testing

.github/workflows/ci.yaml

@@ -0,0 +1,81 @@
+---
+# on: push    # yamllint disable-line rule:truthy
+name: CI
+
+
+on:
+  push:
+    branches:
+      - "**"
+    tags:
+      - "*"
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install yamllint
+        run: pip install yamllint
+
+      - name: Lint YAML files
+        run: yamllint ${PWD}/
+
+
+  # kubescape:
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     actions: read
+  #     contents: read
+  #     security-events: write
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #     - uses: kubescape/github-action@main
+  #       continue-on-error: true
+  #       with:
+  #         format: sarif
+  #         outputFile: results
+  #         # # Optional: Specify the Kubescape Portal credentials 
+  #         # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+  #         # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+  #         # server: ${{ vars.KUBESCAPE_SERVER }}
+  #         # # Optional: Scan a specific path. Default will scan the whole repository
+  #         # files: "examples/*.yaml"
+  #     - name: Upload Kubescape scan results to Github Code Scanning
+  #       uses: github/codeql-action/upload-sarif@v3
+  #       with:
+  #         sarif_file: results.sarif
+
+
+  # kubescape-fix-pr-reviews:
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     pull-requests: write
+
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #       with:
+  #         fetch-depth: 0
+  #         ref: ${{github.event.pull_request.head.ref}}
+  #         repository: ${{github.event.pull_request.head.repo.full_name}}
+
+  #     - name: Get changed files
+  #       id: changed-files
+  #       uses: tj-actions/changed-files@v46.0.1
+
+  #     - uses: kubescape/github-action@main
+  #       with:
+  #         # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+  #         # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+  #         # server: ${{ vars.KUBESCAPE_SERVER }}
+  #         # files: ${{ steps.changed-files.outputs.all_changed_files }}
+  #         fixFiles: true
+  #         format: "sarif"
+
+  #     - name: PR Suggester according to SARIF file
+  #       if: github.event_name == 'pull_request_target'
+  #       uses: HollowMan6/sarif4reviewdog@v1.0.0
+  #       with:
+  #         file: 'results.sarif'
+  #         level: warning

.github/workflows/kubescape-pr.yaml

@@ -0,0 +1,47 @@
+# ---
+# # on: push    # yamllint disable-line rule:truthy
+# name: Suggest autofixes with Kubescape for PR by reviews
+# on:
+#   - pull_request_target
+#   - pull_request  
+
+
+# jobs:
+
+#   kubescape-fix-pr-reviews:
+#     runs-on: ubuntu-latest
+#     permissions:
+#       pull-requests: write
+
+#     steps:
+#       - uses: actions/checkout@v3
+#         with:
+#           fetch-depth: 0
+#           ref: ${{github.event.pull_request.head.ref}}
+#           repository: ${{github.event.pull_request.head.repo.full_name}}
+
+#       - name: Get changed files
+#         id: changed-files
+#         uses: tj-actions/changed-files@v46.0.1
+
+#       - uses: kubescape/github-action@main
+#         with:
+#           outputFile: results
+#           # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+#           # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+#           # server: ${{ vars.KUBESCAPE_SERVER }}
+#           # files: ${{ steps.changed-files.outputs.all_changed_files }}
+#           fixFiles: true
+#           format: "sarif"
+
+#       - name: Upload Kubescape scan results to Github Code Scanning
+#         uses: github/codeql-action/upload-sarif@v3
+#         with:
+#           sarif_file: results.sarif
+
+#       - name: PR Suggester according to SARIF file
+#         # if: github.event_name == 'pull_request_target'
+#         uses: HollowMan6/sarif4reviewdog@v1.0.0
+#         with:
+#           file: 'results.sarif'
+#           level: warning

