 
'#/$defs/securityContextSeccomp' + allOf: + - $ref: '#/definitions/seccompExplicit' + - $ref: '#/definitions/seccompPatternInSpec' + - $ref: '#/definitions/seccompPatternInContainer' + additionalProperties: + $ref: '#' + items: + $ref: '#' + $defs: + securityContextSeccompReq: + required: + - securityContext + properties: + securityContext: + type: object + required: + - seccompProfile + properties: + seccompProfile: + type: object + required: + - type + securityContextSeccomp: + properties: + securityContext: + type: object + properties: + seccompProfile: + type: object + properties: + type: + not: + enum: + - 'unconfined' + - 'Unconfined' + - id: 62 + name: Prevent exposed BitBucket secrets in objects + uniqueName: ALL_EXPOSED_SECRET_BITBUCKET + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-bitbucket' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?:bitbucket)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{32})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 63 + name: Prevent exposed Datadog secrets in objects + uniqueName: ALL_EXPOSED_SECRET_DATADOG + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-datadog' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - 
pattern: (?:datadog)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 64 + name: Prevent exposed GCP secrets in objects + uniqueName: ALL_EXPOSED_SECRET_GCP + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gcp' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: \b(AIza[0-9A-Za-z\\-_]{35})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 65 + name: Prevent exposed AWS secrets in objects + uniqueName: ALL_EXPOSED_SECRET_AWS + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-aws' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16} + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 66 + name: Prevent exposed GitHub secrets in objects + uniqueName: ALL_EXPOSED_SECRET_GITHUB + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-github' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource 
configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (ghu|ghs)_[0-9a-zA-Z]{36} + - pattern: gho_[0-9a-zA-Z]{36} + - pattern: ghp_[0-9a-zA-Z]{36} + - pattern: ghr_[0-9a-zA-Z]{36} + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 67 + name: Prevent exposed GitLab secrets in objects + uniqueName: ALL_EXPOSED_SECRET_GITLAB + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-gitlab' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: glpat-[0-9a-zA-Z\-\_]{20} + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 68 + name: Prevent exposed Terraform secrets in objects + uniqueName: ALL_EXPOSED_SECRET_TERRAFORM + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-terraform' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: '[a-z0-9]{14}\.atlasv1\.[a-z0-9\-_=]{60,70}' + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 69 + name: Prevent exposed Heroku secrets in objects + uniqueName: ALL_EXPOSED_SECRET_HEROKU + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-heroku' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + 
categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?:heroku)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 70 + name: Prevent exposed JWT secrets in objects + uniqueName: ALL_EXPOSED_SECRET_JWT + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-jwt' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: \b(ey[0-9a-z]{30,34}\.ey[0-9a-z-\/_]{30,500}\.[0-9a-zA-Z-\/_]{10,200})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 71 + name: Prevent exposed LaunchDarkly secrets in objects + uniqueName: ALL_EXPOSED_SECRET_LAUNCHDARKLY + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-launchdarkly' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?:launchdarkly)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{40})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + 
- id: 72 + name: Prevent exposed New Relic secrets in objects + uniqueName: ALL_EXPOSED_SECRET_NEWRELIC + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-newrelic' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRJS-[a-f0-9]{19})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern: (?:new-relic|newrelic|new_relic)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}(NRAK-[a-z0-9]{27})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 73 + name: Prevent exposed npm secrets in objects + uniqueName: ALL_EXPOSED_SECRET_NPM + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-npm' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: \b(npm_[a-z0-9]{36})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 74 + name: Prevent exposed Okta secrets in objects + uniqueName: ALL_EXPOSED_SECRET_OKTA + enabledByDefault: false + documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-okta' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?:okta)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9=_\-]{42})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 75 + name: Prevent exposed Stripe secrets in objects + uniqueName: ALL_EXPOSED_SECRET_STRIPE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-stripe' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (sk|pk)_(test|live)_[0-9a-z]{10,32} + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 76 + name: Prevent exposed SumoLogic secrets in objects + uniqueName: ALL_EXPOSED_SECRET_SUMOLOGIC + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-sumologic' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?:sumo)(?:[0-9a-z\-_\t 
.]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{14})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern: (?:sumo)(?:[0-9a-z\-_\t .]{0,20})(?:[\s|']|[\s|"]){0,3}(?:=|>|:=|\|\|:|<=|=>|:)(?:'|\"|\s|=|\x60){0,5}([a-z0-9]{64})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 77 + name: Prevent exposed Twilio secrets in objects + uniqueName: ALL_EXPOSED_SECRET_TWILIO + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-twilio' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: SK[0-9a-fA-F]{32} + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 78 + name: Prevent exposed Vault secrets in objects + uniqueName: ALL_EXPOSED_SECRET_VAULT + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-vault' + messageOnFailure: 'Secret data found in config - keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: \b(hvb\.[a-z0-9_-]{138,212})(?:['|\"|\n|\r|\s|\x60|;]|$) + - pattern: \b(hvs\.[a-z0-9_-]{90,100})(?:['|\"|\n|\r|\s|\x60|;]|$) + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 79 + name: Prevent exposed private keys in objects + uniqueName: ALL_EXPOSED_SECRET_PRIVATEKEY + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-exposed-secrets-privatekey' + messageOnFailure: 'Secret data found in config - 
keep your sensitive data elsewhere to prevent it from being stolen' + categories: + - Secrets + complexity: medium + impact: Exposing sensitive data in resource configs is risky and highly unrecommended, as it can be stolen and used maliciously + schema: + definitions: + regexes: + anyOf: + - pattern: (?i)-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S-]*KEY---- + if: *notKindSecret + then: *recursiveDontAllowValue + - id: 80 + name: Ensure each container fully utilizes CPU with no limitations + uniqueName: EKS_INVALID_CPU_LIMIT + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-no-cpu-limit' + messageOnFailure: 'Invalid key `limits.cpu` - refrain from setting a CPU limit to better utilize the CPU and prevent starvation' + categories: + - EKS + complexity: easy + impact: Setting a CPU limit may cause starvation and sub-optimal utilization of the CPU + schema: + definitions: + cpuLimitPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + resources: + properties: + limits: + type: object + not: + required: + - cpu + allOf: + - $ref: '#/definitions/cpuLimitPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 81 + name: Ensure container memory request and memory limit are equal + uniqueName: EKS_INVALID_MEMORY_REQUEST_LIMIT + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-memory-request-limit-equal' + messageOnFailure: 'Invalid value for memory request and/or memory limit - ensure they are equal to prevent unpredictable behavior' + categories: + - EKS + complexity: easy + impact: Setting memory request and limit to different values may cause unpredictable behavior + schema: + definitions: + containerResourcesPattern: + properties: + spec: + properties: + containers: + items: + properties: + resources: + customKeyRule81: + type: string + allOf: + - $ref: '#/definitions/containerResourcesPattern' + additionalProperties: + 
$ref: '#' + items: + $ref: '#' + - id: 82 + name: Ensure containers have limited capabilities + uniqueName: EKS_INVALID_CAPABILITIES_EKS + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-containers-limited-capabilities' + messageOnFailure: 'Incorrect value for key `add` - refrain from using insecure capabilities to prevent access to sensitive components' + categories: + - EKS + - CIS + complexity: medium + impact: Giving containers unnecessary capabilities may compromise them and allow attackers access to sensitive components + schema: + definitions: + specContainerPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + capabilities: + properties: + add: + type: array + items: + enum: + - 'AUDIT_WRITE' + - 'CHOWN' + - 'DAC_OVERRIDE' + - 'FOWNER' + - 'FSETID' + - 'KILL' + - 'MKNOD' + - 'NET_BIND_SERVICE' + - 'SETFCAP' + - 'SETGID' + - 'SETPCAP' + - 'SETUID' + - 'SYS_CHROOT' + allOf: + - $ref: '#/definitions/specContainerPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 83 + name: Ensure multiple replicas run on different nodes + uniqueName: EKS_MISSING_KEY_TOPOLOGYKEY + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-replicas-different-nodes' + messageOnFailure: 'Missing key `topologyKey` - add it to ensure replicas are spread across multiple nodes' + categories: + - EKS + complexity: medium + impact: Running multiple replicas on the same node may cause downtime if the node becomes unavailable + schema: + definitions: + antiAffinityPreferredPattern: + properties: + spec: + properties: + affinity: + properties: + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + type: array + items: + properties: + podAffinityTerm: + properties: + topologyKey: + type: string + required: + - topologyKey + antiAffinityRequiredPattern: + properties: + spec: + properties: + 
affinity: + properties: + podAntiAffinity: + properties: + requiredDuringSchedulingIgnoredDuringExecution: + type: array + items: + properties: + podAffinityTerm: + properties: + topologyKey: + type: string + required: + - topologyKey + + allOf: + - $ref: '#/definitions/antiAffinityPreferredPattern' + - $ref: '#/definitions/antiAffinityRequiredPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 84 + name: Prevent pods from becoming unschedulable + uniqueName: EKS_INVALID_VALUE_DONOOTSCHEDULE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-pods-becoming-unschedulable' + messageOnFailure: 'Incorrect value for key `whenUnsatisfiable` - use a different value to ensure your pod does not become unschedulable' + categories: + - EKS + complexity: easy + impact: Setting `whenUnsatisfiable` to `DoNotSchedule` will cause pods to be “unschedulable” if the topology spread constraint can't be fulfilled + schema: + definitions: + specConstraintsPattern: + properties: + spec: + properties: + topologySpreadConstraints: + type: array + items: + properties: + whenUnsatisfiable: + not: + enum: + - DoNotSchedule + allOf: + - $ref: '#/definitions/specConstraintsPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 85 + name: Prevent Windows containers from running with unnecessary privileges + uniqueName: EKS_INVALID_HOSTPROCESS_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-windows-containers-unnecessary-privileges' + messageOnFailure: "Incorrect value for key `hostProcess` - don't set or set to false to prevent unnecessary privileges" + categories: + - EKS + - CIS + complexity: easy + impact: Setting `hostProcess` to `true` will cause pods to be “unschedulable” if the topology spread constraint can't be fulfilled + schema: + definitions: + hostProcessPattern: + properties: + windowsOptions: + properties: + hostProcess: + enum: + - false + allOf: + - 
$ref: '#/definitions/hostProcessPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 86 + name: Prevent SELinux containers from running with unnecessary privileges + uniqueName: EKS_INVALID_SELINUXOPTIONS_TYPE_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-selinux-containers-unnecessary-privileges' + messageOnFailure: 'Invalid value for key `type` - set to a predefined type to prevent unnecessary privileges' + categories: + - EKS + complexity: medium + impact: Using a different type than the allowed ones may grant attackers access to sensitive components + schema: + definitions: + selinuxTypePattern: + properties: + securityContext: + properties: + seLinuxOptions: + properties: + type: + enum: + - container_t + - container_init_t + - container_kvm_t + allOf: + - $ref: '#/definitions/selinuxTypePattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 87 + name: Prevent SELinux containers from setting a user + uniqueName: EKS_INVALID_SELINUXOPTIONS_USER_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-selinux-containers-user' + messageOnFailure: 'Invalid key `user` - refrain from setting this key to prevent potential access to the host filesystem' + categories: + - EKS + complexity: easy + impact: Setting an SELinux user may grant attackers access to sensitive components + schema: + definitions: + selinuxUserPattern: + properties: + securityContext: + properties: + seLinuxOptions: + not: + required: + - user + allOf: + - $ref: '#/definitions/selinuxUserPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 88 + name: Prevent SELinux containers from setting a role + uniqueName: EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-selinux-containers-role' + messageOnFailure: 'Invalid key `role` - refrain from setting this key to prevent 
potential access to the host filesystem' + categories: + - EKS + complexity: easy + impact: Setting an SELinux role may grant attackers access to sensitive components + schema: + definitions: + selinuxUserPattern: + properties: + securityContext: + properties: + seLinuxOptions: + not: + required: + - role + allOf: + - $ref: '#/definitions/selinuxUserPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 89 + name: Ensure hostPath volume mounts are read-only + uniqueName: EKS_INVALID_HOSTPATH_MOUNT_READONLY_VALUE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-hostpath-mounts-readonly' + messageOnFailure: "Invalid key `readOnly` - set to 'true' to prevent potential attacks on the host filesystem" + categories: + - EKS + complexity: easy + impact: Not setting hostPath mounts as `readOnly` may allow attackers to modify the host filesystem + schema: + definitions: + specContainers: + properties: + spec: + customKeyRule89: + type: string + allOf: + - $ref: '#/definitions/specContainers' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 90 + name: Prevent deprecated APIs in Kubernetes v1.19 + uniqueName: K8S_DEPRECATED_APIVERSION_1.19 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-119' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.19' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - networking.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - Ingress + - IngressClass + - if: + properties: + apiVersion: + enum: + - storage.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CSIDriver + - if: + properties: + apiVersion: + enum: + - certificates.k8s.io/v1beta1 + then: 
+ properties: + kind: + not: + enum: + - CertificateSigningRequest + - if: + properties: + apiVersion: + enum: + - events.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - Event + - if: + properties: + apiVersion: + enum: + - coordination.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - Lease + - LeaseList + - if: + properties: + apiVersion: + enum: + - apiregistration.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - APIService + - APIServiceList + - id: 91 + name: Prevent deprecated APIs in Kubernetes v1.21 + uniqueName: K8S_DEPRECATED_APIVERSION_1.21 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-121' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.21' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - policy/v1beta1 + then: + properties: + kind: + not: + enum: + - PodSecurityPolicy + - PodDisruptionBudget + - PodDisruptionBudgetList + - if: + properties: + apiVersion: + enum: + - batch/v1beta1 + then: + properties: + kind: + not: + enum: + - CronJob + - CronJobList + - if: + properties: + apiVersion: + enum: + - discovery.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - EndpointSlice + - if: + properties: + apiVersion: + enum: + - audit.k8s.io/v1beta1 + - audit.k8s.io/v1alpha1 + then: + properties: + kind: + not: + enum: + - Event + - EventList + - Policy + - PolicyList + - id: 92 + name: Prevent deprecated APIs in Kubernetes v1.22 + uniqueName: K8S_DEPRECATED_APIVERSION_1.22 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-122' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is 
deprecated in k8s v1.22' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - autoscaling/v2beta1 + then: + properties: + kind: + not: + enum: + - HorizontalPodAutoscaler + - HorizontalPodAutoscalerList + - id: 93 + name: Prevent deprecated APIs in Kubernetes v1.23 + uniqueName: K8S_DEPRECATED_APIVERSION_1.23 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-123' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.23' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - autoscaling/v2beta2 + then: + properties: + kind: + not: + enum: + - HorizontalPodAutoscaler + - HorizontalPodAutoscalerList + - id: 94 + name: Prevent deprecated APIs in Kubernetes v1.24 + uniqueName: K8S_DEPRECATED_APIVERSION_1.24 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-deprecated-api-124' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is deprecated in k8s v1.24' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a deprecated API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - storage.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CSIStorageCapacity + - id: 95 + name: Prevent use of the `cluster-admin` role + uniqueName: CIS_INVALID_ROLE_CLUSTER_ADMIN + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-cluster-admin-role' + messageOnFailure: 'Incorrect value for key `name` - the RBAC 
role `cluster-admin` provides wide-ranging powers over the environment and should be used only where needed' + categories: + - CIS + complexity: easy + impact: The cluster-admin allows super-user access to perform any action on any resource and may be used maliciously + schema: + if: + properties: + kind: + enum: + - ClusterRoleBinding + - RoleBinding + required: + - kind + then: + properties: + roleRef: + properties: + name: + not: + enum: + - cluster-admin + - id: 96 + name: Prevent access to secrets + uniqueName: CIS_INVALID_VERB_SECRETS + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-access-to-secrets' + messageOnFailure: 'Incorrect value/s for key `verbs` - access to secrets should be restricted to the smallest possible group of users to reduce the risk of privilege escalation' + categories: + - CIS + complexity: medium + impact: Inappropriate access to cluster secrets can allow an attacker to gain access to the cluster or external resources whose credentials are stored as secrets + schema: + if: + properties: + kind: + enum: + - ClusterRole + - Role + required: + - kind + then: + properties: + rules: + type: array + items: + if: + properties: + resources: + type: array + contains: + enum: + - secrets + then: + properties: + verbs: + type: array + items: + not: + enum: + - get + - list + - watch + - id: 97 + name: Prevent use of wildcards in Roles and ClusterRoles + uniqueName: CIS_INVALID_WILDCARD_ROLE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-wildcards-role-clusterrole' + messageOnFailure: 'Incorrect value for key `apiGroups`/`resources`/`verbs` - wildcards may provide excessive rights and should only be used when necessary' + categories: + - CIS + complexity: medium + impact: The use of wildcards may allow for inadvertent access to be granted when new resources are added to the Kubernetes API + schema: + if: + properties: + kind: + enum: + - ClusterRole + - Role + 
required: + - kind + then: + properties: + rules: + type: array + items: + properties: + apiGroups: + type: array + items: + not: + enum: + - '*' + resources: + type: array + items: + not: + enum: + - '*' + verbs: + type: array + items: + not: + enum: + - '*' + - id: 98 + name: Prevent use of secrets as environment variables + uniqueName: CIS_INVALID_KEY_SECRETKEYREF_SECRETREF + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-secrets-as-env-variables' + messageOnFailure: 'Incorrect key `secretKeyRef`/`secretRef` - mount secrets as files and not as env variables to avoid exposing sensitive data' + categories: + - CIS + complexity: hard + impact: Using secrets as environment variables is not secure and may expose sensitive data to undesired entities + schema: + definitions: + containerValueFromPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + env: + type: array + items: + properties: + valueFrom: + not: + required: + - secretKeyRef + containerEnvFromPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + envFrom: + type: array + items: + not: + required: + - secretRef + allOf: + - $ref: '#/definitions/containerValueFromPattern' + - $ref: '#/definitions/containerEnvFromPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 99 + name: Ensure seccomp profile is set to docker/default or runtime/default + uniqueName: CIS_INVALID_VALUE_SECCOMP_PROFILE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-seccomp-profile-default' + messageOnFailure: 'Invalid value for key `seccomp.security.alpha.kubernetes.io/pod` - set to docker/default or runtime/default to ensure restricted privileges' + categories: + - CIS + complexity: medium + impact: Using the default seccomp profile may allow risky privileges for workloads + schema: + definitions: + podAnnotationsPattern: + if: + properties: + 
kind: + enum: + - Pod + required: + - kind + then: + properties: + metadata: + properties: + annotations: + properties: + seccomp.security.alpha.kubernetes.io/pod: + enum: + - docker/default + - runtime/default + required: + - seccomp.security.alpha.kubernetes.io/pod + required: + - annotations + required: + - metadata + templateAnnotationsPattern: + properties: + spec: + properties: + template: + properties: + metadata: + properties: + annotations: + properties: + seccomp.security.alpha.kubernetes.io/pod: + enum: + - docker/default + - runtime/default + required: + - seccomp.security.alpha.kubernetes.io/pod + required: + - annotations + required: + - metadata + allOf: + - $ref: '#/definitions/podAnnotationsPattern' + - $ref: '#/definitions/templateAnnotationsPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 100 + name: Ensure containers and pods have a configured security context + uniqueName: CIS_MISSING_KEY_SECURITYCONTEXT + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-containers-pods-security-context' + messageOnFailure: "Missing key `securityContext` - set to enforce your containers' security and stability" + categories: + - CIS + complexity: medium + impact: Omitting security contexts may cause undesired behavior when running your containers + schema: + definitions: + podSecurityContextPattern: + properties: + kind: + enum: + - Pod + spec: + required: + - securityContext + required: + - kind + - spec + containerSecurityContextPattern: + allOf: + - properties: + spec: + properties: + containers: + type: array + items: + required: + - securityContext + additionalProperties: + $ref: '#/definitions/containerSecurityContextPattern' + items: + $ref: '#/definitions/containerSecurityContextPattern' + templateSecurityContextPattern: + allOf: + - properties: + spec: + properties: + template: + properties: + spec: + required: + - securityContext + required: + - spec + required: + - template + required: 
+ - spec + additionalProperties: + $ref: '#/definitions/templateSecurityContextPattern' + items: + $ref: '#/definitions/templateSecurityContextPattern' + anyOf: + - $ref: '#/definitions/containerSecurityContextPattern' + - $ref: '#/definitions/templateSecurityContextPattern' + - $ref: '#/definitions/podSecurityContextPattern' + - id: 101 + name: Prevent access to create pods + uniqueName: CIS_INVALID_VALUE_CREATE_POD + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-access-create-pods' + messageOnFailure: 'Invalid value for key `resources`/`verbs` - prohibit creating pods to prevent undesired privilege escalation' + categories: + - CIS + complexity: medium + impact: The ability to create pods in a cluster opens up possibilities for privilege escalation + schema: + if: + properties: + kind: + enum: + - ClusterRole + - Role + required: + - kind + then: + properties: + rules: + type: array + customKeyRule101: + type: string + - id: 102 + name: Ensure that default service accounts are not actively used + uniqueName: CIS_INVALID_VALUE_AUTOMOUNTSERVICEACCOUNTTOKEN + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/ensure-default-service-account-not-used' + messageOnFailure: 'Invalid value for key `automountServiceAccountToken` - set to `false` to ensure rights can be more easily audited' + categories: + - CIS + complexity: easy + impact: Using default service accounts may provide undesired rights to applications + schema: + if: + properties: + kind: + enum: + - ServiceAccount + metadata: + properties: + name: + enum: + - default + required: + - kind + - metadata + then: + properties: + automountServiceAccountToken: + enum: + - false + required: + - automountServiceAccountToken + - id: 103 + name: Prevent the admission of containers with the NET_RAW capability + uniqueName: CIS_MISSING_VALUE_DROP_NET_RAW + enabledByDefault: false + documentationUrl: 
'https://hub.datree.io/built-in-rules/prevent-containers-net-raw-capability' + messageOnFailure: 'Invalid value for key `drop` - prohibit the potentially dangerous NET_RAW capability' + categories: + - CIS + complexity: easy + impact: The NET_RAW capability may be misused by malicious containers + schema: + definitions: + specContainerPattern: + properties: + spec: + properties: + containers: + type: array + items: + properties: + securityContext: + properties: + capabilities: + properties: + drop: + type: array + items: + contains: + enum: + - 'NET_RAW' + - 'ALL' + required: + - drop + required: + - capabilities + required: + - securityContext + allOf: + - $ref: '#/definitions/specContainerPattern' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 104 + name: Prevent use of the system:masters group + uniqueName: CIS_INVALID_VALUE_SYSTEM_MASTERS + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-system-masters-group' + messageOnFailure: 'Invalid value for key `subjects.name` - do not use the system:masters group to prevent unnecessary unrestriced access to the Kubernetes API' + categories: + - CIS + complexity: medium + impact: Use of the system:masters group can allow for irrevocable cluster-admin level credentials to exist for a cluster + schema: + if: + properties: + kind: + enum: + - ClusterRoleBinding + - RoleBinding + required: + - kind + then: + properties: + subjects: + type: array + items: + properties: + name: + not: + enum: + - system:masters + - id: 105 + name: Prevent role privilege escalation + uniqueName: CIS_INVALID_VALUE_BIND_IMPERSONATE_ESCALATE + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-role-privilege-escalation' + messageOnFailure: 'Invalid value for key `verbs` - do not use `bind`/`impersonate`/`escalate` to prevent privilege escalation' + categories: + - CIS + complexity: medium + impact: Use of the `bind`/`impersonate`/`escalate` 
permissions can allow for privilege escalation to cluster-admin level + schema: + if: + properties: + kind: + enum: + - ClusterRole + - Role + required: + - kind + then: + properties: + rules: + type: array + items: + properties: + verbs: + type: array + items: + not: + enum: + - bind + - impersonate + - escalate + - id: 106 + name: Prevent removed APIs in Kubernetes v1.22 + uniqueName: K8S_REMOVED_APIVERSION_1.22 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-122' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.22' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a removed API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - admissionregistration.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - MutatingWebhookConfiguration + - ValidatingWebhookConfiguration + - if: + properties: + apiVersion: + enum: + - apiextensions.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CustomResourceDefinition + - if: + properties: + apiVersion: + enum: + - apiregistration.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - APIService + - if: + properties: + apiVersion: + enum: + - authentication.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - TokenReview + - if: + properties: + apiVersion: + enum: + - authorization.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - SubjectAccessReview + - LocalSubjectAccessReview + - SelfSubjectAccessReview + - if: + properties: + apiVersion: + enum: + - certificates.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CertificateSigningRequest + - if: + properties: + apiVersion: + enum: + - coordination.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - Lease + - if: + properties: + apiVersion: + enum: + - 
extensions/v1beta1 + - networking.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - Ingress + - if: + properties: + apiVersion: + enum: + - rbac.authorization.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - ClusterRole + - ClusterRoleBinding + - Role + - RoleBinding + - if: + properties: + apiVersion: + enum: + - scheduling.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - PriorityClass + - if: + properties: + apiVersion: + enum: + - storage.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CSIDriver + - CSINode + - StorageClass + - VolumeAttachment + - id: 107 + name: Prevent removed APIs in Kubernetes v1.23 + uniqueName: K8S_REMOVED_APIVERSION_1.23 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-123' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.23' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a removed API version will cause Kubernetes to reject it + schema: + properties: + apiVersion: + not: + enum: + - rbac.authorization.k8s.io/v1alpha1 + - scheduling.k8s.io/v1alpha1 + - id: 108 + name: Prevent removed APIs in Kubernetes v1.24 + uniqueName: K8S_REMOVED_APIVERSION_1.24 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-124' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.24' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a removed API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - client.authentication.k8s.io/v1alpha1 + then: + properties: + kind: + not: + enum: + - ExecCredential + - if: + properties: + apiVersion: + enum: + - node.k8s.io/v1alpha1 + then: + properties: + kind: + not: + enum: + 
- RuntimeClass + - id: 109 + name: Prevent removed APIs in Kubernetes v1.25 + uniqueName: K8S_REMOVED_APIVERSION_1.25 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-125' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.25' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a removed API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - batch/v1beta1 + then: + properties: + kind: + not: + enum: + - CronJob + - if: + properties: + apiVersion: + enum: + - discovery.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - EndpointSlice + - if: + properties: + apiVersion: + enum: + - events.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - Event + - if: + properties: + apiVersion: + enum: + - autoscaling/v2beta1 + then: + properties: + kind: + not: + enum: + - HorizontalPodAutoscaler + - if: + properties: + apiVersion: + enum: + - policy/v1beta1 + then: + properties: + kind: + not: + enum: + - PodDisruptionBudget + - PodSecurityPolicy + - if: + properties: + apiVersion: + enum: + - node.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - RuntimeClass + - id: 110 + name: Prevent removed APIs in Kubernetes v1.26 + uniqueName: K8S_REMOVED_APIVERSION_1.26 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-126' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.26' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a removed API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - flowcontrol.apiserver.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - FlowSchema + - 
PriorityLevelConfiguration + - if: + properties: + apiVersion: + enum: + - autoscaling/v2beta2 + then: + properties: + kind: + not: + enum: + - HorizontalPodAutoscaler + - id: 111 + name: Prevent removed APIs in Kubernetes v1.27 + uniqueName: K8S_REMOVED_APIVERSION_1.27 + enabledByDefault: false + documentationUrl: 'https://hub.datree.io/built-in-rules/prevent-removed-api-127' + messageOnFailure: 'Incorrect value for key `apiVersion` - the version of the resource you are trying to use is removed in k8s v1.27' + categories: + - Deprecation + complexity: easy + impact: Deploying a resource with a removed API version will cause Kubernetes to reject it + schema: + allOf: + - if: + properties: + apiVersion: + enum: + - storage.k8s.io/v1beta1 + then: + properties: + kind: + not: + enum: + - CSIStorageCapacity diff --git a/resource-validation/rule-sets/default/policies.yaml b/resource-validation/rule-sets/default/policies.yaml new file mode 100644 index 0000000000..abfaae53fc --- /dev/null +++ b/resource-validation/rule-sets/default/policies.yaml 
@@ -0,0 +1,66 @@ +# yaml-language-server: $schema=../../rulesetSchema.json + +apiVersion: v1 +policies: + - name: Default + rules: + - identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION + - identifier: CONTAINERS_MISSING_MEMORY_REQUEST_KEY + - identifier: CONTAINERS_MISSING_CPU_REQUEST_KEY + - identifier: CONTAINERS_MISSING_MEMORY_LIMIT_KEY + - identifier: CONTAINERS_MISSING_CPU_LIMIT_KEY + - identifier: INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE + - identifier: SERVICE_INCORRECT_TYPE_VALUE_NODEPORT + - identifier: CRONJOB_INVALID_SCHEDULE_VALUE + - identifier: WORKLOAD_INVALID_LABELS_VALUE + - identifier: WORKLOAD_INCORRECT_RESTARTPOLICY_VALUE_ALWAYS + - identifier: CONTAINERS_MISSING_LIVENESSPROBE_KEY + - identifier: CONTAINERS_MISSING_READINESSPROBE_KEY + - identifier: HPA_MISSING_MINREPLICAS_KEY + - identifier: HPA_MISSING_MAXREPLICAS_KEY + - identifier: WORKLOAD_INCORRECT_NAMESPACE_VALUE_DEFAULT + - identifier: DEPLOYMENT_INCORRECT_REPLICAS_VALUE + - identifier: CRONJOB_MISSING_STARTINGDEADLINESECOND_KEY + - identifier: K8S_DEPRECATED_APIVERSION_1.16 + - identifier: K8S_DEPRECATED_APIVERSION_1.17 + - identifier: CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE + - identifier: WORKLOAD_MISSING_LABEL_OWNER_VALUE + - identifier: DEPLOYMENT_MISSING_LABEL_ENV_VALUE + - identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST + - identifier: CRONJOB_MISSING_CONCURRENCYPOLICY_KEY + - identifier: K8S_INCORRECT_KIND_VALUE_POD + - identifier: CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE + - identifier: CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE + - identifier: CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE + - identifier: CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID + - identifier: CONTAINERS_INCORRECT_PATH_VALUE_DOCKERSOCKET + - identifier: CONFIGMAP_CVE2021_25742_INCORRECT_SNIPPET_ANNOTATIONS_VALUE + - identifier: INGRESS_CVE2021_25742_INCORRECT_SERVER_SNIPPET_KEY + - identifier: CONTAINER_CVE2021_25741_INCORRECT_SUBPATH_KEY + - identifier: ENDPOINTSLICE_CVE2021_25373_INCORRECT_ADDRESSES_VALUE + 
- identifier: ARGO_WORKFLOW_INCORRECT_FAILFAST_VALUE_FALSE + - identifier: ARGO_WORKFLOW_INCORRECT_SERVICE_ACCOUNT_NAME_VALUE_DEFAULT + - identifier: ARGO_CONFIGMAP_MISSING_PART_OF_LABEL_VALUE_ARGOCD + - identifier: ARGO_ROLLOUT_MISSING_PAUSE_DURATION + - identifier: ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE + - identifier: ARGO_WORKFLOW_INCORRECT_RETRY_STRATEGY_VALUE_EMPTY + - identifier: ARGO_WORKFLOW_INCORRECT_REVISION_HISTORY_LIMIT_VALUE_0 + - identifier: ARGO_ROLLOUT_INCORRECT_SCALE_DOWN_DELAY_VALUE_BELOW_30 + - identifier: ARGO_ROLLOUT_INCORRECT_PROGRESS_DEADLINE_ABORT_VALUE_FALSE + - identifier: ARGO_WORKFLOW_ENSURE_RETRY_ON_BOTH_ERROR_AND_TRANSIENT_ERROR + - identifier: CONTAINERS_INCORRECT_READONLYROOTFILESYSTEM_VALUE + - identifier: CONTAINERS_INCORRECT_KEY_HOSTPATH + - identifier: CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION + - identifier: CONTAINERS_INCORRECT_RESOURCES_VERBS_VALUE + - identifier: CONTAINERS_INVALID_CAPABILITIES_VALUE + - identifier: CONTAINERS_INCORRECT_KEY_HOSTPORT + - identifier: CONTAINERS_INCORRECT_RUNASGROUP_VALUE_LOWGID + - identifier: CONTAINERS_INCORRECT_RUNASNONROOT_VALUE + - identifier: SRVACC_INCORRECT_AUTOMOUNTSERVICEACCOUNTTOKEN_VALUE + - identifier: RESOURCE_MISSING_NAME + - identifier: CONTAINERS_INCORRECT_INITIALDELAYSECONDS_VALUE + - identifier: CONTAINERS_INCORRECT_PERIODSECONDS_VALUE + - identifier: CONTAINERS_INCORRECT_TIMEOUTSECONDS_VALUE + - identifier: CONTAINERS_INCORRECT_SUCCESSTHRESHOLD_VALUE + - identifier: CONTAINERS_INCORRECT_FAILURETHRESHOLD_VALUE + - identifier: CONTAINERS_MISSING_PRESTOP_KEY diff --git a/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml b/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml new file mode 100644 index 0000000000..f7222cd9e1 --- /dev/null +++ b/resource-validation/rule-sets/kubernetes-pod-security-standards/policies.yaml 
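Review bot: Nothing visible ties the identifiers in this policy to the rule definitions beyond the `uniqueRuleName` pattern in rulesetSchema.json, so a misspelled identifier would silently drop a check rather than fail validation. If `mergeYamlFiles` (vite.config.mts) does not already do so, the merge step should assert that every referenced identifier resolves to a defined `uniqueName` and fail the build otherwise. A one-line header comment such as `# Every identifier below must match a uniqueName defined in a rules.yaml of this directory tree` would also make the contract explicit to the next editor.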
@@ -0,0 +1,55 @@ +# yaml-language-server: $schema=../../rulesetSchema.json + +apiVersion: v1 +policies: + - name: PodSecurityStandardsBaseline + rules: + # Rules for the Kubernetes Pod Security Standards Baseline + # https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + # HostProcess + - 'EKS_INVALID_HOSTPROCESS_VALUE' + # Host Namespaces + - 'CONTAINERS_INCORRECT_HOSTNETWORK_VALUE_TRUE' + - 'CONTAINERS_INCORRECT_HOSTPID_VALUE_TRUE' + - 'CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE' + # Privileged Containers + - 'CONTAINERS_INCORRECT_PRIVILEGED_VALUE_TRUE' + # Capabilities + - 'EKS_INVALID_CAPABILITIES_EKS' + # HostPath Volumes + - 'CONTAINERS_INCORRECT_KEY_HOSTPATH' + # Host Ports + - 'CONTAINERS_INCORRECT_KEY_HOSTPORT' + # AppArmor + - 'K8S_POD_SEC_APPARMOR' + # SELinux + - 'EKS_INVALID_SELINUXOPTIONS_TYPE_VALUE' + - 'EKS_INVALID_SELINUXOPTIONS_USER_VALUE' + - 'EKS_INVALID_SELINUXOPTIONS_ROLE_VALUE' + # /proc Mount Type + - 'K8S_POD_SEC_PROC_MOUNT' + # Seccomp + - 'K8S_POD_SEC_SECCOMP_PROFILE' + # Sysctls + - 'K8S_POD_SEC_SYSCTLS' + - name: PodSecurityStandardsRestricted + # Rules for the Kubernetes Pod Security Standards Restricted + # https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + + includes: + - PodSecurityStandardsBaseline + rules: + # Volume Types + - 'K8S_POD_SEC_ALLOWED_VOLUME_TYPES' + # Privilege Escalation (or v1.25+ for linux only) + - 'K8S_POD_SEC_PRIVILEGE_ESCALATION' # CONTAINERS_MISSING_KEY_ALLOWPRIVILEGEESCALATION checks only for containers, not for initContainers and ephemeralContainers + # Running as Non-root + - 'K8S_POD_SEC_RUNNING_AS_NON_ROOT' # CONTAINERS_INCORRECT_RUNASNONROOT_VALUE checks only for containers, not for initContainers and ephemeralContainers + # Running as Non-root user (v1.23+) + - 'K8S_POD_SEC_RUNNING_AS_NON_ROOT_USER' # CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID also checks this partly, but only inside the container spec + # Seccomp (v1.19+) (or v1.25+ for linux 
only) + - 'K8S_POD_SEC_SECCOMP_PROFILE_REQUIRED' + # Capabilities (v1.22) (or v1.25+ for linux only) + - 'K8S_POD_SEC_DROP_ALL_CAPABILITIES' + - 'K8S_POD_SEC_CAPABILITIES_ADD_ONLY_NET_BIND_SERVICE' diff --git a/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml b/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml new file mode 100644 index 0000000000..20860d3200 --- /dev/null +++ b/resource-validation/rule-sets/kubernetes-pod-security-standards/rules.yaml 
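Review bot: The Baseline policy references `EKS_INVALID_HOSTPROCESS_VALUE` while the rules.yaml added in the same commit defines `K8S_POD_SEC_HOST_PROCESS` (rule 10003) and marks it in its `note` as a duplicate of that EKS rule; one of the two should be chosen so the hostProcess check is not maintained twice. Neither policy references `K8S_POD_SEC_ENFORCE_BASELINE` or `K8S_POD_SEC_ENFORCE_RESTRICTED`, so if policies decide which rules run, the Namespace-level enforce labels are not checked by these policies — presumably intended, but worth a comment. The `(or v1.25+ for linux only)` remarks would read better spelled out, e.g. `# Privilege Escalation (mandatory for Linux pods from v1.25)`.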
@@ -0,0 +1,679 @@ +# yaml-language-server: $schema=../../rulesetSchema.json + +apiVersion: v1 +aliases: + - properties: + kind: + enum: + - Deployment + - Pod + - DaemonSet + - StatefulSet + - ReplicaSet + - CronJob + - Job +rules: + - id: 10001 + name: Enforce the baseline Pod Security Standards + uniqueName: K8S_POD_SEC_ENFORCE_BASELINE + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + messageOnFailure: >- + Incorrect or missing value for key `pod-security.kubernetes.io/enforce` - + set it to either baseline or restricted + category: Pod Security Standards Baseline + schema: + if: + properties: + kind: + enum: + - Namespace + then: + required: [metadata] + properties: + metadata: + required: [labels] + properties: + labels: + required: [pod-security.kubernetes.io/enforce] + properties: + pod-security.kubernetes.io/enforce: + enum: + - baseline + - restricted + - id: 10002 + name: Enforce the restricted Pod Security Standards + uniqueName: K8S_POD_SEC_ENFORCE_RESTRICTED + enabledByDefault: false + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: >- + Incorrect or missing value for key `pod-security.kubernetes.io/enforce` - + set it to restricted + category: Pod Security Standards Restricted + schema: + if: + properties: + kind: + enum: + - Namespace + then: + required: + - metadata + properties: + metadata: + required: + - labels + properties: + labels: + required: + - pod-security.kubernetes.io/enforce + properties: + pod-security.kubernetes.io/enforce: + enum: + - restricted + - id: 10003 + name: Prevent Windows containers from running with unnecessary privileges + uniqueName: K8S_POD_SEC_HOST_PROCESS + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + messageOnFailure: >- + Incorrect value for key `hostProcess` - remove the property 
or set it to + false + category: Pod Security Standards Baseline + note: Dulicate to EKS_INVALID_HOSTPROCESS_VALUE + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + windowsOptions: + properties: + hostProcess: + enum: + - 'false' + properties: + spec: + allOf: + - $ref: '#/$defs/validSecurityContext' + - properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 10004 + name: Prevent overriding or disabling the default AppArmor profile + uniqueName: K8S_POD_SEC_APPARMOR + enabledByDefault: true + documentationUrl: https://kubernetes.io/docs/tutorials/security/apparmor + messageOnFailure: >- + Incorrect value for key `container.apparmor.security.beta.kubernetes.io/*` + - remove the property or set it to runtime/default or localhost/* + category: Pod Security Standards Baseline + schema: + properties: + metadata: + properties: + annotations: + properties: + container.apparmor.security.beta.kubernetes.io/*: + oneOf: + - enum: + - runtime/default + - pattern: ^localhost/.*$ + additionalProperties: + $ref: '#' + items: + $ref: '#' + - id: 10005 + name: Use the default /proc mount + uniqueName: K8S_POD_SEC_PROC_MOUNT + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + messageOnFailure: Incorrect value for key `procMount` - remove it or set it to Default + category: Pod Security Standards Baseline + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + procMount: + enum: + - Default + properties: + spec: + properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: 
'#/$defs/validSecurityContext' + template: + $ref: '#' + - id: 10006 + name: Prevent setting the seccompProfile to unconfined + uniqueName: K8S_POD_SEC_SECCOMP_PROFILE + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + messageOnFailure: >- + Incorrect value for key `seccompProfile` - remove it or set the type to + RuntimeDefault or Localhost + category: Pod Security Standards Baseline + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + seccompProfile: + properties: + type: + enum: + - RuntimeDefault + - Localhost + properties: + spec: + properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + template: + $ref: '#' + - id: 10007 + name: Prevent disabling security mechanisms via sysctls + uniqueName: K8S_POD_SEC_SYSCTLS + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + messageOnFailure: >- + Incorrect value for key `sysctls[*].name` - Remove it or set it to one of + the allowed values + category: Pod Security Standards Baseline + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + sysctls: + items: + properties: + name: + enum: + - kernel.shm_rmid_forced + - net.ipv4.ip_local_port_range + - net.ipv4.ip_unprivileged_port_start + - net.ipv4.tcp_syncookies + - net.ipv4.ping_group_range + properties: + spec: + allOf: + - $ref: '#/$defs/validSecurityContext' + - properties: + template: + $ref: '#' + - id: 10008 + name: Use one of the allowed volume types + uniqueName: K8S_POD_SEC_ALLOWED_VOLUME_TYPES + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: >- + Incorrect volume entry - Each 
volume has to be of one of the allowed + volume types + category: Pod Security Standards Restricted + schema: + properties: + spec: + allOf: + - properties: + volumes: + items: + oneOf: + - required: + - configMap + - required: + - csi + - required: + - downwardAPI + - required: + - emptyDir + - required: + - ephemeral + - required: + - persistentVolumeClaim + - required: + - projected + - required: + - secret + - properties: + template: + $ref: '#' + - id: 10009 + name: Prevent allowing privilege escalation + uniqueName: K8S_POD_SEC_PRIVILEGE_ESCALATION + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: >- + Incorrect value for key `allowPrivilegeEscalation` - remove it or set it + to false + category: Pod Security Standards Restricted + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + allowPrivilegeEscalation: + enum: + - false + validContainers: + properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + properties: + spec: + allOf: + - if: + properties: + os: + properties: + not: + enum: + - windows + then: + $ref: '#/$defs/validContainers' + - properties: + template: + $ref: '#' + - id: 10010 + name: Prevent running as root + uniqueName: K8S_POD_SEC_RUNNING_AS_NON_ROOT + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: Incorrect value for key `runAsNonRoot` - set it to true + category: Pod Security Standards Restricted + schema: + $defs: + validSecurityContext: + required: + - securityContext + properties: + securityContext: + required: + - runAsNonRoot + properties: + runAsNonRoot: + enum: + - true + conditionallyValidSecurityContext: + properties: + securityContext: + 
properties: + runAsNonRoot: + enum: + - null + - null + - true + validSpec: + properties: + spec: + anyOf: + - allOf: + - $ref: '#/$defs/validSecurityContext' + - properties: + containers: + items: + $ref: '#/$defs/conditionallyValidSecurityContext' + initContainers: + items: + $ref: '#/$defs/conditionallyValidSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/conditionallyValidSecurityContext' + - properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + allOf: + - if: + properties: + kind: + enum: + - Pod + then: + $ref: '#/$defs/validSpec' + - if: + properties: + kind: + enum: + - Deployment + - DaemonSet + - StatefulSet + - ReplicaSet + - CronJob + - Job + then: + properties: + spec: + properties: + template: + $ref: '#/$defs/validSpec' + - id: 10011 + name: Run as non-root user + uniqueName: K8S_POD_SEC_RUNNING_AS_NON_ROOT_USER + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: >- + Incorrect value for key `runAsUser` - set it to a non-zero value or remove + it + category: Pod Security Standards Restricted + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + runAsUser: + not: + enum: + - 0 + properties: + spec: + allOf: + - $ref: '#/$defs/validSecurityContext' + - properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + - properties: + template: + $ref: '#' + - id: 10012 + name: Explicitely set the seccomp profile + uniqueName: K8S_POD_SEC_SECCOMP_PROFILE_REQUIRED + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + 
messageOnFailure: >- + Incorrect or missing value for key `seccompProfile.type` - set it to + RuntimeDefault or Localhost + category: Pod Security Standards Restricted + schema: + $defs: + validSecurityContext: + required: + - securityContext + properties: + securityContext: + required: + - seccompProfile + properties: + seccompProfile: + required: + - type + properties: + type: + enum: + - RuntimeDefault + - Localhost + conditionallyValidSecurityContext: + properties: + securityContext: + properties: + seccompProfile: + properties: + type: + enum: + - null + - null + - RuntimeDefault + - Localhost + validSpec: + properties: + spec: + if: + properties: + os: + properties: + name: + not: + enum: + - windows + then: + anyOf: + - allOf: + - $ref: '#/$defs/validSecurityContext' + - properties: + containers: + items: + $ref: '#/$defs/conditionallyValidSecurityContext' + initContainers: + items: + $ref: '#/$defs/conditionallyValidSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/conditionallyValidSecurityContext' + - allOf: + - $ref: '#/$defs/conditionallyValidSecurityContext' + - properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + allOf: + - if: + properties: + kind: + enum: + - Pod + then: + $ref: '#/$defs/validSpec' + - if: + properties: + kind: + enum: + - Deployment + - DaemonSet + - StatefulSet + - ReplicaSet + - CronJob + - Job + then: + properties: + spec: + properties: + template: + $ref: '#/$defs/validSpec' + - id: 10013 + name: Containers must drop all capabilities + uniqueName: K8S_POD_SEC_DROP_ALL_CAPABILITIES + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: Incorrect or missing values for `capabilities.drop` - must contain ALL + category: Pod Security Standards Restricted + schema: + 
$defs: + validSecurityContext: + required: + - securityContext + properties: + securityContext: + required: + - capabilities + properties: + capabilities: + required: + - drop + properties: + drop: + contains: + enum: + - ALL + validSpec: + properties: + spec: + if: + properties: + os: + properties: + name: + not: + enum: + - windows + then: + properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + allOf: + - if: + properties: + kind: + enum: + - Pod + then: + $ref: '#/$defs/validSpec' + - if: + properties: + kind: + enum: + - Deployment + - DaemonSet + - StatefulSet + - ReplicaSet + - CronJob + - Job + then: + properties: + spec: + properties: + template: + $ref: '#/$defs/validSpec' + - id: 10014 + name: Containers must only add back NET_BIND_SERVICE + uniqueName: K8S_POD_SEC_CAPABILITIES_ADD_ONLY_NET_BIND_SERVICE + enabledByDefault: true + documentationUrl: >- + https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + messageOnFailure: >- + Incorrect value for `capabilities.add` - must only contain + NET_BIND_SERVICE + category: Pod Security Standards Restricted + schema: + $defs: + validSecurityContext: + properties: + securityContext: + properties: + capabilities: + properties: + add: + items: + enum: + - NET_BIND_SERVICE + validSpec: + properties: + spec: + if: + properties: + os: + properties: + name: + not: + enum: + - windows + then: + properties: + containers: + items: + $ref: '#/$defs/validSecurityContext' + initContainers: + items: + $ref: '#/$defs/validSecurityContext' + ephemeralContainers: + items: + $ref: '#/$defs/validSecurityContext' + allOf: + - if: + properties: + kind: + enum: + - Pod + then: + $ref: '#/$defs/validSpec' + - if: + properties: + kind: + enum: + - Deployment + - DaemonSet + - StatefulSet + - ReplicaSet + - CronJob + - Job + then: + properties: + spec: + 
properties: + template: + $ref: '#/$defs/validSpec' diff --git a/resource-validation/rulesetSchema.json b/resource-validation/rulesetSchema.json new file mode 100644 index 0000000000..4ce6e209f9 --- /dev/null +++ b/resource-validation/rulesetSchema.json @@ -0,0 +1,85 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "definitions": { + "uniqueRuleName": { + "type": "string", + "minLength": 1, + "pattern": "^([A-Za-z0-9_])*([0-9]+\\.?[0-9]*|\\.[0-9]+)?([A-Za-z0-9_])*$" + }, + "rule": { + "type": "object", + "properties": { + "id": { + "type": "number" + }, + "name": { + "type": "string", + "minLength": 1 + }, + "uniqueName": { + "$ref": "#/definitions/uniqueRuleName" + }, + "documentationUrl": { + "type": "string", + "minLength": 1 + }, + "messageOnFailure": { + "type": "string" + }, + "schema": { + "$ref": "http://json-schema.org/draft-07/schema#", + "description": "this is the rule logic, should be a json schema" + } + }, + "required": ["uniqueName", "messageOnFailure", "schema"] + }, + "ruleReference": { + "type": "object", + "properties": { + "identifier": { + "$ref": "#/definitions/uniqueRuleName" + } + }, + "required": ["identifier"] + }, + "policy": { + "properties": { + "name": { + "type": "string", + "minLength": 1 + }, + "rules": { + "type": "array", + "items": { + "anyOf": [ + { + "$ref": "#/definitions/uniqueRuleName" + }, + { + "$ref": "#/definitions/ruleReference" + } + ] + } + } + }, + "required": ["name", "rules"] + } + }, + "properties": { + "apiVersion": { + "type": "string" + }, + "rules": { + "type": "array", + "items": { + "$ref": "#/definitions/rule" + } + }, + "policies": { + "type": "array", + "items": { + "$ref": "#/definitions/policy" + } + } + } +} diff --git a/vite.config.mts b/vite.config.mts index b0c46a9dd4..87c5df3795 100644 --- a/vite.config.mts +++ b/vite.config.mts 
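Review bot: Rule 10003's `hostProcess` enum is the quoted string `'false'`, while the Kubernetes field is a boolean (rule 10009 writes `allowPrivilegeEscalation` as an unquoted `false`), so a compliant `hostProcess: false` fails the schema and only the literal string would pass; it should be `enum: [false]` as in 10009. Rule 10004 lists `container.apparmor.security.beta.kubernetes.io/*` under `properties`, which JSON Schema treats as a literal key, so real per-container annotations are never examined — use `patternProperties` with `'^container\.apparmor\.security\.beta\.kubernetes\.io/.+$'` instead. In rule 10009 the OS condition is written `os: properties: not:` (no `name:`), unlike rules 10012–10014, so the `if` appears to be vacuously true and the Windows exemption is not applied. Rules 10010, 10012, 10013 and 10014 reach a CronJob's pods via `spec.template`, but a CronJob's pod template lives at `spec.jobTemplate.spec.template`, so CronJobs pass those checks vacuously; the `template: $ref: '#'` recursion in 10005–10009 and 10011 has the same gap. The duplicated `null` entries in the `conditionallyValidSecurityContext` enums of 10010 and 10012 look like leftovers and can be dropped.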
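Review bot: The `policy` definition does not declare the `includes` key that the pod-security-standards policies.yaml relies on, and with no `additionalProperties: false` the schema accepts it silently along with any misspelled key; declare it as `"includes": { "type": "array", "items": { "$ref": "#/definitions/uniqueRuleName" } }` so the editor and any validation step know about it. `policy` is also the only definition without `"type": "object"`, unlike `rule` and `ruleReference`; adding it keeps the three consistent. The `rule.schema` entry points at the draft-07 meta-schema while the new rules use `$defs`; draft-07 validators resolve the `#/$defs/...` pointers but do not know the keyword, which is worth a sentence in the `description` so nobody assumes it is validated.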
@@ -38,11 +38,11 @@ export default defineConfig({ viteStaticCopy({ targets: [ { - src: 'resources/base/resource-validation/rule-sets/**/*.yaml', + src: 'resource-validation/rule-sets/**/*.yaml', dest: 'resource-validation', rename: 'rule-set.yaml', transform() { - return mergeYamlFiles('resources/base/resource-validation/rule-sets/**/*.yaml'); + return mergeYamlFiles('resource-validation/rule-sets/**/*.yaml'); }, }, ], diff --git a/vitest.config.js b/vitest.config.js index 0003ee7291..895938ae59 100644 --- a/vitest.config.js +++ b/vitest.config.js @@ -1,4 +1,5 @@ import { defineConfig, mergeConfig } from 'vitest/config'; +outputs; import viteConfig from './vite.config.mts'; import viteTsconfigPaths from 'vite-tsconfig-paths'; From b1c5fc63ad554f4461d4752cdbcd31585ffc15c4 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Fri, 3 Jan 2025 11:16:52 +0100 Subject: [PATCH 15/31] remove accident addition --- vitest.config.js | 1 - 1 file changed, 1 deletion(-) diff --git a/vitest.config.js b/vitest.config.js index 895938ae59..0003ee7291 100644 --- a/vitest.config.js +++ b/vitest.config.js @@ -1,5 +1,4 @@ import { defineConfig, mergeConfig } from 'vitest/config'; -outputs; import viteConfig from './vite.config.mts'; import viteTsconfigPaths from 'vite-tsconfig-paths'; From b78c98dddab44ff0054d3ef4fa3d22c2652fe05a Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Fri, 3 Jan 2025 11:51:48 +0100 Subject: [PATCH 16/31] improve cm location --- resources/base/busola/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/resources/base/busola/deployment.yaml b/resources/base/busola/deployment.yaml index a8f7ae0a70..2450819668 100644 --- a/resources/base/busola/deployment.yaml +++ b/resources/base/busola/deployment.yaml @@ -27,7 +27,7 @@ spec: name: environment volumeMounts: - name: config - mountPath: /app/config + mountPath: /app/core-ui/config resources: requests: cpu: 100m From 18dc70e3c2829acb44758e7a6156e790d13bde5f Mon Sep 17 00:00:00 2001 
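Review bot: The glob `'resource-validation/rule-sets/**/*.yaml'` is now repeated in `src` and in the `mergeYamlFiles` call, so the two can drift apart on the next move; hoist it once, `const ruleSetsGlob = 'resource-validation/rule-sets/**/*.yaml';`, and use it in both places. The enclosing `defineConfig` call starts before the hunk.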
From: Damian Badura Date: Tue, 7 Jan 2025 16:29:16 +0100 Subject: [PATCH 17/31] remove backend address calculation --- Makefile | 2 +- src/state/utils/getBackendInfo.ts | 19 +------------------ 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/Makefile b/Makefile index 4653ae08c1..a9dedf5b27 100644 --- a/Makefile +++ b/Makefile @@ -24,7 +24,7 @@ release-local: build-image-local push-image-local build-image: ## Build busola backend image docker build -t $(APP_NAME) -f Dockerfile . -install-busola: build-image ## Build busola web image and install it on local k3d cluster +install-busola-k3d: build-image ## Build busola web image and install it on local k3d cluster $(eval HASH_TAG=$(shell docker images $(APP_NAME):latest --quiet)) docker tag $(APP_NAME) $(APP_NAME):$(HASH_TAG) diff --git a/src/state/utils/getBackendInfo.ts b/src/state/utils/getBackendInfo.ts index 4fdee42a94..d295ce51e2 100644 --- a/src/state/utils/getBackendInfo.ts +++ b/src/state/utils/getBackendInfo.ts @@ -1,23 +1,6 @@ const domain = window.location.hostname; -const getBackendAddress = () => { - // local busola - needed for e2e tests to work locally - if ( - window.location.hostname.startsWith('localhost') && - window.location.port === '8080' && - !process.env.IS_DOCKER - ) { - return 'http://127.0.0.1:3001/backend'; - // dev busola - } else if (window.location.hostname.startsWith('localhost')) { - return 'http://localhost:3001/backend'; - // on cluster - } else { - return '/backend'; - } -}; - export const getClusterConfig = () => ({ domain, - backendAddress: getBackendAddress(), + backendAddress: '/backend', }); From 25ea0c8814cae2b0f3a85339de15508bae859a50 Mon Sep 17 00:00:00 2001 From: Damian Badura <45110612+dbadura@users.noreply.github.com> Date: Tue, 7 Jan 2025 16:55:36 +0100 Subject: [PATCH 18/31] Apply suggestions from code review Co-authored-by: Grzegorz Karaluch --- README.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) 
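Review bot: With the localhost branches removed, `backendAddress` is always the same-origin path `/backend`, which presumably means local development now depends on the dev server (or ingress) proxying that path to the backend on port 3001 — nothing in this hunk documents that. A short comment would save the next reader from re-adding the old logic, e.g. `// The backend is always reached same-origin under /backend; in local development the dev server is expected to proxy this path.` `domain` is computed at module load from `window.location.hostname`, so the object is effectively a constant and could be declared as one rather than a factory, unless callers rely on the function form.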
diff --git a/README.md b/README.md index 570889c6c2..83198b263d 100644 --- a/README.md +++ b/README.md @@ -178,43 +178,43 @@ For the information on how to run tests and configure them, go to the [`tests`]( docker run --rm -it -p 3001:3001 -v :/app/core-ui/environments/ --env ENVIRONMENT={your-env} --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest ``` -## Deploy Busola in Kubernetes Cluster +## Deploy Busola on the Kubernetes Cluster -To install Busola on Kubernetes cluster run: +To install Busola on the Kubernetes cluster, run: ```shell (cd resources && kustomize build base/ | kubectl apply -f- ) ``` -To install Busola using specific environment configuration, set `ENVIRONMENT` shell environment variable and run: +To install Busola using a specific environment configuration, set the `ENVIRONMENT` shell environment variable and run: ```shell (cd resources && kustomize build environments/${ENVIRONMENT} | kubectl apply -f- ) ``` -## Access Busola installed on Kubernetes +## Access Busola Installed on Kubernetes -### Kubectl +### kubectl -The simplest method which always works is to use capabilities of `kubectl`. +The simplest method that always works is to use the capabilities of kubectl. ```shell kubectl port-forward services/busola 3001:3001 ``` -### Busola installed on K3d +### k3d Prerequisites: - K3d with installed Traefik, by default it's installed. -Install ingress resources by running: +1. Install Ingress resources: ```shell (cd resources && kubectl apply -f ingress/ingress.yaml) ``` -Go to `localhost` +2. Go to `localhost` #### Connect to the k3d cluster where Busola is installed. 
@@ -229,26 +229,26 @@ k3d kubeconfig get ${K3D_CLUSTER_NAME} > k3d-kubeconfig.yaml yq --inplace '.clusters[].cluster.server = "https://kubernetes.default.svc:443"' k3d-kubeconfig.yaml ``` -### Kubernetes cluster with Istio installed +### Kubernetes Cluster with Istio Installed Prerequisites: -- Sidecar Proxy injection enabled, see [Kyma docs](https://kyma-project.io/#/istio/user/tutorials/01-40-enable-sidecar-injection?id=enable-istio-sidecar-proxy-injection), how to enable it. -- Api gateway module installed, see [install docs](https://kyma-project.io/#/02-get-started/01-quick-install) +- Sidecar Proxy injection enabled, see [Enable Istio Sidecar Proxy Injection](https://kyma-project.io/#/istio/user/tutorials/01-40-enable-sidecar-injection?id=enable-istio-sidecar-proxy-injection). +- The API Gateway module installed, see [Quick Install](https://kyma-project.io/#/02-get-started/01-quick-install) -Install Istio needed resources by running: +1. Install the Istio required resources: ```shell (cd resources && kubectl apply -k istio) ``` -To get Busola address run: +2. To get the Busola address, run: ```shell kubectl get virtualservices.networking.istio.io ``` -and find `busola-***` virtual service. Under `HOSTS` there is address to access Busola page. +and find the `busola-***` virtual service. Under `HOSTS,` there is an address where you can access the Busola page. ## Troubleshooting From 2c5c14555b8c1df39daf5308c4f8c38c7e44ed3e Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Tue, 7 Jan 2025 17:07:03 +0100 Subject: [PATCH 19/31] fix hpa and mention yq --- README.md | 9 +++++++-- resources/base/busola/hpa.yaml | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 83198b263d..3f4f4791ff 100644 --- a/README.md +++ b/README.md 
@@ -221,8 +221,13 @@ Prerequisites: To be able to connect to the same K3d cluster where Busola is installed. Download kubeconfig and change cluster server address to `https://kubernetes.default.svc:443`. -Using shell: -Set `K3D_CLUSTER_NAME` shell environment variable to name of your cluster. +Using shell. + +Prerequisites: + +- [yq](https://mikefarah.gitbook.io/yq) + +Set `K3D_CLUSTER_NAME` shell environment variable to name of your cluster and run: ```shell k3d kubeconfig get ${K3D_CLUSTER_NAME} > k3d-kubeconfig.yaml diff --git a/resources/base/busola/hpa.yaml b/resources/base/busola/hpa.yaml index 681445e712..9fbdb37d2c 100644 --- a/resources/base/busola/hpa.yaml +++ b/resources/base/busola/hpa.yaml @@ -8,7 +8,7 @@ spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: web + name: busola minReplicas: 1 maxReplicas: 11 metrics: From a3da831dcbb302b8c84bed676fc86d600ca3af41 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Tue, 7 Jan 2025 17:17:00 +0100 Subject: [PATCH 20/31] update info about k3d --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 3f4f4791ff..3fab089f1c 100644 --- a/README.md +++ b/README.md @@ -206,7 +206,9 @@ kubectl port-forward services/busola 3001:3001 Prerequisites: -- K3d with installed Traefik, by default it's installed. +- K3d with exposed loadbalancer on port 80. + > **TIP:** To create K3d with exposed load balancer run: `k3d cluster create -p "80:80@loadbalancer"`. + > More details available in k3d docs [exposing services](https://k3d.io/v5.6.3/usage/exposing_services/). 1. Install Ingress resources: From b0b31f3ae0fad0b20ff826ab7db2ad0058afc01d Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 8 Jan 2025 10:28:48 +0100 Subject: [PATCH 21/31] fix local dev --- vite.config.mts | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/vite.config.mts b/vite.config.mts index 87c5df3795..d056603ede 100644 --- a/vite.config.mts +++ b/vite.config.mts 
@@ -15,6 +15,13 @@ export default defineConfig({ }, server: { port: 8080, + proxy: { + // with options + '^/backend/.*': { + target: 'http://localhost:3001', + changeOrigin: true, + }, + }, }, plugins: [ { From 0ce0f6c611a939cf54027f253a1ee2a9e41f1392 Mon Sep 17 00:00:00 2001 From: Damian Badura <45110612+dbadura@users.noreply.github.com> Date: Wed, 8 Jan 2025 10:53:34 +0100 Subject: [PATCH 22/31] Apply suggestions from code review Co-authored-by: Grzegorz Karaluch --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 3fab089f1c..ebfd47e149 100644 --- a/README.md +++ b/README.md @@ -208,7 +208,7 @@ Prerequisites: - K3d with exposed loadbalancer on port 80. > **TIP:** To create K3d with exposed load balancer run: `k3d cluster create -p "80:80@loadbalancer"`. - > More details available in k3d docs [exposing services](https://k3d.io/v5.6.3/usage/exposing_services/). + > See [Exposing Services](https://k3d.io/v5.6.3/usage/exposing_services/) for more details. 1. Install Ingress resources: @@ -218,10 +218,9 @@ Prerequisites: 2. Go to `localhost` -#### Connect to the k3d cluster where Busola is installed. +#### Connect to the k3d Cluster With Busola Installed. -To be able to connect to the same K3d cluster where Busola is installed. -Download kubeconfig and change cluster server address to `https://kubernetes.default.svc:443`. +To connect to the same k3d cluster with Busola installed, download kubeconfig and change the cluster server address to `https://kubernetes.default.svc:443`. Using shell. @@ -229,7 +228,7 @@ Prerequisites: - [yq](https://mikefarah.gitbook.io/yq) -Set `K3D_CLUSTER_NAME` shell environment variable to name of your cluster and run: +Set the `K3D_CLUSTER_NAME` shell environment variable to the name of your cluster and run: ```shell k3d kubeconfig get ${K3D_CLUSTER_NAME} > k3d-kubeconfig.yaml From b4819a39b6f739d6d3a9d8e71734c662f68c3b0a Mon Sep 17 00:00:00 2001 
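Review bot: `// with options` on the new proxy entry is the placeholder comment from the Vite docs and tells the reader nothing; replace it with the reason the entry exists, e.g. `// Dev server only: forward the same-origin /backend path to the backend process on :3001, mirroring what the ingress does in the cluster.` The `.*` in `'^/backend/.*'` is redundant for a prefix match, and the pattern does not match a bare `/backend` with no trailing slash; if any call ever uses that exact path, `'^/backend(/|$)'` covers both forms. Because the entry sits under `server:` it only affects `vite` dev serving on port 8080, not the built bundle, which is worth stating in the comment so nobody expects the proxy to exist in a deployed instance.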
From: Grzegorz Karaluch Date: Wed, 8 Jan 2025 11:46:37 +0100 Subject: [PATCH 23/31] Change on to in --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ebfd47e149..9155a2c096 100644 --- a/README.md +++ b/README.md @@ -178,9 +178,9 @@ For the information on how to run tests and configure them, go to the [`tests`]( docker run --rm -it -p 3001:3001 -v :/app/core-ui/environments/ --env ENVIRONMENT={your-env} --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest ``` -## Deploy Busola on the Kubernetes Cluster +## Deploy Busola in the Kubernetes Cluster -To install Busola on the Kubernetes cluster, run: +To install Busola in the Kubernetes cluster, run: ```shell (cd resources && kustomize build base/ | kubectl apply -f- ) From 260624246b2af6b70d5cc77772cb1f0ed8afdd2f Mon Sep 17 00:00:00 2001 From: pbochynski Date: Wed, 8 Jan 2025 12:27:32 +0100 Subject: [PATCH 24/31] Remove reference to port 3001 on localhost in custom extension --- examples/custom-extension/script.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/examples/custom-extension/script.js b/examples/custom-extension/script.js index bc3c6bd601..841aeacbc8 100644 --- a/examples/custom-extension/script.js +++ b/examples/custom-extension/script.js @@ -6,9 +6,7 @@ function fetchWrapper(url, options = {}) { } function proxyFetch(url, options = {}) { - const baseUrl = window.location.hostname.startsWith('localhost') - ? 'http://localhost:3001/proxy' - : '/proxy'; + const baseUrl = '/proxy'; const encodedUrl = encodeURIComponent(url); const proxyUrl = `${baseUrl}?url=${encodedUrl}`; return fetch(proxyUrl, options); From f2b87c85b14daaaff06702b9c3c5e4dca5a3971e Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 8 Jan 2025 14:43:16 +0100 Subject: [PATCH 25/31] better naming --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
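Review bot: With the localhost branch gone, `baseUrl` is a constant that only works when the extension is served from the Busola origin where `/proxy` is routed, and the example should say so; hoist it out of the function as `const PROXY_PATH = '/proxy'; // relative on purpose: the page must be served from Busola so /proxy reaches the backend` and reference it in `proxyFetch`. That also makes the example consistent with the same move made for `backendAddress` in patch 17 of this series. The closing brace of `proxyFetch` lies outside the hunk.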
diff --git a/README.md b/README.md index 9155a2c096..a1067b3e28 100644 --- a/README.md +++ b/README.md @@ -165,7 +165,7 @@ For the information on how to run tests and configure them, go to the [`tests`]( docker run --rm -it -p 3001:3001 -v :/app/core-ui/kubeconfig/ --pid=host --name busola europe-docker.pkg.dev/kyma-project/prod/busola:latest ``` -2. When you open Busola in your browser, go to `http://localhost:3001?kubeconfigID={YOUR_KUBECONFIG_FILE_NAME}`. Busola will try to download that file and add it for your Busola instance. +2. When you open Busola in your browser, visit `http://localhost:3001?kubeconfigID={YOUR_KUBECONFIG_FILE_NAME}`. Busola will try to download that file and add it for your Busola instance. ### Set active environment @@ -216,13 +216,13 @@ Prerequisites: (cd resources && kubectl apply -f ingress/ingress.yaml) ``` -2. Go to `localhost` +2. Visit `localhost` #### Connect to the k3d Cluster With Busola Installed. To connect to the same k3d cluster with Busola installed, download kubeconfig and change the cluster server address to `https://kubernetes.default.svc:443`. -Using shell. +Use shell to quickly process the file Prerequisites: From 063ef28833d235c02e40fac45ed88541e123c459 Mon Sep 17 00:00:00 2001 From: Grzegorz Karaluch Date: Wed, 8 Jan 2025 14:46:02 +0100 Subject: [PATCH 26/31] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1067b3e28..7e1a6e5259 100644 --- a/README.md +++ b/README.md @@ -222,7 +222,7 @@ Prerequisites: To connect to the same k3d cluster with Busola installed, download kubeconfig and change the cluster server address to `https://kubernetes.default.svc:443`. -Use shell to quickly process the file +Use shell to quickly process the file. Prerequisites: From a26faa2581b26a5c987034e40eb8cd856d942e02 Mon Sep 17 00:00:00 2001 
From: Damian Badura Date: Wed, 8 Jan 2025 15:32:54 +0100 Subject: [PATCH 27/31] adjust running of integration tests --- .github/workflows/pull-integration-cluster-k3d.yml | 9 ++------- .github/workflows/pull-integration-namespace-k3d.yml | 9 ++------- .github/workflows/pull-lighthouse.yml | 8 ++------ 3 files changed, 6 insertions(+), 20 deletions(-) diff --git a/.github/workflows/pull-integration-cluster-k3d.yml b/.github/workflows/pull-integration-cluster-k3d.yml index eae5c6fd1a..a507dfb53f 100644 --- a/.github/workflows/pull-integration-cluster-k3d.yml +++ b/.github/workflows/pull-integration-cluster-k3d.yml @@ -45,17 +45,12 @@ jobs: set -e npm ci npm run build - npm i -g serve - name: run_tests shell: bash run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml - export CYPRESS_DOMAIN=http://localhost:3000 - serve -s build > busola.log & - - pushd backend - npm start > backend.log & - popd + export CYPRESS_DOMAIN=http://localhost:3001 + npm run start echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done diff --git a/.github/workflows/pull-integration-namespace-k3d.yml b/.github/workflows/pull-integration-namespace-k3d.yml index 1acd4901c4..4dc4bffaf6 100644 --- a/.github/workflows/pull-integration-namespace-k3d.yml +++ b/.github/workflows/pull-integration-namespace-k3d.yml @@ -45,17 +45,12 @@ jobs: set -e npm ci npm run build - npm i -g serve - name: run_tests shell: bash run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml - export CYPRESS_DOMAIN=http://localhost:3000 - serve -s build > busola.log & - - pushd backend - npm start > backend.log & - popd + export CYPRESS_DOMAIN=http://localhost:3001 + npm run start echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done 
diff --git a/.github/workflows/pull-lighthouse.yml b/.github/workflows/pull-lighthouse.yml index 011d3dc150..463e2f131e 100644 --- a/.github/workflows/pull-lighthouse.yml +++ b/.github/workflows/pull-lighthouse.yml @@ -43,12 +43,8 @@ jobs: shell: bash run: | k3d kubeconfig get k3dCluster > tests/lighthouse/fixtures/kubeconfig.yaml - export DOMAIN=http://localhost:3000 - serve -s build > busola.log & - - pushd backend - npm start > backend.log & - popd + export DOMAIN=http://localhost:3001 + npm run start echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$DOMAIN")" != "200" ]]; do sleep 5; done From d52a6c943b77aee9d3e7c5c1fdc5617f29498fa0 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 8 Jan 2025 15:51:11 +0100 Subject: [PATCH 28/31] fix hanging the tests --- .github/workflows/pull-integration-cluster-k3d.yml | 2 +- .github/workflows/pull-integration-namespace-k3d.yml | 2 +- .github/workflows/pull-lighthouse.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pull-integration-cluster-k3d.yml b/.github/workflows/pull-integration-cluster-k3d.yml index a507dfb53f..bf51cf79f2 100644 --- a/.github/workflows/pull-integration-cluster-k3d.yml +++ b/.github/workflows/pull-integration-cluster-k3d.yml @@ -50,7 +50,7 @@ jobs: run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml export CYPRESS_DOMAIN=http://localhost:3001 - npm run start + npm run start & echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done diff --git a/.github/workflows/pull-integration-namespace-k3d.yml b/.github/workflows/pull-integration-namespace-k3d.yml index 4dc4bffaf6..57ffb30c58 100644 --- a/.github/workflows/pull-integration-namespace-k3d.yml +++ b/.github/workflows/pull-integration-namespace-k3d.yml 
@@ -50,7 +50,7 @@ jobs: run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml export CYPRESS_DOMAIN=http://localhost:3001 - npm run start + npm run start & echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done diff --git a/.github/workflows/pull-lighthouse.yml b/.github/workflows/pull-lighthouse.yml index 463e2f131e..3bcc2a035b 100644 --- a/.github/workflows/pull-lighthouse.yml +++ b/.github/workflows/pull-lighthouse.yml @@ -44,7 +44,7 @@ jobs: run: | k3d kubeconfig get k3dCluster > tests/lighthouse/fixtures/kubeconfig.yaml export DOMAIN=http://localhost:3001 - npm run start + npm run start & echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$DOMAIN")" != "200" ]]; do sleep 5; done From e646f9912bd3b648fa422d13dea1527d667f0afb Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 8 Jan 2025 16:01:13 +0100 Subject: [PATCH 29/31] redirect log --- .../pull-integration-cluster-k3d.yml | 2 +- .../pull-integration-namespace-k3d.yml | 2 +- .github/workflows/pull-lighthouse.yml | 2 +- busola.log | 53 +++++++++++++++++++ 4 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 busola.log diff --git a/.github/workflows/pull-integration-cluster-k3d.yml b/.github/workflows/pull-integration-cluster-k3d.yml index bf51cf79f2..e1be09f699 100644 --- a/.github/workflows/pull-integration-cluster-k3d.yml +++ b/.github/workflows/pull-integration-cluster-k3d.yml @@ -50,7 +50,7 @@ jobs: run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml export CYPRESS_DOMAIN=http://localhost:3001 - npm run start & + npm run start > busola.log & echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done 
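Review bot: The file this redirect creates, `busola.log`, is added to the repository by this same commit (`create mode 100644 busola.log` in the diffstat), which looks accidental: it is a CI runtime artifact, and the committed copy carries a local crash trace and environment details (node version, the backend start command line) that do not belong in source control. Drop it from the commit and add `busola.log` to `.gitignore` so this hunk, and the identical redirects in the namespace and lighthouse workflow hunks on the next line, cannot re-introduce it. The artifact-upload step visible in patch 30 already collects the file from the workspace, so nothing needs to be tracked in git for the logs to be retained.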
diff --git a/.github/workflows/pull-integration-namespace-k3d.yml b/.github/workflows/pull-integration-namespace-k3d.yml index 57ffb30c58..23db73eb9b 100644 --- a/.github/workflows/pull-integration-namespace-k3d.yml +++ b/.github/workflows/pull-integration-namespace-k3d.yml @@ -50,7 +50,7 @@ jobs: run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml export CYPRESS_DOMAIN=http://localhost:3001 - npm run start & + npm run start > busola.log & echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done diff --git a/.github/workflows/pull-lighthouse.yml b/.github/workflows/pull-lighthouse.yml index 3bcc2a035b..d4e1635a3b 100644 --- a/.github/workflows/pull-lighthouse.yml +++ b/.github/workflows/pull-lighthouse.yml @@ -44,7 +44,7 @@ jobs: run: | k3d kubeconfig get k3dCluster > tests/lighthouse/fixtures/kubeconfig.yaml export DOMAIN=http://localhost:3001 - npm run start & + npm run start > busola.log & echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$DOMAIN")" != "200" ]]; do sleep 5; done diff --git a/busola.log b/busola.log new file mode 100644 index 0000000000..dbb509fe37 --- /dev/null +++ b/busola.log 
@@ -0,0 +1,53 @@ + +> @kyma-project/busola@0.0.1-rc.8 start +> concurrently -c cyan,green npm:busola npm:backend + +[busola] +[busola] > @kyma-project/busola@0.0.1-rc.8 busola +[busola] > npm run copy-themes; BROWSER=none GENERATE_SOURCEMAP=false vite +[busola] +[backend] +[backend] > @kyma-project/busola@0.0.1-rc.8 backend +[backend] > cd backend && npm run start +[backend] +[busola] +[busola] > @kyma-project/busola@0.0.1-rc.8 copy-themes +[busola] > cp node_modules/@sap-theming/theming-base-content/content/Base/baseLib/sap_horizon/css_variables.css public/themes/@sap-theming/default.css; for theme in hcb dark hcw ; do cp node_modules/@sap-theming/theming-base-content/content/Base/baseLib/sap_horizon_$theme/css_variables.css public/themes/@sap-theming/$theme.css ; done +[busola] +[backend] +[backend] > backend@1.0.0 start +[backend] > SSL_CERT_FILE=certs.pem NODE_ENV=development nodemon --exec babel-node index.js +[backend] +[backend] [nodemon] 2.0.22 +[backend] [nodemon] to restart at any time, enter `rs` +[backend] [nodemon] watching path(s): *.* +[backend] [nodemon] watching extensions: js,mjs,json +[backend] [nodemon] starting `babel-node index.js` +[busola] Forced re-optimization of dependencies +[busola] [vite-plugin-static-copy] Collected 1 items. 
+[busola] +[busola] VITE v5.4.3 ready in 1274 ms +[busola] +[busola] ➜ Local: http://localhost:8080/ +[busola] ➜ Network: use --host to expose +[backend] node:events:496 +[backend] throw er; // Unhandled 'error' event +[backend] ^ +[backend] +[backend] Error: listen EADDRINUSE: address already in use 0.0.0.0:3001 +[backend] at Server.setupListenHandle [as _listen2] (node:net:1897:16) +[backend] at listenInCluster (node:net:1945:12) +[backend] at doListen (node:net:2109:7) +[backend] at processTicksAndRejections (node:internal/process/task_queues:83:21) +[backend] Emitted 'error' event on Server instance at: +[backend] at emitErrorNT (node:net:1924:8) +[backend] at processTicksAndRejections (node:internal/process/task_queues:82:21) { +[backend] code: 'EADDRINUSE', +[backend] errno: -98, +[backend] syscall: 'listen', +[backend] address: '0.0.0.0', +[backend] port: 3001 +[backend] } +[backend] +[backend] Node.js v20.12.1 +[backend] [nodemon] app crashed - waiting for file changes before starting... From 5f2e4bc8671dd5d3f754d9d9cec92eaeaa6de97f Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 8 Jan 2025 16:27:28 +0100 Subject: [PATCH 30/31] fix tests --- .github/workflows/pull-integration-cluster-k3d.yml | 6 ++---- .github/workflows/pull-integration-namespace-k3d.yml | 8 +++----- .github/workflows/pull-lighthouse.yml | 7 ++----- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/.github/workflows/pull-integration-cluster-k3d.yml b/.github/workflows/pull-integration-cluster-k3d.yml index e1be09f699..3bb328c41c 100644 --- a/.github/workflows/pull-integration-cluster-k3d.yml +++ b/.github/workflows/pull-integration-cluster-k3d.yml 
@@ -44,13 +44,12 @@ jobs: run: | set -e npm ci - npm run build + npm run start > busola.log & - name: run_tests shell: bash run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml - export CYPRESS_DOMAIN=http://localhost:3001 - npm run start > busola.log & + export CYPRESS_DOMAIN=http://localhost:8080 echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done @@ -71,6 +70,5 @@ jobs: with: name: busola-logs-${{ github.job }} path: | - backend/backend.log busola.log retention-days: 90 diff --git a/.github/workflows/pull-integration-namespace-k3d.yml b/.github/workflows/pull-integration-namespace-k3d.yml index 23db73eb9b..073151997c 100644 --- a/.github/workflows/pull-integration-namespace-k3d.yml +++ b/.github/workflows/pull-integration-namespace-k3d.yml @@ -44,14 +44,13 @@ jobs: run: | set -e npm ci - npm run build + npm run start > busola.log & - name: run_tests shell: bash run: | k3d kubeconfig get k3dCluster > tests/integration/fixtures/kubeconfig.yaml - export CYPRESS_DOMAIN=http://localhost:3001 - npm run start > busola.log & - + export CYPRESS_DOMAIN=http://localhost:8080 + echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$CYPRESS_DOMAIN")" != "200" ]]; do sleep 5; done sleep 10 @@ -71,6 +70,5 @@ jobs: with: name: busola-logs-${{ github.job }} path: | - backend/backend.log busola.log retention-days: 90 diff --git a/.github/workflows/pull-lighthouse.yml b/.github/workflows/pull-lighthouse.yml index d4e1635a3b..7095573eaf 100644 --- a/.github/workflows/pull-lighthouse.yml +++ b/.github/workflows/pull-lighthouse.yml 
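Review bot: Because `npm run start > busola.log &` is backgrounded, `set -e` in the build step cannot observe it failing, so a dev server that dies on startup (the EADDRINUSE crash captured in the busola.log committed in patch 29 is one example) is only noticed by the readiness loop in run_tests, and that loop has no upper bound — the job then sits in `sleep 5` until the runner's job timeout. Bound the wait, e.g. `timeout 300 bash -c 'until [[ "$(curl -s -o /dev/null -w "%{http_code}" "$CYPRESS_DOMAIN")" == "200" ]]; do sleep 5; done'`, so a startup failure fails the job promptly instead of hanging it. Also redirect stderr, `npm run start > busola.log 2>&1 &`, since npm's own error output otherwise never reaches the uploaded artifact. The same applies to the namespace workflow hunk on this line and the lighthouse hunk on the next line, where the variable is `DOMAIN`.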
@@ -37,14 +37,12 @@ jobs: run: | set -e npm ci - npm run build - npm i -g serve + npm run start > busola.log & - name: run_tests shell: bash run: | k3d kubeconfig get k3dCluster > tests/lighthouse/fixtures/kubeconfig.yaml - export DOMAIN=http://localhost:3001 - npm run start > busola.log & + export DOMAIN=http://localhost:8080 echo "waiting for server to be up..." while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' "$DOMAIN")" != "200" ]]; do sleep 5; done @@ -58,6 +56,5 @@ jobs: with: name: busola-logs-${{ github.job }} path: | - backend/backend.log busola.log retention-days: 90 From 95ecbe4d497b9ed839ef28451b2d68d46935b1f1 Mon Sep 17 00:00:00 2001 From: Damian Badura Date: Wed, 8 Jan 2025 16:38:26 +0100 Subject: [PATCH 31/31] fix lighthouse --- tests/lighthouse/lighthouse.spec.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/lighthouse/lighthouse.spec.js b/tests/lighthouse/lighthouse.spec.js index b0716c54b4..ad70ba3459 100644 --- a/tests/lighthouse/lighthouse.spec.js +++ b/tests/lighthouse/lighthouse.spec.js @@ -3,9 +3,7 @@ import { playAudit } from 'playwright-lighthouse'; import { chromium } from 'playwright'; import { tmpdir } from 'os'; -const ADDRESS = process.env.LOCAL - ? 'http://localhost:8080' - : 'http://localhost:3000'; +const ADDRESS = 'http://localhost:8080'; test('Busola Lighthouse audit', async () => { const context = await chromium.launchPersistentContext(tmpdir(), {
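Review bot: Hard-coding `ADDRESS` leaves the spec ignoring the `DOMAIN` variable that pull-lighthouse.yml exports right before the tests run (`export DOMAIN=http://localhost:8080` in the hunk above), so the two values can silently drift apart the next time a port changes. Reading the variable with the same default keeps them aligned, assuming the tests run in that same shell step: `const ADDRESS = process.env.DOMAIN || 'http://localhost:8080';`. The test body continues past the end of the hunk.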