chore: format

controlplaneio · Dec 21, 2023 · 127c16a · 127c16a
1 parent edfa422
commit 127c16a
Show file tree

Hide file tree

Showing 128 changed files with 89,165 additions and 66,553 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,6 @@
 
 A distributed systems and infrastructure simulator for attacking and debugging Kubernetes
 
-
 1. Build the container image and cli
 2. Build the AMIs
 3. Configure the cli

diff --git a/ansible/roles/build-a-backdoor/files/manifests/01-kyverno-install.yaml b/ansible/roles/build-a-backdoor/files/manifests/01-kyverno-install.yaml
diff --git a/ansible/roles/build-a-backdoor/files/manifests/02-netpol-policies.yaml b/ansible/roles/build-a-backdoor/files/manifests/02-netpol-policies.yaml
@@ -16,27 +16,27 @@ spec:
   validationFailureAction: enforce
   background: true
   rules:
-  - name: empty-podselector
-    match:
-      any:
-      - resources:
-          kinds:
-          - NetworkPolicy
-    exclude:
-      any:
-      - resources:
-          kinds:
-          - NetworkPolicy
-          names:
-          - default-deny
-    validate:
-      message: "SECOPS ALERT: NetworkPolicies must not use an empty podSelector."
-      deny:
-        conditions:
-          any:
-          - key: "{{request.object.spec.podSelector.keys(@) | length(@)}}"
-            operator: Equals
-            value: 0
+    - name: empty-podselector
+      match:
+        any:
+          - resources:
+              kinds:
+                - NetworkPolicy
+      exclude:
+        any:
+          - resources:
+              kinds:
+                - NetworkPolicy
+              names:
+                - default-deny
+      validate:
+        message: "SECOPS ALERT: NetworkPolicies must not use an empty podSelector."
+        deny:
+          conditions:
+            any:
+              - key: "{{request.object.spec.podSelector.keys(@) | length(@)}}"
+                operator: Equals
+                value: 0
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -54,24 +54,24 @@ spec:
   validationFailureAction: enforce
   background: true
   rules:
-  - name: restrict-allow-all-ingress
-    match:
-      any:
-      - resources:
-          kinds:
-          - NetworkPolicy
-    exclude:
-      any:
-      - resources:
-          kinds:
-          - NetworkPolicy
-          names:
-          - default-deny
-    validate:
-      message: "SECOPS ALERT: NetworkPolicies must not use an allow all ingress."
-      deny:
-        conditions:
-          any:
-          - key: "{{request.object.spec.ingress[].ports[].keys(@) | length(@) }}"
-            operator: Equals
-            value: 0
+    - name: restrict-allow-all-ingress
+      match:
+        any:
+          - resources:
+              kinds:
+                - NetworkPolicy
+      exclude:
+        any:
+          - resources:
+              kinds:
+                - NetworkPolicy
+              names:
+                - default-deny
+      validate:
+        message: "SECOPS ALERT: NetworkPolicies must not use an allow all ingress."
+        deny:
+          conditions:
+            any:
+              - key: "{{request.object.spec.ingress[].ports[].keys(@) | length(@) }}"
+                operator: Equals
+                value: 0
diff --git a/ansible/roles/build-a-backdoor/files/manifests/03-nodeport-policy.yaml b/ansible/roles/build-a-backdoor/files/manifests/03-nodeport-policy.yaml
@@ -18,16 +18,16 @@ spec:
   validationFailureAction: enforce
   background: true
   rules:
-  - name: validate-nodeport
-    match:
-      any:
-      - resources:
-          kinds:
-          - Service
-          namespaces:
-          - ii-prod
-    validate:
-      message: "SECOPS ALERT: Services of type NodePort are restricted."
-      pattern:
-        spec:
-          =(type): "!NodePort"
+    - name: validate-nodeport
+      match:
+        any:
+          - resources:
+              kinds:
+                - Service
+              namespaces:
+                - ii-prod
+      validate:
+        message: "SECOPS ALERT: Services of type NodePort are restricted."
+        pattern:
+          spec:
+            =(type): "!NodePort"
diff --git a/ansible/roles/build-a-backdoor/files/manifests/04-ingress-policies.yaml b/ansible/roles/build-a-backdoor/files/manifests/04-ingress-policies.yaml
@@ -21,20 +21,20 @@ spec:
     - name: check-config-map
       match:
         any:
-        - resources:
-            kinds:
-            - ConfigMap
+          - resources:
+              kinds:
+                - ConfigMap
       validate:
         message: "ingress-nginx allow-snippet-annotations must be set to false"
         pattern:
           =(data):
-            =(allow-snippet-annotations) : "false"
+            =(allow-snippet-annotations): "false"
     - name: check-ingress-annotations
       match:
         any:
-        - resources:
-            kinds:
-            - networking.k8s.io/v1/Ingress
+          - resources:
