rancher
/
security-scan
mirror of https://github.com/rancher/security-scan.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
security-scan/tests/deploy.yaml

368 lines
8.7 KiB
YAML
Raw Permalink Blame History

apiVersion: v1
kind: Namespace
metadata:
name: rancher-compliance-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rc-serviceaccount
namespace: rancher-compliance-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: rancher-compliance
name: rc-scan
rules:
- apiGroups:
- '*'
resources:
- podsecuritypolicies
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- nodes
- pods
verbs:
- get
- list
- watch
# Permissions from here onwards are not part of the original rc-scan
# and were given to ensure the test can work.
- apiGroups:
- ""
resources:
- secrets
- configmaps
- pods
verbs:
- get
- list
- watch
- patch
- delete
- create
- apiGroups:
- "apps"
resources:
- daemonsets
verbs:
- get
- list
- watch
- patch
- delete
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rc-scan
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rc-scan
subjects:
- kind: ServiceAccount
name: rc-serviceaccount
namespace: rancher-compliance-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: rc-s-config-cm-scan-vk6d4
namespace: rancher-compliance-system
data:
config.json: |
{
"Description": "kube-bench plugin for Rancher Compliance",
"Filters": {
"LabelSelector": "",
"Namespaces": "[^\\w-.]+"
},
"PluginNamespace": "rancher-compliance-system",
"Plugins": [
{
"name": "rancher-kube-bench"
}
],
"PluginSearchPath": [
"/plugins.d"
],
"Resources": [],
"ResultsDir": "/tmp/sonobuoy",
"Server": {
"advertiseaddress": "service-rancher-compliance",
"bindaddress": "0.0.0.0",
"bindport": 443,
"timeoutseconds": 5400
},
"Namespace": "rancher-compliance-system",
"WorkerImage": "${SONOBUOY_IMAGE}",
"Version": "v0.56.7"
}
---
apiVersion: v1
kind: Service
metadata:
name: service-rancher-compliance
namespace: rancher-compliance-system
spec:
ports:
- name: http
port: 443
protocol: TCP
targetPort: 443
selector:
run: sonobuoy-master
type: ClusterIP
---
apiVersion: v1
kind: ConfigMap
metadata:
name: rc-s-plugins-cm-scan-vk6d4
namespace: rancher-compliance-system
data:
rancher-kube-bench.yaml: |
podSpec:
containers: []
dnsPolicy: ClusterFirstWithHostNet
hostIPC: true
hostNetwork: true
hostPID: true
serviceAccountName: rc-serviceaccount
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/controlplane
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
key: node-role.kubernetes.io/etcd
operator: Exists
- effect: NoExecute
key: CriticalAddonsOnly
operator: Exists
volumes:
- hostPath:
path: /
name: root
- hostPath:
path: /etc/passwd
name: etc-passwd
- hostPath:
path: /etc/group
name: etc-group
- hostPath:
path: /var/lib/rancher
name: rke2-root
- hostPath:
path: /etc/rancher
name: rke2-root-config
- hostPath:
path: /etc/cni/net.d
name: rke2-cni
- hostPath:
path: /var/log
name: var-log
- hostPath:
path: /run/log
name: run-log
sonobuoy-config:
driver: DaemonSet
plugin-name: rancher-kube-bench
result-type: rancher-kube-bench
result-format: raw
spec:
name: rancher-kube-bench
image: $IMAGE
command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"]
env:
- name: SONOBUOY_NS
value: rancher-compliance-system
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: RESULTS_DIR
value: /tmp/results
- name: CHROOT_DIR
value: /node
- name: OVERRIDE_BENCHMARK_VERSION
value: test-1
imagePullPolicy: Always
securityContext:
privileged: true
volumeMounts:
- mountPath: /tmp/results
name: results
readOnly: false
- mountPath: /node
name: root
readOnly: true
- mountPath: /etc/passwd
name: etc-passwd
readOnly: true
- mountPath: /etc/group
name: etc-group
readOnly: true
- mountPath: /var/lib/rancher
name: rke2-root
readOnly: true
- mountPath: /etc/rancher
name: rke2-root-config
readOnly: true
- mountPath: /etc/cni/net.d
name: rke2-cni
readOnly: true
- mountPath: /var/log/
name: var-log
readOnly: true
- mountPath: /run/log/
name: run-log
readOnly: true
---
apiVersion: v1
kind: Pod
metadata:
labels:
app.kubernetes.io/instance: security-scan-runner-scan-6fjs5
app.kubernetes.io/name: rancher-compliance
rc.cattle.io/clusterscanprofile: test-profile
rc.cattle.io/controller: compliance-operator
rc.cattle.io/scan: scan-6fjs5
controller-uid: d1c0f186-f321-481f-8cdb-8c052e5cd738
job-name: security-scan-runner-scan-6fjs5
run: sonobuoy-master
annotations:
sonobuoy.hept.io/status: "{}"
name: security-scan-runner-scan-test
namespace: rancher-compliance-system
spec:
containers:
- env:
- name: OVERRIDE_BENCHMARK_VERSION
value: test-1
- name: SONOBUOY_NS
value: rancher-compliance-system
- name: SONOBUOY_POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: SONOBUOY_ADVERTISE_IP
value: rcscan-rancher-compliance
- name: OUTPUT_CONFIGMAPNAME
value: rcscan-output-for-scan-vk6d4
- name: VERBOSE
value: "true"
image: $IMAGE
imagePullPolicy: Never
command: ["bash"]
args: ["-c", "while true; do echo hello; sleep 10;done"]
name: rancher-compliance
ports:
- containerPort: 8080
protocol: TCP
securityContext:
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/sonobuoy
name: s-config-volume
- mountPath: /plugins.d
name: s-plugins-volume
- mountPath: /tmp/sonobuoy
name: output-volume
- mountPath: /var/lib/rancher
name: rke2-root
- mountPath: /etc/rancher
name: rke2-root-config
- mountPath: /etc/cni/net.d
name: rke2-cni
- mountPath: /etc/passwd
name: etc-passwd
- mountPath: /etc/group
name: etc-group
- mountPath: /var/log/
name: var-log
- mountPath: /run/log/
name: run-log
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-6k6bd
readOnly: true
dnsPolicy: ClusterFirst
hostIPC: true
hostPID: true
nodeSelector:
kubernetes.io/os: linux
serviceAccount: rc-serviceaccount
serviceAccountName: rc-serviceaccount
volumes:
- configMap:
defaultMode: 420
name: rc-s-config-cm-scan-vk6d4
name: s-config-volume
- configMap:
defaultMode: 420
name: rc-s-plugins-cm-scan-vk6d4
name: s-plugins-volume
- emptyDir: {}
name: output-volume
- hostPath:
path: /var/lib/rancher
type: ''
name: rke2-root
- hostPath:
path: /etc/rancher
type: ''
name: rke2-root-config
- hostPath:
path: /etc/cni/net.d
type: ''
name: rke2-cni
- hostPath:
path: /etc/passwd
type: ''
name: etc-passwd
- hostPath:
path: /etc/group
type: ''
name: etc-group
- hostPath:
path: /var/log
type: ''
name: var-log
- hostPath:
path: /run/log
type: ''
name: run-log
- name: kube-api-access-6k6bd
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
---
Reference in New Issue View Git Blame Copy Permalink