From 2816cd60f20ca93eea2159cf7c8c72cc83d3129b Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 12:21:46 +0930 Subject: [PATCH 01/49] testing --- .github/workflows/ci.yaml | 15 +++ .vscode/extensions.json | 5 + .vscode/settings.json | 35 ++++++ .yamllint | 69 ++++++++++++ manifests/centurion/base/Deployment-api.yaml | 102 ++++++++++++++++++ .../centurion/base/Deployment-worker.yaml | 97 +++++++++++++++++ manifests/centurion/base/PVC-centurion.yaml | 12 +++ manifests/centurion/base/Service-api.yaml | 19 ++++ manifests/centurion/base/kustomization.yaml | 13 +++ 9 files changed, 367 insertions(+) create mode 100644 .github/workflows/ci.yaml create mode 100644 .vscode/extensions.json create mode 100644 .vscode/settings.json create mode 100644 .yamllint create mode 100644 manifests/centurion/base/Deployment-api.yaml create mode 100644 manifests/centurion/base/Deployment-worker.yaml create mode 100644 manifests/centurion/base/PVC-centurion.yaml create mode 100644 manifests/centurion/base/Service-api.yaml create mode 100644 manifests/centurion/base/kustomization.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml new file mode 100644 index 0000000..2022f0e --- /dev/null +++ b/.github/workflows/ci.yaml @@ -0,0 +1,15 @@ +--- +on: push # yamllint disable-line rule:truthy + +jobs: + + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Install yamllint + run: pip install yamllint + + - name: Lint YAML files + run: yamllint . diff --git a/.vscode/extensions.json b/.vscode/extensions.json new file mode 100644 index 0000000..3700c79 --- /dev/null +++ b/.vscode/extensions.json @@ -0,0 +1,5 @@ +{ + "recommendations": [ + "fnando.linter" + ] +} \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 0000000..88762a7 --- /dev/null +++ b/.vscode/settings.json 
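Review bot: The new workflow declares no `permissions:` block and pins `actions/checkout@v3` by a mutable tag, so the lint job runs with the repository's default GITHUB_TOKEN scope while pulling an action whose tag can be re-pointed upstream. Add a top-level `permissions: contents: read` and pin the action to a full commit SHA with the tag in a trailing comment. `pip install yamllint` is likewise unpinned, so a yamllint release can change lint results between two runs of the same commit; `pip install yamllint==<pinned-version>` (placeholder) keeps the check reproducible.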
@@ -0,0 +1,35 @@ +{ + "linter.linters": { + "yamllint": { + "capabilities": [ + "ignore-line" + ], + "command": [ + "yamllint", + "--format", + "parsable", + [ + "$config", + "--config-file", + "$config" + ], + "-" + ], + "configFiles": [ + ".yamllint.yml", + ".yamllint.yaml", + ".yamllint" + ], + "enabled": true, + "languages": [ + "yaml" + ], + "name": "yamllint", + "url": "https://github.com/adrienverge/yamllint" + } + }, + "editor.tabSize": 4, + "files.eol": "\n", + "editor.detectIndentation": false, + "editor.indentSize": "tabSize" +} \ No newline at end of file diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..f62bc44 --- /dev/null +++ b/.yamllint @@ -0,0 +1,69 @@ +--- + +extends: default + +rules: + braces: + level: error + max-spaces-inside: 1 + min-spaces-inside: 1 + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 + + brackets: + level: error + max-spaces-inside: 1 + min-spaces-inside: 1 + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 + + colons: + level: warning + max-spaces-after: 1 + + commas: + level: warning + + comments: + level: error + require-starting-space: true + ignore-shebangs: true + min-spaces-from-content: 4 + + comments-indentation: + level: error + + document-end: + level: error + present: false + + document-start: + level: error + present: true + + empty-lines: + level: warning + max: 2 + max-start: 0 + max-end: 0 + + hyphens: + level: warning + max-spaces-after: 1 + + indentation: + level: error + spaces: 4 + indent-sequences: true + check-multi-line-strings: true + + line-length: + level: warning + max: 100 + allow-non-breakable-inline-mappings: true + + new-lines: + level: error + type: unix + + truthy: disable diff --git a/manifests/centurion/base/Deployment-api.yaml b/manifests/centurion/base/Deployment-api.yaml new file mode 100644 index 0000000..1d4e660 --- /dev/null +++ b/manifests/centurion/base/Deployment-api.yaml 
@@ -0,0 +1,102 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion + name: api +spec: + selector: + matchLabels: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion + spec: + terminationGracePeriodSeconds: 10 + affinity: { } + + + + containers: + - name: web + image: nofusscomputing/centurion-erp:dev + env: + - name: PROMETHEUS_MULTIPROC_DIR + value: "/tmp/prometheus" + resources: + limits: + cpu: 1500m + # memory: 800Mi # OOMKilled + memory: 1Gi + requests: + cpu: 10m + memory: 20Mi + + ports: + - containerPort: 8000 + name: http + - containerPort: 8080 + name: metrics + + volumeMounts: + - name: data + mountPath: /data + subPath: data + + - name: celery-broker + mountPath: /etc/itsm/celery-broker.py + subPath: celery-broker.py + readOnly: true + + - name: configuration + mountPath: /etc/itsm/settings.py + subPath: settings.py + readOnly: true + + - name: database + mountPath: /etc/itsm/database.py + subPath: database.py + readOnly: true + + - mountPath: /tmp + name: tmp + subPath: tmp + + tolerations: [] + volumes: + - name: celery-broker + secret: + secretName: celery-broker + items: + - key: celery-broker.py + path: celery-broker.py + + - name: configuration + configMap: + name: configuration + items: + - key: settings.py + path: settings.py + + - name: data + persistentVolumeClaim: + claimName: centurion + + - name: database + secret: + secretName: database + items: + - key: database.py + path: database.py + + - name: tmp + emptyDir: + medium: Memory + # sizeLimit: 64Mi diff --git a/manifests/centurion/base/Deployment-worker.yaml b/manifests/centurion/base/Deployment-worker.yaml new file mode 100644 index 0000000..d36c2ef --- /dev/null +++ b/manifests/centurion/base/Deployment-worker.yaml 
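Review bot: Neither the pod nor the `web` container sets a `securityContext`, so the workload runs as whatever user the image defaults to, with privilege escalation allowed and the default capability set; the same applies to Deployment-worker.yaml in the next hunk. The image is referenced by the mutable `:dev` tag with no `imagePullPolicy`, and for a non-`latest` tag the default is `IfNotPresent`, so a node that already has a `:dev` image cached keeps running it after the tag moves — set `imagePullPolicy: Always` or reference a digest. There are also no readiness or liveness probes, so `minReadySeconds: 10` is the only thing gating a rollout. Something like the excerpt below would tighten this; `readOnlyRootFilesystem` should hold because /tmp and /data are already separate mounts, but confirm the image writes nowhere else, and `runAsNonRoot` requires the image to declare a non-root user.
```yaml
    spec:
      terminationGracePeriodSeconds: 10
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          image: nofusscomputing/centurion-erp:dev
          imagePullPolicy: Always
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: env, resources, ports, volumeMounts …
```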
@@ -0,0 +1,97 @@ +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: Worker + app.kubernetes.io/name: centurion + name: worker +spec: + selector: + matchLabels: + app.kubernetes.io/component: Worker + app.kubernetes.io/name: centurion + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: + app.kubernetes.io/component: Worker + app.kubernetes.io/name: centurion + spec: + terminationGracePeriodSeconds: 10 + affinity: {} + containers: + - name: worker + image: nofusscomputing/centurion-erp:dev + command: + - celery + - -A + - app + - worker + - -l + - INFO + resources: + limits: + cpu: 800m + memory: 200Mi + requests: + cpu: 10m + memory: 20Mi + + ports: + - containerPort: 8080 + name: metrics + + volumeMounts: + + - name: celery-broker + mountPath: /etc/itsm/celery-broker.py + subPath: celery-broker.py + readOnly: true + + - name: configuration + mountPath: /etc/itsm/settings.py + subPath: settings.py + readOnly: true + + - name: database + mountPath: /etc/itsm/database.py + subPath: database.py + readOnly: true + + - mountPath: /tmp + name: tmp + subPath: tmp + + tolerations: [] + volumes: + + - name: celery-broker + secret: + secretName: celery-broker + items: + - key: celery-broker.py + path: celery-broker.py + + - name: configuration + configMap: + name: configuration + items: + - key: settings.py + path: settings.py + + - name: database + secret: + secretName: database + items: + - key: database.py + path: database.py + + - name: tmp + emptyDir: + medium: Memory + # sizeLimit: 64Mi + + diff --git a/manifests/centurion/base/PVC-centurion.yaml b/manifests/centurion/base/PVC-centurion.yaml new file mode 100644 index 0000000..3d1fac2 --- /dev/null +++ b/manifests/centurion/base/PVC-centurion.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: centurion +spec: + volumeMode: Filesystem + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi 
diff --git a/manifests/centurion/base/Service-api.yaml b/manifests/centurion/base/Service-api.yaml new file mode 100644 index 0000000..91e76b7 --- /dev/null +++ b/manifests/centurion/base/Service-api.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: api + labels: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion +spec: + selector: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion + ports: + - name: http + port: 80 + targetPort: http + - name: metrics + port: 8080 + targetPort: metrics diff --git a/manifests/centurion/base/kustomization.yaml b/manifests/centurion/base/kustomization.yaml new file mode 100644 index 0000000..15709e6 --- /dev/null +++ b/manifests/centurion/base/kustomization.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + + + +resources: + - PVC-centurion.yaml + - Deployment-api.yaml + - Deployment-worker.yaml + - Service-api.yaml + + From 0507a7317879ff7bc75d8531486b46e1e77e5ebd Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 12:26:55 +0930 Subject: [PATCH 02/49] jghjgh --- manifests/centurion/base/Deployment-api.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/centurion/base/Deployment-api.yaml b/manifests/centurion/base/Deployment-api.yaml index 1d4e660..64e8587 100644 --- a/manifests/centurion/base/Deployment-api.yaml +++ b/manifests/centurion/base/Deployment-api.yaml @@ -45,7 +45,7 @@ spec: - containerPort: 8080 name: metrics - volumeMounts: + volumeMounts: - name: data mountPath: /data subPath: data From 68ee3f0b0931f8e63cef21f0dd1244188f8d8ea8 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 12:29:43 +0930 Subject: [PATCH 03/49] kl --- .github/workflows/ci.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2022f0e..fd163c5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
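Review bot: The Service publishes the `metrics` port (8080) alongside `http`, so any client that can reach the API Service can also scrape the Prometheus endpoint; whether that endpoint requires authentication is not visible here. If metrics are intended only for the scraper, move them to a separate Service selected by the scraper and limit reach with a NetworkPolicy, leaving this Service with the `http` port only.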
@@ -1,8 +1,14 @@ --- -on: push # yamllint disable-line rule:truthy +# on: push # yamllint disable-line rule:truthy -jobs: +on: + push: + branches: + - "**" + tags: + - "*" +jobs: lint: runs-on: ubuntu-latest steps: From 3785ba9d454ed0c9c4621f5005520cfb82298e6d Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 12:34:04 +0930 Subject: [PATCH 04/49] ci update --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index fd163c5..b92d5cc 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -18,4 +18,4 @@ jobs: run: pip install yamllint - name: Lint YAML files - run: yamllint . + run: yamllint ${PWD}/ From d397cf5bf8a5ef44cfb5c71220fbf3cbf2d8982c Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 12:47:03 +0930 Subject: [PATCH 05/49] dsfds --- .github/workflows/ci.yaml | 28 ++-- .yamllint | 104 ++++++------ manifests/centurion/base/Deployment-api.yaml | 168 +++++++++---------- 3 files changed, 150 insertions(+), 150 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b92d5cc..43ca99b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -1,21 +1,23 @@ --- # on: push # yamllint disable-line rule:truthy +name: CI + on: - push: - branches: - - "**" - tags: - - "*" + push: + branches: + - "**" + tags: + - "*" jobs: - lint: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 + lint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 - - name: Install yamllint - run: pip install yamllint + - name: Install yamllint + run: pip install yamllint - - name: Lint YAML files - run: yamllint ${PWD}/ + - name: Lint YAML files + run: yamllint ${PWD}/ diff --git a/.yamllint b/.yamllint index f62bc44..92512aa 100644 --- a/.yamllint +++ b/.yamllint 
@@ -1,69 +1,69 @@ --- -extends: default +# extends: default rules: - braces: - level: error - max-spaces-inside: 1 - min-spaces-inside: 1 - min-spaces-inside-empty: 0 - max-spaces-inside-empty: 0 + braces: + level: error + max-spaces-inside: 1 + min-spaces-inside: 1 + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 - brackets: - level: error - max-spaces-inside: 1 - min-spaces-inside: 1 - min-spaces-inside-empty: 0 - max-spaces-inside-empty: 0 + brackets: + level: error + max-spaces-inside: 1 + min-spaces-inside: 1 + min-spaces-inside-empty: 0 + max-spaces-inside-empty: 0 - colons: - level: warning - max-spaces-after: 1 + colons: + level: warning + max-spaces-after: 1 - commas: - level: warning + commas: + level: warning - comments: - level: error - require-starting-space: true - ignore-shebangs: true - min-spaces-from-content: 4 + comments: + level: error + require-starting-space: true + ignore-shebangs: true + min-spaces-from-content: 4 - comments-indentation: - level: error + comments-indentation: + level: error - document-end: - level: error - present: false + document-end: + level: error + present: false - document-start: - level: error - present: true + document-start: + level: error + present: true - empty-lines: - level: warning - max: 2 - max-start: 0 - max-end: 0 + empty-lines: + level: warning + max: 2 + max-start: 0 + max-end: 0 - hyphens: - level: warning - max-spaces-after: 1 + hyphens: + level: warning + max-spaces-after: 1 - indentation: - level: error - spaces: 4 - indent-sequences: true - check-multi-line-strings: true + indentation: + level: error + spaces: 2 + indent-sequences: true + check-multi-line-strings: true - line-length: - level: warning - max: 100 - allow-non-breakable-inline-mappings: true + line-length: + level: warning + max: 100 + allow-non-breakable-inline-mappings: true - new-lines: - level: error - type: unix + new-lines: + level: error + type: unix - truthy: disable + truthy: disable 
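Review bot: Commenting out `extends: default` changes what is checked, not only the indentation: without `extends`, yamllint enables only the rules listed under `rules:`, so default rules that are not listed — notably `key-duplicates` and `trailing-spaces` — stop running, if I read yamllint's config handling correctly. `key-duplicates` matters for Kubernetes manifests, where a repeated key silently overrides the earlier value. Keep `extends: default` and override just `indentation: spaces: 2`, or add `key-duplicates: enable` to the list explicitly.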
diff --git a/manifests/centurion/base/Deployment-api.yaml b/manifests/centurion/base/Deployment-api.yaml index 64e8587..1a86cbf 100644 --- a/manifests/centurion/base/Deployment-api.yaml +++ b/manifests/centurion/base/Deployment-api.yaml 
@@ -1,102 +1,100 @@ --- + apiVersion: apps/v1 kind: Deployment metadata: - labels: + labels: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion + name: api +spec: + selector: + matchLabels: + app.kubernetes.io/component: API + app.kubernetes.io/name: centurion + replicas: 1 + minReadySeconds: 10 + template: + metadata: + labels: app.kubernetes.io/component: API app.kubernetes.io/name: centurion - name: api -spec: - selector: - matchLabels: - app.kubernetes.io/component: API - app.kubernetes.io/name: centurion - replicas: 1 - minReadySeconds: 10 - template: - metadata: - labels: - app.kubernetes.io/component: API - app.kubernetes.io/name: centurion - spec: - terminationGracePeriodSeconds: 10 - affinity: { } - - + spec: + terminationGracePeriodSeconds: 10 + affinity: {} + containers: + - name: web + image: nofusscomputing/centurion-erp:dev + env: + - name: PROMETHEUS_MULTIPROC_DIR + value: "/tmp/prometheus" + resources: + limits: + cpu: 1500m + # memory: 800Mi # OOMKilled + memory: 1Gi + requests: + cpu: 10m + memory: 20Mi - containers: - - name: web - image: nofusscomputing/centurion-erp:dev - env: - - name: PROMETHEUS_MULTIPROC_DIR - value: "/tmp/prometheus" - resources: - limits: - cpu: 1500m - # memory: 800Mi # OOMKilled - memory: 1Gi - requests: - cpu: 10m - memory: 20Mi + ports: + - containerPort: 8000 + name: http + - containerPort: 8080 + name: metrics - ports: - - containerPort: 8000 - name: http - - containerPort: 8080 - name: metrics - - volumeMounts: - - name: data - mountPath: /data - subPath: data + volumeMounts: + - name: data + mountPath: /data + subPath: data - - name: celery-broker - mountPath: /etc/itsm/celery-broker.py - subPath: celery-broker.py - readOnly: true + - name: celery-broker + mountPath: /etc/itsm/celery-broker.py + subPath: celery-broker.py + readOnly: true - - name: configuration - mountPath: /etc/itsm/settings.py - subPath: settings.py - readOnly: true + - name: configuration + mountPath: /etc/itsm/settings.py + 
subPath: settings.py + readOnly: true - - name: database - mountPath: /etc/itsm/database.py - subPath: database.py - readOnly: true + - name: database + mountPath: /etc/itsm/database.py + subPath: database.py + readOnly: true - - mountPath: /tmp - name: tmp - subPath: tmp + - mountPath: /tmp + name: tmp + subPath: tmp - tolerations: [] - volumes: - - name: celery-broker - secret: - secretName: celery-broker - items: - - key: celery-broker.py - path: celery-broker.py + tolerations: [] + volumes: + - name: celery-broker + secret: + secretName: celery-broker + items: + - key: celery-broker.py + path: celery-broker.py - - name: configuration - configMap: - name: configuration - items: - - key: settings.py - path: settings.py + - name: configuration + configMap: + name: configuration + items: + - key: settings.py + path: settings.py - - name: data - persistentVolumeClaim: - claimName: centurion + - name: data + persistentVolumeClaim: + claimName: centurion - - name: database - secret: - secretName: database - items: - - key: database.py - path: database.py + - name: database + secret: + secretName: database + items: + - key: database.py + path: database.py - - name: tmp - emptyDir: - medium: Memory - # sizeLimit: 64Mi + - name: tmp + emptyDir: + medium: Memory + # sizeLimit: 64Mi From 55c229565c80dd0effb719412970ca24957fd094 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 12:54:35 +0930 Subject: [PATCH 06/49] errs --- .yamllint | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.yamllint b/.yamllint index 92512aa..66fd8f4 100644 --- a/.yamllint +++ b/.yamllint @@ -42,13 +42,13 @@ rules: present: true empty-lines: - level: warning + level: error max: 2 max-start: 0 max-end: 0 hyphens: - level: warning + level: error max-spaces-after: 1 indentation: From adc08001cfddf667fdf5795827f3256280aec8d0 Mon Sep 17 00:00:00 2001 
From: Jon Date: Sun, 1 Jun 2025 13:01:39 +0930 Subject: [PATCH 07/49] kubescape --- .github/workflows/ci.yaml | 55 +++++++++++++++++++++++++++++++++++++++ .vscode/settings.json | 6 ++--- 2 files changed, 58 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 43ca99b..caaf40f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -21,3 +21,58 @@ jobs: - name: Lint YAML files run: yamllint ${PWD}/ + + + kubescape: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + continue-on-error: true + with: + format: sarif + outputFile: results + # # Optional: Specify the Kubescape Portal credentials + # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # server: ${{ vars.KUBESCAPE_SERVER }} + # # Optional: Scan a specific path. Default will scan the whole repository + # files: "examples/*.yaml" + - name: Upload Kubescape scan results to Github Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif + + + kubescape-fix-pr-reviews: + runs-on: ubuntu-latest + permissions: + pull-requests: write + + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v35 + - uses: kubescape/github-action@main + with: + # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # server: ${{ vars.KUBESCAPE_SERVER }} + # files: ${{ steps.changed-files.outputs.all_changed_files }} + fixFiles: true + format: "sarif" + - name: PR Suggester according to SARIF file + if: github.event_name == 'pull_request_target' + uses: HollowMan6/sarif4reviewdog@v1.0.0 + with: + file: 'results.sarif' + level: warning diff --git a/.vscode/settings.json b/.vscode/settings.json index 88762a7..01b1f47 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
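Review bot: Both new jobs run `kubescape/github-action@main` — a mutable branch ref — while holding `security-events: write` and `pull-requests: write`, and `tj-actions/changed-files@v35` and `HollowMan6/sarif4reviewdog@v1.0.0` are pinned only by tag; pin each to a full commit SHA so a later push to that branch or tag cannot change what runs with those tokens. The same unpinned refs are copied into .github/workflows/kubescape.yaml and kubescape-pr.yaml in PATCH 11/49. Separately, this workflow only triggers on `push` (per the `on:` block above the hunk), so `github.event.pull_request.head.ref` and `.head.repo.full_name` evaluate to empty in the `kubescape-fix-pr-reviews` checkout and the `if: github.event_name == 'pull_request_target'` gate on the last step can never be true — as written the job appears unable to post a review. `continue-on-error: true` on the scan step also reports the job green when the scanner itself fails; consider dropping it once the upload step is known to work.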
@@ -28,8 +28,8 @@ "url": "https://github.com/adrienverge/yamllint" } }, - "editor.tabSize": 4, - "files.eol": "\n", "editor.detectIndentation": false, - "editor.indentSize": "tabSize" + "editor.indentSize": "tabSize", + "editor.tabSize": 2, + "files.eol": "\n" } \ No newline at end of file From a729fa4aada160d5f675c205f8a6ba36eecca855 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:07:49 +0930 Subject: [PATCH 08/49] v3 codeql --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index caaf40f..4952f30 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -43,7 +43,7 @@ jobs: # # Optional: Scan a specific path. Default will scan the whole repository # files: "examples/*.yaml" - name: Upload Kubescape scan results to Github Code Scanning - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif From d4ca82828848aabaaddf8f6e233e820777630d06 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:10:38 +0930 Subject: [PATCH 09/49] changed files fix --- .github/workflows/ci.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4952f30..77ed44f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -59,9 +59,11 @@ jobs: fetch-depth: 0 ref: ${{github.event.pull_request.head.ref}} repository: ${{github.event.pull_request.head.repo.full_name}} + - name: Get changed files id: changed-files - uses: tj-actions/changed-files@v35 + uses: tj-actions/changed-files@46.0.1 + - uses: kubescape/github-action@main with: # account: ${{secrets.KUBESCAPE_ACCOUNT}} 
@@ -70,6 +72,7 @@ jobs: # files: ${{ steps.changed-files.outputs.all_changed_files }} fixFiles: true format: "sarif" + - name: PR Suggester according to SARIF file if: github.event_name == 'pull_request_target' uses: HollowMan6/sarif4reviewdog@v1.0.0 From e33e446a122a2bdbdb475ee99e1db562b615dffc Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:12:25 +0930 Subject: [PATCH 10/49] changed files fix again --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 77ed44f..f86c10b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -62,7 +62,7 @@ jobs: - name: Get changed files id: changed-files - uses: tj-actions/changed-files@46.0.1 + uses: tj-actions/changed-files@v46.0.1 - uses: kubescape/github-action@main with: From 9c48180025c0905bb1dc02ed3b446756e3f9f288 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:16:43 +0930 Subject: [PATCH 11/49] seperate ci --- .github/workflows/kubescape-pr.yaml | 40 +++++++++++++++++++++++++++++ .github/workflows/kubescape.yaml | 31 ++++++++++++++++++++++ 2 files changed, 71 insertions(+) create mode 100644 .github/workflows/kubescape-pr.yaml create mode 100644 .github/workflows/kubescape.yaml diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml new file mode 100644 index 0000000..dff87d8 --- /dev/null +++ b/.github/workflows/kubescape-pr.yaml 
@@ -0,0 +1,40 @@ +--- +# on: push # yamllint disable-line rule:truthy +name: Suggest autofixes with Kubescape for PR by reviews +on: + pull_request_target: + + +jobs: + + kubescape-fix-pr-reviews: + runs-on: ubuntu-latest + permissions: + pull-requests: write + + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{github.event.pull_request.head.ref}} + repository: ${{github.event.pull_request.head.repo.full_name}} + + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v46.0.1 + + - uses: kubescape/github-action@main + with: + # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # server: ${{ vars.KUBESCAPE_SERVER }} + # files: ${{ steps.changed-files.outputs.all_changed_files }} + fixFiles: true + format: "sarif" + + - name: PR Suggester according to SARIF file + if: github.event_name == 'pull_request_target' + uses: HollowMan6/sarif4reviewdog@v1.0.0 + with: + file: 'results.sarif' + level: warning diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml new file mode 100644 index 0000000..62c8da0 --- /dev/null +++ b/.github/workflows/kubescape.yaml 
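Review bot: The job runs on `pull_request_target` with `pull-requests: write`, checks out the PR head from the contributor's repository (`ref` and `repository` taken from `github.event.pull_request.head`), and then runs actions pinned to `@main` and tags against that checkout — this is the combination GitHub's own guidance warns against, because the workflow's privileged token is available while processing content chosen by the PR author. Safer options are to scan on `pull_request` (forks get a read-only token) and post the review from a separate privileged workflow that consumes only the uploaded SARIF artifact, or to restrict this job to same-repository PRs with `if: github.event.pull_request.head.repo.full_name == github.repository`. Note also that `outputFile` is not set in this hunk while the review step reads `results.sarif`, so the step depends on the action's default output name, which is not evident here.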
@@ -0,0 +1,31 @@ +--- +# on: push # yamllint disable-line rule:truthy +name: Kubescape scanning for misconfigurations +on: [ push, pull_request ] + +jobs: + + + kubescape: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + continue-on-error: true + with: + format: sarif + outputFile: results + # # Optional: Specify the Kubescape Portal credentials + # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # server: ${{ vars.KUBESCAPE_SERVER }} + # # Optional: Scan a specific path. Default will scan the whole repository + # files: "examples/*.yaml" + - name: Upload Kubescape scan results to Github Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 2f2b54f27adf7d35c65eceebbe777252e9c46958 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:16:59 +0930 Subject: [PATCH 12/49] seperate ci --- .github/workflows/ci.yaml | 100 +++++++++++++++++++------------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f86c10b..4c6615e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -23,59 +23,59 @@ jobs: run: yamllint ${PWD}/ - kubescape: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - uses: actions/checkout@v3 - - uses: kubescape/github-action@main - continue-on-error: true - with: - format: sarif - outputFile: results - # # Optional: Specify the Kubescape Portal credentials - # account: ${{secrets.KUBESCAPE_ACCOUNT}} - # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} - # server: ${{ vars.KUBESCAPE_SERVER }} - # # Optional: Scan a specific path. Default will scan the whole repository - # files: "examples/*.yaml" - - name: Upload Kubescape scan results to Github Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif + # kubescape: + # runs-on: ubuntu-latest + # permissions: + # actions: read + # contents: read + # security-events: write + # steps: + # - uses: actions/checkout@v3 + # - uses: kubescape/github-action@main + # continue-on-error: true + # with: + # format: sarif + # outputFile: results + # # # Optional: Specify the Kubescape Portal credentials + # # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # # server: ${{ vars.KUBESCAPE_SERVER }} + # # # Optional: Scan a specific path. 
Default will scan the whole repository + # # files: "examples/*.yaml" + # - name: Upload Kubescape scan results to Github Code Scanning + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: results.sarif - kubescape-fix-pr-reviews: - runs-on: ubuntu-latest - permissions: - pull-requests: write + # kubescape-fix-pr-reviews: + # runs-on: ubuntu-latest + # permissions: + # pull-requests: write - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} + # steps: + # - uses: actions/checkout@v3 + # with: + # fetch-depth: 0 + # ref: ${{github.event.pull_request.head.ref}} + # repository: ${{github.event.pull_request.head.repo.full_name}} - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v46.0.1 + # - name: Get changed files + # id: changed-files + # uses: tj-actions/changed-files@v46.0.1 - - uses: kubescape/github-action@main - with: - # account: ${{secrets.KUBESCAPE_ACCOUNT}} - # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} - # server: ${{ vars.KUBESCAPE_SERVER }} - # files: ${{ steps.changed-files.outputs.all_changed_files }} - fixFiles: true - format: "sarif" + # - uses: kubescape/github-action@main + # with: + # # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # # server: ${{ vars.KUBESCAPE_SERVER }} + # # files: ${{ steps.changed-files.outputs.all_changed_files }} + # fixFiles: true + # format: "sarif" - - name: PR Suggester according to SARIF file - if: github.event_name == 'pull_request_target' - uses: HollowMan6/sarif4reviewdog@v1.0.0 - with: - file: 'results.sarif' - level: warning + # - name: PR Suggester according to SARIF file + # if: github.event_name == 'pull_request_target' + # uses: HollowMan6/sarif4reviewdog@v1.0.0 + # with: + # file: 'results.sarif' + # level: warning From 78f843ea9d41b9c49faf0eafd3bc955c7c0b6061 Mon Sep 17 00:00:00 2001 
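Review bot: The two jobs are commented out wholesale rather than removed, leaving roughly fifty lines of dead configuration in ci.yaml that now duplicate the live definitions in kubescape.yaml and kubescape-pr.yaml and will drift from them. Since the previous commit moved the jobs into their own workflow files, delete the block here; git history keeps the old version.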
From: Jon Date: Sun, 1 Jun 2025 13:20:47 +0930 Subject: [PATCH 13/49] ghgf --- .github/workflows/kubescape-pr.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml index dff87d8..ea4409e 100644 --- a/.github/workflows/kubescape-pr.yaml +++ b/.github/workflows/kubescape-pr.yaml @@ -28,7 +28,7 @@ jobs: # account: ${{secrets.KUBESCAPE_ACCOUNT}} # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} # server: ${{ vars.KUBESCAPE_SERVER }} - # files: ${{ steps.changed-files.outputs.all_changed_files }} + files: ${{ steps.changed-files.outputs.all_changed_files }} fixFiles: true format: "sarif" From af3c2559e944f61e8228ae8b1b122551e3ecb276 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:21:15 +0930 Subject: [PATCH 14/49] gfh --- .github/workflows/kubescape.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 62c8da0..9555a61 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -24,7 +24,7 @@ jobs: # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} # server: ${{ vars.KUBESCAPE_SERVER }} # # Optional: Scan a specific path. Default will scan the whole repository - # files: "examples/*.yaml" + files: "manifests/*.yaml" - name: Upload Kubescape scan results to Github Code Scanning uses: github/codeql-action/upload-sarif@v3 with: From eefa28f6bdd7052ffde97f74e2f4ae8166568f2b Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:24:03 +0930 Subject: [PATCH 15/49] fdgfdgd --- .github/workflows/kubescape-pr.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml index ea4409e..4e8e69b 100644 --- a/.github/workflows/kubescape-pr.yaml +++ b/.github/workflows/kubescape-pr.yaml 
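Review bot: `files: ${{ steps.changed-files.outputs.all_changed_files }}` feeds file names taken from the pull request straight into an action input; in a `pull_request_target` workflow those names are chosen by the PR author, and if the action hands the value to a shell (not visible here) unusual names can change the command it runs. Prefer passing the list through an `env:` variable, or the action's JSON output, rather than an inline expression, and keep the `files` input scoped to manifest paths.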
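Review bot: `files: "manifests/*.yaml"` matches only files directly under manifests/, but the manifests added in PATCH 01/49 live in manifests/centurion/base/, so unless Kubescape expands the glob recursively (not evident here) this scan covers no files and passes vacuously. Use `files: "manifests/**/*.yaml"` or point at the directory, and check the run log for the number of scanned files.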
@@ -2,7 +2,8 @@ # on: push # yamllint disable-line rule:truthy name: Suggest autofixes with Kubescape for PR by reviews on: - pull_request_target: + - pull_request_target + - pull_request jobs: From 41d0dc7d8b212b1a5c5d0607e623067a88f56419 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:24:56 +0930 Subject: [PATCH 16/49] gfhfgh --- .github/workflows/kubescape-pr.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml index 4e8e69b..eb8000e 100644 --- a/.github/workflows/kubescape-pr.yaml +++ b/.github/workflows/kubescape-pr.yaml @@ -34,7 +34,7 @@ jobs: format: "sarif" - name: PR Suggester according to SARIF file - if: github.event_name == 'pull_request_target' + # if: github.event_name == 'pull_request_target' uses: HollowMan6/sarif4reviewdog@v1.0.0 with: file: 'results.sarif' From 143c9e20983ff74a96aa21572996d588fba82dff Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:29:18 +0930 Subject: [PATCH 17/49] hjgh --- .github/workflows/kubescape-pr.yaml | 8 +++++++- .github/workflows/kubescape.yaml | 1 + 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml index eb8000e..165c53a 100644 --- a/.github/workflows/kubescape-pr.yaml +++ b/.github/workflows/kubescape-pr.yaml 
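Review bot: Adding `pull_request` next to `pull_request_target` makes every PR run this job twice, and the `pull_request` run for a fork PR carries a read-only GITHUB_TOKEN, so its review-posting step will fail regardless of the `pull-requests: write` declaration; PATCH 16/49 compounds this by commenting out the `if: github.event_name == 'pull_request_target'` gate so reviewdog runs on both events. Pick one trigger — `pull_request` if the checkout of untrusted head code is to stay — and keep the gate otherwise.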
@@ -26,13 +26,19 @@ jobs: - uses: kubescape/github-action@main with: + outputFile: results # account: ${{secrets.KUBESCAPE_ACCOUNT}} # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} # server: ${{ vars.KUBESCAPE_SERVER }} - files: ${{ steps.changed-files.outputs.all_changed_files }} + # files: ${{ steps.changed-files.outputs.all_changed_files }} fixFiles: true format: "sarif" + - name: Upload Kubescape scan results to Github Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + - name: PR Suggester according to SARIF file # if: github.event_name == 'pull_request_target' uses: HollowMan6/sarif4reviewdog@v1.0.0 diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 9555a61..873bbb7 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -25,6 +25,7 @@ jobs: # server: ${{ vars.KUBESCAPE_SERVER }} # # Optional: Scan a specific path. Default will scan the whole repository files: "manifests/*.yaml" + - name: Upload Kubescape scan results to Github Code Scanning uses: github/codeql-action/upload-sarif@v3 with: From 155615db40d7e633eeb64817c790d9e3b26ceaa8 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:35:30 +0930 Subject: [PATCH 18/49] jklj --- .github/workflows/kubescape.yaml | 59 ++++++++++++++++++++------------ 1 file changed, 38 insertions(+), 21 deletions(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 873bbb7..0194987 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -1,11 +1,7 @@ --- -# on: push # yamllint disable-line rule:truthy name: Kubescape scanning for misconfigurations -on: [ push, pull_request ] - +on: [ pull_request ] jobs: - - kubescape: runs-on: ubuntu-latest permissions: 
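Review bot: The new `upload-sarif` step requires `security-events: write`, but this job's `permissions:` block (outside the hunk) grants only `pull-requests: write`, so the upload will be rejected and the job fails before the reviewdog step runs. Add `security-events: write` to the job (and `contents: read`, which an explicit `permissions:` block otherwise sets to none — a private repository's checkout would need it). `kubescape/github-action@main` is also a mutable branch reference in a job holding a write token; pin it to a commit SHA with the version in a trailing comment.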
@@ -13,20 +9,41 @@ jobs: contents: read security-events: write steps: - - uses: actions/checkout@v3 - - uses: kubescape/github-action@main - continue-on-error: true - with: - format: sarif - outputFile: results - # # Optional: Specify the Kubescape Portal credentials - # account: ${{secrets.KUBESCAPE_ACCOUNT}} - # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} - # server: ${{ vars.KUBESCAPE_SERVER }} - # # Optional: Scan a specific path. Default will scan the whole repository - files: "manifests/*.yaml" + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + continue-on-error: false + with: + frameworks: NSA,MITRE + verbose: true + severityThreshold: low +# # on: push # yamllint disable-line rule:truthy +# name: Kubescape scanning for misconfigurations +# on: [ push, pull_request ] + +# jobs: + + +# kubescape: +# runs-on: ubuntu-latest +# permissions: +# actions: read +# contents: read +# security-events: write +# steps: +# - uses: actions/checkout@v3 +# - uses: kubescape/github-action@main +# continue-on-error: true +# with: +# format: sarif +# outputFile: results +# # # Optional: Specify the Kubescape Portal credentials +# # account: ${{secrets.KUBESCAPE_ACCOUNT}} +# # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} +# # server: ${{ vars.KUBESCAPE_SERVER }} +# # # Optional: Scan a specific path. Default will scan the whole repository +# files: "manifests/*.yaml" - - name: Upload Kubescape scan results to Github Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif +# - name: Upload Kubescape scan results to Github Code Scanning +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: results.sarif From d88098f8e5e8de4f57e81735cfa99bfaed57b4f2 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:37:55 +0930 Subject: [PATCH 19/49] fdgdfgdf --- .github/workflows/kubescape.yaml | 79 +++++++++++++++++--------------- 1 file changed, 41 insertions(+), 38 deletions(-) 
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 0194987..b58bd8d 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -1,28 +1,7 @@ --- -name: Kubescape scanning for misconfigurations -on: [ pull_request ] -jobs: - kubescape: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - uses: actions/checkout@v3 - - uses: kubescape/github-action@main - continue-on-error: false - with: - frameworks: NSA,MITRE - verbose: true - severityThreshold: low -# # on: push # yamllint disable-line rule:truthy # name: Kubescape scanning for misconfigurations -# on: [ push, pull_request ] - +# on: [ pull_request ] # jobs: - - # kubescape: # runs-on: ubuntu-latest # permissions: 
@@ -30,20 +9,44 @@ jobs: # contents: read # security-events: write # steps: -# - uses: actions/checkout@v3 -# - uses: kubescape/github-action@main -# continue-on-error: true -# with: -# format: sarif -# outputFile: results -# # # Optional: Specify the Kubescape Portal credentials -# # account: ${{secrets.KUBESCAPE_ACCOUNT}} -# # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} -# # server: ${{ vars.KUBESCAPE_SERVER }} -# # # Optional: Scan a specific path. Default will scan the whole repository -# files: "manifests/*.yaml" +# - uses: actions/checkout@v3 +# - uses: kubescape/github-action@main +# continue-on-error: false +# with: +# frameworks: NSA,MITRE +# verbose: true +# severityThreshold: low +# on: push # yamllint disable-line rule:truthy +name: Kubescape scanning for misconfigurations +on: [ push, pull_request ] + +jobs: + + + kubescape: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v3 + - uses: kubescape/github-action@main + continue-on-error: true + with: + format: sarif + outputFile: results + # # Optional: Specify the Kubescape Portal credentials + # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # server: ${{ vars.KUBESCAPE_SERVER }} + # # Optional: Scan a specific path. Default will scan the whole repository + # files: "manifests/*.yaml" + frameworks: NSA,MITRE + verbose: true + severityThreshold: low -# - name: Upload Kubescape scan results to Github Code Scanning -# uses: github/codeql-action/upload-sarif@v3 -# with: -# sarif_file: results.sarif + - name: Upload Kubescape scan results to Github Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From d0cb620404567096c5ae9741b48d8d7bf33e8883 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:39:01 +0930 Subject: [PATCH 20/49] fgdfdf --- .github/workflows/kubescape.yaml | 7 +++++++ 1 file changed, 7 insertions(+) 
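Review bot: `continue-on-error: true` on the scan step means `severityThreshold: low` can never fail the workflow — a threshold breach exits non-zero, the step is marked failed-but-ignored, and the job goes green, so the PR check carries no signal. Decide what the workflow is for: as a gate, drop `continue-on-error` and let the threshold fail the job; as an alerts-only feed into Code Scanning, drop `severityThreshold`. In the gate case add `if: always()` to the upload step so findings still reach Code Scanning when the scan step fails on the threshold.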
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index b58bd8d..cf613f9 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -50,3 +50,10 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: results.sarif + + - name: PR Suggester according to SARIF file + # if: github.event_name == 'pull_request_target' + uses: HollowMan6/sarif4reviewdog@v1.0.0 + with: + file: 'results.sarif' + level: warning From 587fe9c710063d65da3f3d216ff3d64ed9c2f048 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:41:49 +0930 Subject: [PATCH 21/49] dfgfd --- .github/workflows/kubescape.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index cf613f9..4314e86 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -41,7 +41,7 @@ jobs: # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} # server: ${{ vars.KUBESCAPE_SERVER }} # # Optional: Scan a specific path. Default will scan the whole repository - # files: "manifests/*.yaml" + files: "${PWD}/manifests/*.yaml" frameworks: NSA,MITRE verbose: true severityThreshold: low From 4223bae2dac05683edadc48890cd24c7256f5221 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:41:53 +0930 Subject: [PATCH 22/49] dfgfd --- .github/workflows/kubescape.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 4314e86..7439818 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -18,7 +18,7 @@ # severityThreshold: low # on: push # yamllint disable-line rule:truthy name: Kubescape scanning for misconfigurations -on: [ push, pull_request ] +on: [ pull_request ] jobs: From 8ea98cd60f4884249206ace1b123238f8679c977 Mon Sep 17 00:00:00 2001 
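Review bot: `files: "${PWD}/manifests/*.yaml"` will most likely scan nothing: `${PWD}` is not Actions expression syntax and reaches the action as a literal unless the action's own shell expands it, and the glob only matches files directly under `manifests/`, while this repository's manifests live under `manifests/centurion/base/`. A scanner handed an empty file set exits clean, so a green check here proves nothing. Point it at a directory kubescape can walk, `files: manifests/`, or drop `files:` and scan the whole checkout, and confirm in the run output that the resource count is non-zero.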
From: Jon Date: Sun, 1 Jun 2025 13:43:14 +0930 Subject: [PATCH 23/49] pr write --- .github/workflows/kubescape.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 7439818..c371eb6 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -29,6 +29,7 @@ jobs: actions: read contents: read security-events: write + pull-requests: write steps: - uses: actions/checkout@v3 - uses: kubescape/github-action@main From eb23d4f004493d3e5a3b20d6541f2904e4909199 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:44:47 +0930 Subject: [PATCH 24/49] pr write --- .github/workflows/kubescape.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index c371eb6..f2fe7db 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -22,7 +22,6 @@ on: [ pull_request ] jobs: - kubescape: runs-on: ubuntu-latest permissions: From 8b51d0ec38e7857912192951ecb289c924b96b4f Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:52:13 +0930 Subject: [PATCH 25/49] hgjgj --- .github/workflows/kubescape.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index f2fe7db..1ef721b 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -41,7 +41,7 @@ jobs: # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} # server: ${{ vars.KUBESCAPE_SERVER }} # # Optional: Scan a specific path. Default will scan the whole repository - files: "${PWD}/manifests/*.yaml" + # files: "${PWD}/manifests/*.yaml" frameworks: NSA,MITRE verbose: true severityThreshold: low @@ -57,3 +57,4 @@ jobs: with: file: 'results.sarif' level: warning + filter_mode: nofilter From 0779c542039b0e841ea1d8d2e969d3fdd296c581 Mon Sep 17 00:00:00 2001 
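Review bot: Adding `pull-requests: write` hands a write-capable token to every step in the job, including `kubescape/github-action@main` (a mutable branch) and `HollowMan6/sarif4reviewdog@v1.0.0` (a mutable tag), so a compromised or force-pushed upstream could post or edit PR content as this repository. Pin both third-party actions to full commit SHAs (`uses: owner/repo@<sha> # v1.0.0`), and if only the reviewdog step needs the write scope, give it its own job with the elevated permission so the scanner itself runs read-only.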
From: Jon Date: Sun, 1 Jun 2025 13:53:05 +0930 Subject: [PATCH 26/49] ghgfh --- .github/workflows/kubescape.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 1ef721b..0cff7f3 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -51,6 +51,12 @@ jobs: with: sarif_file: results.sarif + - name: Upload scan results (json Report) + uses: actions/upload-artifact@v4 + with: + name: results.sarif + path: results.sarif + - name: PR Suggester according to SARIF file # if: github.event_name == 'pull_request_target' uses: HollowMan6/sarif4reviewdog@v1.0.0 From b63a6eab527cea0e5c948b451da7e6608e44d1ac Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 13:58:29 +0930 Subject: [PATCH 27/49] files --- .github/workflows/kubescape.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 0cff7f3..186d469 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -41,7 +41,7 @@ jobs: # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} # server: ${{ vars.KUBESCAPE_SERVER }} # # Optional: Scan a specific path. Default will scan the whole repository - # files: "${PWD}/manifests/*.yaml" + files: "${PWD}/manifests/*.yaml" frameworks: NSA,MITRE verbose: true severityThreshold: low From 6eaa2128b274d07a98f58d1158b1bb097e8f428e Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 14:00:00 +0930 Subject: [PATCH 28/49] hfghfg --- manifests/centurion/base/Deployment-api.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/manifests/centurion/base/Deployment-api.yaml b/manifests/centurion/base/Deployment-api.yaml index 1a86cbf..98a724e 100644 --- a/manifests/centurion/base/Deployment-api.yaml +++ b/manifests/centurion/base/Deployment-api.yaml 
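Review bot: Uploading `results.sarif` as a workflow artifact publishes the full finding list (file paths, failed controls) to anyone who can read the repository's Actions runs, which on a public repository is every signed-in user; the Code Scanning upload two steps earlier already retains the same data behind the `security-events` permission. If the artifact is for debugging, remove it before merging or gate it with `if: runner.debug == '1'`. The step name says "json Report" while the file is SARIF; `name: Upload scan results (SARIF)` would match the content.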
@@ -8,6 +8,7 @@ metadata: app.kubernetes.io/name: centurion name: api spec: + selector: matchLabels: app.kubernetes.io/component: API From 06d4ad2723450fe8db8e1ff79ccd49709400fa48 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 14:04:31 +0930 Subject: [PATCH 29/49] hgjgh --- .github/workflows/kubescape.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 186d469..f0c9bd7 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -18,7 +18,7 @@ # severityThreshold: low # on: push # yamllint disable-line rule:truthy name: Kubescape scanning for misconfigurations -on: [ pull_request ] +on: [ pull_request, push ] jobs: @@ -46,6 +46,14 @@ jobs: verbose: true severityThreshold: low + - name: Debug SARIF Contents + run: | + if [ -f results.sarif ]; then + cat results.sarif + else + echo "No SARIF file generated" + fi + - name: Upload Kubescape scan results to Github Code Scanning uses: github/codeql-action/upload-sarif@v3 with: From 3bf61e8c7863ffd69a30193981f4d65ad0e21e2c Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 14:06:54 +0930 Subject: [PATCH 30/49] ghgfh --- .github/workflows/kubescape.yaml | 43 +++++++++++++++++++++----------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index f0c9bd7..dd55861 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml 
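Review bot: The `Debug SARIF Contents` step `cat`s the whole results file into the job log, which on a public repository is readable by anyone for the log retention period, while the Code Scanning upload already keeps the findings with access control. Either delete the step before merging or guard it with `if: runner.debug == '1'` so it only runs when debug logging is requested. Restoring `push` alongside `pull_request` in the same patch also means every PR branch runs the scan twice per commit; if the push trigger is wanted, restrict it with `branches: [ main ]`.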
@@ -31,20 +31,35 @@ jobs: pull-requests: write steps: - uses: actions/checkout@v3 - - uses: kubescape/github-action@main - continue-on-error: true - with: - format: sarif - outputFile: results - # # Optional: Specify the Kubescape Portal credentials - # account: ${{secrets.KUBESCAPE_ACCOUNT}} - # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} - # server: ${{ vars.KUBESCAPE_SERVER }} - # # Optional: Scan a specific path. Default will scan the whole repository - files: "${PWD}/manifests/*.yaml" - frameworks: NSA,MITRE - verbose: true - severityThreshold: low + # - uses: kubescape/github-action@main + # continue-on-error: true + # with: + # format: sarif + # outputFile: results + # # # Optional: Specify the Kubescape Portal credentials + # # account: ${{secrets.KUBESCAPE_ACCOUNT}} + # # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} + # # server: ${{ vars.KUBESCAPE_SERVER }} + # # # Optional: Scan a specific path. Default will scan the whole repository + # files: "${PWD}/manifests/*.yaml" + # frameworks: NSA,MITRE + # verbose: true + # severityThreshold: low + + - name: Install Kubescape + run: | + KUBESCAPE_DIR="$HOME/kubescape-bin" + mkdir -p "$KUBESCAPE_DIR" + LATEST_VERSION=$(curl -s https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name) + curl -sL "https://github.com/kubescape/kubescape/releases/download/${LATEST_VERSION}/kubescape-ubuntu-latest" -o "$KUBESCAPE_DIR/kubescape" + chmod +x "$KUBESCAPE_DIR/kubescape" + echo "$KUBESCAPE_DIR" >> $GITHUB_PATH + + - name: Run Kubescape scan + run: | + kubescape scan . \ + --format sarif \ + --output results.sarif - name: Debug SARIF Contents run: | From 758bf4ea047534d7e72b7f3d96c4cd404566aa46 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 14:18:34 +0930 Subject: [PATCH 31/49] verbose framework --- .github/workflows/kubescape.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
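Review bot: The `Install Kubescape` step fetches whatever the latest release is and executes it with no version pin and no integrity check, in a job holding `pull-requests: write` and `security-events: write`, so the scanner's behaviour depends on a release this repository never reviewed and is trusted purely on the TLS connection at run time. `curl -s` also lacks `-f`: when the unauthenticated API call is rate-limited (common on shared runners) `jq -r .tag_name` yields `null`, the download 404s, the HTML error body is written to `$KUBESCAPE_DIR/kubescape` and made executable, and the failure surfaces only as a confusing error in the scan step. Pin a release and its digest, fail fast on any fetch error, and verify before `chmod +x`, as below; the digest only needs updating when the pin is bumped.
```yaml
      - name: Install Kubescape
        env:
          KUBESCAPE_VERSION: "<pinned release tag>"
          KUBESCAPE_SHA256: "<sha256 of kubescape-ubuntu-latest for that tag>"
        run: |
          set -euo pipefail
          KUBESCAPE_DIR="$HOME/kubescape-bin"
          mkdir -p "$KUBESCAPE_DIR"
          curl -fsSL --retry 3 \
            "https://github.com/kubescape/kubescape/releases/download/${KUBESCAPE_VERSION}/kubescape-ubuntu-latest" \
            -o "$KUBESCAPE_DIR/kubescape"
          # refuse to execute a binary whose digest is not the one that was reviewed
          echo "${KUBESCAPE_SHA256}  $KUBESCAPE_DIR/kubescape" | sha256sum -c -
          chmod +x "$KUBESCAPE_DIR/kubescape"
          echo "$KUBESCAPE_DIR" >> "$GITHUB_PATH"
      # … unchanged: Run Kubescape scan step …
```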
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index dd55861..901940c 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -57,7 +57,8 @@ jobs: - name: Run Kubescape scan run: | - kubescape scan . \ + kubescape scan framework mitre,nsa . \ + --verbose \ --format sarif \ --output results.sarif From f7336c786e16526534131306430769bd74816a06 Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 14:22:22 +0930 Subject: [PATCH 32/49] dfgdfg --- .github/workflows/kubescape.yaml | 4 +++- manifests/centurion/base/kustomization.yaml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 901940c..b45b516 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -18,7 +18,9 @@ # severityThreshold: low # on: push # yamllint disable-line rule:truthy name: Kubescape scanning for misconfigurations -on: [ pull_request, push ] +on: + - pull_request + # - push jobs: diff --git a/manifests/centurion/base/kustomization.yaml b/manifests/centurion/base/kustomization.yaml index 15709e6..d61b897 100644 --- a/manifests/centurion/base/kustomization.yaml +++ b/manifests/centurion/base/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - +namespace: centurion resources: - PVC-centurion.yaml From bf8b0cf84a3bf48faa9b3b2c4e7d56d8608e85bc Mon Sep 17 00:00:00 2001 
From: Jon Date: Sun, 1 Jun 2025 14:25:58 +0930 Subject: [PATCH 33/49] at np test --- .../CiliumNetworkPolicy-centurion-api.yaml | 39 +++++++++++++++++++ .../CiliumNetworkPolicy-centurion-ui.yaml | 21 ++++++++++ .../CiliumNetworkPolicy-centurion-worker.yaml | 32 +++++++++++++++ manifests/centurion/base/kustomization.yaml | 3 ++ 4 files changed, 95 insertions(+) create mode 100644 manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml create mode 100644 manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml create mode 100644 manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml new file mode 100644 index 0000000..98e1872 --- /dev/null +++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml @@ -0,0 +1,39 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: centurion-api + namespace: centurion +spec: + endpointSelector: + matchLabels: + name: centurion + component: api + ingress: + - fromEndpoints: + - matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller + io.kubernetes.pod.namespace: ingress + toPorts: + - ports: + - port: "80" + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + rules: + dns: + - matchPattern: "*" + - toServices: + - k8sService: + serviceName: main-rw + namespace: postgres + - toServices: + - k8sService: + serviceName: main + namespace: rabbitmq diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml new file mode 100644 index 0000000..63ac8e8 --- /dev/null +++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml 
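Review bot: The `endpointSelector` matches `name: centurion` and `component: api`, but the API Deployment in this repository labels its pods with the `app.kubernetes.io/` keys (`app.kubernetes.io/name: centurion`, `app.kubernetes.io/component: API`, as its selector shows in a later patch), so this policy selects no endpoints and the API pods stay unrestricted while a policy appears to be in place. Change the selector to `app.kubernetes.io/name: centurion` and `app.kubernetes.io/component: API` (label values are case-sensitive) and confirm with `kubectl get cep -n centurion` that the API endpoint shows policy enforcement. The ingress rule allows port `"80"` with no `protocol:`; add `protocol: TCP` so the rule says what it means.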
@@ -0,0 +1,21 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: centurion-ui + namespace: centurion +spec: + endpointSelector: + matchLabels: + name: centurion + component: ui + ingress: + - fromEndpoints: + - matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/component: controller + io.kubernetes.pod.namespace: ingress + toPorts: + - ports: + - port: "80" + egress: + - {} diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml new file mode 100644 index 0000000..53ab955 --- /dev/null +++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml @@ -0,0 +1,32 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: centurion-worker + namespace: centurion +spec: + endpointSelector: + matchLabels: + name: centurion + component: worker + ingress: + - {} + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + rules: + dns: + - matchPattern: "*" + - toServices: + - k8sService: + serviceName: main-rw + namespace: postgres + - toServices: + - k8sService: + serviceName: main + namespace: rabbitmq diff --git a/manifests/centurion/base/kustomization.yaml b/manifests/centurion/base/kustomization.yaml index d61b897..aef5dac 100644 --- a/manifests/centurion/base/kustomization.yaml +++ b/manifests/centurion/base/kustomization.yaml @@ -9,5 +9,8 @@ resources: - Deployment-api.yaml - Deployment-worker.yaml - Service-api.yaml + - CiliumNetworkPolicy-centurion-api.yaml + - CiliumNetworkPolicy-centurion-ui.yaml + - CiliumNetworkPolicy-centurion-worker.yaml From 06a5952b8fa1450702c3c8131f10bad6c8b28cc9 Mon Sep 17 00:00:00 2001 
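Review bot: The worker and UI policies use the same `name`/`component` selector keys as the API policy, so if the worker Deployment follows the `app.kubernetes.io/*` labelling its API sibling uses (its labels are not visible here), neither policy selects anything — and nothing in this kustomization defines a UI workload at all, so `centurion-ui` selects nothing until an overlay adds one. `ingress: - {}` on the worker and `egress: - {}` on the UI are, in Cilium's semantics, empty rules that put the endpoint into default-deny for that direction rather than allow-all; that is presumably intended, but it reads the opposite way to anyone coming from Kubernetes NetworkPolicy, so a comment such as `# empty rule: Cilium default-deny for this direction, not allow-all` would prevent a later "fix" that opens it up.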
From: Jon Date: Sun, 1 Jun 2025 14:46:56 +0930 Subject: [PATCH 34/49] test customize --- .github/workflows/kubescape-pr.yaml | 94 ++++++++++++++--------------- .github/workflows/kubescape.yaml | 2 +- 2 files changed, 48 insertions(+), 48 deletions(-) diff --git a/.github/workflows/kubescape-pr.yaml b/.github/workflows/kubescape-pr.yaml index 165c53a..2cd234f 100644 --- a/.github/workflows/kubescape-pr.yaml +++ b/.github/workflows/kubescape-pr.yaml 
@@ -1,47 +1,47 @@ ---- -# on: push # yamllint disable-line rule:truthy -name: Suggest autofixes with Kubescape for PR by reviews -on: - - pull_request_target - - pull_request - - -jobs: - - kubescape-fix-pr-reviews: - runs-on: ubuntu-latest - permissions: - pull-requests: write - - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} - - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@v46.0.1 - - - uses: kubescape/github-action@main - with: - outputFile: results - # account: ${{secrets.KUBESCAPE_ACCOUNT}} - # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} - # server: ${{ vars.KUBESCAPE_SERVER }} - # files: ${{ steps.changed-files.outputs.all_changed_files }} - fixFiles: true - format: "sarif" - - - name: Upload Kubescape scan results to Github Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - - - name: PR Suggester according to SARIF file - # if: github.event_name == 'pull_request_target' - uses: HollowMan6/sarif4reviewdog@v1.0.0 - with: - file: 'results.sarif' - level: warning +# --- +# # on: push # yamllint disable-line rule:truthy +# name: Suggest autofixes with Kubescape for PR by reviews +# on: +# - pull_request_target +# - pull_request + + +# jobs: + +# kubescape-fix-pr-reviews: +# runs-on: ubuntu-latest +# permissions: +# pull-requests: write + +# steps: +# - uses: actions/checkout@v3 +# with: +# fetch-depth: 0 +# ref: ${{github.event.pull_request.head.ref}} +# repository: ${{github.event.pull_request.head.repo.full_name}} + +# - name: Get changed files +# id: changed-files +# uses: tj-actions/changed-files@v46.0.1 + +# - uses: kubescape/github-action@main +# with: +# outputFile: results +# # account: ${{secrets.KUBESCAPE_ACCOUNT}} +# # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}} +# # server: ${{ vars.KUBESCAPE_SERVER }} +# # files: ${{ 
steps.changed-files.outputs.all_changed_files }} +# fixFiles: true +# format: "sarif" + +# - name: Upload Kubescape scan results to Github Code Scanning +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: results.sarif + +# - name: PR Suggester according to SARIF file +# # if: github.event_name == 'pull_request_target' +# uses: HollowMan6/sarif4reviewdog@v1.0.0 +# with: +# file: 'results.sarif' +# level: warning diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index b45b516..3d173c7 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -59,7 +59,7 @@ jobs: - name: Run Kubescape scan run: | - kubescape scan framework mitre,nsa . \ + kubescape scan framework mitre,nsa manifests/centurion/base \ --verbose \ --format sarif \ --output results.sarif From 1f51f615bc5849c9523d518a7243f1f3c922d57e Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 15:07:26 +0930 Subject: [PATCH 35/49] fgdf --- .github/workflows/kubescape.yaml | 4 ++++ .../centurion/base/CiliumNetworkPolicy-centurion-api.yaml | 1 - .../centurion/base/CiliumNetworkPolicy-centurion-ui.yaml | 1 - .../centurion/base/CiliumNetworkPolicy-centurion-worker.yaml | 1 - 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index 3d173c7..fe659ba 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -57,6 +57,10 @@ jobs: chmod +x "$KUBESCAPE_DIR/kubescape" echo "$KUBESCAPE_DIR" >> $GITHUB_PATH + - name: Run Kubescape debug + run: | + kubescape list frameworks + - name: Run Kubescape scan run: | kubescape scan framework mitre,nsa manifests/centurion/base \ diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml index 98e1872..5b4804e 100644 --- a/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml 
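Review bot: Commenting out every line leaves `.github/workflows/kubescape-pr.yaml` in the workflows directory as a file GitHub still picks up but cannot parse as a workflow, which may surface as an "Invalid workflow file" error on the Actions tab, and it keeps the `pull_request_target` + fork-head checkout + `pull-requests: write` pattern one uncomment away from being live again. Delete the file (`git rm .github/workflows/kubescape-pr.yaml`) and rely on history if it is wanted back. If it is revived, it must not check out `github.event.pull_request.head.ref` under `pull_request_target` with a write token.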
+++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml @@ -2,7 +2,6 @@ apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: centurion-api - namespace: centurion spec: endpointSelector: matchLabels: diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml index 63ac8e8..6c6964f 100644 --- a/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml +++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-ui.yaml @@ -2,7 +2,6 @@ apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: centurion-ui - namespace: centurion spec: endpointSelector: matchLabels: diff --git a/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml b/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml index 53ab955..0a6caa5 100644 --- a/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml +++ b/manifests/centurion/base/CiliumNetworkPolicy-centurion-worker.yaml @@ -2,7 +2,6 @@ apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: centurion-worker - namespace: centurion spec: endpointSelector: matchLabels: From ebd0a210173e0e8937d73e4027148c9f723e3d2d Mon Sep 17 00:00:00 2001 From: Jon Date: Sun, 1 Jun 2025 15:09:32 +0930 Subject: [PATCH 36/49] all controls --- .github/workflows/kubescape.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index fe659ba..e8f0da5 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -63,7 +63,7 @@ jobs: - name: Run Kubescape scan run: | - kubescape scan framework mitre,nsa manifests/centurion/base \ + kubescape scan framework AllControls . \ --verbose \ --format sarif \ --output results.sarif From 516cb4a7e9b9250bc768a02ce2b47a8a02dc6aae Mon Sep 17 00:00:00 2001 
From: Jon Date: Tue, 10 Jun 2025 17:56:27 +0930 Subject: [PATCH 37/49] nginx test --- .github/workflows/kubescape.yaml | 2 +- manifests/nginx/base/configmap-nginx.yaml | 21 ++++++++++ manifests/nginx/base/deployment-nginx.yaml | 39 +++++++++++++++++ manifests/nginx/base/kustomization.yaml | 17 ++++++++ manifests/nginx/base/service.yaml | 11 +++++ .../gitlab_runner/kustomization.yaml | 26 ++++++++++++ .../gitlab_runner/runner-website.yaml | 33 +++++++++++++++ .../nginx/components/ingress/ingress.yaml | 35 ++++++++++++++++ .../components/ingress/kustomization.yaml | 35 ++++++++++++++++ .../kustomization.yaml | 42 +++++++++++++++++++ .../runner-registration-token.env | 1 + 11 files changed, 261 insertions(+), 1 deletion(-) create mode 100644 manifests/nginx/base/configmap-nginx.yaml create mode 100644 manifests/nginx/base/deployment-nginx.yaml create mode 100644 manifests/nginx/base/kustomization.yaml create mode 100644 manifests/nginx/base/service.yaml create mode 100644 manifests/nginx/components/gitlab_runner/kustomization.yaml create mode 100644 manifests/nginx/components/gitlab_runner/runner-website.yaml create mode 100644 manifests/nginx/components/ingress/ingress.yaml create mode 100644 manifests/nginx/components/ingress/kustomization.yaml create mode 100644 manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml create mode 100644 manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml index e8f0da5..e86d4cb 100644 --- a/.github/workflows/kubescape.yaml +++ b/.github/workflows/kubescape.yaml @@ -63,7 +63,7 @@ jobs: - name: Run Kubescape scan run: | - kubescape scan framework AllControls . \ + kubescape scan framework AllControls manifests/nginx/overlays/static-site-gitlab-built/ \ --verbose \ --format sarif \ --output results.sarif 
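Review bot: Narrowing the scan target from `.` to `manifests/nginx/overlays/static-site-gitlab-built/` silently drops the centurion manifests and their network policies from every future scan, and nothing in the workflow will report the lost coverage. Scan the whole `manifests/` tree, or enumerate each overlay explicitly, and keep the single-overlay path only as an additional invocation if rendered kustomize output is what you want checked. It is also worth confirming in the run log that kubescape renders the kustomization here rather than scanning the overlay's `kustomization.yaml` as a bare resource.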
diff --git a/manifests/nginx/base/configmap-nginx.yaml b/manifests/nginx/base/configmap-nginx.yaml new file mode 100644 index 0000000..44ce718 --- /dev/null +++ b/manifests/nginx/base/configmap-nginx.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: nginx +data: + default.conf: | + server { + + listen 80; + + access_log /var/log/nginx/access-default.log main; + error_log /var/log/nginx/error-default.log; + + error_page 500 502 503 504 /50x.html; + + location / { + root /usr/share/nginx/html/; + + } + } diff --git a/manifests/nginx/base/deployment-nginx.yaml b/manifests/nginx/base/deployment-nginx.yaml new file mode 100644 index 0000000..bff6dee --- /dev/null +++ b/manifests/nginx/base/deployment-nginx.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx +spec: + replicas: 1 + template: + spec: + containers: + - name: backend + image: docker.io/nginx:alpine + imagePullPolicy: Always + ports: + - containerPort: 80 + name: http + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 10m + memory: 20Mi + volumeMounts: + - name: http-root + mountPath: /usr/share/nginx/html + mountPropagation: HostToContainer + - name: nginx-config + mountPath: /etc/nginx/conf.d + tolerations: [] + volumes: + - name: http-root + hostPath: + # Ensure the file directory is created. + path: /opt/webserver + type: DirectoryOrCreate + - name: nginx-config + configMap: + name: nginx-config diff --git a/manifests/nginx/base/kustomization.yaml b/manifests/nginx/base/kustomization.yaml new file mode 100644 index 0000000..cda279d --- /dev/null +++ b/manifests/nginx/base/kustomization.yaml @@ -0,0 +1,17 @@ +--- + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: website + +commonLabels: + app.kubernetes.io/part-of: website + app.kubernetes.io/component: webserver + app.kubernetes.io/name: nginx + + +resources: + - configmap-nginx.yaml + - service.yaml + - deployment-nginx.yaml 
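Review bot: The nginx `server` block neither disables version disclosure nor backs its `error_page` directive: add `server_tokens off;` so the `Server` header and built-in error pages stop advertising the exact nginx version, and either add `location = /50x.html { root /usr/share/nginx/html; }` or drop the `error_page` line, since `/50x.html` will otherwise be looked up in the hostPath web root and served only if the site happens to ship that file. `access_log ... main;` also relies on the `main` log_format from the image's default `nginx.conf`, which holds for the stock image but breaks if `/etc/nginx/nginx.conf` is ever overridden — a comment noting the dependency would help.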
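Review bot: The `nginx-config` volume references a ConfigMap named `nginx-config`, but the ConfigMap added in this same patch is named `nginx`, so the pod will sit in ContainerCreating with a `configmap "nginx-config" not found` event (the overlay's `namePrefix` renames both consistently only if the reference matches in the first place). Beyond that, the web root is a `hostPath` (`/opt/webserver`, `DirectoryOrCreate`) mounted read-write into a container with no `securityContext`, so a compromised nginx can write to the node filesystem although it only needs to read the site. Fix the reference, mark both mounts `readOnly: true`, and set `allowPrivilegeEscalation: false` as a minimum — the stock `nginx:alpine` image still starts as root to bind port 80, so `runAsNonRoot` would require an unprivileged nginx variant listening above 1024. Pinning `docker.io/nginx:alpine` by digest would also stop `imagePullPolicy: Always` from pulling an unreviewed image on every restart.
```yaml
        - name: backend
          image: docker.io/nginx:alpine
          # … unchanged: imagePullPolicy, ports, resources …
          securityContext:
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: http-root
              mountPath: /usr/share/nginx/html
              mountPropagation: HostToContainer
              readOnly: true
            - name: nginx-config
              mountPath: /etc/nginx/conf.d
              readOnly: true
      # … unchanged: tolerations, http-root hostPath volume …
        - name: nginx-config
          configMap:
            name: nginx   # must match the ConfigMap's metadata.name
```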
diff --git a/manifests/nginx/base/service.yaml b/manifests/nginx/base/service.yaml new file mode 100644 index 0000000..d66a0b0 --- /dev/null +++ b/manifests/nginx/base/service.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: nginx +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 80 diff --git a/manifests/nginx/components/gitlab_runner/kustomization.yaml b/manifests/nginx/components/gitlab_runner/kustomization.yaml new file mode 100644 index 0000000..f3d3842 --- /dev/null +++ b/manifests/nginx/components/gitlab_runner/kustomization.yaml @@ -0,0 +1,26 @@ +--- + +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component + +images: + - name: registry.gitlab.com/gitlab-org/gitlab-runner + newTag: v17.6.1 + + +resources: + - runner-website.yaml + + +patches: + - target: + kind: Runner + name: gitlab-runner + patch: |- + - op: add + path: /spec/tags + value: production,website + + - op: add + path: /spec/runnerImage + value: registry.gitlab.com/gitlab-org/gitlab-runner:v17.6.0 diff --git a/manifests/nginx/components/gitlab_runner/runner-website.yaml b/manifests/nginx/components/gitlab_runner/runner-website.yaml new file mode 100644 index 0000000..8182df1 --- /dev/null +++ b/manifests/nginx/components/gitlab_runner/runner-website.yaml 
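Review bot: This component pins the runner image twice to different versions: the `images:` transformer sets `registry.gitlab.com/gitlab-org/gitlab-runner` to `v17.6.1`, while the JSON patch writes `spec/runnerImage` as `...gitlab-runner:v17.6.0`. Kustomize's `images:` transformer rewrites container `image:` fields (plus any paths configured for it), not a CRD field like `spec.runnerImage`, so the patch value is presumably what the operator uses and the `images:` entry is dead — confirm by diffing `kustomize build` output. Keep one source of truth, e.g. drop the `images:` entry and pin `runnerImage` to a single version (ideally by digest) with a comment saying it is the only place the version is set.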
@@ -0,0 +1,33 @@
+---
+
+apiVersion: apps.gitlab.com/v1beta2
+kind: Runner
+metadata:
+ name: gitlab-runner
+spec:
+ gitlabUrl: https://gitlab.com
+ podSpec:
+ - name: gitlab-runner
+ patchType: merge
+ patch: |
+ securityContext:
+ runAsNonRoot: false
+
+ # # Production patch: why - the runner pod will need to be on the same node as the website web server
+ # - name: website-runner
+ # patchType: merge
+ # patch: |
+ # affinity:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: kubernetes.io/arch
+ # operator: In
+ # values:
+ # - amd64
+ # securityContext:
+ # runAsNonRoot: false
+ # runnerImage: "see-patch"
+ token: token-secret-name
+ # tags: tag1,tag2
diff --git a/manifests/nginx/components/ingress/ingress.yaml b/manifests/nginx/components/ingress/ingress.yaml
new file mode 100644
index 0000000..db12f6c
--- /dev/null
+++ b/manifests/nginx/components/ingress/ingress.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nginx
+ annotations:
+ cert-manager.io/cluster-issuer: "cluster"
+ cert-manager.io/common-name: "domain-name.tld"
+ cert-manager.io/duration: "2160h"
+ cert-manager.io/subject-organizations: "N/A"
+ cert-manager.io/subject-organizationalunits: "N/A"
+ cert-manager.io/subject-countries: "N/A"
+ cert-manager.io/subject-provinces: "N/A"
+ # cert-manager.io/subject-localities: "N/A"
+ cert-manager.io/private-key-algorithm: "ECDSA"
+ cert-manager.io/private-key-size: "384"
+ cert-manager.io/private-key-rotation-policy: "Always"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+
+spec:
+ rules:
+ - host: "domain-name.tld"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: nginx
+ port:
+ name: http
+ tls:
+ - hosts:
+ - "domain-name.tld"
+ secretName: "certificate-tls-domain-name.tld"
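Review bot: The `podSpec` patch in the runner-website.yaml hunk sets `securityContext.runAsNonRoot: false` on the runner pod, and the commented-out production patch repeats it, but nothing says why root is required; a comment above the patch such as `# runAsNonRoot: false — needed because <reason>; revisit when the runner image supports non-root` lets a reviewer judge the exception instead of re-deriving it on every scan. If the reason is writing the built site into the hostPath the nginx pod reads (as the production comment hints), a matching `runAsUser`/`fsGroup` on both pods would be the narrower fix than running the job executor as root. The `token: token-secret-name` placeholder is overwritten by the overlay's replacements, which is worth a one-line comment here so nobody edits it in the base.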
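Review bot: The Ingress in the ingress.yaml hunk has no `ingressClassName`, so it depends on the cluster having a default IngressClass; the `nginx.ingress.kubernetes.io/ssl-redirect` annotation suggests ingress-nginx is intended, so add `ingressClassName: nginx` (or whichever class is installed) under `spec:`. The `cert-manager.io/subject-*` annotations set to the literal `"N/A"` are embedded verbatim in the CSR's subject for issuers that honour them; if they mean "unset", dropping the annotations is cleaner than encoding a placeholder into issued certificates.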
diff --git a/manifests/nginx/components/ingress/kustomization.yaml b/manifests/nginx/components/ingress/kustomization.yaml
new file mode 100644
index 0000000..b7ab36f
--- /dev/null
+++ b/manifests/nginx/components/ingress/kustomization.yaml
@@ -0,0 +1,35 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+
+resources:
+ - ingress.yaml
+
+patches:
+
+ - patch: |-
+ - op: replace
+ path: /metadata/annotations/cert-manager.io~1cluster-issuer
+ value: cluster
+
+ - op: replace
+ path: /metadata/annotations/cert-manager.io~1common-name
+ value: my-domain-name.tld
+
+ - op: replace
+ path: /spec/rules/0/host
+ value: my-domain-name.tld
+
+ - op: replace
+ path: /spec/tls/0/hosts/0
+ value: my-domain-name.tld
+
+ - op: replace
+ path: /spec/tls/0/secretName
+ value: certificate-tls-domain-name.tld
+ target:
+ kind: Ingress
+ name: nginx
+ version: v1
diff --git a/manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml b/manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml
new file mode 100644
index 0000000..963b781
--- /dev/null
+++ b/manifests/nginx/overlays/static-site-gitlab-built/kustomization.yaml
@@ -0,0 +1,42 @@
+---
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+
+namePrefix: nofusscomputing-
+
+
+namespace: website
+
+
+resources:
+ - ../../base/
+
+
+components:
+ - ../../components/gitlab_runner/
+ - ../../components/ingress/
+
+
+secretGenerator:
+ - name: gitlab-runner-token
+ envs:
+ - runner-registration-token.env
+ type: Opaque
+
+generatorOptions:
+ disableNameSuffixHash: true
+
+
+replacements:
+ - source:
+ kind: Secret
+ name: gitlab-runner-token
+ fieldPath: metadata.name
+ targets:
+ - select:
+ kind: Runner
+ name: gitlab-runner
+ fieldPaths:
+ - spec.token
diff --git a/manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env b/manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env
new file mode 100644
index 0000000..4eeeea7
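Review bot: The last `replace` op in the ingress component's kustomization.yaml hunk sets `/spec/tls/0/secretName` to `certificate-tls-domain-name.tld`, which is exactly the value the base Ingress already carries, while the sibling ops move the host and common name to `my-domain-name.tld`; if the intent is that this patch is the single place an overlay edits every placeholder, the op should read `value: certificate-tls-my-domain-name.tld` (or be dropped as a no-op). A stale secret name is easy to miss at runtime because ingress-nginx typically serves its fake default certificate when the referenced TLS secret is absent rather than failing loudly, so a comment next to the op naming the cert-manager secret it must match would help.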
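Review bot: In the overlay kustomization.yaml hunk, `secretGenerator` reads the GitLab runner token from `runner-registration-token.env`, a file committed next to the kustomization in this same commit (with a placeholder value for now); to deploy, a real token has to be written into that path, which is one careless `git add` away from history. Keep the committed file as a placeholder only and list `runner-registration-token.env` in `.gitignore` (or feed the generator from a file outside the repo or an external secret store), and add a comment above the generator such as `# value is injected into Runner/gitlab-runner spec.token via replacements; never commit a live token`. Separately, `disableNameSuffixHash: true` means a rotated token yields a Secret with the same name, which the operator may not notice; since `replacements` already rewrites `spec.token` from `metadata.name`, leaving the hash suffix enabled would propagate a new name on every rotation.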
--- /dev/null
+++ b/manifests/nginx/overlays/static-site-gitlab-built/runner-registration-token.env
@@ -0,0 +1 @@
+runner-registration-token=MY-GITLAB-REGISTRATION-TOKEN
From ff285b90a6fd31d960900c5e785a45071748be42 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:07:38 +0930
Subject: [PATCH 38/49] test with full path
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index e86d4cb..44aef4f 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,7 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls manifests/nginx/overlays/static-site-gitlab-built/ \
+ kubescape scan framework AllControls ${PWD}/manifests/nginx/overlays/static-site-gitlab-built/ \
 --verbose \
 --format sarif \
 --output results.sarif
From 3609f0a3a7d692ad215b81c95e98f122cc48357f Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:13:43 +0930
Subject: [PATCH 39/49] base scan
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 44aef4f..e549122 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,7 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls ${PWD}/manifests/nginx/overlays/static-site-gitlab-built/ \
+ kubescape scan framework AllControls ${PWD}/manifests/nginx/base/ \
 --verbose \
 --format sarif \
 --output results.sarif
From d81f06f7b35216cd074e8f2a81216080ed5dca1b Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:15:48 +0930
Subject: [PATCH 40/49] app scan
---
 .github/workflows/kubescape.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index e549122..301f840 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,8 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls ${PWD}/manifests/nginx/base/ \
+ # kubescape scan framework AllControls ${PWD}/manifests/nginx/base/ \
+ kubescape scan framework AllControls nginx/ \
 --verbose \
 --format sarif \
 --output results.sarif
From 78977d9cfe533fda45108b5d065e437e8eee6bd1 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:17:13 +0930
Subject: [PATCH 41/49] app scan
---
 .github/workflows/kubescape.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 301f840..4c89526 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,6 @@ jobs:
 - name: Run Kubescape scan
 run: |
- # kubescape scan framework AllControls ${PWD}/manifests/nginx/base/ \
 kubescape scan framework AllControls nginx/ \
 --verbose \
 --format sarif \
From 420780f2358b0c2083c032a3da6573425ba8de95 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:18:54 +0930
Subject: [PATCH 42/49] hlp cmd
---
 .github/workflows/kubescape.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 4c89526..a81f771 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -59,11 +59,11 @@ jobs:
 - name: Run Kubescape debug
 run: |
- kubescape list frameworks
+ kubescape --helh
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls nginx/ \
+ kubescape scan framework AllControls nginx/. \
 --verbose \
 --format sarif \
 --output results.sarif
From e7f3201e00524ba72d10cfa7ee6020e3f1254564 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:20:01 +0930
Subject: [PATCH 43/49] hlp cmd
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index a81f771..0777aad 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -59,7 +59,7 @@ jobs:
 - name: Run Kubescape debug
 run: |
- kubescape --helh
+ kubescape scan --help
 - name: Run Kubescape scan
 run: |
From 163e7cb5667528711595446b1af9d88e3fc4ef1d Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:22:21 +0930
Subject: [PATCH 44/49] star
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 0777aad..40f6aee 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,7 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls nginx/. \
+ kubescape scan framework AllControls nginx/* \
 --verbose \
 --format sarif \
 --output results.sarif
From d5255b7c7ec4c546c8ea519cdac91feac51afcc3 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:23:55 +0930
Subject: [PATCH 45/49] use correct path
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 40f6aee..261708a 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,7 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls nginx/* \
+ kubescape scan framework AllControls manifests/nginx/ \
 --verbose \
 --format sarif \
 --output results.sarif
From 97d260016ed92e1c0ce51fb9825460d56eee6be3 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:26:12 +0930
Subject: [PATCH 46/49] fukll path app
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 261708a..d05731c 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,7 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls manifests/nginx/ \
+ kubescape scan framework AllControls ${PWD}/manifests/nginx/ \
 --verbose \
 --format sarif \
 --output results.sarif
From a312272ee4b3a8ff5054607cedd5c2a68b435eff Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:28:24 +0930
Subject: [PATCH 47/49] cd app dir scan dot
---
 .github/workflows/kubescape.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index d05731c..c9bd22e 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,8 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls ${PWD}/manifests/nginx/ \
+ cd ${PWD}/manifests/nginx/;
+ kubescape scan framework AllControls . \
 --verbose \
 --format sarif \
 --output results.sarif
From 391391eee3553d73c5d0d6644b97bab30c6f37a4 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:30:46 +0930
Subject: [PATCH 48/49] scan dot
---
 .github/workflows/kubescape.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index c9bd22e..0374369 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,6 @@ jobs:
 - name: Run Kubescape scan
 run: |
- cd ${PWD}/manifests/nginx/;
 kubescape scan framework AllControls . \
 --verbose \
 --format sarif \
From 1f5ae83d28cca98c11961f48dd01980e4b1bde58 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 10 Jun 2025 18:36:31 +0930
Subject: [PATCH 49/49] overlay scan
---
 .github/workflows/kubescape.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/kubescape.yaml b/.github/workflows/kubescape.yaml
index 0374369..54b9236 100644
--- a/.github/workflows/kubescape.yaml
+++ b/.github/workflows/kubescape.yaml
@@ -63,7 +63,7 @@ jobs:
 - name: Run Kubescape scan
 run: |
- kubescape scan framework AllControls . \
+ kubescape scan framework AllControls ${PWD}/manifests/nginx/overlays/static-site-gitlab-built/ \
 --verbose \
 --format sarif \
 --output results.sarif