+              kinds:
+                - networking.k8s.io/v1/Ingress
       validate:
         message: "SECOPS ALERT: Blocking attempted Nginx exploit"
         pattern:
@@ -66,29 +66,29 @@ spec:
     - name: check-ingress
       match:
         any:
-        - resources:
-            kinds:
-            - networking.k8s.io/v1/Ingress
+          - resources:
+              kinds:
+                - networking.k8s.io/v1/Ingress
       validate:
         message: "SECOPS ALERT: Blocking attempted Nginx exploit"
         deny:
           conditions:
             any:
-            - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*alias\\s*.*;', @)}}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*root\\s*.*;', @)}}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/etc/(passwd|shadow|group|nginx|ingress-controller)', @)}}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/var/run/secrets', @)}}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{request.object.metadata.annotations.values(@)[].regex_match('.*_by_lua.*', @)}}"
-              operator: AnyIn
-              value: [true]
+              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*alias\\s*.*;', @)}}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('\\s*root\\s*.*;', @)}}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/etc/(passwd|shadow|group|nginx|ingress-controller)', @)}}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('/var/run/secrets', @)}}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{request.object.metadata.annotations.values(@)[].regex_match('.*_by_lua.*', @)}}"
+                operator: AnyIn
+                value: [ true ]
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -112,29 +112,29 @@ spec:
     - name: check-paths
       match:
         any:
-        - resources:
-            kinds:
-            - networking.k8s.io/v1/Ingress
+          - resources:
+              kinds:
+                - networking.k8s.io/v1/Ingress
       validate:
         message: "SECOPS ALERT: Blocking attempted Nginx exploit"
         deny:
           conditions:
             any:
-            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc') }}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/secrets') }}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/root') }}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/kubernetes/serviceaccount') }}"
-              operator: AnyIn
-              value: [true]
-            - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc/kubernetes/admin.conf') }}"
-              operator: AnyIn
-              value: [true]
+              - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc') }}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/secrets') }}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/root') }}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/var/run/kubernetes/serviceaccount') }}"
+                operator: AnyIn
+                value: [ true ]
+              - key: "{{ request.object.spec.rules[].http.paths[].path.contains(@,'/etc/kubernetes/admin.conf') }}"
+                operator: AnyIn
+                value: [ true ]
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -157,18 +157,18 @@ spec:
   validationFailureAction: enforce
   background: true
   rules:
-  - name: validate-ingress
-    match:
-      any:
-      - resources:
-          kinds:
-          - Ingress
-    validate:
-      message: "SECOPS ALERT: Unknown Ingress Class defined"
-      pattern:
-        metadata:
-          annotations:
-            kubernetes.io/ingress.class: "nginx"
+    - name: validate-ingress
+      match:
+        any:
+          - resources:
+              kinds:
+                - Ingress
+      validate:
+        message: "SECOPS ALERT: Unknown Ingress Class defined"
+        pattern:
+          metadata:
+            annotations:
+              kubernetes.io/ingress.class: "nginx"
 ---
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
@@ -186,20 +186,20 @@ spec:
   validationFailureAction: enforce
   background: true
   rules:
-  - name: restrict-web-port-removal
-    match:
-      any:
-      - resources:
-          kinds:
-          - Ingress
-    validate:
-      message: "SECOPS ALERT: Removal of the Web Port is restricted"
-      pattern:
-        spec:
-          rules:
-          - http:
-              ^(paths):
-              - backend:
-                  service:
-                    port:
-                      number: 80
+    - name: restrict-web-port-removal
+      match:
+        any:
+          - resources:
+              kinds:
+                - Ingress
+      validate:
+        message: "SECOPS ALERT: Removal of the Web Port is restricted"
+        pattern:
+          spec:
+            rules:
+              - http:
+                  ^(paths):
+                    - backend:
+                        service:
+                          port:
+                            number: 80