From 0b6f88709e8d2278ace536fc088af267ece547a2 Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Sat, 2 Dec 2023 14:30:57 +0530 Subject: [PATCH 1/4] fix: Typo in Dockerfile Signed-off-by: Anurag Rajawat --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 11b9c4be..37ef8260 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,7 +14,7 @@ RUN go mod download # Copy the go source COPY main.go main.go COPY api/ api/ -COPY controller/ controller/ +COPY controllers/ controllers/ # Build # the GOARCH has not a default value to allow the binary be built according to the host where the command From 2d8e7f5d833070f6733e8ffe26f2ac0179563f56 Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Sat, 2 Dec 2023 15:21:13 +0530 Subject: [PATCH 2/4] chore: Create license.header Signed-off-by: Anurag Rajawat --- scripts/license.header | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 scripts/license.header diff --git a/scripts/license.header b/scripts/license.header new file mode 100644 index 00000000..38c7f771 --- /dev/null +++ b/scripts/license.header @@ -0,0 +1,2 @@ +SPDX-License-Identifier: Apache-2.0 +Copyright 2023 Authors of Nimbus From 76409f0c35c104e87d69d4734b6a48f07719c081 Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Sat, 2 Dec 2023 15:43:04 +0530 Subject: [PATCH 3/4] chore: Add license header to all files 
Signed-off-by: Anurag Rajawat --- Dockerfile | 3 +++ Makefile | 2 ++ api/v1/groupversion_info.go | 17 ++-------------- api/v1/securityintent_types.go | 17 ++-------------- api/v1/zz_generated.deepcopy.go | 17 ++-------------- controllers/general/general_controller.go | 3 +++ controllers/general/watch_intent.go | 3 +++ controllers/policy/network_policy.go | 3 +++ controllers/policy/policy_controller.go | 3 +++ controllers/policy/system_policy.go | 3 +++ controllers/securityintent_controller.go | 17 ++-------------- controllers/suite_test.go | 17 ++-------------- controllers/utils/utils_policy.go | 3 +++ hack/boilerplate.go.txt | 17 ++-------------- main.go | 17 ++-------------- scripts/add-license-header.sh | 20 +++++++++++++++++++ test-yaml/env/busybox-pod.yaml | 3 +++ test-yaml/env/multiubuntu.yaml | 3 +++ test-yaml/env/redis-pod.yaml | 3 +++ .../network/intent-net-icmp-audit.yaml | 3 +++ .../network/intent-network-sample.yaml | 3 +++ test-yaml/intents/network/intent-redis.yaml | 3 +++ .../network/intent-risky-network-access.yaml | 3 +++ .../system/intent-accessd-shadow-file.yaml | 3 +++ ...ntent-allow-access-to-credentials-dir.yaml | 3 +++ .../intents/system/intent-bug-block.yaml | 3 +++ .../system/intent-cap-net-raw-block.yaml | 3 +++ .../intent-do-not-allow-priv-escalation.yaml | 3 +++ .../intents/system/intent-path-block.yaml | 3 +++ ...-restrict-write-access-to-sys-folders.yaml | 3 +++ test-yaml/intents/template-intent.yaml | 3 +++ test-yaml/policy/cnp/policy-redis.yaml | 3 +++ test-yaml/policy/cnp/policy-risky.yaml | 3 +++ .../hsp/policy-accessed-shadow-file.yaml | 3 +++ test-yaml/policy/hsp/policy-bug-block.yaml | 3 +++ .../policy/ksp/policy-audit-all-unlink.yaml | 3 +++ .../policy/ksp/policy-cap-net-raw-block.yaml | 3 +++ ...olicy-file-dir-allow-from-source-path.yaml | 3 +++ .../policy/ksp/policy-net-icmp-audit.yaml | 3 +++ test-yaml/policy/ksp/policy-path-block.yaml | 3 +++ .../policy/ksp/policy-proc-dir-block.yaml | 3 +++ 41 files changed, 132 
insertions(+), 105 deletions(-) create mode 100755 scripts/add-license-header.sh diff --git a/Dockerfile b/Dockerfile index 37ef8260..7ec52042 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + # Build the manager binary FROM golang:1.20 as builder ARG TARGETOS diff --git a/Makefile b/Makefile index 9ff17464..4262a20c 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,5 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus # Image URL to use all building/pushing image targets IMG ?= controller:latest diff --git a/api/v1/groupversion_info.go b/api/v1/groupversion_info.go index e70a6d14..4159ec09 100644 --- a/api/v1/groupversion_info.go +++ b/api/v1/groupversion_info.go @@ -1,18 +1,5 @@ -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus // Package v1 contains API Schema definitions for the intent v1 API group // +kubebuilder:object:generate=true diff --git a/api/v1/securityintent_types.go b/api/v1/securityintent_types.go index 41e14bcd..7938246f 100644 --- a/api/v1/securityintent_types.go +++ b/api/v1/securityintent_types.go 
@@ -1,18 +1,5 @@ -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus package v1 diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go index 9d8a64db..875d649d 100644 --- a/api/v1/zz_generated.deepcopy.go +++ b/api/v1/zz_generated.deepcopy.go @@ -1,20 +1,7 @@ //go:build !ignore_autogenerated -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus // Code generated by controller-gen. DO NOT EDIT. diff --git a/controllers/general/general_controller.go b/controllers/general/general_controller.go index a0c54586..a188c2d4 100644 --- a/controllers/general/general_controller.go +++ b/controllers/general/general_controller.go @@ -1,3 +1,6 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + package general import ( 
diff --git a/controllers/general/watch_intent.go b/controllers/general/watch_intent.go index 7ffd7e36..ab6a207b 100644 --- a/controllers/general/watch_intent.go +++ b/controllers/general/watch_intent.go @@ -1,3 +1,6 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + package general import ( diff --git a/controllers/policy/network_policy.go b/controllers/policy/network_policy.go index 159ac3c6..7cf06683 100644 --- a/controllers/policy/network_policy.go +++ b/controllers/policy/network_policy.go @@ -1,3 +1,6 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + package policy import ( diff --git a/controllers/policy/policy_controller.go b/controllers/policy/policy_controller.go index f0ef1e81..36642fb6 100644 --- a/controllers/policy/policy_controller.go +++ b/controllers/policy/policy_controller.go @@ -1,3 +1,6 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + package policy import ( diff --git a/controllers/policy/system_policy.go b/controllers/policy/system_policy.go index 8bcf92ab..11ac44f0 100644 --- a/controllers/policy/system_policy.go +++ b/controllers/policy/system_policy.go @@ -1,3 +1,6 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + package policy import ( diff --git a/controllers/securityintent_controller.go b/controllers/securityintent_controller.go index bfbdfbd3..c6008ee1 100644 --- a/controllers/securityintent_controller.go +++ b/controllers/securityintent_controller.go 
@@ -1,18 +1,5 @@ -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus package controllers diff --git a/controllers/suite_test.go b/controllers/suite_test.go index 59066b3c..846d176e 100644 --- a/controllers/suite_test.go +++ b/controllers/suite_test.go @@ -1,18 +1,5 @@ -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus package controllers diff --git a/controllers/utils/utils_policy.go b/controllers/utils/utils_policy.go index 327795f2..34f73d4c 100644 --- a/controllers/utils/utils_policy.go +++ b/controllers/utils/utils_policy.go @@ -1,3 +1,6 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus + package utils import ( diff --git a/hack/boilerplate.go.txt b/hack/boilerplate.go.txt index 65b86227..8ce09148 100644 --- a/hack/boilerplate.go.txt +++ b/hack/boilerplate.go.txt 
@@ -1,15 +1,2 @@ -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ \ No newline at end of file +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus diff --git a/main.go b/main.go index 08f3e2a4..1097c3ce 100644 --- a/main.go +++ b/main.go @@ -1,18 +1,5 @@ -/* -Copyright 2023. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2023 Authors of Nimbus package main diff --git a/scripts/add-license-header.sh b/scripts/add-license-header.sh new file mode 100755 index 00000000..928540e1 --- /dev/null +++ b/scripts/add-license-header.sh 
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+if ! command -v addlicense >/dev/null; then
+ echo "Installing addlicense..."
+ go install github.com/google/addlicense@latest
+fi
+
+GIT_ROOT=$(git rev-parse --show-toplevel)
+LICENSE_HEADER=${GIT_ROOT}/scripts/license.header
+
+if [ -z $1 ]; then
+ echo "No Argument Supplied, Checking and Fixing all files from project root"
+ addlicense -f ${LICENSE_HEADER} -v ${GIT_ROOT}/**/*.sh ${GIT_ROOT}/**/*.go
+ echo "Done"
+else
+ addlicense -f ${LICENSE_HEADER} -v $1
+ echo "Done"
+fi
\ No newline at end of file
diff --git a/test-yaml/env/busybox-pod.yaml b/test-yaml/env/busybox-pod.yaml
index 08714724..7f85454f 100644
--- a/test-yaml/env/busybox-pod.yaml
+++ b/test-yaml/env/busybox-pod.yaml
@@ -1,3 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
 apiVersion: v1
 kind: Pod
 metadata:
diff --git a/test-yaml/env/multiubuntu.yaml b/test-yaml/env/multiubuntu.yaml
index 2cc01a0a..e67316a2 100644
--- a/test-yaml/env/multiubuntu.yaml
+++ b/test-yaml/env/multiubuntu.yaml
@@ -1,3 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
 apiVersion: v1
 kind: Namespace
 metadata:
diff --git a/test-yaml/env/redis-pod.yaml b/test-yaml/env/redis-pod.yaml
index b8bb85fe..9122ee40 100644
--- a/test-yaml/env/redis-pod.yaml
+++ b/test-yaml/env/redis-pod.yaml
@@ -1,3 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
 apiVersion: v1
 kind: Pod
 metadata:
diff --git a/test-yaml/intents/network/intent-net-icmp-audit.yaml b/test-yaml/intents/network/intent-net-icmp-audit.yaml
index 777e6be4..bf1b8c9a 100644
--- a/test-yaml/intents/network/intent-net-icmp-audit.yaml
+++ b/test-yaml/intents/network/intent-net-icmp-audit.yaml
@@ -1,3 +1,6 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
 apiVersion: intent.security.nimbus.com/v1
 kind: SecurityIntent
 metadata:
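Review bot: In scripts/add-license-header.sh, `go install github.com/google/addlicense@latest` installs whatever version is current when the script runs, so the tool that rewrites every source file is neither reproducible nor reviewable; pin a released version, e.g. `go install github.com/google/addlicense@<pinned-version>`. Without `shopt -s globstar`, `**` behaves like `*`, so `${GIT_ROOT}/**/*.sh` and `${GIT_ROOT}/**/*.go` match only files exactly one directory below the root and skip both root-level and deeper files; addlicense accepts directories, so passing `"${GIT_ROOT}"` may be simpler. `[ -z $1 ]` and the other unquoted expansions break on paths containing spaces; use `[ -z "${1:-}" ]` and quote `"${LICENSE_HEADER}"` and `"$1"`.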
diff --git a/test-yaml/intents/network/intent-network-sample.yaml b/test-yaml/intents/network/intent-network-sample.yaml index 6d9bf27d..0cd1e4f6 100644 --- a/test-yaml/intents/network/intent-network-sample.yaml +++ b/test-yaml/intents/network/intent-network-sample.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/network/intent-redis.yaml b/test-yaml/intents/network/intent-redis.yaml index e0c1d9e4..8ca970f9 100644 --- a/test-yaml/intents/network/intent-redis.yaml +++ b/test-yaml/intents/network/intent-redis.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/network/intent-risky-network-access.yaml b/test-yaml/intents/network/intent-risky-network-access.yaml index 5f2d9cd9..4888b685 100644 --- a/test-yaml/intents/network/intent-risky-network-access.yaml +++ b/test-yaml/intents/network/intent-risky-network-access.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + #kind: SecurityIntent #metadata: # name: risky-network-access diff --git a/test-yaml/intents/system/intent-accessd-shadow-file.yaml b/test-yaml/intents/system/intent-accessd-shadow-file.yaml index b3781254..14745954 100644 --- a/test-yaml/intents/system/intent-accessd-shadow-file.yaml +++ b/test-yaml/intents/system/intent-accessd-shadow-file.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/system/intent-allow-access-to-credentials-dir.yaml b/test-yaml/intents/system/intent-allow-access-to-credentials-dir.yaml index c6bf7134..0f5e8f84 100644 
--- a/test-yaml/intents/system/intent-allow-access-to-credentials-dir.yaml +++ b/test-yaml/intents/system/intent-allow-access-to-credentials-dir.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/system/intent-bug-block.yaml b/test-yaml/intents/system/intent-bug-block.yaml index 9d536266..5f63ef08 100644 --- a/test-yaml/intents/system/intent-bug-block.yaml +++ b/test-yaml/intents/system/intent-bug-block.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + #apiVersion: intent.security.nimbus.com/v1 #kind: SecurityIntent #metadata: diff --git a/test-yaml/intents/system/intent-cap-net-raw-block.yaml b/test-yaml/intents/system/intent-cap-net-raw-block.yaml index 95557e08..6c71ab9b 100644 --- a/test-yaml/intents/system/intent-cap-net-raw-block.yaml +++ b/test-yaml/intents/system/intent-cap-net-raw-block.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/system/intent-do-not-allow-priv-escalation.yaml b/test-yaml/intents/system/intent-do-not-allow-priv-escalation.yaml index 791f59c6..1e41f795 100644 --- a/test-yaml/intents/system/intent-do-not-allow-priv-escalation.yaml +++ b/test-yaml/intents/system/intent-do-not-allow-priv-escalation.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/system/intent-path-block.yaml b/test-yaml/intents/system/intent-path-block.yaml index 06316c87..6cfe4f76 100644 --- a/test-yaml/intents/system/intent-path-block.yaml +++ b/test-yaml/intents/system/intent-path-block.yaml 
@@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/system/intent-restrict-write-access-to-sys-folders.yaml b/test-yaml/intents/system/intent-restrict-write-access-to-sys-folders.yaml index 25a05959..87330ec9 100644 --- a/test-yaml/intents/system/intent-restrict-write-access-to-sys-folders.yaml +++ b/test-yaml/intents/system/intent-restrict-write-access-to-sys-folders.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/intents/template-intent.yaml b/test-yaml/intents/template-intent.yaml index 2a8c2ede..1049d5b5 100644 --- a/test-yaml/intents/template-intent.yaml +++ b/test-yaml/intents/template-intent.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: intent.security.nimbus.com/v1 kind: SecurityIntent metadata: diff --git a/test-yaml/policy/cnp/policy-redis.yaml b/test-yaml/policy/cnp/policy-redis.yaml index ab114261..6635ce5f 100644 --- a/test-yaml/policy/cnp/policy-redis.yaml +++ b/test-yaml/policy/cnp/policy-redis.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: diff --git a/test-yaml/policy/cnp/policy-risky.yaml b/test-yaml/policy/cnp/policy-risky.yaml index cc9a3ad8..96e692bc 100644 --- a/test-yaml/policy/cnp/policy-risky.yaml +++ b/test-yaml/policy/cnp/policy-risky.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: diff --git a/test-yaml/policy/hsp/policy-accessed-shadow-file.yaml b/test-yaml/policy/hsp/policy-accessed-shadow-file.yaml index 54d2d33a..46021c27 100644 
--- a/test-yaml/policy/hsp/policy-accessed-shadow-file.yaml +++ b/test-yaml/policy/hsp/policy-accessed-shadow-file.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + # KubeArmor is an open source software that enables you to protect your cloud workload at run-time. # To learn more about KubeArmor visit: # https://www.accuknox.com/kubearmor/ diff --git a/test-yaml/policy/hsp/policy-bug-block.yaml b/test-yaml/policy/hsp/policy-bug-block.yaml index b4654856..0a1a3bab 100644 --- a/test-yaml/policy/hsp/policy-bug-block.yaml +++ b/test-yaml/policy/hsp/policy-bug-block.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + #apiVersion: security.kubearmor.com/v1 #kind: KubeArmorHostPolicy #metadata: diff --git a/test-yaml/policy/ksp/policy-audit-all-unlink.yaml b/test-yaml/policy/ksp/policy-audit-all-unlink.yaml index f5047a36..80443097 100644 --- a/test-yaml/policy/ksp/policy-audit-all-unlink.yaml +++ b/test-yaml/policy/ksp/policy-audit-all-unlink.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: diff --git a/test-yaml/policy/ksp/policy-cap-net-raw-block.yaml b/test-yaml/policy/ksp/policy-cap-net-raw-block.yaml index cd4c74bd..a11512c9 100644 --- a/test-yaml/policy/ksp/policy-cap-net-raw-block.yaml +++ b/test-yaml/policy/ksp/policy-cap-net-raw-block.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: diff --git a/test-yaml/policy/ksp/policy-file-dir-allow-from-source-path.yaml b/test-yaml/policy/ksp/policy-file-dir-allow-from-source-path.yaml index ecab2272..e3ac76e6 100644 --- a/test-yaml/policy/ksp/policy-file-dir-allow-from-source-path.yaml +++ b/test-yaml/policy/ksp/policy-file-dir-allow-from-source-path.yaml 
@@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: diff --git a/test-yaml/policy/ksp/policy-net-icmp-audit.yaml b/test-yaml/policy/ksp/policy-net-icmp-audit.yaml index 459e43d4..51118811 100644 --- a/test-yaml/policy/ksp/policy-net-icmp-audit.yaml +++ b/test-yaml/policy/ksp/policy-net-icmp-audit.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: diff --git a/test-yaml/policy/ksp/policy-path-block.yaml b/test-yaml/policy/ksp/policy-path-block.yaml index c2a476e0..8781778f 100644 --- a/test-yaml/policy/ksp/policy-path-block.yaml +++ b/test-yaml/policy/ksp/policy-path-block.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: diff --git a/test-yaml/policy/ksp/policy-proc-dir-block.yaml b/test-yaml/policy/ksp/policy-proc-dir-block.yaml index acd5f385..30ffe514 100644 --- a/test-yaml/policy/ksp/policy-proc-dir-block.yaml +++ b/test-yaml/policy/ksp/policy-proc-dir-block.yaml @@ -1,3 +1,6 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: From 7d37e1ed2e38ed796ba42d8a45d5605fa3c358af Mon Sep 17 00:00:00 2001 From: Anurag Rajawat Date: Sat, 2 Dec 2023 15:45:45 +0530 Subject: [PATCH 4/4] ci: Add initial workflows Signed-off-by: Anurag Rajawat --- .github/workflows/latest-release.yaml | 46 +++++++++++++++++ .github/workflows/pr-checks.yaml | 73 +++++++++++++++++++++++++++ .licenserc.yaml | 21 ++++++++ Makefile | 11 ++-- 4 files changed, 147 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/latest-release.yaml create mode 100644 .github/workflows/pr-checks.yaml create mode 100644 .licenserc.yaml 
diff --git a/.github/workflows/latest-release.yaml b/.github/workflows/latest-release.yaml
new file mode 100644
index 00000000..b99c7f13
--- /dev/null
+++ b/.github/workflows/latest-release.yaml
@@ -0,0 +1,46 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+name: Latest release
+
+on:
+ push:
+ branches:
+ - main
+ - "v*"
+ create:
+ branches:
+ - "v*"
+
+permissions: read-all
+
+jobs:
+ release-nimbus-image:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v3
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Get tag
+ id: tag
+ run: |
+ if [ ${{ github.ref }} == "refs/heads/main" ]; then
+ echo "tag=latest" >> $GITHUB_OUTPUT
+ else
+ echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Build and push nimbus image
+ run: make docker-buildx TAG=${{ steps.tag.outputs.tag }}
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
new file mode 100644
index 00000000..a6f9aefa
--- /dev/null
+++ b/.github/workflows/pr-checks.yaml
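Review bot: The `Get tag` step in .github/workflows/latest-release.yaml pastes `${{ github.ref }}` directly into the shell script, and `make docker-buildx TAG=${{ steps.tag.outputs.tag }}` does the same with a value derived from the ref, so a ref name containing shell metacharacters becomes script text in the job that holds the Docker Hub credentials. Pass both values through `env:`, quote them, and reject tags outside the Docker tag character set before they reach make, since make substitutes TAG into the recipe text; the fence below shows the two rewritten steps. As far as I know `branches` is not a supported filter for the `create` event, so this workflow probably runs for every new branch or tag and pushes an image named after it. The third-party actions are referenced by mutable tags (`@v3`) rather than commit SHAs, which matters in a job with registry secrets.

```yaml
      # … unchanged: checkout, QEMU, Buildx and Docker Hub login steps …

      - name: Get tag
        id: tag
        env:
          REF: ${{ github.ref }}
        run: |
          if [ "$REF" = "refs/heads/main" ]; then
            tag=latest
          else
            tag="${REF#refs/*/}"
          fi
          # Docker tags allow only [A-Za-z0-9_.-]; reject anything else before it reaches make.
          case "$tag" in
            ""|*[!A-Za-z0-9_.-]*) echo "unexpected tag: $tag" >&2; exit 1 ;;
          esac
          echo "tag=$tag" >> "$GITHUB_OUTPUT"

      - name: Build and push nimbus image
        env:
          TAG: ${{ steps.tag.outputs.tag }}
        run: make docker-buildx TAG="$TAG"
```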
@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+name: PR checks
+
+on:
+ pull_request:
+ types: [ opened, reopened, synchronize, ready_for_review ]
+ paths-ignore:
+ - '**.md'
+ - '**.sh'
+ - 'docs/**'
+ - 'LICENSE'
+
+permissions: read-all
+
+jobs:
+ license:
+ name: License
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Check License Header
+ uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ test:
+ name: Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Setup go
+ uses: actions/setup-go@v4
+ with:
+ go-version: '1.20'
+
+ - name: go fmt
+ run: make fmt
+
+ - name: Lint
+ id: lint
+ uses: golangci/golangci-lint-action@v3
+ with:
+ version: v1.54
+ args: --deadline=30m --out-format=line-number
+ skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+
+ - name: Run unit tests
+ run: make test
+
+ go-sec:
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ env:
+ GO111MODULE: on
+ steps:
+ - name: Checkout Source
+ uses: actions/checkout@v3
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ with:
+ # we let the report trigger content trigger a failure using the GitHub Security features.
+ args: '-no-fail -fmt sarif -out results.sarif ./...'
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/.licenserc.yaml b/.licenserc.yaml
new file mode 100644
index 00000000..ca2cb77d
--- /dev/null
+++ b/.licenserc.yaml
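Review bot: In the `go-sec` job of .github/workflows/pr-checks.yaml, `uses: securego/gosec@master` runs whatever is on that branch at the time, in a job granted `security-events: write`; pin it the way the License job already pins skywalking-eyes, e.g. `uses: securego/gosec@<pinned-commit-sha>`. With `-no-fail`, findings surface only through the SARIF upload, so the scan gates nothing unless code-scanning alerts are enforced on the repository; the comment above `args` should say that explicitly. `paths-ignore` lists `'**.sh'` while .licenserc.yaml puts `**/*.sh` under the header check, so a pull request that touches only shell scripts skips the License job.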
@@ -0,0 +1,21 @@ +# SPDX-License-Identifier: Apache-2.0 +# Copyright 2023 Authors of Nimbus + +header: + license: + spdx-id: Apache-2.0 + copyright-owner: Nimbus + content: | + SPDX-License-Identifier: Apache-2.0 + + paths: + - "**/*.go" + - "**/*.sh" + - "**/Dockerfile" + - "**/Makefile" + + comment: on-failure + +dependency: + files: + - go.mod diff --git a/Makefile b/Makefile index 4262a20c..ea881017 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,9 @@ # Copyright 2023 Authors of Nimbus # Image URL to use all building/pushing image targets -IMG ?= controller:latest +IMG ?= 5gsec/nimbus +# Image Tag to use all building/pushing image targets +TAG ?= v0.1 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary. ENVTEST_K8S_VERSION = 1.28.0 @@ -97,11 +99,12 @@ run: manifests generate fmt vet ## Run a controller from your host. # More info: https://docs.docker.com/develop/develop-images/build_enhancements/ .PHONY: docker-build docker-build: ## Build docker image with the manager. - $(CONTAINER_TOOL) build -t ${IMG} . + $(CONTAINER_TOOL) build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} . .PHONY: docker-push docker-push: ## Push docker image with the manager. - $(CONTAINER_TOOL) push ${IMG} + $(CONTAINER_TOOL) push ${IMG}:${TAG} + $(CONTAINER_TOOL) push ${IMG}:latest # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple # architectures. (i.e. make docker-buildx IMG=myregistry/mypoperator:0.0.1). To use this option you need to: 
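Review bot: In the Makefile hunk that changes `docker-build` and `docker-push`, IMG is now a bare repository and every reference appends `:${TAG}`, but the context comment at the end of the hunk still tells users to run `make docker-buildx IMG=myregistry/mypoperator:0.0.1`, which now yields an invalid reference such as `myregistry/mypoperator:0.0.1:v0.1`. Update it to `make docker-buildx IMG=myregistry/mypoperator TAG=0.0.1`; that comment continues past the end of the hunk. `--build-arg VERSION=${TAG}` only has an effect if the Dockerfile declares `ARG VERSION`, and the Dockerfile lines visible in this series show only `ARG TARGETOS`, so confirm it is consumed. `docker-push` also moves `latest` on every push, so a comment noting that deployments needing a fixed image should reference `${IMG}:${TAG}` or a digest would help.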
@@ -116,7 +119,7 @@ docker-buildx: ## Build and push docker image for the manager for cross-platform sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - $(CONTAINER_TOOL) buildx create --name project-v3-builder $(CONTAINER_TOOL) buildx use project-v3-builder - - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . + - $(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross . - $(CONTAINER_TOOL) buildx rm project-v3-builder rm Dockerfile.cross
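Review bot: The changed `buildx build --push` line in `docker-buildx` keeps its leading `-`, so make ignores a failed build or push and the release workflow that calls this target still reports success with no image published. Drop the prefix on that line, `$(CONTAINER_TOOL) buildx build --push --platform=$(PLATFORMS) --build-arg VERSION=${TAG} --tag ${IMG}:${TAG} -f Dockerfile.cross .`, accepting that the builder and Dockerfile.cross cleanup is then skipped on failure unless it moves to a separate step. The target also tags only `${IMG}:${TAG}`, while `docker-build` and `docker-push` publish `latest` as well; if that difference is intended, a comment saying so would help.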