Docs and refactors for better kubescape scanning of BB example (#80)
RothAndrew authored Oct 3, 2021
1 parent e2ee947 commit 6cb3958
Showing 4 changed files with 122 additions and 29 deletions.
48 changes: 24 additions & 24 deletions examples/Makefile
Expand Up @@ -14,73 +14,73 @@ ifneq ($(UNAME_S),Linux)
endif
endif

# Download zarf, build all packages and launch a basic VM with the assets
.DEFAULT_GOAL := help


.PHONY: help
help: ## Show a list of all targets
@grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) \
| sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \
| column -t -s ":"

.PHONY: all
all: clean fetch-release package-examples vm-init
all: clean fetch-release package-examples vm-init ## Download zarf, build all packages and launch a basic VM with the assets

# Same as target 'all', but build the binaries using the current codebase rather than downloading the latest version from the internet
.PHONY: all-dev
all-dev: clean build-release package-examples vm-init
all-dev: clean build-release package-examples vm-init ## Same as target 'all', but build the binaries using the current codebase rather than downloading the latest version from the internet

# Clean the sync dir
.PHONY: clean
clean:
clean: ## Clean the sync dir
@rm -fr sync && mkdir -p sync

# Grab the latest release as an alternative to needing to build the binaries
.PHONY: fetch-release
fetch-release:
fetch-release: ## Grab the latest release as an alternative to needing to build the binaries
@# This probably isn't the cleanest way to get a release, but since we're moving to github, not worth adding the code until post-migration
@curl -fL "https://zarf-public.s3-us-gov-west-1.amazonaws.com/release/$$(git describe --tags --abbrev=0)/{zarf,zarf-mac-intel,zarf-mac-apple,zarf-init.tar.zst}" -o "sync/#1"
@chmod +x sync/*

# Build the binaries as an alternative to downloading the latest release
.PHONY: build-release
build-release:
build-release: ## Build the binaries as an alternative to downloading the latest release
@cd .. && $(MAKE) build-test
@cp -R ../build/* sync

# Stripped-down vagrant box to reduce friction for basic user testing
# Note the need to perform disk resizing for some examples
.PHONY: vm-init
vm-init: vm-destroy
vm-init: vm-destroy ## Stripped-down vagrant box to reduce friction for basic user testing. Note the need to perform disk resizing for some examples
@VAGRANT_EXPERIMENTAL="disks" vagrant up --no-color
@echo -e "\n\n\n\033[1;93m ✅ VM READY. Logging in now, run \"sudo su\" once the prompt appears.\n\n\n\033[0m"
@vagrant ssh

# Cleanup plz
.PHONY: vm-destroy
vm-destroy:
vm-destroy: ## Cleanup plz
@vagrant destroy -f

# Create zarf packages from all examples
.PHONY: package-examples
package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator
package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples

.PHONY: package-example-big-bang
package-example-big-bang:
package-example-big-bang: ## Create the Big Bang Core example
cd big-bang && kustomize build template/bigbang > manifests/bigbang_generated.yaml && kustomize build template/flux > manifests/flux_generated.yaml && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-appliance
package-example-appliance:
package-example-appliance: ## Create the Podinfo example
cd appliance && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-data-injection
package-example-data-injection:
package-example-data-injection: ## Create the Data Injection example
cd data-injection && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-game
package-example-game:
package-example-game: ## Create the Doom example
cd game && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-single-big-bang-package
package-example-single-big-bang-package:
package-example-single-big-bang-package: ## Create the Single Big Bang Package example
cd single-big-bang-package && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-tiny-kafka
package-example-tiny-kafka:
package-example-tiny-kafka: ## Create the Tiny Kafka example
cd tiny-kafka && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/

.PHONY: package-example-postgres-operator
package-example-postgres-operator:
package-example-postgres-operator: ## Create the Postgres Operator example
cd postgres-operator && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
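Review bot: The new `help` recipe's grep pattern `'^[a-zA-Z0-9_-]+:.*?## .*$$'` uses `*?`, which POSIX ERE does not define (it has no lazy quantifiers) and which BSD grep as shipped on macOS may reject as an invalid repetition operand; since the `ifneq ($(UNAME_S),Linux)` guard at the top of the section shows non-Linux hosts are expected, dropping the `?` is safer and produces the same output because the following `## ` already anchors the match: `@grep -E '^[a-zA-Z0-9_-]+:.*## .*$$' $(MAKEFILE_LIST) \`. The `sed | column -t -s ":"` stage also splits on every `:`, so a `##` description containing a colon would be cut in the help listing; none of the new descriptions do, but a comment above the recipe such as `# help descriptions (text after ##) must not contain ':'` would keep it that way. The conditional closed by the section's leading `endif` lines starts outside the hunk.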
2 changes: 1 addition & 1 deletion examples/big-bang/README.md
Expand Up @@ -27,7 +27,7 @@ Because the same cluster will be running both Traefik and Istio, Istio's Virtual
This example adds the `kubescape` binary, which can scan clusters for compliance with the NSA/CISA Kubernetes Hardening Guide

```shell
kubescape scan framework nsa --use-from /usr/local/bin/kubescape-framework-nsa.json
kubescape scan framework nsa --use-from=/usr/local/bin/kubescape-framework-nsa.json --exceptions=/usr/local/bin/kubescape-exceptions.json --results-locally=true
```

## Services
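--- a/examples/big-bang/files/kubescape-exceptions.json
+++ b/examples/big-bang/files/kubescape-exceptions.json
@@ -0,0 +1,93 @@
+[
+{
+"name": "ignore-allowed-hostpath",
+"policyType": "postureExceptionPolicy",
+"actions": [
+"alertOnly"
+],
+"resources": [
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "DaemonSet",
+"name": "logging-fluent-bit"
+}
+}
+],
+"posturePolicies": [
+{
+"frameworkName": "NSA",
+"ruleName": "alert-rw-hostpath"
+}
+]
+},
+{
+"name": "ignore-applications-credentials-in-configuration-files",
+"policyType": "postureExceptionPolicy",
+"actions": [
+"alertOnly"
+],
+"resources": [
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "ConfigMap",
+"name": "istio-ca-root-cert"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "ConfigMap",
+"name": "kube-root-ca.crt"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "Deployment",
+"name": "istiod"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "Deployment",
+"name": "public-ingressgateway"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "StatefulSet",
+"name": "logging-ek-es-data"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "StatefulSet",
+"name": "logging-ek-es-master"
+}
+},
+// This one doesn't work yet
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "ConfigMap",
+"name": "common-.*"
+}
+}
+],
+"posturePolicies": [
+{
+"frameworkName": "NSA",
+"ruleName": "rule-credentials-configmap"
+},
+{
+"frameworkName": "NSA",
+"ruleName": "rule-credentials-in-env-var"
+}
+]
+}
+]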
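Review bot: The `// This one doesn't work yet` line in front of the `common-.*` resource entry is not valid JSON, so unless kubescape's loader tolerates comments, parsing `kubescape-exceptions.json` will fail and every exception in the file is dropped, not just that entry, which may itself be why the entry appears not to work. Move the note out of the file (the README already documents the `--exceptions=` flag and is the natural place) or, if the regex in `name` is the unsupported part, remove the entry until it is. It would also help a reviewer if the README recorded why each exception is justified, because `alertOnly` on `rule-credentials-configmap` for the named ConfigMaps and Deployments means those findings no longer fail the scan and the rationale (presumably that `kube-root-ca.crt` and `istio-ca-root-cert` hold public CA certificates rather than secrets) is not visible anywhere in the commit.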
8 changes: 4 additions & 4 deletions examples/big-bang/zarf.yaml
Expand Up @@ -17,12 +17,12 @@ components:
- name: kubescape
default: true
files:
- source: https://github.com/armosec/kubescape/releases/download/v1.0.88/kubescape-ubuntu-latest
shasum: 615c8ea98e0b87bf54dd027b413248565d60d0ff21b6b158acc600739140851b
- source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/kubescape
shasum: 2754848328ce4ca288c8d03bb66a04ada08e326f6621195d28af903ae9d15884
target: "/usr/local/bin/kubescape"
executable: true
- source: https://github.com/armosec/regolibrary/releases/download/v1.0.21/nsa
shasum: 306292a51a377e33eff448f654bdf5aa9881fecf74f671746106796f569dee44
- source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/kubescape-nsa
shasum: 25b6dda6ce2ad36bf6a4ea8d1e0ef0c6bda73f9111f4c0d71f260c36a16c6498
target: "/usr/local/bin/kubescape-framework-nsa.json"

utilityCluster:
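Review bot: The `source:` lines that appear to be the new side (`https://zarf-public.s3-us-gov-west-1.amazonaws.com/kubescape` and `.../kubescape-nsa`) carry no version in the object key, so the `shasum` is now the only thing that identifies which kubescape and regolibrary build gets installed at `/usr/local/bin/kubescape` and `/usr/local/bin/kubescape-framework-nsa.json`; the pinned hash still stops a silently replaced object from installing, but nobody can tell from the manifest which upstream release the mirrored object corresponds to or re-verify the hash against upstream. Keep the version in the key (e.g. `kubescape/<UPSTREAM_VERSION>/kubescape`) or add a comment above each `source:` such as `# mirror of <UPSTREAM_PROJECT> release <UPSTREAM_VERSION>; sha256 verified against the upstream asset`. Which pair of lines is old and which is new is inferred only from the bucket matching the one used by the Makefile's `fetch-release` target; the `kubescape` component itself starts outside the hunk.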
