diff --git a/examples/Makefile b/examples/Makefile
index 2cef965e1d..9753db2c49 100755
--- a/examples/Makefile
+++ b/examples/Makefile
@@ -14,73 +14,73 @@ ifneq ($(UNAME_S),Linux)
 endif
 endif
-# Download zarf, build all packages and launch a basic VM with the assets
+.DEFAULT_GOAL := help
+
+
+.PHONY: help
+help: ## Show a list of all targets
+ @grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) \
+ | sed -n 's/^\(.*\): \(.*\)##\(.*\)/\1:\3/p' \
+ | column -t -s ":"
+
 .PHONY: all
-all: clean fetch-release package-examples vm-init
+all: clean fetch-release package-examples vm-init ## Download zarf, build all packages and launch a basic VM with the assets
-# Same as target 'all', but build the binaries using the current codebase rather than downloading the latest version from the internet
 .PHONY: all-dev
-all-dev: clean build-release package-examples vm-init
+all-dev: clean build-release package-examples vm-init ## Same as target 'all', but build the binaries using the current codebase rather than downloading the latest version from the internet
-# Clean the sync dir
 .PHONY: clean
-clean:
+clean: ## Clean the sync dir
 @rm -fr sync && mkdir -p sync
-# Grab the latest release as an alternative to needing to build the binaries
 .PHONY: fetch-release
-fetch-release:
+fetch-release: ## Grab the latest release as an alternative to needing to build the binaries
 @# This probably isn't the cleanest way to get a release, but since we're moving to github, not worth adding the code until post-migration
 @curl -fL "https://zarf-public.s3-us-gov-west-1.amazonaws.com/release/$$(git describe --tags --abbrev=0)/{zarf,zarf-mac-intel,zarf-mac-apple,zarf-init.tar.zst}" -o "sync/#1"
 @chmod +x sync/*
-# Build the binaries as an alternative to downloading the latest release
 .PHONY: build-release
-build-release:
+build-release: ## Build the binaries as an alternative to downloading the latest release
 @cd .. && $(MAKE) build-test
 @cp -R ../build/* sync
-# Stripped-down vagrant box to reduce friction for basic user testing
-# Note the need to perform disk resizing for some examples
 .PHONY: vm-init
-vm-init: vm-destroy
+vm-init: vm-destroy ## Stripped-down vagrant box to reduce friction for basic user testing. Note the need to perform disk resizing for some examples
 @VAGRANT_EXPERIMENTAL="disks" vagrant up --no-color
 @echo -e "\n\n\n\033[1;93m ✅ VM READY. Logging in now, run \"sudo su\" once the prompt appears.\n\n\n\033[0m"
 @vagrant ssh
-# Cleanup plz
 .PHONY: vm-destroy
-vm-destroy:
+vm-destroy: ## Cleanup plz
 @vagrant destroy -f
-# Create zarf packages from all examples
 .PHONY: package-examples
-package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator
+package-examples: package-example-big-bang package-example-appliance package-example-data-injection package-example-game package-example-single-big-bang-package package-example-tiny-kafka package-example-postgres-operator ## Create zarf packages from all examples
 .PHONY: package-example-big-bang
-package-example-big-bang:
+package-example-big-bang: ## Create the Big Bang Core example
 cd big-bang && kustomize build template/bigbang > manifests/bigbang_generated.yaml && kustomize build template/flux > manifests/flux_generated.yaml && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 .PHONY: package-example-appliance
-package-example-appliance:
+package-example-appliance: ## Create the Podinfo example
 cd appliance && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 .PHONY: package-example-data-injection
-package-example-data-injection:
+package-example-data-injection: ## Create the Data Injection example
 cd data-injection && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 .PHONY: package-example-game
-package-example-game:
+package-example-game: ## Create the Doom example
 cd game && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 .PHONY: package-example-single-big-bang-package
-package-example-single-big-bang-package:
+package-example-single-big-bang-package: ## Create the Single Big Bang Package example
 cd single-big-bang-package && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 .PHONY: package-example-tiny-kafka
-package-example-tiny-kafka:
+package-example-tiny-kafka: ## Create the Tiny Kafka example
 cd tiny-kafka && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
 .PHONY: package-example-postgres-operator
-package-example-postgres-operator:
+package-example-postgres-operator: ## Create the Postgres Operator example
 cd postgres-operator && $(ZARF_BIN) package create --confirm && mv zarf-package-* ../sync/
diff --git a/examples/big-bang/README.md b/examples/big-bang/README.md
index 51ed8e9427..ef84dae296 100644
--- a/examples/big-bang/README.md
+++ b/examples/big-bang/README.md
@@ -27,7 +27,7 @@ Because the same cluster will be running both Traefik and Istio, Istio's Virtual
 This example adds the `kubescape` binary, which can scan clusters for compliance with the NSA/CISA Kubernetes Hardening Guide
 ```shell
-kubescape scan framework nsa --use-from /usr/local/bin/kubescape-framework-nsa.json
+kubescape scan framework nsa --use-from=/usr/local/bin/kubescape-framework-nsa.json --exceptions=/usr/local/bin/kubescape-exceptions.json --results-locally=true
 ```
 ## Services
diff --git a/examples/big-bang/files/kubescape-exceptions.json b/examples/big-bang/files/kubescape-exceptions.json
new file mode 100644
index 0000000000..618d767156
--- /dev/null
+++ b/examples/big-bang/files/kubescape-exceptions.json
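Review bot: `fetch-release` still pulls four release artifacts with `curl -fL` and marks them executable without any integrity check, while the zarf.yaml touched by this same commit pins every downloaded file with a `shasum`; the Makefile should hold the same line. If the release bucket publishes a digest file next to the binaries, fetch it in the same brace expansion and run `cd sync && sha256sum -c <digest file>` (`shasum -a 256 -c` on macOS, which this Makefile's `UNAME_S` check suggests is supported) before the `chmod`; otherwise pin the expected digests in the Makefile the way zarf.yaml does. `@chmod +x sync/*` also makes `zarf-init.tar.zst` executable; `@chmod +x sync/zarf sync/zarf-mac-intel sync/zarf-mac-apple` keeps the tarball data-only. The new `.DEFAULT_GOAL := help` is a welcome safety change, since a bare `make` previously appears to have run `all`, which wipes `sync/` and provisions a VM.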
@@ -0,0 +1,93 @@
+[
+ {
+ "name": "ignore-allowed-hostpath",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "DaemonSet",
+ "name": "logging-fluent-bit"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "frameworkName": "NSA",
+ "ruleName": "alert-rw-hostpath"
+ }
+ ]
+ },
+ {
+ "name": "ignore-applications-credentials-in-configuration-files",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ConfigMap",
+ "name": "istio-ca-root-cert"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ConfigMap",
+ "name": "kube-root-ca.crt"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "istiod"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "public-ingressgateway"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "StatefulSet",
+ "name": "logging-ek-es-data"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "StatefulSet",
+ "name": "logging-ek-es-master"
+ }
+ },
+ // This one doesn't work yet
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "ConfigMap",
+ "name": "common-.*"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "frameworkName": "NSA",
+ "ruleName": "rule-credentials-configmap"
+ },
+ {
+ "frameworkName": "NSA",
+ "ruleName": "rule-credentials-in-env-var"
+ }
+ ]
+ }
+]
diff --git a/examples/big-bang/zarf.yaml b/examples/big-bang/zarf.yaml
index 485b784e8e..a8dfa057d8 100644
--- a/examples/big-bang/zarf.yaml
+++ b/examples/big-bang/zarf.yaml
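Review bot: The `// This one doesn't work yet` line before the `common-.*` entry is not valid JSON, so unless kubescape's loader tolerates comments the whole exceptions file will fail to parse and the `--exceptions=` scan the README now documents will either error out or run with no exceptions applied; drop that line and the non-working entry (track it in an issue instead) so the file is strict JSON. The `common-.*` designator also appears intended as a name pattern: once it does match, it silences both credential rules for every ConfigMap whose name starts with `common-`, which is far broader than the other per-resource entries and should be a deliberate decision rather than a placeholder. Because JSON cannot carry comments, the justification for each suppression — in particular why `istiod`, `public-ingressgateway` and the `logging-ek-es-*` StatefulSets are exempt from `rule-credentials-in-env-var` — belongs in the README next to the scan command, so a later reader can tell accepted risk from a silenced finding.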
@@ -17,12 +17,12 @@ components:
 - name: kubescape
 default: true
 files:
- - source: https://github.com/armosec/kubescape/releases/download/v1.0.88/kubescape-ubuntu-latest
- shasum: 615c8ea98e0b87bf54dd027b413248565d60d0ff21b6b158acc600739140851b
+ - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/kubescape
+ shasum: 2754848328ce4ca288c8d03bb66a04ada08e326f6621195d28af903ae9d15884
 target: "/usr/local/bin/kubescape"
 executable: true
- - source: https://github.com/armosec/regolibrary/releases/download/v1.0.21/nsa
- shasum: 306292a51a377e33eff448f654bdf5aa9881fecf74f671746106796f569dee44
+ - source: https://zarf-public.s3-us-gov-west-1.amazonaws.com/kubescape-nsa
+ shasum: 25b6dda6ce2ad36bf6a4ea8d1e0ef0c6bda73f9111f4c0d71f260c36a16c6498
 target: "/usr/local/bin/kubescape-framework-nsa.json"
 utilityCluster:
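Review bot: The new `source` URLs drop the version the old GitHub paths carried (`v1.0.88` for kubescape, `v1.0.21` for the regolibrary `nsa` framework), and both `shasum` values changed, so the mirrored objects are not the same bytes as the previously pinned releases and nothing in the file records what they now correspond to. The `shasum` still makes a silent substitution in the bucket fail closed, which is good, but an unversioned object name means the next refresh cannot be traced to an upstream release and the digest cannot be independently re-derived. Record the provenance in a comment above each entry, e.g. `# mirror of <upstream release asset URL>; sha256 matches that asset` with the actual release filled in, or, if the bucket layout allows, name the objects by version (`kubescape-v<version>`) so the path itself carries it.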