From e507515766a9e3194c44370041336ba1899b48a9 Mon Sep 17 00:00:00 2001
From: gwg313
Date: Sun, 28 Jun 2026 17:56:19 -0400
Subject: [PATCH] add pac
Signed-off-by: gwg313
---
.tekton/ci.yaml | 137 ++++++++++
Taskfile.yaml | 2 +-
apps/forgejo/deployment.yaml | 2 +-
apps/forgejo/network-policy.yaml | 76 ++++--
apps/homelab-gitops/kustomization.yaml | 6 +
apps/homelab-gitops/repository.yaml | 15 ++
apps/homelab-gitops/token-sealed.yaml | 15 ++
apps/tekton/kustomization.yaml | 25 ++
apps/tekton/namespace.yaml | 11 +
apps/tekton/network-policy.yaml | 36 +++
apps/tekton/pac-network-policy.yaml | 46 ++++
apps/tekton/pac-role.yaml | 26 ++
apps/tekton/service-account.yaml | 8 +
apps/tekton/tasks/git-clone.yaml | 249 ++++++++++++++++++
apps/tekton/tasks/kaniko.yaml | 70 +++++
apps/tekton/tekton-runner-binding.yaml | 15 ++
apps/tekton/tekton-runner-role.yaml | 34 +++
karakeep/iscsi-sealed.yaml | 1 -
karakeep/karakeep-secrets-sealed.yaml | 1 -
karakeep/meilisearch-service.yaml | 2 +-
karakeep/web-deployment.yaml | 2 +-
management/platform-apps/argocd-config.yaml | 20 ++
management/platform-apps/homelab-gitops.yaml | 20 ++
management/platform-apps/kustomization.yaml | 2 +
management/platform-apps/kyverno-core.yaml | 1 -
management/platform-apps/tekton.yaml | 2 +-
platform/argocd/argocd-cm-patch.yaml | 6 +
platform/argocd/kustomization.yaml | 5 +
platform/kyverno/core/values.yaml | 2 +
.../require-drop-all-capabilities.yaml | 6 +
.../policies/20-require/require-non-root.yaml | 8 +
.../disallow-hostpath-volumes.yaml | 6 +
.../30-disallow/disallow-latest-tag.yaml | 4 +
.../generate-namespace-network-baseline.yaml | 4 +-
.../audit-network-connections.yaml | 21 ++
.../audit-process-execution.yaml | 23 ++
.../10-audit-baseline/kustomization.yaml | 9 +
platform/tetragon/policies/kustomization.yaml | 10 +-
.../tracingpolicy-network-connections.yaml | 8 -
.../tracingpolicy-privilege-escalation.yaml | 9 -
.../tracingpolicy-sensitive-binaries.yaml | 29 --
.../tracingpolicy-sensitive-file-access.yaml | 25 --
.../policies/tracingpolicy-shell-spawn.yaml | 24 --
43 files changed, 895 insertions(+), 128 deletions(-)
create mode 100644 
.tekton/ci.yaml
create mode 100644 apps/homelab-gitops/kustomization.yaml
create mode 100644 apps/homelab-gitops/repository.yaml
create mode 100644 apps/homelab-gitops/token-sealed.yaml
create mode 100644 apps/tekton/namespace.yaml
create mode 100644 apps/tekton/network-policy.yaml
create mode 100644 apps/tekton/pac-network-policy.yaml
create mode 100644 apps/tekton/pac-role.yaml
create mode 100644 apps/tekton/service-account.yaml
create mode 100644 apps/tekton/tasks/git-clone.yaml
create mode 100644 apps/tekton/tasks/kaniko.yaml
create mode 100644 apps/tekton/tekton-runner-binding.yaml
create mode 100644 apps/tekton/tekton-runner-role.yaml
create mode 100644 management/platform-apps/argocd-config.yaml
create mode 100644 management/platform-apps/homelab-gitops.yaml
create mode 100644 platform/argocd/argocd-cm-patch.yaml
create mode 100644 platform/argocd/kustomization.yaml
create mode 100644 platform/tetragon/policies/10-audit-baseline/audit-network-connections.yaml
create mode 100644 platform/tetragon/policies/10-audit-baseline/audit-process-execution.yaml
create mode 100644 platform/tetragon/policies/10-audit-baseline/kustomization.yaml
delete mode 100644 platform/tetragon/policies/tracingpolicy-network-connections.yaml
delete mode 100644 platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml
delete mode 100644 platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml
delete mode 100644 platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml
delete mode 100644 platform/tetragon/policies/tracingpolicy-shell-spawn.yaml
diff --git a/.tekton/ci.yaml b/.tekton/ci.yaml
new file mode 100644
index 0000000..6a9f395
--- /dev/null
+++ b/.tekton/ci.yaml
@@ -0,0 +1,137 @@ +--- +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + name: homelab-ci + annotations: + pipelinesascode.tekton.dev/on-event: "[pull_request, push]" + pipelinesascode.tekton.dev/on-target-branch: "[main]" + pipelinesascode.tekton.dev/max-keep-runs: "5" +spec: + taskRunTemplate: + serviceAccountName: tekton-runner + podTemplate: + metadata: + labels: + # triggers built-in exemption in require-non-root ClusterPolicy + security.policy/allow-root: "true" + securityContext: + seccompProfile: + type: RuntimeDefault + workspaces: + - name: source + volumeClaimTemplate: + spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 1Gi + params: + - name: repo_url + value: "{{ repo_url }}" + - name: revision + value: "{{ revision }}" + - name: clone_url + value: "http://forgejo.forgejo.svc.cluster.local/gwg313/homelab-gitops" + pipelineSpec: + params: + - name: repo_url + type: string + - name: revision + type: string + - name: clone_url + type: string + workspaces: + - name: source + tasks: + - name: clone + params: + - name: url + value: $(params.clone_url) + - name: revision + value: $(params.revision) + workspaces: + - name: output + workspace: source + taskRef: + resolver: cluster + params: + - name: kind + value: task + - name: name + value: git-clone + - name: namespace + value: cicd + + - name: lint-yaml + runAfter: [clone] + workspaces: + - name: source + workspace: source + taskSpec: + workspaces: + - name: source + steps: + - name: yamllint + image: pipelinecomponents/yamllint:latest + workingDir: $(workspaces.source.path) + # explicit false prevents default-run-as-non-root mutation from adding true + securityContext: + runAsNonRoot: false + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + script: yamllint . 
+ + - name: validate + runAfter: [clone] + workspaces: + - name: source + workspace: source + taskSpec: + workspaces: + - name: source + steps: + - name: kubeconform + image: alpine:latest + workingDir: $(workspaces.source.path) + securityContext: + runAsNonRoot: false + allowPrivilegeEscalation: false + # empty capabilities block prevents default-drop-all-capabilities + # mutation from adding drop:ALL — apk needs CAP_CHOWN to install packages + capabilities: {} + script: | + #!/bin/sh + set -e + apk add --no-cache curl git tar + curl -sSL \ + https://github.com/yannh/kubeconform/releases/latest/download/kubeconform-linux-amd64.tar.gz \ + | tar xz -C /usr/local/bin + SCHEMA='https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json' + git ls-files '*.yaml' '*.yml' | xargs kubeconform \ + -strict \ + -summary \ + -ignore-missing-schemas \ + -schema-location "$SCHEMA" \ + -schema-location default + + - name: scan-secrets + runAfter: [clone] + workspaces: + - name: source + workspace: source + taskSpec: + workspaces: + - name: source + steps: + - name: gitleaks + image: ghcr.io/zricethezav/gitleaks:latest + workingDir: $(workspaces.source.path) + securityContext: + runAsNonRoot: false + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + command: [gitleaks] + args: [detect, --no-git, -v, --redact, --source=.] diff --git a/Taskfile.yaml b/Taskfile.yaml index 1936abb..b3ea1e6 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -2,7 +2,7 @@ version: '3' vars: SEALED_SECRETS_NS: sealed-secrets - SEALED_SECRETS_NAME: sealed-secrets + SEALED_SECRETS_NAME: sealed-secrets-controller tasks: default: diff --git a/apps/forgejo/deployment.yaml b/apps/forgejo/deployment.yaml index 709fece..9bc9e48 100644 --- a/apps/forgejo/deployment.yaml +++ b/apps/forgejo/deployment.yaml 
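Review bot: The `validate` step downloads kubeconform from the `releases/latest` URL and untars it straight into `/usr/local/bin` with no version pin and no checksum check, while the same step runs with `runAsNonRoot: false` and an empty `capabilities: {}` block, so an unverified binary gets the full default capability set and then parses every YAML file in the checked-out revision. Pin the release and verify the archive before placing it on PATH, as sketched below; a prebuilt kubeconform image, if one is already mirrored in your registry, would also remove the need for `apk add` and for the capability exemption. The `:latest` tags on all three step images (`pipelinecomponents/yamllint`, `alpine`, `ghcr.io/zricethezav/gitleaks`) only pass admission because the `cicd` namespace is labelled `policy.home.arpa/allow-latest-tag`; pinning them by digest would let that label go. The `clone_url` param hard-codes a plain `http://` in-cluster Forgejo URL, which is acceptable only while the Cilium policies keep that path inside the cluster — a comment on the param saying so would help.
```yaml
          script: |
            #!/bin/sh
            set -e
            apk add --no-cache curl git tar
            # pin the kubeconform release and verify it before it lands on PATH
            KUBECONFORM_VERSION="<pinned-release-tag>"
            KUBECONFORM_SHA256="<sha256 published with that release>"
            curl -sSL -o /tmp/kubeconform.tar.gz \
              "https://github.com/yannh/kubeconform/releases/download/${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz"
            echo "${KUBECONFORM_SHA256}  /tmp/kubeconform.tar.gz" | sha256sum -c -
            tar xz -C /usr/local/bin -f /tmp/kubeconform.tar.gz
            # … unchanged: SCHEMA and the kubeconform invocation …
```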
@@ -41,7 +41,7 @@ spec: - name: FORGEJO__ssh__START_SSH_SERVER value: "false" - name: FORGEJO__webhook__ALLOWED_HOST_LIST - value: "ci.gwg313.xyz" + value: "ci.gwg313.xyz,pipelines-as-code-controller.pipelines-as-code.svc.cluster.local" - name: FORGEJO__migrations__ALLOWED_DOMAINS value: "github.com,*.github.com" volumeMounts: diff --git a/apps/forgejo/network-policy.yaml b/apps/forgejo/network-policy.yaml index c84ad13..60545cc 100644 --- a/apps/forgejo/network-policy.yaml +++ b/apps/forgejo/network-policy.yaml @@ -18,6 +18,21 @@ spec: - ports: - port: "3000" protocol: TCP + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: pipelines-as-code + app: pipelines-as-code-controller + toPorts: + - ports: + - port: "3000" + protocol: TCP + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: cicd + toPorts: + - ports: + - port: "3000" + protocol: TCP # --- # # ---------------------------------------------------- # # CI runner access (in-cluster service) @@ -43,6 +58,29 @@ spec: # - port: "443" # protocol: TCP # +--- +# ---------------------------------------------------- +# PAC controller webhook delivery (in-cluster) +# ---------------------------------------------------- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-pac-egress + namespace: forgejo +spec: + endpointSelector: + matchLabels: + app: forgejo + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: pipelines-as-code + app: pipelines-as-code-controller + toPorts: + - ports: + - port: "8082" + protocol: TCP + --- # ---------------------------------------------------- # External git providers (FQDN restricted) 
@@ -72,22 +110,22 @@ spec: # OPTIONAL: unrestricted egress (disabled by default) # Enable ONLY when required for troubleshooting or apps # ---------------------------------------------------- -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: allow-all-egress - namespace: forgejo -spec: - endpointSelector: - matchLabels: - app: forgejo - - egress: - - toEntities: - - world - toPorts: - - ports: - - port: "443" - protocol: TCP - - port: "80" - protocol: TCP +# apiVersion: cilium.io/v2 +# kind: CiliumNetworkPolicy +# metadata: +# name: allow-all-egress +# namespace: forgejo +# spec: +# endpointSelector: +# matchLabels: +# app: forgejo +# +# egress: +# - toEntities: +# - world +# toPorts: +# - ports: +# - port: "443" +# protocol: TCP +# - port: "80" +# protocol: TCP diff --git a/apps/homelab-gitops/kustomization.yaml b/apps/homelab-gitops/kustomization.yaml new file mode 100644 index 0000000..d4de373 --- /dev/null +++ b/apps/homelab-gitops/kustomization.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - repository.yaml + - token-sealed.yaml diff --git a/apps/homelab-gitops/repository.yaml b/apps/homelab-gitops/repository.yaml new file mode 100644 index 0000000..e2f30a5 --- /dev/null +++ b/apps/homelab-gitops/repository.yaml @@ -0,0 +1,15 @@ +apiVersion: pipelinesascode.tekton.dev/v1alpha1 +kind: Repository +metadata: + name: homelab-gitops + namespace: cicd +spec: + url: https://git.gwg313.xyz/gwg313/homelab-gitops + git_provider: + url: http://forgejo.forgejo.svc.cluster.local + secret: + name: pac-forgejo-token + key: token + webhook_secret: + name: pac-forgejo-token + key: webhook-secret diff --git a/apps/homelab-gitops/token-sealed.yaml b/apps/homelab-gitops/token-sealed.yaml new file mode 100644 index 0000000..ce88e0e --- /dev/null +++ b/apps/homelab-gitops/token-sealed.yaml 
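Review bot: In apps/homelab-gitops/repository.yaml, `git_provider.url` points at `http://forgejo.forgejo.svc.cluster.local`, so the provider token stored in `pac-forgejo-token` travels in cleartext on every API call the PAC controller makes; inside the cluster that is bounded by the `allow-forgejo-webhook-ingress` egress rule to `forgejo:3000`, but nothing in the file records that dependency. Suggested comment above `git_provider:`: `# cleartext in-cluster endpoint; reachable only via the Cilium policy in apps/tekton/pac-network-policy.yaml — do not point this at an external URL`. Note also that `spec.url` uses the external `https://git.gwg313.xyz` host while the provider uses the service DNS name; as far as I know PAC matches the webhook payload's repository URL against `spec.url`, so Forgejo's configured root URL must render repository links exactly this way — worth confirming.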
@@ -0,0 +1,15 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: pac-forgejo-token + namespace: cicd +spec: + encryptedData: + token: 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 + webhook-secret: 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 + template: + metadata: + name: pac-forgejo-token + namespace: cicd + type: Opaque diff --git a/apps/tekton/kustomization.yaml b/apps/tekton/kustomization.yaml index 760fd85..d39e9d6 100644 --- a/apps/tekton/kustomization.yaml +++ b/apps/tekton/kustomization.yaml @@ -5,3 +5,28 @@ resources: - https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml - https://storage.googleapis.com/tekton-releases/dashboard/latest/release.yaml - https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/stable/release.k8s.yaml + - namespace.yaml + - service-account.yaml + - tekton-runner-role.yaml + - tekton-runner-binding.yaml + - network-policy.yaml + - tasks/git-clone.yaml + - tasks/kaniko.yaml + - pac-network-policy.yaml + - pac-role.yaml + +patches: + - patch: | + apiVersion: v1 + kind: Namespace + metadata: + name: tekton-pipelines + labels: + policy.home.arpa/allow-hostpath: "true" + - patch: | + apiVersion: v1 + kind: Namespace + metadata: + name: pipelines-as-code + labels: + policy.home.arpa/allow-hostpath: "true" diff --git a/apps/tekton/namespace.yaml b/apps/tekton/namespace.yaml new file mode 100644 index 0000000..a97f919 --- /dev/null +++ b/apps/tekton/namespace.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cicd + labels: + app.kubernetes.io/name: cicd + app.kubernetes.io/part-of: tekton + app.kubernetes.io/managed-by: argocd + policy.home.arpa/allow-root: "true" + policy.home.arpa/allow-latest-tag: "true" + policy.home.arpa/allow-any-capabilities: "true" diff --git a/apps/tekton/network-policy.yaml b/apps/tekton/network-policy.yaml new file mode 100644 index 0000000..930ce89 --- /dev/null 
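Review bot: In apps/tekton/kustomization.yaml the two namespace patches label `tekton-pipelines` and `pipelines-as-code` with `policy.home.arpa/allow-hostpath: "true"`, which through the exclude added to disallow-hostpath-volumes.yaml in this commit lifts the hostPath ban for every pod in those namespaces, not only for whichever upstream component actually needs the mount. Nothing in the hunk says which workload that is; add a comment on each patch naming it, e.g. `# hostPath exemption: required by <component> in the upstream release manifest — remove if a later release drops the mount`, and if it is a single Deployment consider a pod-label exclude instead, as require-non-root.yaml already does with `security.policy/allow-root`. The upstream release manifests are pulled from `latest`/`stable` URLs (context lines, unchanged here), so the set of pods covered by this namespace-wide exemption can change on every sync.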
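Review bot: In apps/tekton/namespace.yaml the `cicd` namespace is labelled `policy.home.arpa/allow-root`, `allow-latest-tag` and `allow-any-capabilities` at once, switching off three guardrails for the namespace that runs pods triggered by `pull_request` events. The `allow-root` label looks redundant: `.tekton/ci.yaml` already sets the per-pod `security.policy/allow-root: "true"` label on its `podTemplate`, which the existing exclude in require-non-root.yaml honours, so `policy.home.arpa/allow-root: "true"` could be dropped here to keep root exemptions per-run — unless another PipelineRun in `cicd` outside this diff depends on it. The other two labels exist only to serve the `:latest` images and the `capabilities: {}` step in ci.yaml; a comment recording that, `# allow-latest-tag / allow-any-capabilities: needed by .tekton/ci.yaml steps — drop once those images are pinned`, would keep them from outliving their reason.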
+++ b/apps/tekton/network-policy.yaml @@ -0,0 +1,36 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: cicd-egress + namespace: cicd +spec: + endpointSelector: {} + egress: + # Tekton entrypoint sidecar updates TaskRun status via the K8s API + - toEntities: + - kube-apiserver + toPorts: + - ports: + - port: "443" + protocol: TCP + # Push built images to Harbor registry in-cluster + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: harbor + app: harbor + toPorts: + - ports: + - port: "80" + protocol: TCP + # Git clone from internal Forgejo + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: forgejo + app: forgejo + toPorts: + - ports: + - port: "3000" + protocol: TCP + # Tool downloads (kubeconform), schema lookups + - toEntities: + - world diff --git a/apps/tekton/pac-network-policy.yaml b/apps/tekton/pac-network-policy.yaml new file mode 100644 index 0000000..329d260 --- /dev/null +++ b/apps/tekton/pac-network-policy.yaml @@ -0,0 +1,46 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-forgejo-webhook-ingress + namespace: pipelines-as-code +spec: + endpointSelector: + matchLabels: + app: pipelines-as-code-controller + ingress: + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: forgejo + app: forgejo + toPorts: + - ports: + - port: "8082" + protocol: TCP + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + - port: "53" + protocol: TCP + rules: + dns: + - matchPattern: "*" + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: forgejo + app: forgejo + toPorts: + - ports: + - port: "3000" + protocol: TCP + - toEntities: + - kube-apiserver + toPorts: + - ports: + - port: "6443" + protocol: TCP diff --git a/apps/tekton/pac-role.yaml b/apps/tekton/pac-role.yaml new file mode 100644 index 0000000..ede6144 --- /dev/null +++ b/apps/tekton/pac-role.yaml 
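Review bot: The last egress rule in `cicd-egress` allows `toEntities: [world]` with no `toPorts`, so every pod in `cicd` — including the ones started for pull_request events — can open any port to any internet address, far wider than the stated purpose of fetching kubeconform and schemas over HTTPS. Restrict it to TCP 443 as below, and ideally to the two hosts the script uses via `toFQDNs` once DNS visibility is in place. Separately, this policy opens `kube-apiserver` on `"443"` while `allow-forgejo-webhook-ingress` in apps/tekton/pac-network-policy.yaml (same line) uses `"6443"`; only one of those can match this cluster's API endpoint, so one of the two rules is probably dead and the other should be copied. The policy also lists no egress to kube-dns; I assume the Kyverno-generated namespace baseline supplies that, but it is worth confirming, since without it the `world` rule cannot resolve anything.
```yaml
  # Tool downloads (kubeconform), schema lookups — HTTPS only
  - toEntities:
      - world
    toPorts:
      - ports:
          - port: "443"
            protocol: TCP
```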
@@ -0,0 +1,26 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: pac-task-reader + namespace: cicd +rules: + - apiGroups: ["tekton.dev"] + resources: ["tasks"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: pac-controller-cicd-access + namespace: cicd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: pac-task-reader +subjects: + - kind: ServiceAccount + name: pipelines-as-code-controller + namespace: pipelines-as-code + - kind: ServiceAccount + name: tekton-pipelines-resolvers + namespace: tekton-pipelines diff --git a/apps/tekton/service-account.yaml b/apps/tekton/service-account.yaml new file mode 100644 index 0000000..29202fb --- /dev/null +++ b/apps/tekton/service-account.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: tekton-runner + namespace: cicd +automountServiceAccountToken: false +imagePullSecrets: + - name: registry-creds diff --git a/apps/tekton/tasks/git-clone.yaml b/apps/tekton/tasks/git-clone.yaml new file mode 100644 index 0000000..568a685 --- /dev/null +++ b/apps/tekton/tasks/git-clone.yaml 
@@ -0,0 +1,249 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: git-clone + namespace: cicd + labels: + app.kubernetes.io/version: "0.10" + annotations: + tekton.dev/pipelines.minVersion: "0.38.0" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/displayName: "git clone" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" +spec: + description: >- + These Tasks are Git tasks to work with repositories used by other tasks + in your Pipeline. + + The git-clone Task will clone a repo from the provided url into the + output Workspace. By default the repo will be cloned into the root of + your Workspace. You can clone into a subdirectory by setting this Task's + subdirectory param. This Task also supports sparse checkouts. To perform + a sparse checkout, pass a list of comma separated directory patterns to + this Task's sparseCheckoutDirectories param. + workspaces: + - name: output + description: The git repo will be cloned onto the volume backing this Workspace. + - name: ssh-directory + optional: true + description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. + - name: basic-auth + optional: true + description: | + A Workspace containing a .gitconfig and .git-credentials file. These + will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + - name: ssl-ca-directory + optional: true + description: | + A workspace containing CA certificates, this will be used by Git to + verify the peer with when fetching or pushing over HTTPS. 
+ params: + - name: url + description: Repository URL to clone from. + type: string + - name: revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) + type: string + default: "" + - name: refspec + description: Refspec to fetch before checking out revision. + default: "" + - name: submodules + description: Initialize and fetch git submodules. + type: string + default: "true" + - name: depth + description: Perform a shallow clone, fetching only the most recent N commits. + type: string + default: "1" + - name: sslVerify + description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. + type: string + default: "true" + - name: crtFileName + description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt. + type: string + default: "ca-bundle.crt" + - name: subdirectory + description: Subdirectory inside the `output` Workspace to clone the repo into. + type: string + default: "" + - name: sparseCheckoutDirectories + description: Define the directory patterns to match or exclude when performing a sparse checkout. + type: string + default: "" + - name: deleteExisting + description: Clean out the contents of the destination directory if it already exists before cloning. + type: string + default: "true" + - name: httpProxy + description: HTTP proxy server for non-SSL requests. + type: string + default: "" + - name: httpsProxy + description: HTTPS proxy server for SSL requests. + type: string + default: "" + - name: noProxy + description: Opt out of proxying HTTP/HTTPS requests. + type: string + default: "" + - name: verbose + description: Log the commands that are executed during `git-clone`'s operation. + type: string + default: "true" + - name: gitInitImage + description: The image providing the git-init binary that this Task runs. 
+ type: string + default: "ghcr.io/tektoncd-catalog/git-clone:v1.1.0" + - name: userHome + description: | + Absolute path to the user's home directory. + type: string + default: "/home/git" + results: + - name: commit + description: The precise commit SHA that was fetched by this Task. + - name: url + description: The precise URL that was fetched by this Task. + - name: committer-date + description: The epoch timestamp of the commit that was fetched by this Task. + steps: + - name: clone + image: "$(params.gitInitImage)" + env: + - name: HOME + value: "$(params.userHome)" + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_DEPTH + value: $(params.depth) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_CRT_FILENAME + value: $(params.crtFileName) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: PARAM_DELETE_EXISTING + value: $(params.deleteExisting) + - name: PARAM_HTTP_PROXY + value: $(params.httpProxy) + - name: PARAM_HTTPS_PROXY + value: $(params.httpsProxy) + - name: PARAM_NO_PROXY + value: $(params.noProxy) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES + value: $(params.sparseCheckoutDirectories) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND + value: $(workspaces.ssl-ca-directory.bound) + - name: WORKSPACE_SSL_CA_DIRECTORY_PATH + value: 
$(workspaces.ssl-ca-directory.path) + securityContext: + runAsNonRoot: true + runAsUser: 65532 + volumeMounts: + - name: user-home + mountPath: $(params.userHome) + script: | + #!/usr/bin/env sh + set -eu + + if [ "${PARAM_VERBOSE}" = "true" ] ; then + set -x + fi + + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* + fi + + if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then + export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + if [ "${PARAM_CRT_FILENAME}" != "" ] ; then + export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" + fi + fi + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" + # or the root of a mounted volume. + if [ -d "${CHECKOUT_DIR}" ] ; then + # Delete non-hidden files and directories + rm -rf "${CHECKOUT_DIR:?}"/* + # Delete files and directories starting with . but excluding .. + rm -rf "${CHECKOUT_DIR}"/.[!.]* + # Delete files and directories starting with .. 
plus any other character + rm -rf "${CHECKOUT_DIR}"/..?* + fi + } + + if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then + cleandir || true + fi + + test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" + test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" + test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" + + git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" + /ko-app/git-init \ + -url="${PARAM_URL}" \ + -revision="${PARAM_REVISION}" \ + -refspec="${PARAM_REFSPEC}" \ + -path="${CHECKOUT_DIR}" \ + -sslVerify="${PARAM_SSL_VERIFY}" \ + -submodules="${PARAM_SUBMODULES}" \ + -depth="${PARAM_DEPTH}" \ + -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" + cd "${CHECKOUT_DIR}" + RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" + if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi + RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" + printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)" + volumes: + - name: user-home + emptyDir: {} diff --git a/apps/tekton/tasks/kaniko.yaml b/apps/tekton/tasks/kaniko.yaml new file mode 100644 index 0000000..bdcf67c --- /dev/null +++ b/apps/tekton/tasks/kaniko.yaml 
@@ -0,0 +1,70 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: kaniko + namespace: cicd + labels: + app.kubernetes.io/version: "0.7" + annotations: + tekton.dev/pipelines.minVersion: "0.43.0" + tekton.dev/categories: Image Build + tekton.dev/tags: image-build + tekton.dev/displayName: "Build and upload container image using Kaniko" + tekton.dev/platforms: "linux/amd64,linux/arm64,linux/ppc64le" + tekton.dev/deprecated: "true" +spec: + description: >- + This Task builds a simple Dockerfile with kaniko and pushes to a registry. + This Task stores the image name and digest as results, allowing Tekton Chains to pick up + that an image was built & sign it. + params: + - name: IMAGE + description: Name (reference) of the image to build. + - name: DOCKERFILE + description: Path to the Dockerfile to build. + default: ./Dockerfile + - name: CONTEXT + description: The build context used by Kaniko. + default: ./ + - name: EXTRA_ARGS + type: array + default: [] + - name: BUILDER_IMAGE + description: The image on which builds will run (default is v1.5.1) + default: gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5 + - name: WRITER_IMAGE + description: The image on which the write-url step will run (default is docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9) + default: docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9 + workspaces: + - name: source + description: Holds the context and Dockerfile + - name: dockerconfig + description: Includes a docker `config.json` + optional: true + mountPath: /kaniko/.docker + results: + - name: IMAGE_DIGEST + description: Digest of the image just built. + - name: IMAGE_URL + description: URL of the image just built. 
+ steps: + - name: build-and-push + workingDir: $(workspaces.source.path) + image: $(params.BUILDER_IMAGE) + args: + - $(params.EXTRA_ARGS) + - --dockerfile=$(params.DOCKERFILE) + - --context=$(workspaces.source.path)/$(params.CONTEXT) # The user does not need to care the workspace and the source. + - --destination=$(params.IMAGE) + - --digest-file=$(results.IMAGE_DIGEST.path) + # kaniko assumes it is running as root, which means this example fails on platforms + # that default to run containers as random uid (like OpenShift). Adding this securityContext + # makes it explicit that it needs to run as root. + securityContext: + runAsUser: 0 + - name: write-url + image: $(params.WRITER_IMAGE) + script: | + set -e + image="$(params.IMAGE)" + printf "%s" "${image}" | tee "$(results.IMAGE_URL.path)" diff --git a/apps/tekton/tekton-runner-binding.yaml b/apps/tekton/tekton-runner-binding.yaml new file mode 100644 index 0000000..41c20f6 --- /dev/null +++ b/apps/tekton/tekton-runner-binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: tekton-runner + namespace: cicd + +subjects: + - kind: ServiceAccount + name: tekton-runner + namespace: cicd + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: tekton-runner diff --git a/apps/tekton/tekton-runner-role.yaml b/apps/tekton/tekton-runner-role.yaml new file mode 100644 index 0000000..7629149 --- /dev/null +++ b/apps/tekton/tekton-runner-role.yaml @@ -0,0 +1,34 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: tekton-runner + namespace: cicd + +rules: + - apiGroups: ["tekton.dev"] + resources: + - pipelineruns + - taskruns + verbs: + - get + - list + - watch + - create + - delete + + - apiGroups: [""] + resources: + - pods + - pods/log + verbs: + - get + - list + - watch + + - apiGroups: [""] + resources: + - configmaps + verbs: + - get + - list + - watch 
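Review bot: The vendored `kaniko` Task in apps/tekton/tasks/kaniko.yaml carries upstream's `tekton.dev/deprecated: "true"` annotation and runs its build step as `runAsUser: 0` with no `runAsNonRoot`, `allowPrivilegeEscalation` or capability settings, yet nothing else in this commit references it (the pipeline in .tekton/ci.yaml only clones, lints, validates and scans). Unless a consumer is imminent, leaving it out of `apps/tekton/kustomization.yaml` until needed keeps a root-capable build task out of the `cicd` namespace. If it stays, pin `BUILDER_IMAGE` to a current executor release — the `v1.5.1` digest here is, as far as I know, from an old release line — and add `allowPrivilegeEscalation: false` plus a capability drop to the step's securityContext, with a comment recording why root is still required.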
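Review bot: In apps/tekton/tekton-runner-role.yaml `tekton-runner` is granted `create` and `delete` on `pipelineruns` and `taskruns` in `cicd`, yet it is the service account under which the PR-triggered steps in `.tekton/ci.yaml` run, and none of those steps talk to the Kubernetes API; `apps/tekton/service-account.yaml` even sets `automountServiceAccountToken: false`. As written the verbs only become live if a future task mounts the token, at which point a step could start further runs inside a namespace that this commit exempts from several policies. Trim the first rule to `verbs: [get, list, watch]`, reconsider whether the `configmaps` read is needed, or add a comment naming the consumer: `# create/delete needed by <which task> — the ci.yaml steps do not use the API`.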
diff --git a/karakeep/iscsi-sealed.yaml b/karakeep/iscsi-sealed.yaml index f699aa6..b9d1877 100644 --- a/karakeep/iscsi-sealed.yaml +++ b/karakeep/iscsi-sealed.yaml @@ -1,4 +1,3 @@ ---- apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: diff --git a/karakeep/karakeep-secrets-sealed.yaml b/karakeep/karakeep-secrets-sealed.yaml index 78135d3..7f348e7 100644 --- a/karakeep/karakeep-secrets-sealed.yaml +++ b/karakeep/karakeep-secrets-sealed.yaml @@ -1,4 +1,3 @@ ---- apiVersion: bitnami.com/v1alpha1 kind: SealedSecret metadata: diff --git a/karakeep/meilisearch-service.yaml b/karakeep/meilisearch-service.yaml index 373384e..c12701a 100644 --- a/karakeep/meilisearch-service.yaml +++ b/karakeep/meilisearch-service.yaml @@ -8,4 +8,4 @@ spec: ports: - protocol: TCP port: 7700 - targetPort: 7700 \ No newline at end of file + targetPort: 7700 diff --git a/karakeep/web-deployment.yaml b/karakeep/web-deployment.yaml index 294a97f..eebc620 100644 --- a/karakeep/web-deployment.yaml +++ b/karakeep/web-deployment.yaml @@ -25,7 +25,7 @@ spec: value: http://chrome:9222 - name: DATA_DIR value: /data - # Add OPENAI_API_KEY to the ConfigMap if necessary + # Add OPENAI_API_KEY to the ConfigMap if necessary volumeMounts: - mountPath: /data name: data diff --git a/management/platform-apps/argocd-config.yaml b/management/platform-apps/argocd-config.yaml new file mode 100644 index 0000000..d29b1df --- /dev/null +++ b/management/platform-apps/argocd-config.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd-config + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops.git + targetRevision: main + path: platform/argocd + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - ServerSideApply=true 
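Review bot: `argocd-config` in management/platform-apps/argocd-config.yaml syncs `platform/argocd` with `prune: true` and `selfHeal: true`, and that path's only resource is an `argocd-cm` ConfigMap with `data: {}`. With `ServerSideApply=true` this takes shared ownership of a ConfigMap Argo CD itself reads; I believe SSA leaves keys it does not set alone, but if the file is later renamed or removed, prune will delete `argocd-cm` and Argo CD loses its own settings. Consider annotating that ConfigMap with `argocd.argoproj.io/sync-options: Prune=false`, as this commit already does for the generated CiliumNetworkPolicy, and add a comment in argocd-cm-patch.yaml explaining why an empty `data:` is being applied.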
diff --git a/management/platform-apps/homelab-gitops.yaml b/management/platform-apps/homelab-gitops.yaml new file mode 100644 index 0000000..eef001e --- /dev/null +++ b/management/platform-apps/homelab-gitops.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: homelab-gitops-ci + namespace: argocd + annotations: + argoproj.io/sync-wave: "1" +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops.git + targetRevision: main + path: apps/homelab-gitops + destination: + server: https://kubernetes.default.svc + namespace: cicd + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/management/platform-apps/kustomization.yaml b/management/platform-apps/kustomization.yaml index 2aecd46..ae6aa50 100644 --- a/management/platform-apps/kustomization.yaml +++ b/management/platform-apps/kustomization.yaml @@ -15,8 +15,10 @@ resources: - audiobookshelf.yaml - yopass.yaml - tekton.yaml + - homelab-gitops.yaml - navidrome.yaml - bytestash.yaml - stirling-pdf.yaml # - soulsync.yaml - vikunja.yaml + - argocd-config.yaml diff --git a/management/platform-apps/kyverno-core.yaml b/management/platform-apps/kyverno-core.yaml index db565c9..8559eee 100644 --- a/management/platform-apps/kyverno-core.yaml +++ b/management/platform-apps/kyverno-core.yaml @@ -22,7 +22,6 @@ spec: - CreateNamespace=true - ServerSideApply=true - RespectIgnoreDifferences=true - ignoreDifferences: - group: apiextensions.k8s.io kind: CustomResourceDefinition diff --git a/management/platform-apps/tekton.yaml b/management/platform-apps/tekton.yaml index 2b323fc..56d39ca 100644 --- a/management/platform-apps/tekton.yaml +++ b/management/platform-apps/tekton.yaml @@ -4,7 +4,7 @@ metadata: name: tekton-pipelines namespace: argocd annotations: - argoproj.io/sync-wave: "0" + argoproj.io/sync-wave: "0" spec: project: default source: 
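Review bot: In management/platform-apps/kyverno-core.yaml, removing the `ignoreDifferences:` key leaves its list items (`- group: apiextensions.k8s.io` / `kind: CustomResourceDefinition`) without a parent; depending on their indentation, which this view does not preserve, they are either absorbed into the preceding `syncOptions` list as malformed entries or fail to parse, so the Application manifest should be re-rendered and checked. If the intent was to remove a duplicate of an `ignoreDifferences:` key defined earlier in the file (outside this hunk), a comment saying so would make the remaining items self-explanatory; otherwise the key should be restored. `RespectIgnoreDifferences=true` is still set two lines above, so the ignore list is clearly still meant to exist.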
diff --git a/platform/argocd/argocd-cm-patch.yaml b/platform/argocd/argocd-cm-patch.yaml new file mode 100644 index 0000000..4fe9d26 --- /dev/null +++ b/platform/argocd/argocd-cm-patch.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm + namespace: argocd +data: {} diff --git a/platform/argocd/kustomization.yaml b/platform/argocd/kustomization.yaml new file mode 100644 index 0000000..c2754ff --- /dev/null +++ b/platform/argocd/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - argocd-cm-patch.yaml diff --git a/platform/kyverno/core/values.yaml b/platform/kyverno/core/values.yaml index 5b568b3..dcda70c 100644 --- a/platform/kyverno/core/values.yaml +++ b/platform/kyverno/core/values.yaml @@ -3,5 +3,7 @@ kyverno: replicas: 2 features: loggingFormat: text + policyExceptions: + enabled: true telemetry: enabled: false diff --git a/platform/kyverno/policies/20-require/require-drop-all-capabilities.yaml b/platform/kyverno/policies/20-require/require-drop-all-capabilities.yaml index bdb2d53..53f6c84 100644 --- a/platform/kyverno/policies/20-require/require-drop-all-capabilities.yaml +++ b/platform/kyverno/policies/20-require/require-drop-all-capabilities.yaml @@ -17,6 +17,12 @@ spec: - resources: kinds: - Pod + exclude: + any: + - resources: + namespaceSelector: + matchLabels: + policy.home.arpa/allow-any-capabilities: "true" validate: message: "All containers must drop ALL Linux capabilities." diff --git a/platform/kyverno/policies/20-require/require-non-root.yaml b/platform/kyverno/policies/20-require/require-non-root.yaml index 8372dee..324d921 100644 --- a/platform/kyverno/policies/20-require/require-non-root.yaml +++ b/platform/kyverno/policies/20-require/require-non-root.yaml 
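Review bot: In platform/kyverno/core/values.yaml, `features.policyExceptions.enabled: true` turns on `PolicyException` handling cluster-wide, but this commit implements all of its exemptions with namespace labels and adds no PolicyException objects, so the feature is enabled without a consumer. If it is needed, also set the chart's `features.policyExceptions.namespace` to the kyverno namespace so exceptions can only be created there rather than in any namespace a workload can write to — that value exists in recent chart versions; confirm for the one pinned in this repo — and add a comment stating which exception it is meant to serve, e.g. `# policy exceptions enabled for <consumer>; restricted to this namespace`.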
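Review bot: The new `exclude` on require-drop-all-capabilities.yaml keys on the namespace label `policy.home.arpa/allow-any-capabilities`, and the same pattern is added to require-non-root.yaml, disallow-hostpath-volumes.yaml and disallow-latest-tag.yaml on the next line, so all four policies are now switched off for a namespace by anyone who can set a label on its Namespace object. That is a reasonable trade-off when Namespaces come only from this repo via Argo CD, but it should be recorded at each exclude, e.g. `# namespace-label opt-out: Namespace objects are git-managed; anyone able to label a namespace bypasses this rule`. A companion Kyverno rule that restricts who may add or change `policy.home.arpa/*` labels would close the gap for namespaces managed outside GitOps.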
@@ -23,6 +23,10 @@ spec:
 selector:
 matchLabels:
 security.policy/allow-root: "true"
+ - resources:
+ namespaceSelector:
+ matchLabels:
+ policy.home.arpa/allow-root: "true"
 validate:
 message: "Pods must set runAsNonRoot=true."
@@ -43,6 +47,10 @@ spec:
 selector:
 matchLabels:
 security.policy/allow-root: "true"
+ - resources:
+ namespaceSelector:
+ matchLabels:
+ policy.home.arpa/allow-root: "true"
 validate:
 message: "All containers must set runAsNonRoot=true."
diff --git a/platform/kyverno/policies/30-disallow/disallow-hostpath-volumes.yaml b/platform/kyverno/policies/30-disallow/disallow-hostpath-volumes.yaml
index c659b3b..f5f860b 100644
--- a/platform/kyverno/policies/30-disallow/disallow-hostpath-volumes.yaml
+++ b/platform/kyverno/policies/30-disallow/disallow-hostpath-volumes.yaml
@@ -11,6 +11,12 @@ spec:
 any:
 - resources:
 kinds: ["Pod"]
+ exclude:
+ any:
+ - resources:
+ namespaceSelector:
+ matchLabels:
+ policy.home.arpa/allow-hostpath: "true"
 validate:
 message: "hostPath volumes are not allowed (escape risk)."
diff --git a/platform/kyverno/policies/30-disallow/disallow-latest-tag.yaml b/platform/kyverno/policies/30-disallow/disallow-latest-tag.yaml
index f794b83..3ef2211 100644
--- a/platform/kyverno/policies/30-disallow/disallow-latest-tag.yaml
+++ b/platform/kyverno/policies/30-disallow/disallow-latest-tag.yaml
@@ -23,6 +23,10 @@ spec:
 - tekton-pipelines
 - key: tekton.dev/task
 operator: Exists
+ - resources:
+ namespaceSelector:
+ matchLabels:
+ policy.home.arpa/allow-latest-tag: "true"
 validate:
 message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
 foreach:
diff --git a/platform/kyverno/policies/40-generate/generate-namespace-network-baseline.yaml b/platform/kyverno/policies/40-generate/generate-namespace-network-baseline.yaml
index 726db6c..d90eea9 100644
--- a/platform/kyverno/policies/40-generate/generate-namespace-network-baseline.yaml
+++ b/platform/kyverno/policies/40-generate/generate-namespace-network-baseline.yaml
@@ -9,7 +9,7 @@ metadata:
 policies.kyverno.io/description: >-
 Automatically provisions a baseline CiliumNetworkPolicy with default deny ingress and controlled DNS egress.
- argocd.argoproj.io/sync-options: Force=true,Replace=true
+ argocd.argoproj.io/sync-options: Replace=true
 spec:
 background: true
@@ -55,6 +55,8 @@ spec:
 metadata:
 labels:
 security-tier: baseline
+ annotations:
+ argocd.argoproj.io/sync-options: Prune=false
 spec:
 endpointSelector: {}
diff --git a/platform/tetragon/policies/10-audit-baseline/audit-network-connections.yaml b/platform/tetragon/policies/10-audit-baseline/audit-network-connections.yaml
new file mode 100644
index 0000000..eea036a
--- /dev/null
+++ b/platform/tetragon/policies/10-audit-baseline/audit-network-connections.yaml
@@ -0,0 +1,21 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: audit-network-connections
+ annotations:
+ security-tier: audit-baseline
+ description: "Logs outound TCP connections at the kernel level."
+spec:
+ kprobes:
+ - call: "tcp_connect"
+ syscall: false
+ args:
+ - index: 0
+ type: "sock"
+ selectors:
+ - matchArgs:
+ - index: 0
+ operator: "NotDAddr"
+ values:
+ - "127.0.0.1"
+ - "::1"
diff --git a/platform/tetragon/policies/10-audit-baseline/audit-process-execution.yaml b/platform/tetragon/policies/10-audit-baseline/audit-process-execution.yaml
new file mode 100644
index 0000000..0cd54b8
--- /dev/null
+++ b/platform/tetragon/policies/10-audit-baseline/audit-process-execution.yaml
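Review bot: The annotation `description: "Logs outound TCP connections at the kernel level."` has a typo; it should read `description: "Logs outbound TCP connections at the kernel level."`. Beyond that, the only selector is `NotDAddr` against the two loopback addresses, so this kprobe fires for every TCP connect on every node, including all pod-to-pod traffic and every kubelet/apiserver round trip; on a cluster-wide baseline that volume can swamp the event pipeline, so watch the agent's missed-event metrics after rollout and narrow with a `matchBinaries` or namespace selector if needed. UDP, notably DNS, is outside what `tcp_connect` sees; that is acceptable for a baseline, but stating it in the annotation keeps the gap visible to whoever reads the events.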
@@ -0,0 +1,23 @@
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+ name: audit-process-execution
+ annotations:
+ security-tier: audit-baseline
+ description: "Logs all process executions (sys_execve) for cluster-wide visibility."
+spec:
+ kprobes:
+ - call: "sys_execve"
+ syscall: true
+ args:
+ - index: 0
+ type: "string"
+ - index: 1
+ type: "string_array"
+ selectors:
+ - matchPIDs:
+ - operator: NotIn
+ followForks: true
+ isNamespacePID: true
+ values:
+ - 1
diff --git a/platform/tetragon/policies/10-audit-baseline/kustomization.yaml b/platform/tetragon/policies/10-audit-baseline/kustomization.yaml
new file mode 100644
index 0000000..dc6cc1d
--- /dev/null
+++ b/platform/tetragon/policies/10-audit-baseline/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - audit-process-execution.yaml
+ - audit-network-connections.yaml
+
+commonAnnotations:
+ argocd.argoproj.io/sync-wave: "1"
diff --git a/platform/tetragon/policies/kustomization.yaml b/platform/tetragon/policies/kustomization.yaml
index 81730b6..5f46c41 100644
--- a/platform/tetragon/policies/kustomization.yaml
+++ b/platform/tetragon/policies/kustomization.yaml
@@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - tracingpolicy-shell-spawn.yaml
- - tracingpolicy-network-connections.yaml
- - tracingpolicy-sensitive-binaries.yaml
- - tracingpolicy-privilege-escalation.yaml
- - tracingpolicy-sensitive-file-access.yaml
+ - 10-audit-baseline
+ # - 20-enforce-execution
+ # - 30-enforce-fim
+ # - 40-enforce-network
+ # - 50-enforce-privilege
 commonLabels:
 app.kubernetes.io/part-of: tetragon-policies
diff --git a/platform/tetragon/policies/tracingpolicy-network-connections.yaml b/platform/tetragon/policies/tracingpolicy-network-connections.yaml
deleted file mode 100644
index 82bd777..0000000
--- a/platform/tetragon/policies/tracingpolicy-network-connections.yaml
+++ /dev/null
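Review bot: The `matchPIDs` selector (`operator: NotIn`, `followForks: true`, `isNamespacePID: true`, value `1`) needs its semantics confirmed before the policy is relied on: `followForks` extends a PID match to the process's descendants, and since essentially every containerised process descends from namespace PID 1 (the container entrypoint), this may exclude most of what the policy is meant to record rather than only the init process itself. Verify by running a harmless command in a test pod and checking that an event is emitted; if the intent is to skip only PID 1 itself, `followForks: false` is the setting to try. Also, hooking `sys_execve` alone does not see `execveat`, and Tetragon's built-in process_exec events already cover both entry points with parent and binary context, so this kprobe may be duplicating them; if it stays, add a second kprobe for `sys_execveat` and mention in the `description` annotation that it supplements the base exec sensor.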
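Review bot: Replacing the five tracing policies with `10-audit-baseline` drops coverage the new baseline does not pick up: `detect-sensitive-file-access` (opens under /etc/shadow, /root, /proc/kcore and /var/run/secrets/kubernetes.io) and `detect-privilege-escalation` (`commit_creds`) have no successor in this commit because `30-enforce-fim` and `50-enforce-privilege` are commented out, whereas shell-spawn and sensitive-binaries are arguably subsumed by the new exec audit. Reads of mounted service-account tokens are among the first signals worth having during a pod compromise, so keep `- tracingpolicy-sensitive-file-access.yaml` in `resources:` (or move that policy under the audit tier) until the FIM tier lands, and say so in the commit message. A tracking reference beside each commented-out entry would keep the deferred tiers from being forgotten.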
@@ -1,8 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: detect-network-connections
-spec:
- tracepoints:
- - subsystem: tcp
- event: tcp_connect
diff --git a/platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml b/platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml
deleted file mode 100644
index 0c9e394..0000000
--- a/platform/tetragon/policies/tracingpolicy-privilege-escalation.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: detect-privilege-escalation
-spec:
- kprobes:
- - call: "commit_creds"
- syscall: false
- return: true
diff --git a/platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml b/platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml
deleted file mode 100644
index d45fee7..0000000
--- a/platform/tetragon/policies/tracingpolicy-sensitive-binaries.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: detect-sensitive-binary-execution
-spec:
- kprobes:
- - call: "security_bprm_check"
- syscall: false
-
- selectors:
- - matchBinaries:
- - operator: In
- values:
- - /usr/bin/curl
- - /usr/bin/wget
- - /usr/bin/nc
- - /usr/bin/netcat
- - /usr/bin/nmap
- - /usr/bin/socat
- - /usr/bin/ssh
- - /usr/sbin/iptables
- - /usr/bin/apt
- - /usr/bin/apt-get
-
- args:
- - index: 0
- type: string
-
- return: true
diff --git a/platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml b/platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml
deleted file mode 100644
index 977e93a..0000000
--- a/platform/tetragon/policies/tracingpolicy-sensitive-file-access.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: detect-sensitive-file-access
-spec:
- kprobes:
- - call: "security_file_open"
- syscall: false
-
- selectors:
- - matchArgs:
- - index: 0
- operator: Prefix
- values:
- - /etc/shadow
- - /etc/passwd
- - /root
- - /proc/kcore
- - /var/run/secrets/kubernetes.io
-
- args:
- - index: 0
- type: string
-
- return: true
diff --git a/platform/tetragon/policies/tracingpolicy-shell-spawn.yaml b/platform/tetragon/policies/tracingpolicy-shell-spawn.yaml
deleted file mode 100644
index 180dfc9..0000000
--- a/platform/tetragon/policies/tracingpolicy-shell-spawn.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: cilium.io/v1alpha1
-kind: TracingPolicy
-metadata:
- name: detect-shell-spawn
-spec:
- kprobes:
- - call: "security_bprm_check"
- syscall: false
-
- selectors:
- - matchBinaries:
- - operator: In
- values:
- - /bin/sh
- - /bin/bash
- - /bin/dash
- - /bin/ash
- - /busybox/sh
-
- args:
- - index: 0
- type: string
-
- return: true