
Merge branch 'main' into issue_100
VedRatan authored Sep 4, 2024
2 parents 232a1b1 + 3e4fbc2 commit b09f413
Showing 38 changed files with 330 additions and 203 deletions.
16 changes: 15 additions & 1 deletion .github/workflows/pr-checks.yaml
Expand Up @@ -34,9 +34,9 @@ jobs:
- 'cmd/**'
- 'internal/**'
- 'pkg/processor/**'
- 'tests/controllers/**'
- 'Dockerfile'
- 'Makefile'
- 'go.mod'
adapters:
- 'pkg/adapter/**'
tests:
Expand Down Expand Up @@ -112,6 +112,13 @@ jobs:
- name: Build image
run: make docker-build

- name: Scan image
uses: anchore/scan-action@v4
with:
image: '5gsec/nimbus:latest'
severity-cutoff: critical
output-format: sarif

build-adapters-image:
needs: files-changed
if: ${{ needs.files-changed.outputs.adapters == 'true' }}
Expand All @@ -129,6 +136,13 @@ jobs:
working-directory: ./pkg/adapter/${{ matrix.adapters }}
run: make docker-build

- name: Scan image
uses: anchore/scan-action@v4
with:
image: '5gsec/${{ matrix.adapters }}:latest'
severity-cutoff: critical
output-format: sarif

integration-tests:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.tests == 'true' }}
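Review bot: The new `Scan image` step at L31-36 (and its copy for the adapters at L45-50) requests `output-format: sarif`, but nothing in either hunk uploads the report, so the SARIF file is discarded when the job ends and the findings are visible only through the action's own pass/fail result. To land them in the repository's code-scanning view, give the step an `id`, add an upload step after it, and grant the job `permissions: security-events: write`; `if: always()` on the upload keeps the report when the scan itself fails the job. Separately, `severity-cutoff: critical` lets high-severity findings through silently, and `anchore/scan-action@v4` is pinned to a moving major tag rather than a commit SHA, which is the usual hardening for third-party actions. The start of the `build-image` job is outside the hunk, so whether `make docker-build` tags the result as `5gsec/nimbus:latest` cannot be checked here; if it does not, the scan may analyse a registry pull rather than the freshly built image.
```yaml
      - name: Scan image
        id: scan
        # … unchanged: uses/with of the scan step …

      - name: Upload scan report
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```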
4 changes: 2 additions & 2 deletions deployments/nimbus-k8tls/Chart.yaml
@@ -1,8 +1,8 @@
apiVersion: v2
type: application
name: nimbus-k8tls
version: 0.1.0
appVersion: "0.1.0"
version: 0.1.1
appVersion: "0.1.1"
description: Nimbus adapter for k8tls
sources:
- https://github.com/5GSEC/nimbus
3 changes: 3 additions & 0 deletions deployments/nimbus-k8tls/templates/NOTES.txt
@@ -0,0 +1,3 @@
Thank you for installing nimbus-k8tls.

Your release is named '{{ include "nimbus-k8tls.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
@@ -1,5 +1,5 @@
apiVersion: apps/v1
kind: DaemonSet
kind: Deployment
metadata:
name: {{ include "nimbus-k8tls.fullname" . }}
labels:
Expand All @@ -26,4 +26,5 @@ spec:
- name: TTLSECONDSAFTERFINISHED
value: "{{ .Values.output.elasticsearch.ttlsecondsafterfinished }}"
{{- end }}
terminationGracePeriodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
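Review bot: `terminationGracePeriodSeconds: 10` is a pod-spec field, but it is inserted between container-level content (the env block closed by `{{- end }}` above it and `resources:`, whose `nindent 12` places it inside the container), so it lands under `containers[]`, where the Deployment schema has no such field; the same placement appears in the kubearmor, kyverno and netpol templates at L160, L232 and L301 and in nimbus's deployment.yaml at L361, where it sits between `readinessProbe` and `resources`. The indentation is lost in this view, but with `resources:` following at container level there is no valid pod-spec position for the line where it stands: strict field validation on the API server, and typically Helm's client-side manifest validation, will reject the manifest, and a lenient server would silently drop the setting. Move the line out of the container list, after the `containers:` entries close, at the indentation of the pod spec's own keys: `      terminationGracePeriodSeconds: 10`. The enclosing `spec:` block starts outside the hunk.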
20 changes: 16 additions & 4 deletions deployments/nimbus-k8tls/values.yaml
@@ -1,5 +1,3 @@
# Default values for nimbus-k8tls.

image:
repository: 5gsec/nimbus-k8tls
pullPolicy: Always
Expand All @@ -13,9 +11,24 @@ serviceAccount:
automount: true
name: "nimbus-k8tls"

podSecurityContext:
fsGroup: 2000

securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65533
runAsUser: 1000

resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 50m
memory: 64Mi

output:
elasticsearch:
Expand All @@ -26,4 +39,3 @@ output:
index: "findings"
password: "" # Password in base64 encoded format
ttlsecondsafterfinished: "10" # Amount of time to keep the pod around after job has been completed
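Review bot: The new `securityContext` block at L106-113 drops all capabilities, sets a read-only root filesystem and `runAsNonRoot`, but omits `allowPrivilegeEscalation: false` and a `seccompProfile`, so the pod still does not meet the Pod Security Standards `restricted` profile and a namespace enforcing it would reject the adapter; the identical block is added for kubearmor (L180-187), kyverno (L252-259), netpol (L313-320) and the operator (L380-387). Add under `securityContext:` the lines `allowPrivilegeEscalation: false` and `seccompProfile:` / `  type: RuntimeDefault`. The UID also moves from 65533 to 1000 here (and from 65534, 65535 and 65532 in the other charts); whether the images set a matching `USER`, or whether files the process must reach are owned by the old UIDs, is not visible in this diff and should be confirmed against the Dockerfiles before relying on `readOnlyRootFilesystem: true` with the new user. A comment such as `# Hardened defaults; keep aligned with the Pod Security 'restricted' profile` above the block would record the intent for the next change.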

2 changes: 1 addition & 1 deletion deployments/nimbus-kubearmor/Chart.yaml
Expand Up @@ -6,7 +6,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.3
version: 0.1.4

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
3 changes: 3 additions & 0 deletions deployments/nimbus-kubearmor/templates/NOTES.txt
@@ -0,0 +1,3 @@
Thank you for installing nimbus-kubearmor.

Your release is named '{{ include "nimbus-kubearmor.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
@@ -1,5 +1,5 @@
apiVersion: apps/v1
kind: DaemonSet
kind: Deployment
metadata:
name: {{ include "nimbus-kubearmor.fullname" . }}
labels:
Expand All @@ -21,4 +21,5 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
terminationGracePeriodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
24 changes: 19 additions & 5 deletions deployments/nimbus-kubearmor/values.yaml
@@ -1,7 +1,3 @@
# Default values for nimbus-kubearmor.

autoDeploy: true

image:
repository: 5gsec/nimbus-kubearmor
pullPolicy: Always
Expand All @@ -20,9 +16,27 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: "nimbus-kubearmor"

podSecurityContext:
fsGroup: 2000

securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65533
runAsUser: 1000

resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 50m
memory: 64Mi

# Deploy engine
autoDeploy: true

kubearmor-operator:
autoDeploy: true
2 changes: 1 addition & 1 deletion deployments/nimbus-kyverno/Chart.yaml
Expand Up @@ -7,7 +7,7 @@ kubeVersion: ">= 1.25"
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
version: 0.1.2

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
3 changes: 3 additions & 0 deletions deployments/nimbus-kyverno/templates/NOTES.txt
@@ -0,0 +1,3 @@
Thank you for installing nimbus-kyverno.

Your release is named '{{ include "nimbus-kyverno.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
@@ -1,5 +1,5 @@
apiVersion: apps/v1
kind: DaemonSet
kind: Deployment
metadata:
name: {{ include "nimbus-kyverno.fullname" . }}
labels:
Expand All @@ -21,4 +21,5 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
terminationGracePeriodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
24 changes: 19 additions & 5 deletions deployments/nimbus-kyverno/values.yaml
@@ -1,7 +1,3 @@
# Default values for nimbus-kyverno.

autoDeploy: true

image:
repository: 5gsec/nimbus-kyverno
pullPolicy: Always
Expand All @@ -20,6 +16,24 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: "nimbus-kyverno"

podSecurityContext:
fsGroup: 2000

securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65535
runAsUser: 1000

resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 50m
memory: 64Mi

# Deploy engine
autoDeploy: true
2 changes: 1 addition & 1 deletion deployments/nimbus-netpol/Chart.yaml
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.2
version: 0.1.3

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
3 changes: 3 additions & 0 deletions deployments/nimbus-netpol/templates/NOTES.txt
@@ -0,0 +1,3 @@
Thank you for installing nimbus-netpol.

Your release is named '{{ include "nimbus-netpol.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
@@ -1,5 +1,5 @@
apiVersion: apps/v1
kind: DaemonSet
kind: Deployment
metadata:
name: {{ include "nimbus-netpol.fullname" . }}
labels:
Expand All @@ -21,4 +21,5 @@ spec:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
terminationGracePeriodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
17 changes: 16 additions & 1 deletion deployments/nimbus-netpol/values.yaml
Expand Up @@ -18,6 +18,21 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: "nimbus-netpol"

podSecurityContext:
fsGroup: 2000

securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65532
runAsUser: 1000

resources:
limits:
cpu: 50m
memory: 64Mi
requests:
cpu: 50m
memory: 64Mi
23 changes: 23 additions & 0 deletions deployments/nimbus/templates/NOTES.txt
@@ -0,0 +1,23 @@
Thank you for installing Nimbus suite.

Your release is named '{{ include "nimbus.fullname" . }}' and deployed in '{{ .Release.Namespace }}' namespace.
{{printf "" }}

{{- if .Values.autoDeploy.kubearmor }}
Deployed nimbus-kubearmor adapter along with KubeArmor security engine in '{{ .Release.Namespace }}' namespace.
{{ printf "" }}
{{- end}}

{{- if .Values.autoDeploy.kyverno }}
Deployed nimbus-kyverno adapter along with Kyverno security engine in '{{ .Release.Namespace }}' namespace.
{{ printf "" }}
{{- end}}

{{- if .Values.autoDeploy.k8tls }}
Deployed nimbus-k8tls adapter in '{{ .Release.Namespace }}' namespace.
{{ printf "" }}
{{- end}}

{{- if .Values.autoDeploy.netpol }}
Deployed nimbus-netpol adapter in '{{ .Release.Namespace }}' namespace.
{{- end}}
3 changes: 2 additions & 1 deletion deployments/nimbus/templates/deployment.yaml
Expand Up @@ -26,4 +26,5 @@ spec:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
terminationGracePeriodSeconds: 10
resources:
{{- toYaml .Values.resources | nindent 12 }}
20 changes: 17 additions & 3 deletions deployments/nimbus/values.yaml
@@ -1,5 +1,4 @@
# Default values for nimbus.

# Deploy adapters
autoDeploy:
kubearmor: true
netpol: true
Expand All @@ -26,9 +25,24 @@ serviceAccount:
# If not set and create is true, a name is generated using the fullname template
name: "nimbus-operator"

podSecurityContext:
fsGroup: 2000

securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsUser: 1000

resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi

livenessProbe:
httpGet:
Expand Up @@ -4,10 +4,10 @@
apiVersion: intent.security.nimbus.com/v1alpha1
kind: SecurityIntent
metadata:
name: ensure-tls-default
name: assess-tls-default
spec:
intent:
id: ensureTLS
id: assessTLS
action: Audit
description: |
Assess the TLS configuration to ensure compliance with the security standards. This includes verifying TLS protocol version,
Expand All @@ -17,10 +17,10 @@ spec:
apiVersion: intent.security.nimbus.com/v1alpha1
kind: ClusterSecurityIntentBinding
metadata:
name: ensure-tls-default
name: assess-tls-default
spec:
intents:
- name: ensure-tls-default
- name: assess-tls-default
selector:
nsSelector:
matchNames:

0 comments on commit b09f413