.github/workflows/kubescape.yaml

@@ -0,0 +1,96 @@
+---
+# name: Kubescape scanning for misconfigurations
+# on: [ pull_request ]
+# jobs:
+#   kubescape:
+#     runs-on: ubuntu-latest
+#     permissions:
+#       actions: read
+#       contents: read
+#       security-events: write
+#     steps:
+#     - uses: actions/checkout@v3
+#     - uses: kubescape/github-action@main
+#       continue-on-error: false
+#       with:
+#         frameworks: NSA,MITRE
+#         verbose: true
+#         severityThreshold: low
+# on: push    # yamllint disable-line rule:truthy
+name: Kubescape scanning for misconfigurations
+on: 
+  - pull_request
+  # - push
+
+jobs:
+
+  kubescape:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v3
+      # - uses: kubescape/github-action@main
+      #   continue-on-error: true
+      #   with:
+      #     format: sarif
+      #     outputFile: results
+      #     # # Optional: Specify the Kubescape Portal credentials 
+      #     # account: ${{secrets.KUBESCAPE_ACCOUNT}}
+      #     # accessKey: ${{secrets.KUBESCAPE_ACCESS_KEY}}
+      #     # server: ${{ vars.KUBESCAPE_SERVER }}
+      #     # # Optional: Scan a specific path. Default will scan the whole repository
+      #     files: "${PWD}/manifests/*.yaml"
+      #     frameworks: NSA,MITRE
+      #     verbose: true
+      #     severityThreshold: low
+
+      - name: Install Kubescape
+        run: |
+          KUBESCAPE_DIR="$HOME/kubescape-bin"
+          mkdir -p "$KUBESCAPE_DIR"
+          LATEST_VERSION=$(curl -s https://api.github.com/repos/kubescape/kubescape/releases/latest | jq -r .tag_name)
+          curl -sL "https://github.com/kubescape/kubescape/releases/download/${LATEST_VERSION}/kubescape-ubuntu-latest" -o "$KUBESCAPE_DIR/kubescape"
+          chmod +x "$KUBESCAPE_DIR/kubescape"
+          echo "$KUBESCAPE_DIR" >> $GITHUB_PATH
+
+      - name: Run Kubescape debug
+        run: |
+          kubescape scan --help
+
+      - name: Run Kubescape scan
+        run: |
+          kubescape scan framework AllControls ${PWD}/manifests/nginx/overlays/static-site-gitlab-built/ \
+            --verbose \
+            --format sarif \
+            --output results.sarif
+
+      - name: Debug SARIF Contents
+        run: |
+          if [ -f results.sarif ]; then
+            cat results.sarif
+          else
+            echo "No SARIF file generated"
+          fi
+
+      - name: Upload Kubescape scan results to Github Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
+      - name: Upload scan results (json Report)
+        uses: actions/upload-artifact@v4
+        with:
+          name: results.sarif
+          path: results.sarif
+
+      - name: PR Suggester according to SARIF file
+        # if: github.event_name == 'pull_request_target'
+        uses: HollowMan6/sarif4reviewdog@v1.0.0
+        with:
+          file: 'results.sarif'
+          level: warning
+          filter_mode: nofilter

.vscode/extensions.json

@@ -0,0 +1,5 @@
+{
+    "recommendations": [
+        "fnando.linter"
+    ]
+}

.vscode/settings.json

@@ -0,0 +1,35 @@
+{
+    "linter.linters": {
+        "yamllint": {
+            "capabilities": [
+                "ignore-line"
+            ],
+            "command": [
+                "yamllint",
+                "--format",
+                "parsable",
+                [
+                    "$config",
+                    "--config-file",
+                    "$config"
+                ],
+                "-"
+            ],
+            "configFiles": [
+                ".yamllint.yml",
+                ".yamllint.yaml",
+                ".yamllint"
+            ],
+            "enabled": true,
+            "languages": [
+                "yaml"
+            ],
+            "name": "yamllint",
+            "url": "https://github.com/adrienverge/yamllint"
+        }
+    },
+    "editor.detectIndentation": false,
+    "editor.indentSize": "tabSize",
+    "editor.tabSize": 2,
+    "files.eol": "\n"
+}

.yamllint

@@ -0,0 +1,69 @@
+---
+
+# extends: default
+
+rules:
+  braces:
+    level: error
+    max-spaces-inside: 1
+    min-spaces-inside: 1
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 0
+
+  brackets:
+    level: error
+    max-spaces-inside: 1
+    min-spaces-inside: 1
+    min-spaces-inside-empty: 0
+    max-spaces-inside-empty: 0
+
+  colons:
+    level: warning
+    max-spaces-after: 1
+
+  commas:
+    level: warning
+
+  comments:
+    level: error
+    require-starting-space: true
+    ignore-shebangs: true
+    min-spaces-from-content: 4
+
+  comments-indentation:
+    level: error
+
+  document-end:
+    level: error
+    present: false
+
+  document-start:
+    level: error
+    present: true
+
+  empty-lines:
+    level: error
+    max: 2
+    max-start: 0
+    max-end: 0
+
+  hyphens:
+    level: error
+    max-spaces-after: 1
+
+  indentation:
+    level: error
+    spaces: 2
+    indent-sequences: true
+    check-multi-line-strings: true
+
+  line-length:
+    level: warning
+    max: 100
+    allow-non-breakable-inline-mappings: true
+
+  new-lines:
+    level: error
+    type: unix
+
+  truthy: disable

manifests/centurion/base/CiliumNetworkPolicy-centurion-api.yaml

@@ -0,0 +1,38 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: centurion-api
+spec:
+  endpointSelector:
+    matchLabels:
+      name: centurion
+      component: api
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: ingress-nginx
+            app.kubernetes.io/component: controller
+            io.kubernetes.pod.namespace: ingress
+      toPorts:
+        - ports:
+            - port: "80"
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+          rules:
+            dns:
+              - matchPattern: "*"
+    - toServices:
+        - k8sService:
+            serviceName: main-rw
+            namespace: postgres
+    - toServices:
+        - k8sService:
+            serviceName: main
+            namespace: rabbitmq