From 92c91402b73004f003223719a6881958ecf3ecca Mon Sep 17 00:00:00 2001 From: Matheus Moraes Date: Tue, 9 May 2023 12:18:12 -0300 Subject: [PATCH] update config/ files --- config/crd/kustomization.yaml | 14 -- config/crd/kustomizeconfig.yaml | 14 -- .../patches/cainjection_in_clusterissues.yaml | 14 -- .../crd/patches/cainjection_in_clusters.yaml | 14 -- .../patches/cainjection_in_clusterscans.yaml | 14 -- .../crd/patches/cainjection_in_plugins.yaml | 14 -- .../crd/patches/webhook_in_clusterissues.yaml | 14 -- config/crd/patches/webhook_in_clusters.yaml | 14 -- .../crd/patches/webhook_in_clusterscans.yaml | 14 -- config/crd/patches/webhook_in_plugins.yaml | 14 -- config/default/kustomization.yaml | 152 ++++++++++++------ config/default/manager_auth_proxy_patch.yaml | 21 +-- config/default/manager_config_patch.yaml | 24 --- config/manager/controller_manager_config.yaml | 25 --- config/manager/kustomization.yaml | 28 ---- config/manager/manager.yaml | 56 +++++-- config/prometheus/kustomization.yaml | 14 -- config/prometheus/monitor.yaml | 20 +-- config/samples/kustomization.yaml | 7 + config/samples/zora_v1alpha1_cluster.yaml | 20 +-- .../samples/zora_v1alpha1_clusterissue.yaml | 48 ++---- config/samples/zora_v1alpha1_clusterscan.yaml | 20 +-- .../samples/zora_v1alpha1_plugin_marvin.yaml | 20 +-- .../samples/zora_v1alpha1_plugin_popeye.yaml | 20 +-- 24 files changed, 203 insertions(+), 412 deletions(-) delete mode 100644 config/manager/controller_manager_config.yaml create mode 100644 config/samples/kustomization.yaml diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 451fe475..86d8392b 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml 
@@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # This kustomization.yaml is not intended to be run by itself, # since it depends on service name and namespace that are out of this kustomize package. # It should be run by config/default diff --git a/config/crd/kustomizeconfig.yaml b/config/crd/kustomizeconfig.yaml index 3fdf520f..ec5c150a 100644 --- a/config/crd/kustomizeconfig.yaml +++ b/config/crd/kustomizeconfig.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # This file is for teaching kustomize how to substitute name and namespace reference in CRD nameReference: - kind: Service diff --git a/config/crd/patches/cainjection_in_clusterissues.yaml b/config/crd/patches/cainjection_in_clusterissues.yaml index a6c96db4..cab731ed 100644 --- a/config/crd/patches/cainjection_in_clusterissues.yaml +++ b/config/crd/patches/cainjection_in_clusterissues.yaml 
@@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch adds a directive for certmanager to inject CA into the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/cainjection_in_clusters.yaml b/config/crd/patches/cainjection_in_clusters.yaml index c1dd4493..4885e603 100644 --- a/config/crd/patches/cainjection_in_clusters.yaml +++ b/config/crd/patches/cainjection_in_clusters.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch adds a directive for certmanager to inject CA into the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/cainjection_in_clusterscans.yaml b/config/crd/patches/cainjection_in_clusterscans.yaml index 0df39f92..9874020f 100644 --- a/config/crd/patches/cainjection_in_clusterscans.yaml 
+++ b/config/crd/patches/cainjection_in_clusterscans.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch adds a directive for certmanager to inject CA into the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/cainjection_in_plugins.yaml b/config/crd/patches/cainjection_in_plugins.yaml index f31cf970..f75ae0c9 100644 --- a/config/crd/patches/cainjection_in_plugins.yaml +++ b/config/crd/patches/cainjection_in_plugins.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch adds a directive for certmanager to inject CA into the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/webhook_in_clusterissues.yaml b/config/crd/patches/webhook_in_clusterissues.yaml index 3b79e66d..34c3858c 100644 
--- a/config/crd/patches/webhook_in_clusterissues.yaml +++ b/config/crd/patches/webhook_in_clusterissues.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/webhook_in_clusters.yaml b/config/crd/patches/webhook_in_clusters.yaml index a69fe080..6158ce90 100644 --- a/config/crd/patches/webhook_in_clusters.yaml +++ b/config/crd/patches/webhook_in_clusters.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/webhook_in_clusterscans.yaml b/config/crd/patches/webhook_in_clusterscans.yaml index 61980dc2..07761c33 100644 
--- a/config/crd/patches/webhook_in_clusterscans.yaml +++ b/config/crd/patches/webhook_in_clusterscans.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/crd/patches/webhook_in_plugins.yaml b/config/crd/patches/webhook_in_plugins.yaml index e5d6d0b7..93055a8f 100644 --- a/config/crd/patches/webhook_in_plugins.yaml +++ b/config/crd/patches/webhook_in_plugins.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # The following patch enables a conversion webhook for the CRD apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 8a7cd8bd..2d146a0f 100644 --- a/config/default/kustomization.yaml 
+++ b/config/default/kustomization.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # Adds namespace to all resources. namespace: zora-system @@ -23,10 +9,12 @@ namespace: zora-system namePrefix: zora- # Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue +#labels: +#- includeSelectors: true +# pairs: +# someName: someValue -bases: +resources: - ../crd - ../rbac - ../manager @@ -44,9 +32,7 @@ patchesStrategicMerge: # endpoint w/o any authn/z, please comment the following line. - manager_auth_proxy_patch.yaml -# Mount the controller config file for loading manager configurations -# through a ComponentConfig type -#- manager_config_patch.yaml + # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml 
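Review bot: `patchesStrategicMerge:` is left in place while the same file migrates `bases:` to `resources:` and `commonLabels:` to `labels:`, so the kustomization is only half-moved to the kustomize v5 field set and will still emit a deprecation warning for that key. Finishing the migration is a two-line change: `patches:` with `- path: manager_auth_proxy_patch.yaml` (and the same `- path:` form for the commented `[WEBHOOK]`/`[CERTMANAGER]` entries). The head of that patch list is above the hunk, so please apply the rename to the whole list, not just the visible tail.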
@@ -57,32 +43,102 @@ patchesStrategicMerge: # 'CERTMANAGER' needs to be enabled to use ca injection #- webhookcainjection_patch.yaml -# the following config is for teaching kustomize how to do var substitution -vars: # [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -#- name: CERTIFICATE_NAMESPACE # namespace of the certificate CR -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -# fieldref: -# fieldpath: metadata.namespace -#- name: CERTIFICATE_NAME -# objref: -# kind: Certificate -# group: cert-manager.io -# version: v1 -# name: serving-cert # this name should match the one in certificate.yaml -#- name: SERVICE_NAMESPACE # namespace of the service -# objref: -# kind: Service -# version: v1 -# name: webhook-service -# fieldref: -# fieldpath: metadata.namespace -#- name: SERVICE_NAME -# objref: -# kind: Service -# version: v1 -# name: webhook-service +# Uncomment the following replacements to add the cert-manager CA injection annotations +#replacements: +# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldPath: .metadata.namespace # namespace of the certificate CR +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 0 +# create: true +# - 
source: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# name: serving-cert # this name should match the one in certificate.yaml +# fieldPath: .metadata.name +# targets: +# - select: +# kind: ValidatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: MutatingWebhookConfiguration +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - select: +# kind: CustomResourceDefinition +# fieldPaths: +# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# options: +# delimiter: '/' +# index: 1 +# create: true +# - source: # Add cert-manager annotation to the webhook Service +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.name # namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 0 +# create: true +# - source: +# kind: Service +# version: v1 +# name: webhook-service +# fieldPath: .metadata.namespace # namespace of the service +# targets: +# - select: +# kind: Certificate +# group: cert-manager.io +# version: v1 +# fieldPaths: +# - .spec.dnsNames.0 +# - .spec.dnsNames.1 +# options: +# delimiter: '.' +# index: 1 +# create: true diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index b4db887c..352b2e31 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml 
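Review bot: The trailing comment on the third replacement's source is wrong: `+# fieldPath: .metadata.name # namespace of the service` reads the Service's *name* (it fills index 0 of each `dnsNames` entry, the part before the first `.`); only the fourth replacement reads `.metadata.namespace`. Change it to `fieldPath: .metadata.name # name of the service` so whoever enables cert-manager does not swap the two. Because the whole `replacements:` block is commented out, none of it is exercised by `kustomize build` until then, so a one-line note that the `/`-delimited indexes assume the annotation value is written as `namespace/name` would also help.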
@@ -1,17 +1,3 @@
-# Copyright 2022 Undistro Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 # This patch inject a sidecar container which is a HTTP proxy for the
 # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
@@ -24,7 +10,12 @@ spec:
 spec:
 containers:
 - name: kube-rbac-proxy
- image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
 args:
 - "--secure-listen-address=0.0.0.0:8443"
 - "--upstream=http://127.0.0.1:8080/"
diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml
index 2633ea20..f6f58916 100644
--- a/config/default/manager_config_patch.yaml
+++ b/config/default/manager_config_patch.yaml
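Review bot: `image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1` is a mutable tag on the one container that enforces authn/z in front of the metrics endpoint; pin it by digest (`image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1@sha256:<digest from the registry>`) so a re-pushed tag cannot silently replace the authorizing proxy. The new `securityContext` drops all capabilities and blocks privilege escalation but sets no `seccompProfile`, so this container still does not satisfy the `restricted` Pod Security Standard; unless Kubernetes < 1.19 support is required, add `seccompProfile: {type: RuntimeDefault}` alongside `allowPrivilegeEscalation: false`. The container spec, and any `manager` container args this patch carries, continue below the end of the hunk.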
@@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: apps/v1 kind: Deployment metadata: @@ -22,13 +8,3 @@ spec: spec: containers: - name: manager - args: - - "--config=controller_manager_config.yaml" - volumeMounts: - - name: manager-config - mountPath: /controller_manager_config.yaml - subPath: controller_manager_config.yaml - volumes: - - name: manager-config - configMap: - name: manager-config diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml deleted file mode 100644 index 420fca87..00000000 --- a/config/manager/controller_manager_config.yaml +++ /dev/null 
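Review bot: After this hunk the patch is a no-op — it names the `manager` container and changes nothing — and `config/default/kustomization.yaml` no longer lists it, so the file survives only as an empty strategic-merge patch that someone may re-enable by mistake. Either delete it (the diffstat shows it is kept) or put one comment at the top, e.g. `# Intentionally empty: reserved for mounting a ComponentConfig file; not referenced by default`. The Deployment header this patch targets is above the hunk.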
@@ -1,25 +0,0 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: controller-runtime.sigs.k8s.io/v1alpha1 -kind: ControllerManagerConfig -health: - healthProbeBindAddress: :8081 -metrics: - bindAddress: 127.0.0.1:8080 -webhook: - port: 9443 -leaderElection: - leaderElect: true - resourceName: e0f4eef4.zora.undistro.io diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index e18b0e37..5c5f0b84 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml @@ -1,30 +1,2 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - resources: - manager.yaml - -generatorOptions: - disableNameSuffixHash: true - -configMapGenerator: -- files: - - controller_manager_config.yaml - name: manager-config -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -images: -- name: controller - newName: localhost:5000/operator - newTag: latest 
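Review bot: Removing the `manager-config` ConfigMap generator (and deleting `controller_manager_config.yaml` above) drops the only visible place that pinned `metrics.bindAddress: 127.0.0.1:8080`, so that setting must now come from the manager's command-line flags. If `--metrics-bind-address` is not set to `127.0.0.1:8080` in `manager.yaml` or the auth-proxy patch (neither is fully visible here), the metrics listener binds on all pod interfaces and the kube-rbac-proxy sidecar's `--upstream=http://127.0.0.1:8080/` can be bypassed by connecting to the pod on :8080 directly. Please confirm the manager container args carry `- "--metrics-bind-address=127.0.0.1:8080"`, `- "--health-probe-bind-address=:8081"` and `- "--leader-elect"` before merging. Dropping the committed `localhost:5000/operator:latest` image override from the default overlay is a good change.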
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml index 43ec3d1e..e3e3e128 100644 --- a/config/manager/manager.yaml +++ b/config/manager/manager.yaml @@ -1,22 +1,14 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: v1 kind: Namespace metadata: labels: control-plane: controller-manager + app.kubernetes.io/name: namespace + app.kubernetes.io/instance: system + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: zora + app.kubernetes.io/part-of: zora + app.kubernetes.io/managed-by: kustomize name: system --- apiVersion: apps/v1 @@ -26,6 +18,12 @@ metadata: namespace: system labels: control-plane: controller-manager + app.kubernetes.io/name: deployment + app.kubernetes.io/instance: controller-manager + app.kubernetes.io/component: manager + app.kubernetes.io/created-by: zora + app.kubernetes.io/part-of: zora + app.kubernetes.io/managed-by: kustomize spec: selector: matchLabels: 
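Review bot: The added `app.kubernetes.io/name: namespace` and `app.kubernetes.io/name: deployment` values are the scaffold placeholders (they repeat the resource kind), whereas that label is meant to carry the application name that selectors and dashboards key on. Setting `app.kubernetes.io/name: zora` on both resources, and keeping `app.kubernetes.io/component: manager` for the role, would make the labels useful rather than tautological. The Deployment's `matchLabels` block starts at the end of this hunk and continues below it, so check that no new label is accidentally added under the selector.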
@@ -38,8 +36,35 @@ spec:
 labels:
 control-plane: controller-manager
 spec:
+ # TODO(user): Uncomment the following code to configure the nodeAffinity expression
+ # according to the platforms which are supported by your solution.
+ # It is considered best practice to support multiple architectures. You can
+ # build your manager image using the makefile target docker-buildx.
+ # affinity:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: kubernetes.io/arch
+ # operator: In
+ # values:
+ # - amd64
+ # - arm64
+ # - ppc64le
+ # - s390x
+ # - key: kubernetes.io/os
+ # operator: In
+ # values:
+ # - linux
 securityContext:
 runAsNonRoot: true
+ # TODO(user): For common cases that do not require escalating privileges
+ # it is recommended to ensure that all your Pods/Containers are restrictive.
+ # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+ # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+ # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+ # seccompProfile:
+ # type: RuntimeDefault
 containers:
 - command:
 - /manager
@@ -49,6 +74,9 @@ spec:
 name: manager
 securityContext:
 allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
 livenessProbe:
 httpGet:
 path: /healthz
diff --git a/config/prometheus/kustomization.yaml b/config/prometheus/kustomization.yaml
index 45149ce8..ed137168 100644
--- a/config/prometheus/kustomization.yaml
+++ b/config/prometheus/kustomization.yaml
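Review bot: The pod-level `seccompProfile` is added only as a commented TODO while the containers now drop ALL capabilities and disallow privilege escalation, so the pod still fails admission in any namespace that enforces the `restricted` Pod Security Standard, which also requires `seccompProfile.type` of `RuntimeDefault` or `Localhost`. Unless Kubernetes < 1.19 is a supported target, uncomment `seccompProfile:` / `type: RuntimeDefault` under the pod `securityContext`; if it is, record the floor version in that comment instead of leaving the generic scaffold text. The manager container also sets no `readOnlyRootFilesystem: true` — worth adding if the binary does not write to its filesystem, which I cannot confirm from here. The Deployment continues past the end of the hunk.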
@@ -1,16 +1,2 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - resources: - monitor.yaml diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index c330212a..0c7d9b8e 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -1,17 +1,3 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - # Prometheus Monitor Service (Metrics) apiVersion: monitoring.coreos.com/v1 @@ -19,6 +5,12 @@ kind: ServiceMonitor metadata: labels: control-plane: controller-manager + app.kubernetes.io/name: servicemonitor + app.kubernetes.io/instance: controller-manager-metrics-monitor + app.kubernetes.io/component: metrics + app.kubernetes.io/created-by: zora + app.kubernetes.io/part-of: zora + app.kubernetes.io/managed-by: kustomize name: controller-manager-metrics-monitor namespace: system spec: 
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
new file mode 100644
index 00000000..7855e77d
--- /dev/null
+++ b/config/samples/kustomization.yaml
@@ -0,0 +1,7 @@
+## Append samples of your project ##
+resources:
+- zora_v1alpha1_cluster.yaml
+- zora_v1alpha1_plugin.yaml
+- zora_v1alpha1_clusterissue.yaml
+- zora_v1alpha1_clusterscan.yaml
+#+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/samples/zora_v1alpha1_cluster.yaml b/config/samples/zora_v1alpha1_cluster.yaml
index dd728e93..c7eb6b81 100644
--- a/config/samples/zora_v1alpha1_cluster.yaml
+++ b/config/samples/zora_v1alpha1_cluster.yaml
@@ -1,20 +1,12 @@
-# Copyright 2022 Undistro Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
 apiVersion: zora.undistro.io/v1alpha1
 kind: Cluster
 metadata:
+ labels:
+ app.kubernetes.io/name: cluster
+ app.kubernetes.io/instance: mycluster
+ app.kubernetes.io/part-of: zora
+ app.kubernetes.io/managed-by: kustomize
+ app.kubernetes.io/created-by: zora
 name: mycluster
 spec:
 kubeconfigRef:
diff --git a/config/samples/zora_v1alpha1_clusterissue.yaml b/config/samples/zora_v1alpha1_clusterissue.yaml
index d1a4956f..d5c3bcdd 100644
--- a/config/samples/zora_v1alpha1_clusterissue.yaml
+++ b/config/samples/zora_v1alpha1_clusterissue.yaml
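Review bot: `- zora_v1alpha1_plugin.yaml` does not name any file in this commit — the plugin samples touched in the diffstat are `zora_v1alpha1_plugin_marvin.yaml` and `zora_v1alpha1_plugin_popeye.yaml` — so `kustomize build config/samples` will fail on a missing resource. Replace that entry with `- zora_v1alpha1_plugin_marvin.yaml` and `- zora_v1alpha1_plugin_popeye.yaml`. The `ClusterIssue` sample sets `namespace: zora-system` while the other samples carry no namespace, so the built set will also be split across namespaces unless this kustomization gains a `namespace:` line.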
@@ -1,44 +1,24 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: zora.undistro.io/v1alpha1 kind: ClusterIssue metadata: - name: mycluster-pop-106 labels: + category: Security cluster: mycluster - id: POP-106 - severity: Medium - category: Container + id: M-102 + plugin: marvin + scanID: b8622b8b-8be0-444c-8aaa-d67d3ac7bfd3 + severity: High + name: mycluster-m-102-d67d3ac7bfd3 + namespace: zora-system spec: + category: Security cluster: mycluster - id: POP-106 - message: No resources requests/limits defined - severity: Medium - category: Container - totalResources: 10 + id: M-102 + message: Privileged container resources: apps/v1/daemonsets: - - kube-system/aws-node - apps/v1/deployments: - - kube-system/cluster-autoscaler-aws-cluster-autoscaler - - cert-manager/cert-manager - - cert-manager/cert-manager-cainjector - - cert-manager/cert-manager-webhook - - kube-system/metrics-server + - kube-system/kube-proxy v1/pods: - - kube-system/aws-node-xls4r - - kube-system/cluster-autoscaler-aws-cluster-autoscaler-6549789d78-bfjdp - - kube-system/metrics-server-694d47d564-zxpwb - - kube-system/aws-node-5qb87 + - kube-system/kube-proxy-ggxqd + severity: High + url: https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline diff --git a/config/samples/zora_v1alpha1_clusterscan.yaml b/config/samples/zora_v1alpha1_clusterscan.yaml index 00bc3b5e..a013728b 100644 --- a/config/samples/zora_v1alpha1_clusterscan.yaml 
+++ b/config/samples/zora_v1alpha1_clusterscan.yaml @@ -1,20 +1,12 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: zora.undistro.io/v1alpha1 kind: ClusterScan metadata: + labels: + app.kubernetes.io/name: clusterscan + app.kubernetes.io/instance: mycluster + app.kubernetes.io/part-of: zora + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: zora name: mycluster spec: clusterRef: diff --git a/config/samples/zora_v1alpha1_plugin_marvin.yaml b/config/samples/zora_v1alpha1_plugin_marvin.yaml index d572997c..93073bc2 100644 --- a/config/samples/zora_v1alpha1_plugin_marvin.yaml +++ b/config/samples/zora_v1alpha1_plugin_marvin.yaml 
@@ -1,20 +1,12 @@ -# Copyright 2023 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: zora.undistro.io/v1alpha1 kind: Plugin metadata: + labels: + app.kubernetes.io/name: plugin + app.kubernetes.io/instance: marvin + app.kubernetes.io/part-of: zora + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: zora name: marvin spec: image: ghcr.io/undistro/marvin:v0.1.4 diff --git a/config/samples/zora_v1alpha1_plugin_popeye.yaml b/config/samples/zora_v1alpha1_plugin_popeye.yaml index ab6ee643..ab498858 100644 --- a/config/samples/zora_v1alpha1_plugin_popeye.yaml +++ b/config/samples/zora_v1alpha1_plugin_popeye.yaml 
@@ -1,20 +1,12 @@ -# Copyright 2022 Undistro Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - apiVersion: zora.undistro.io/v1alpha1 kind: Plugin metadata: + labels: + app.kubernetes.io/name: plugin + app.kubernetes.io/instance: popeye + app.kubernetes.io/part-of: zora + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: zora name: popeye spec: image: ghcr.io/undistro/popeye:pr252
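Review bot: The sample still points the popeye plugin at `image: ghcr.io/undistro/popeye:pr252`, a PR-build tag rather than a release, which is the value users will copy from a sample; the marvin sample next to it pins `v0.1.4`. Pin this to a released tag, ideally with a digest (`image: ghcr.io/undistro/popeye:<release>@sha256:<digest>`), since the plugin image runs with cluster-scanning credentials. The tag is a context line here, not changed by this hunk, but this is the sample's only hunk.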