From 4bc22cfbed2cb0637e55e42ac98b06661944c064 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:06:47 +0200 Subject: [PATCH 01/19] Amass: refactor values according to new spec Signed-off-by: Jop Zitman --- scanners/amass/README.md | 26 +++++----- .../templates/amass-parse-definition.yaml | 4 +- scanners/amass/templates/amass-scan-type.yaml | 22 ++++----- scanners/amass/values.yaml | 47 +++++++++---------- 4 files changed, 49 insertions(+), 50 deletions(-) diff --git a/scanners/amass/README.md b/scanners/amass/README.md index d4c5cfe1b7..c51df90630 100644 --- a/scanners/amass/README.md +++ b/scanners/amass/README.md 
@@ -39,19 +39,19 @@ Special command line options: | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.repository | string | `"caffix/amass"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts appVersion | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: 
https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-amass"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[{"mountPath":"/amass/output/config.ini","name":"amass-config","subPath":"config.ini"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[{"configMap":{"name":"amass-config"},"name":"amass-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"caffix/amass"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts appVersion | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | [owasp_amass_project]: https://owasp.org/www-project-amass/ [amass github]: https://github.com/OWASP/Amass 
diff --git a/scanners/amass/templates/amass-parse-definition.yaml b/scanners/amass/templates/amass-parse-definition.yaml index 2984faf8f5..7f09462c73 100644 --- a/scanners/amass/templates/amass-parse-definition.yaml +++ b/scanners/amass/templates/amass-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "amass-jsonl" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/amass/templates/amass-scan-type.yaml b/scanners/amass/templates/amass-scan-type.yaml index ffb6cbdebd..d7b19b5ead 100644 --- a/scanners/amass/templates/amass-scan-type.yaml +++ b/scanners/amass/templates/amass-scan-type.yaml 
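Review bot: The renamed line `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}` is still emitted unconditionally, whereas the scan-type template in the same commit wraps its equivalent in `{{- if .Values.scanner.ttlSecondsAfterFinished }}`; with the `null` default from values.yaml this presumably renders a `ttlSecondsAfterFinished` key with no usable value into the ParseDefinition. The guard was not introduced here, but since the commit is aligning both templates with the new spec, wrapping this one the same way — `{{- if .Values.parser.ttlSecondsAfterFinished }}` / `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}` / `{{- end }}` — keeps the two consistent. The same unguarded line is in the angularjs-csti-scanner and git-repo-scanner parse-definition hunks of this series.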
@@ -13,34 +13,34 @@ spec: location: "/home/securecodebox/amass-results.jsonl" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure containers: - name: amass - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: - "amass" - "enum" - "-json" - "/home/securecodebox/amass-results.jsonl" resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} --- apiVersion: v1 kind: ConfigMap diff --git a/scanners/amass/values.yaml b/scanners/amass/values.yaml index 0126298d95..0664e36f5b 100644 --- a/scanners/amass/values.yaml +++ b/scanners/amass/values.yaml 
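Review bot: The switch from `.Values.scannerJob.*` to `.Values.scanner.*` in this template has no compatibility path, so an existing user override that still sets `scannerJob.securityContext` or `scannerJob.resources` is silently ignored after the upgrade and the container falls back to the empty `{}` defaults from values.yaml. Because `securityContext` is what hardens the scanner container, a silent drop to no hardening is worth failing loudly on: a render-time check such as `{{- if or .Values.scannerJob .Values.image }}{{ fail "values were renamed: scannerJob.* -> scanner.*, image.* -> scanner.image.*" }}{{- end }}` at the top of the template makes stale overrides visible instead of no-ops. The README hunk in this commit lists only the new keys; nothing on the page states that the rename is breaking, which the chart docs should say. The same applies to the angularjs-csti-scanner and git-repo-scanner scan-type templates and to the three parse-definition templates (`parserImage.*` / `parseJob.*` -> `parser.*`) in this series.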
@@ -2,31 +2,30 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: caffix/amass - # image.tag -- defaults to the charts appVersion - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-amass - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-amass + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: caffix/amass + # scanner.image.tag -- defaults to the charts appVersion + tag: null + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -36,23 +35,23 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: - name: "amass-config" configMap: name: "amass-config" - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: - name: "amass-config" mountPath: "/amass/output/config.ini" subPath: "config.ini" - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} From 86ecccd0b4953d2ae18a8759cf7a70eea616ed61 Mon Sep 17 00:00:00 2001 
From: Jop Zitman Date: Wed, 9 Jun 2021 14:11:09 +0200 Subject: [PATCH 02/19] Angular CSTI: refactor values according to new spec Signed-off-by: Jop Zitman --- scanners/angularjs-csti-scanner/README.md | 24 +++++----- ...gularjs-csti-scanner-parse-definition.yaml | 4 +- .../angularjs-csti-scanner-scan-type.yaml | 20 ++++---- scanners/angularjs-csti-scanner/values.yaml | 46 +++++++++---------- 4 files changed, 46 insertions(+), 48 deletions(-) diff --git a/scanners/angularjs-csti-scanner/README.md b/scanners/angularjs-csti-scanner/README.md index 4cba60c1a6..49171a04df 100644 --- a/scanners/angularjs-csti-scanner/README.md +++ b/scanners/angularjs-csti-scanner/README.md 
@@ -134,15 +134,15 @@ options.scope.request_methods = [ | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.repository | string | `"docker.io/securecodebox/scanner-angularjs-csti-scanner"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts version | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-angularjs-csti-scanner"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the 
scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-angularjs-csti-scanner"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-angularjs-csti-scanner"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts version | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the 
kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | diff --git a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml index ea50b500fb..500df61267 100644 --- a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml +++ b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "acstis-log" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml index aca7c9d20a..a7c0285f95 100644 --- a/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml +++ b/scanners/angularjs-csti-scanner/templates/angularjs-csti-scanner-scan-type.yaml @@ -12,8 +12,8 @@ spec: location: "/home/securecodebox/findings.log" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} backoffLimit: 3 template: 
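Review bot: `backoffLimit: 3` stays hard-coded in this hunk while the amass and git-repo-scanner scan-type templates in the same series read `{{ .Values.scanner.backoffLimit }}`, and the angularjs-csti-scanner values.yaml and README in this commit define no `scanner.backoffLimit`. Since the commit's purpose is aligning the chart with the shared values spec, this looks like the place to add the value: `backoffLimit: {{ .Values.scanner.backoffLimit }}` here, plus `backoffLimit: 3` with the same helm-docs comment the amass values.yaml uses, under `scanner:` in values.yaml. The enclosing jobTemplate spec continues past the hunk.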
@@ -21,22 +21,22 @@ spec: restartPolicy: OnFailure containers: - name: acstis-scanner - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: - "sh" - "/wrapper.sh" - "-vrl" - "/home/securecodebox/findings.log" resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/angularjs-csti-scanner/values.yaml b/scanners/angularjs-csti-scanner/values.yaml index 5d41cc232e..fe8820b2a1 100644 --- a/scanners/angularjs-csti-scanner/values.yaml +++ b/scanners/angularjs-csti-scanner/values.yaml 
@@ -2,29 +2,27 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-angularjs-csti-scanner - # image.tag -- defaults to the charts version - tag: null - -parserImage: - # parserImage.tag - defaults to the charts version - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-angularjs-csti-scanner - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-angularjs-csti-scanner + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: -# scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/securecodebox/scanner-angularjs-csti-scanner + # scanner.image.tag -- defaults to the charts version + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -34,17 +32,17 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} From dab7a376c3ac7632c7bcf497d0dde8c734085dec Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:14:03 +0200 Subject: [PATCH 03/19] Git Repo Scanner: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/git-repo-scanner/README.md | 26 +++++----- .../git-repo-scanner-parse-definition.yaml | 4 +- .../templates/git-repo-scanner-scan-type.yaml | 22 ++++---- scanners/git-repo-scanner/values.yaml | 50 +++++++++---------- 4 files changed, 51 insertions(+), 51 deletions(-) diff --git a/scanners/git-repo-scanner/README.md b/scanners/git-repo-scanner/README.md index e740240a3d..42b33d1974 100644 --- a/scanners/git-repo-scanner/README.md +++ b/scanners/git-repo-scanner/README.md 
@@ -65,16 +65,16 @@ on the Gitlab server are going to be discovered. | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.repository | string | `"docker.io/securecodebox/scanner-git-repo-scanner"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts version | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-git-repo-scanner"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-git-repo-scanner"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-git-repo-scanner"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts version | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | diff --git a/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml b/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml index 42f860d998..5f779687f1 100644 --- a/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml +++ b/scanners/git-repo-scanner/templates/git-repo-scanner-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "git-repo-scanner-json" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml b/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml index b98c322c4b..5707bb6e50 100644 --- a/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml +++ b/scanners/git-repo-scanner/templates/git-repo-scanner-scan-type.yaml 
@@ -12,16 +12,16 @@ spec:
location: "/home/securecodebox/git-repo-scanner-findings.json"
jobTemplate:
spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
{{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
containers:
- name: git-repo-scanner
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}"
command:
- "python"
- "-m"
@@ -29,15 +29,15 @@ spec:
- "--file-output"
- "/home/securecodebox"
resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
{{- end }}
volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/git-repo-scanner/values.yaml b/scanners/git-repo-scanner/values.yaml
index c040e3ceee..733bb62b2e 100644
--- a/scanners/git-repo-scanner/values.yaml
+++ b/scanners/git-repo-scanner/values.yaml
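Review bot: The renamed lookups in this template (`backoffLimit`, `image`, `resources`, `securityContext`, `env` and the volume lines) have no fallback to the old `scannerJob.*` / `image.*` keys, so an override a user set under the old names — a pinned `image.tag` or a hardening `scannerJob.securityContext` — is silently ignored after the upgrade and the chart falls back to its empty defaults. A guard at the top of the template turns that into a visible failure, e.g. `{{- if or .Values.scannerJob .Values.image .Values.parserImage .Values.parseJob }}{{ fail "values were renamed: scannerJob.* -> scanner.*, image.* -> scanner.image.*, parserImage.*/parseJob.* -> parser.*" }}{{- end }}`; a migration note in the chart changelog would be the minimum. The same applies to the gitleaks and kube-hunter scan-type hunks further down this page and to the three parse-definition hunks.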
@@ -2,32 +2,32 @@
#
# SPDX-License-Identifier: Apache-2.0
-image:
- # image.repository -- Container Image to run the scan
- repository: docker.io/securecodebox/scanner-git-repo-scanner
- # image.tag -- defaults to the charts version
- tag: null
-
-parserImage:
- # parserImage.tag - defaults to the charts version
- # parserImage.repository -- Parser image repository
- repository: docker.io/securecodebox/parser-git-repo-scanner
- # parserImage.tag -- Parser image tag
- # @default -- defaults to the charts version
- tag: null
-
-parseJob:
- # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+parser:
+ image:
+ # parser.image.tag - defaults to the charts version
+ # parser.image.repository -- Parser image repository
+ repository: docker.io/securecodebox/parser-git-repo-scanner
+ # parser.image.tag -- Parser image tag
+ # @default -- defaults to the charts version
+ tag: null
+
+ # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
-scannerJob:
- # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+scanner:
+ image:
+ # scanner.image.repository -- Container Image to run the scan
+ repository: docker.io/securecodebox/scanner-git-repo-scanner
+ # scanner.image.tag -- defaults to the charts version
+ tag: null
+
+ # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
- # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
+ # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
# @default -- 3
backoffLimit: 3
- # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
+ # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources: {}
# resources:
# requests: 
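Review bot: The added comment `# parser.image.tag - defaults to the charts version`, placed above the `parser.image.repository` annotation, is a leftover: it uses a single dash rather than the `--` form every other annotation here uses, it sits on the wrong key, and it duplicates the `# @default -- defaults to the charts version` annotation two lines below, so it documents nothing and reads as if `repository` defaulted to a version. I would drop that one line so each key carries exactly one annotation. The gitleaks values.yaml hunk in the next patch carries the same stray line; the kube-hunter one does not.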
@@ -37,17 +37,17 @@ scannerJob:
# memory: "512Mi"
# cpu: "500m"
- # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
+ # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
- # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+ # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes: []
- # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+ # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts: []
- # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
+ # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
extraContainers: []
- # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
securityContext: {}
From e24e88c7dd853230863aab0fb45b014eba8a7273 Mon Sep 17 00:00:00 2001
From: Jop Zitman
Date: Wed, 9 Jun 2021 14:21:53 +0200
Subject: [PATCH 04/19] Gitleaks: refactor values according to new spec
Signed-off-by: Jop Zitman
---
scanners/gitleaks/README.md | 26 +++++-----
.../templates/gitleaks-parse-definition.yaml | 4 +-
.../templates/gitleaks-scan-type.yaml | 22 ++++-----
scanners/gitleaks/values.yaml | 49 +++++++++----------
4 files changed, 50 insertions(+), 51 deletions(-)
diff --git a/scanners/gitleaks/README.md b/scanners/gitleaks/README.md
index 70dd2e477f..1db60e3af1 100644
--- a/scanners/gitleaks/README.md
+++ b/scanners/gitleaks/README.md
@@ -130,16 +130,16 @@ For more information on how to use cascades take a look at
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
-| image.repository | string | `"docker.io/securecodebox/scanner-gitleaks"` | Container Image to run the scan |
-| image.tag | string | `nil` | defaults to the app version |
-| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| parserImage.repository | string | `"docker.io/securecodebox/parser-gitleaks"` | Parser image repository |
-| parserImage.tag | string | defaults to the charts version | Parser image tag |
-| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| parser.image.repository | string | `"docker.io/securecodebox/parser-gitleaks"` | Parser image repository |
+| parser.image.tag | string | defaults to the charts version | Parser image tag |
+| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
+| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/","name":"gitleaks-config"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[{"configMap":{"name":"gitleaks-config"},"name":"gitleaks-config"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.image.repository | string | `"docker.io/securecodebox/scanner-gitleaks"` | Container Image to run the scan |
+| scanner.image.tag | string | `nil` | defaults to the app version |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner 
will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
diff --git a/scanners/gitleaks/templates/gitleaks-parse-definition.yaml b/scanners/gitleaks/templates/gitleaks-parse-definition.yaml
index e857ab13ef..d31592889f 100644
--- a/scanners/gitleaks/templates/gitleaks-parse-definition.yaml
+++ b/scanners/gitleaks/templates/gitleaks-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
metadata:
name: "gitleaks-json"
spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/gitleaks/templates/gitleaks-scan-type.yaml b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
index 51596bc784..3bb7fbf643 100644
--- a/scanners/gitleaks/templates/gitleaks-scan-type.yaml
+++ b/scanners/gitleaks/templates/gitleaks-scan-type.yaml
@@ -12,16 +12,16 @@ spec:
location: "/home/securecodebox/report.json"
jobTemplate:
spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
{{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
template:
spec:
restartPolicy: OnFailure
containers:
- name: gitleaks
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
command:
- 'sh'
- '/wrapper.sh'
@@ -31,18 +31,18 @@ spec:
- "--report"
- "/home/securecodebox/report.json"
resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
{{- end }}
volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
---
apiVersion: v1
kind: ConfigMap
diff --git a/scanners/gitleaks/values.yaml b/scanners/gitleaks/values.yaml
index 09785507cb..e0ab599b43 100644
--- a/scanners/gitleaks/values.yaml
+++ b/scanners/gitleaks/values.yaml
@@ -2,32 +2,31 @@
#
# SPDX-License-Identifier: Apache-2.0
-image:
- # image.repository -- Container Image to run the scan
- repository: docker.io/securecodebox/scanner-gitleaks
- # image.tag -- defaults to the app version
- tag: null
-
-parserImage:
- # parserImage.tag - defaults to the charts version
- # parserImage.repository -- Parser image repository
- repository: docker.io/securecodebox/parser-gitleaks
- # parserImage.tag -- Parser image tag
- # @default -- defaults to the charts version
- tag: null
-
-parseJob:
- # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+parser:
+ image:
+ # parser.image.tag - defaults to the charts version
+ # parser.image.repository -- Parser image repository
+ repository: docker.io/securecodebox/parser-gitleaks
+ # parser.image.tag -- Parser image tag
+ # @default -- defaults to the charts version
+ tag: null
+ # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
-scannerJob:
- # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+scanner:
+ image:
+ # scanner.image.repository -- Container Image to run the scan
+ repository: docker.io/securecodebox/scanner-gitleaks
+ # scanner.image.tag -- defaults to the app version
+ tag: null
+
+ # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
- # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
+ # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
# @default -- 3
backoffLimit: 3
- # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
+ # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources: {}
# resources:
# requests: 
@@ -37,24 +36,24 @@ scannerJob:
# memory: "512Mi"
# cpu: "500m"
- # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
+ # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/)
env: []
- # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+ # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumes:
- name: "gitleaks-config"
configMap:
name: "gitleaks-config"
- # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
+ # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/)
extraVolumeMounts:
- name: "gitleaks-config"
mountPath: "/home/"
- # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
+ # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
extraContainers: []
- # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
+ # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
securityContext: {}
cascadingRules:
From d613f2f81779745bf468464799632ca246888dd5 Mon Sep 17 00:00:00 2001
From: Jop Zitman
Date: Wed, 9 Jun 2021 14:23:49 +0200
Subject: [PATCH 05/19] Kube Hunter: refactor values according to new spec
Signed-off-by: Jop Zitman
---
scanners/kube-hunter/README.md | 26 +++++-----
.../kube-hunter-parse-definition.yaml | 4 +-
.../templates/kubehunter-scan-type.yaml | 22 ++++-----
scanners/kube-hunter/values.yaml | 48 +++++++++----------
4 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/scanners/kube-hunter/README.md b/scanners/kube-hunter/README.md
index 97f6b73375..3233ea467a 100644
--- a/scanners/kube-hunter/README.md
+++ b/scanners/kube-hunter/README.md
@@ -34,19 +34,19 @@ The following security scan configuration example are based on the [kube-hunter
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
-| image.repository | string | `"docker.io/securecodebox/scanner-kube-hunter"` | Container Image to run the scan |
-| image.tag | string | `nil` | defaults to the charts version |
-| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| parserImage.repository | string | `"docker.io/securecodebox/parser-kube-hunter"` | Parser image repository |
-| parserImage.tag | string | defaults to the charts version | Parser image tag |
-| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| parser.image.repository | string | `"docker.io/securecodebox/parser-kube-hunter"` | Parser image repository |
+| parser.image.tag | string | defaults to the charts version | Parser image tag |
+| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
+| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.image.repository | string | `"docker.io/securecodebox/scanner-kube-hunter"` | Container Image to run the scan |
+| scanner.image.tag | string | `nil` | defaults to the charts version |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
[kube-hunter Website]: https://kube-hunter.aquasec.com/
[kube-hunter GitHub]: https://github.com/aquasecurity/kube-hunter
diff --git a/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml b/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml
index 8dc8c1ac1b..597be78317 100644
--- a/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml
+++ b/scanners/kube-hunter/templates/kube-hunter-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
metadata:
name: "kube-hunter-json"
spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.image.ttlSecondsAfterFinished }}
diff --git a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
index 6ce2d11353..974f21f2d9 100644
--- a/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
+++ b/scanners/kube-hunter/templates/kubehunter-scan-type.yaml
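Review bot: `ttlSecondsAfterFinished: {{ .Values.parser.image.ttlSecondsAfterFinished }}` in the kube-hunter parse definition reads the TTL from under `parser.image`, but the kube-hunter values.yaml hunk in this same patch keeps `ttlSecondsAfterFinished` as a direct child of `parser:` (a sibling of `image:`), and the git-repo-scanner and gitleaks parse definitions use `.Values.parser.ttlSecondsAfterFinished`. As written a parser TTL configured by the user is never picked up, so finished parser jobs and their pods would presumably linger until cleaned up by other means. The line should read `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}`, matching the other two charts.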
@@ -12,31 +12,31 @@ spec:
location: '/home/securecodebox/kube-hunter-results.json'
jobTemplate:
spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
{{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
template:
spec:
restartPolicy: Never
containers:
- name: kube-hunter
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
command:
- 'sh'
- '/wrapper.sh'
- '--report'
- 'json'
resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
{{- end }}
volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/kube-hunter/values.yaml b/scanners/kube-hunter/values.yaml
index de0d364586..b3d7acbed3 100644
--- a/scanners/kube-hunter/values.yaml
+++ b/scanners/kube-hunter/values.yaml
@@ -2,31 +2,31 @@
#
# SPDX-License-Identifier: Apache-2.0
-image:
- # image.repository -- Container Image to run the scan
- repository: docker.io/securecodebox/scanner-kube-hunter
- # image.tag -- defaults to the charts version
- tag: null
-
-parserImage:
- # parserImage.repository -- Parser image repository
- repository: docker.io/securecodebox/parser-kube-hunter
- # parserImage.tag -- Parser image tag
- # @default -- defaults to the charts version
- tag: null
-
-parseJob:
- # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+parser:
+ image:
+ # parser.image.repository -- Parser image repository
+ repository: docker.io/securecodebox/parser-kube-hunter
+ # parser.image.tag -- Parser image tag
+ # @default -- defaults to the charts version
+ tag: null
+
+ # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
-scannerJob:
- # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+scanner:
+ image:
+ # scanner.image.repository -- Container Image to run the scan
+ repository: docker.io/securecodebox/scanner-kube-hunter
+ # scanner.image.tag -- defaults to the charts version
+ tag: null
+
+ # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
ttlSecondsAfterFinished: null
- # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
+ # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
# @default -- 3
backoffLimit: 3
- # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
+ # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/)
resources: {}
# resources:
# requests: 
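Review bot: The new annotation `# scanner.image.tag -- defaults to the charts version` contradicts the kube-hunter scan-type template in this same patch, which renders the image as `.Values.scanner.image.tag | default .Chart.AppVersion`; since helm-docs copies this annotation into the README table, the documented default is wrong for anyone auditing or pinning the scanner image. Change it to `# scanner.image.tag -- defaults to the charts appVersion` (the wording the amass README uses), or switch the template to `.Chart.Version` if that is the intended behaviour. The mismatch predates the rename, but this hunk rewrites the line, so it is the place to fix it.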
@@ -36,19 +36,19 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From d72ae2762447772d4e04795206aef8f365ee06ec Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:34:12 +0200 Subject: [PATCH 06/19] Kubeaudit: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/kubeaudit/README.md | 32 ++++++------- .../templates/kubeaudit-parse-definition.yaml | 4 +- .../templates/kubeaudit-scan-type.yaml | 20 ++++---- scanners/kubeaudit/values.yaml | 48 +++++++++---------- 4 files changed, 52 insertions(+), 52 deletions(-) diff --git a/scanners/kubeaudit/README.md b/scanners/kubeaudit/README.md index db43922726..4ca2d200cd 100644 --- a/scanners/kubeaudit/README.md +++ b/scanners/kubeaudit/README.md 
@@ -29,21 +29,21 @@ helm upgrade --install kubeaudit secureCodeBox/kubeaudit | Key | Type | Default | Description | |-----|------|---------|-------------| | kubeauditScope | string | `"namespace"` | Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-kubeaudit"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| scannerJob.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
| -| scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | -| scannerJob.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | -| scannerJob.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-kubeaudit"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
| +| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | +| scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | +| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | [kubeaudit GitHub]: https://github.com/Shopify/kubeaudit/ diff --git a/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml b/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml index 6d65492080..117545ec56 100644 --- a/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml +++ b/scanners/kubeaudit/templates/kubeaudit-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "kubeaudit-jsonl" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml b/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml index d2a6744270..9d398ade59 100644 --- a/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml +++ b/scanners/kubeaudit/templates/kubeaudit-scan-type.yaml 
@@ -12,10 +12,10 @@ spec: location: "/home/securecodebox/kubeaudit.jsonl" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure @@ -31,16 +31,16 @@ spec: - "--format" - "json" resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 12 }} serviceAccountName: kubeaudit diff --git a/scanners/kubeaudit/values.yaml b/scanners/kubeaudit/values.yaml index f778de56b7..6a21963f88 100644 --- a/scanners/kubeaudit/values.yaml +++ b/scanners/kubeaudit/values.yaml 
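Review bot: The `volumes:` block in the second hunk is still rendered from `.Values.scanner.extraVolumeMounts` (last added line), so VolumeMount objects are emitted where Volume objects belong and the `scanner.extraVolumes` value defined in kubeaudit's values.yaml is never used. The old line had the same path, so the rename carries the mismatch forward rather than introducing it; the ncrack scan type later in this series uses `extraVolumes` at the same spot. Any non-empty `scanner.extraVolumes` is silently dropped and any non-empty `scanner.extraVolumeMounts` would most likely yield a pod spec the API server rejects. The line should read `{{- toYaml .Values.scanner.extraVolumes | nindent 12 }}`. The pod template continues past the end of the hunk.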
@@ -2,26 +2,26 @@ # # SPDX-License-Identifier: Apache-2.0 -parserImage: - # parserImage.tag - defaults to the charts version - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-kubeaudit - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.tag - defaults to the charts version + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-kubeaudit + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -31,31 +31,31 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: - # scannerJob.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user + # scanner.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user runAsNonRoot: true - # scannerJob.securityContext.readOnlyRootFilesystem -- 
Prevents write access to the containers file system + # scanner.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system readOnlyRootFilesystem: true - # scannerJob.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated + # scanner.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated allowPrivilegeEscalation: false - # scannerJob.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode + # scanner.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode privileged: false capabilities: drop: - # scannerJob.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. + # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all # kubeauditScope -- Automatically sets up rbac roles for kubeaudit to access the resources it scans. Can be either "cluster" (ClusterRole) or "namespace" (Role) From ff05fd5fd79dd429030fa008c3da358eb7a5b3d3 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:37:32 +0200 Subject: [PATCH 07/19] Ncrack: refactor values according to new spec Signed-off-by: Jop Zitman --- scanners/ncrack/README.md | 26 +++++------ .../templates/ncrack-parse-definition.yaml | 4 +- .../ncrack/templates/ncrack-scan-type.yaml | 22 ++++----- scanners/ncrack/values.yaml | 46 +++++++++---------- 4 files changed, 49 insertions(+), 49 deletions(-) diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md index 120d9e5551..71b9cceab7 100644 --- a/scanners/ncrack/README.md +++ b/scanners/ncrack/README.md 
@@ -173,19 +173,19 @@ base64 encryptedPassword -d | openssl rsautl -decrypt -inkey key.pem -out decryp | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | | encryptPasswords.existingSecret | string | `nil` | secret name with a pem encoded rsa public key to encrypt identified passwords | | encryptPasswords.key | string | `"public.key"` | name of the property in the secret with the pem encoded rsa public key | -| image.repository | string | `"docker.io/securecodebox/scanner-ncrack"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts appVersion | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-ncrack"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-ncrack"` | | +| parser.image.tag | string | `nil` | | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-ncrack"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts appVersion | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | --- diff --git a/scanners/ncrack/templates/ncrack-parse-definition.yaml b/scanners/ncrack/templates/ncrack-parse-definition.yaml index 4ebdce006c..68f3c629f8 100644 --- a/scanners/ncrack/templates/ncrack-parse-definition.yaml +++ b/scanners/ncrack/templates/ncrack-parse-definition.yaml @@ -7,8 +7,8 @@ kind: ParseDefinition metadata: name: "ncrack-xml" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.image.ttlSecondsAfterFinished }} {{- if .Values.encryptPasswords.existingSecret }} volumes: - name: "ncrack-secret" diff --git a/scanners/ncrack/templates/ncrack-scan-type.yaml b/scanners/ncrack/templates/ncrack-scan-type.yaml index 3079d46741..51c839ca9b 100644 --- a/scanners/ncrack/templates/ncrack-scan-type.yaml +++ b/scanners/ncrack/templates/ncrack-scan-type.yaml 
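Review bot: In the ncrack-parse-definition.yaml hunk the new `ttlSecondsAfterFinished` line reads `{{ .Values.parser.image.ttlSecondsAfterFinished }}`, but ncrack's values.yaml in this same patch places `ttlSecondsAfterFinished` directly under `parser:`, as a sibling of `image:`, not inside it. The template therefore always renders an empty value and a user setting `parser.ttlSecondsAfterFinished` to retire finished parser Jobs gets that retention setting silently ignored. The kubeaudit parse definition in the preceding patch uses the correct path. It should be `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}`.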
@@ -12,28 +12,28 @@ spec: location: "/home/securecodebox/ncrack-results.xml" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure containers: - name: ncrack - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: ["ncrack", "-oX", "/home/securecodebox/ncrack-results.xml"] resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/ncrack/values.yaml b/scanners/ncrack/values.yaml index dfff165c2b..23024b7512 100644 --- a/scanners/ncrack/values.yaml +++ b/scanners/ncrack/values.yaml 
@@ -2,18 +2,6 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-ncrack - # image.tag -- defaults to the charts appVersion - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-ncrack - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null encryptPasswords: # encryptPasswords.existingSecret -- secret name with a pem encoded rsa public key to encrypt identified passwords 
@@ -21,18 +9,30 @@ encryptPasswords: # encryptPasswords.key -- name of the property in the secret with the pem encoded rsa public key key: "public.key" -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.repository -- Parser image repository + repository: docker.io/securecodebox/parser-ncrack + # parser.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/securecodebox/scanner-ncrack + # scanner.image.tag -- defaults to the charts appVersion + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
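Review bot: The helm-docs key comments for the parser image in this hunk read `# parser.repository -- Parser image repository` and `# parser.tag -- Parser image tag`, although the keys now live under `parser.image`. This is why the generated README in the same patch shows empty descriptions for `parser.image.repository` and `parser.image.tag` and loses the `@default -- defaults to the charts version` annotation, printing `nil` instead. They should read `# parser.image.repository -- Parser image repository` and `# parser.image.tag -- Parser image tag`, matching the kube-hunter and kubeaudit values files in this series. For consistency with those files a blank line before the `# parser.ttlSecondsAfterFinished` comment would also separate the `image` map from the job-level key.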
@@ -42,19 +42,19 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From c8c72d2cd2dcdfbbcf0c6233745a2c11b0e56178 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:40:43 +0200 Subject: [PATCH 08/19] Nikto: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/nikto/README.md | 26 +++++----- .../templates/nikto-parse-definition.yaml | 4 +- scanners/nikto/templates/nikto-scan-type.yaml | 22 ++++----- scanners/nikto/values.yaml | 47 +++++++++---------- 4 files changed, 49 insertions(+), 50 deletions(-) diff --git a/scanners/nikto/README.md b/scanners/nikto/README.md index 4cef2af09f..68e9e60d71 100644 --- a/scanners/nikto/README.md +++ b/scanners/nikto/README.md 
@@ -53,19 +53,19 @@ Nikto also has a comprehensive list of [command line options documented](https:/ | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | -| image.repository | string | `"docker.io/securecodebox/scanner-nikto"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts appVersion | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-nikto"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-nikto"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-nikto"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts appVersion | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | [cirt.net]: https://cirt.net/ [nikto github]: https://github.com/sullo/nikto diff --git a/scanners/nikto/templates/nikto-parse-definition.yaml b/scanners/nikto/templates/nikto-parse-definition.yaml index 6740386c82..0b4b13ecfa 100644 --- a/scanners/nikto/templates/nikto-parse-definition.yaml +++ b/scanners/nikto/templates/nikto-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "nikto-json" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.repository }}:{{ .Values.parser.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/nikto/templates/nikto-scan-type.yaml b/scanners/nikto/templates/nikto-scan-type.yaml index 8004ffb03a..91cb055afe 100644 --- a/scanners/nikto/templates/nikto-scan-type.yaml +++ b/scanners/nikto/templates/nikto-scan-type.yaml 
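Review bot: The new parse-definition image line reads `.Values.parser.repository` and `.Values.parser.tag`, but the nikto values.yaml rewritten in this same patch nests those keys as `parser.image.repository` and `parser.image.tag` (and the README table documents them that way), so the parser image would render without a repository, as roughly `:<chart version>`. The line should be `image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"`, the form the screenshooter parse-definition in patch 10 already uses. The nmap parse-definition hunk in patch 09 has the same mismatch and needs the same fix. A `helm template` render of each chart in CI would surface the unresolved key before the parser image reference breaks at deploy time.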
@@ -12,16 +12,16 @@ spec: location: '/home/securecodebox/nikto-results.json' jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: Never containers: - name: nikto - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: # Nikto Entrypoint Script to avoid problems nikto exiting with a non zero exit code # This would cause the kubernetes job to fail no matter what @@ -30,15 +30,15 @@ spec: - '-o' - '/home/securecodebox/nikto-results.json' resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/nikto/values.yaml b/scanners/nikto/values.yaml index af764c07b2..29e3efceb9 100644 --- a/scanners/nikto/values.yaml 
+++ b/scanners/nikto/values.yaml 
@@ -2,31 +2,30 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-nikto - # image.tag -- defaults to the charts appVersion - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-nikto - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-nikto + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/securecodebox/scanner-nikto + # scanner.image.tag -- defaults to the charts appVersion + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -36,19 +35,19 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From 2c52eeb659146c6926f5de26549f031565b5e8b4 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:42:52 +0200 Subject: [PATCH 09/19] Nmap: refactor values according to new spec 
Signed-off-by: Jop Zitman
---
 scanners/nmap/README.md | 36 ++++++------
 .../nmap/templates/nmap-parse-definition.yaml | 4 +-
 scanners/nmap/templates/nmap-scan-type.yaml | 22 +++----
 scanners/nmap/values.yaml | 57 +++++++++----------
 4 files changed, 59 insertions(+), 60 deletions(-)
diff --git a/scanners/nmap/README.md b/scanners/nmap/README.md
index bc3b97f97c..9ede99a12a 100644
--- a/scanners/nmap/README.md
+++ b/scanners/nmap/README.md
@@ -87,21 +87,21 @@ spec: | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | -| image.repository | string | `"docker.io/securecodebox/scanner-nmap"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts version | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-nmap"` | Parser image repository | -| parserImage.tag | string | defaults to the charts appVersion | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | -| scannerJob.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
| -| scannerJob.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | -| scannerJob.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | -| scannerJob.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-nmap"` | Parser image repository | +| parser.image.tag | string | defaults to the charts appVersion | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-nmap"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts version | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated | +| scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. 
| +| scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode | +| scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system | +| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | diff --git a/scanners/nmap/templates/nmap-parse-definition.yaml b/scanners/nmap/templates/nmap-parse-definition.yaml index 2492438424..c002c6e97a 100644 --- a/scanners/nmap/templates/nmap-parse-definition.yaml +++ b/scanners/nmap/templates/nmap-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "nmap-xml" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} \ No newline at end of file + image: "{{ .Values.parser.repository }}:{{ .Values.parser.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/nmap/templates/nmap-scan-type.yaml b/scanners/nmap/templates/nmap-scan-type.yaml index 1107323cee..69f8dbd98c 100644 --- a/scanners/nmap/templates/nmap-scan-type.yaml +++ b/scanners/nmap/templates/nmap-scan-type.yaml 
@@ -12,27 +12,27 @@ spec: location: "/home/securecodebox/nmap-results.xml" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure containers: - name: nmap - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: ["nmap", "-oX", "/home/securecodebox/nmap-results.xml"] resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/nmap/values.yaml b/scanners/nmap/values.yaml index ff7f8513f2..c76246b64a 100644 --- a/scanners/nmap/values.yaml +++ b/scanners/nmap/values.yaml 
@@ -2,31 +2,30 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-nmap - # image.tag -- defaults to the charts version - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-nmap - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts appVersion - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-nmap + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts appVersion + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/securecodebox/scanner-nmap + # scanner.image.tag -- defaults to the charts version + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
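Review bot: The renamed comments in this hunk keep the tag defaults the wrong way round for nmap: `# @default -- defaults to the charts appVersion` under `parser.image.tag` while the nmap parse-definition in this patch falls back to `.Chart.Version`, and `# scanner.image.tag -- defaults to the charts version` while the nmap scan-type falls back to `.Chart.AppVersion`. The README table appears to be generated from these comments (patch 10 adds `chart.valuesTable` to a gotmpl), so the nmap README hunk above repeats both errors. They should read `# @default -- defaults to the charts version` and `# scanner.image.tag -- defaults to the charts appVersion`, as the nikto values.yaml in patch 08 already does. The screenshooter README in patch 10 shows the same appVersion wording for `parser.image.tag` against a `.Chart.Version` fallback, presumably inherited from its values.yaml, which lies outside this excerpt.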
@@ -36,31 +35,31 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: - # scannerJob.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user + # scanner.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user runAsNonRoot: true - # scannerJob.securityContext.readOnlyRootFilesystem -- 
Prevents write access to the containers file system + # scanner.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system readOnlyRootFilesystem: true - # scannerJob.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated + # scanner.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated allowPrivilegeEscalation: false - # scannerJob.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode + # scanner.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode privileged: false capabilities: drop: - # scannerJob.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. + # scanner.securityContext.capabilities.drop[0] -- This drops all linux privileges from the container. - all cascadingRules: From 7b34166a28c81f217ef779d8faea71ee33937814 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:46:39 +0200 Subject: [PATCH 10/19] Screenshooter: refactor values according to new spec & add chart.valuesTable to gotmpl Signed-off-by: Jop Zitman --- scanners/screenshooter/README.md | 19 ++++++++ scanners/screenshooter/README.md.gotmpl | 4 ++ .../screenshooter-parse-definition.yaml | 4 +- .../templates/screenshooter-scan-type.yaml | 22 ++++----- scanners/screenshooter/values.yaml | 46 +++++++++---------- 5 files changed, 58 insertions(+), 37 deletions(-) diff --git a/scanners/screenshooter/README.md b/scanners/screenshooter/README.md index 0af59910a9..a163654bfa 100644 --- a/scanners/screenshooter/README.md +++ b/scanners/screenshooter/README.md 
@@ -22,3 +22,22 @@ helm upgrade --install screenshooter ./scanners/screenshooter/ You have to provide only the URL to the screenshooter. Be careful, the protocol is mandatory: * `https://secureCodeBox.io` * **not** `secureCodeBox.io` or `www.secureCodeBox.io` + +## Chart Configuration + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | +| parser.image.repository | string | `"docker.io/securecodebox/parser-screenshooter"` | Parser image repository | +| parser.image.tag | string | defaults to the charts appVersion | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-screenshooter"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts version | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | diff --git a/scanners/screenshooter/README.md.gotmpl b/scanners/screenshooter/README.md.gotmpl index d414691740..33018993cd 100644 --- a/scanners/screenshooter/README.md.gotmpl +++ b/scanners/screenshooter/README.md.gotmpl 
@@ -27,3 +27,7 @@ helm upgrade --install screenshooter ./scanners/screenshooter/
 You have to provide only the URL to the screenshooter. Be careful, the protocol is mandatory:
 * `https://secureCodeBox.io`
 * **not** `secureCodeBox.io` or `www.secureCodeBox.io`
+
+## Chart Configuration
+
+{{ template "chart.valuesTable" . }}
diff --git a/scanners/screenshooter/templates/screenshooter-parse-definition.yaml b/scanners/screenshooter/templates/screenshooter-parse-definition.yaml
index f52a8cec77..8abf402f3e 100644
--- a/scanners/screenshooter/templates/screenshooter-parse-definition.yaml
+++ b/scanners/screenshooter/templates/screenshooter-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
 metadata:
 name: "screenshot-png"
 spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/screenshooter/templates/screenshooter-scan-type.yaml b/scanners/screenshooter/templates/screenshooter-scan-type.yaml
index 9991211822..f97c4c4a9b 100644
--- a/scanners/screenshooter/templates/screenshooter-scan-type.yaml
+++ b/scanners/screenshooter/templates/screenshooter-scan-type.yaml
@@ -12,31 +12,31 @@ spec: location: "/home/securecodebox/screenshot.png" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure containers: - name: screenshooter - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}" command: - 'sh' - '/wrapper.sh' - "-screenshot" - "/home/securecodebox/screenshot.png" resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/screenshooter/values.yaml b/scanners/screenshooter/values.yaml index d2796e0c9c..632b2f3a8d 100644 --- a/scanners/screenshooter/values.yaml +++ b/scanners/screenshooter/values.yaml 
@@ -2,31 +2,29 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: docker.io/securecodebox/scanner-screenshooter - # image.tag -- defaults to the charts version - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-screenshooter - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts appVersion - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-screenshooter + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts appVersion + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/securecodebox/scanner-screenshooter + # scanner.image.tag -- defaults to the charts version + tag: null + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
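Review bot: The comment `# @default -- defaults to the charts appVersion` on the new-side `parser.image.tag` does not match what the chart renders: the screenshooter ParseDefinition template in this same commit falls back with `default .Chart.Version`, and the ssh-scan and sslyze values files later in this series document the same key as `defaults to the charts version`. The old side carried the identical wording, so the mismatch predates the refactor, but since the line is being rewritten here this is the natural place to correct it: `# @default -- defaults to the charts version`. The README table added in this commit repeats the same text and would be fixed by regenerating it from values.yaml after the change.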
@@ -36,19 +34,19 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From 2b7cd09fcc482be76763c10a8aa2738fb18d0dcb Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:49:16 +0200 Subject: [PATCH 11/19] Ssh-scan: refactor values according to new spec 
Signed-off-by: Jop Zitman
---
 scanners/ssh-scan/README.md | 26 +++++------
 .../templates/ssh-scan-parse-definition.yaml | 4 +-
 .../templates/ssh-scan-scan-type.yaml | 22 ++++-----
 scanners/ssh-scan/values.yaml | 46 +++++++++----------
 4 files changed, 48 insertions(+), 50 deletions(-)
diff --git a/scanners/ssh-scan/README.md b/scanners/ssh-scan/README.md
index 36ef3ee5e4..20a1b3d79f 100644
--- a/scanners/ssh-scan/README.md
+++ b/scanners/ssh-scan/README.md
@@ -66,19 +66,19 @@ Examples:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
-| image.repository | string | `"mozilla/ssh_scan"` | Container Image to run the scan |
-| image.tag | string | `"latest@sha256:d6f41c2c328223931b97a4ae5d35d3bb91b5c8d91871ced3d2e0cde06b1edf1f"` | defaults to the charts appVersion |
-| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| parserImage.repository | string | `"docker.io/securecodebox/parser-ssh-scan"` | Parser image repository |
-| parserImage.tag | string | defaults to the charts version | Parser image tag |
-| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed.
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| parser.image.repository | string | `"docker.io/securecodebox/parser-ssh-scan"` | Parser image repository |
+| parser.image.tag | string | defaults to the charts version | Parser image tag |
+| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted.
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
+| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.image.repository | string | `"mozilla/ssh_scan"` | Container Image to run the scan |
+| scanner.image.tag | string | `"latest@sha256:d6f41c2c328223931b97a4ae5d35d3bb91b5c8d91871ced3d2e0cde06b1edf1f"` | defaults to the charts appVersion |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted.
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | [ssh_scan GitHub]: https://github.com/mozilla/ssh_scan [ssh_scan Documentation]: https://github.com/mozilla/ssh_scan#example-command-line-usage diff --git a/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml b/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml index c0a4422e39..17e52a9785 100644 --- a/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml +++ b/scanners/ssh-scan/templates/ssh-scan-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "ssh-scan-json" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.image.ttlSecondsAfterFinished }} diff --git a/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml b/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml index 088edb71f5..ccbeadbe85 100644 --- a/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml +++ b/scanners/ssh-scan/templates/ssh-scan-scan-type.yaml 
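Review bot: The new `ttlSecondsAfterFinished` line in ssh-scan-parse-definition.yaml reads `.Values.parser.image.ttlSecondsAfterFinished`, but the ssh-scan values.yaml changed in this same commit defines the key as `parser.ttlSecondsAfterFinished`, a sibling of `image` rather than a child of it, so a TTL set on the documented key is never applied to the parser Job and the line presumably renders with an empty value. The screenshooter and sslyze ParseDefinitions in this series use the correct path; this one should match: `ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}`. Since the default is `null`, wrapping the line in the same `{{- if .Values.parser.ttlSecondsAfterFinished }}` guard that the scan-type template already uses for the scanner Job would also avoid emitting an empty key.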
@@ -12,30 +12,30 @@ spec: location: "/home/securecodebox/ssh-scan-results.json" jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure containers: - name: ssh-scan - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: - "/app/bin/ssh_scan" - "--output" - "/home/securecodebox/ssh-scan-results.json" resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/ssh-scan/values.yaml b/scanners/ssh-scan/values.yaml index 14a8221fa8..d70079d081 100644 --- a/scanners/ssh-scan/values.yaml +++ b/scanners/ssh-scan/values.yaml 
@@ -2,31 +2,29 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: mozilla/ssh_scan - # image.tag -- defaults to the charts appVersion - tag: "latest@sha256:d6f41c2c328223931b97a4ae5d35d3bb91b5c8d91871ced3d2e0cde06b1edf1f" - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-ssh-scan - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-ssh-scan + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: mozilla/ssh_scan + # scanner.image.tag -- defaults to the charts appVersion + tag: "latest@sha256:d6f41c2c328223931b97a4ae5d35d3bb91b5c8d91871ced3d2e0cde06b1edf1f" + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -36,19 +34,19 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From f17f715e5c8dd623403f871e7bf9e3dbf53ef311 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:51:29 +0200 Subject: [PATCH 12/19] Sslyze: refactor values according to new spec 
Signed-off-by: Jop Zitman
---
 scanners/sslyze/README.md | 26 +++++-----
 .../templates/sslyze-parse-definition.yaml | 4 +-
 .../sslyze/templates/sslyze-scan-type.yaml | 22 ++++-----
 scanners/sslyze/values.yaml | 48 +++++++++----------
 4 files changed, 50 insertions(+), 50 deletions(-)
diff --git a/scanners/sslyze/README.md b/scanners/sslyze/README.md
index 92da51b267..23fce62b00 100644
--- a/scanners/sslyze/README.md
+++ b/scanners/sslyze/README.md
@@ -133,19 +133,19 @@ Options:
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
-| image.repository | string | `"nablac0d3/sslyze"` | Container Image to run the scan |
-| image.tag | string | `"latest@sha256:ff2c5c626401b1961736a5b2ae6e35a41d213e8b2712102100abf5ee46dcca71"` | defaults to the charts appVersion |
-| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| parserImage.repository | string | `"docker.io/securecodebox/parser-sslyze"` | Parser image repository |
-| parserImage.tag | string | defaults to the charts version | Parser image tag |
-| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed.
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| parser.image.repository | string | `"docker.io/securecodebox/parser-sslyze"` | Parser image repository |
+| parser.image.tag | string | defaults to the charts version | Parser image tag |
+| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted.
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
+| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.image.repository | string | `"nablac0d3/sslyze"` | Container Image to run the scan |
+| scanner.image.tag | string | `"latest@sha256:ff2c5c626401b1961736a5b2ae6e35a41d213e8b2712102100abf5ee46dcca71"` | defaults to the charts appVersion |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted.
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | [SSLyze GitHub]: https://github.com/nabla-c0d3/sslyze [SSLyze Documentation]: https://nabla-c0d3.github.io/sslyze/documentation/ diff --git a/scanners/sslyze/templates/sslyze-parse-definition.yaml b/scanners/sslyze/templates/sslyze-parse-definition.yaml index ad27a3d54c..00b8eadcff 100644 --- a/scanners/sslyze/templates/sslyze-parse-definition.yaml +++ b/scanners/sslyze/templates/sslyze-parse-definition.yaml @@ -7,5 +7,5 @@ kind: ParseDefinition metadata: name: "sslyze-json" spec: - image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}" - ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }} + image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}" + ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }} diff --git a/scanners/sslyze/templates/sslyze-scan-type.yaml b/scanners/sslyze/templates/sslyze-scan-type.yaml index 47a6ca144a..923952a65a 100644 --- a/scanners/sslyze/templates/sslyze-scan-type.yaml +++ b/scanners/sslyze/templates/sslyze-scan-type.yaml 
@@ -12,30 +12,30 @@ spec: location: '/home/securecodebox/sslyze-results.json' jobTemplate: spec: - {{- if .Values.scannerJob.ttlSecondsAfterFinished }} - ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }} + {{- if .Values.scanner.ttlSecondsAfterFinished }} + ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }} {{- end }} - backoffLimit: {{ .Values.scannerJob.backoffLimit }} + backoffLimit: {{ .Values.scanner.backoffLimit }} template: spec: restartPolicy: OnFailure containers: - name: sslyze - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}" command: - 'sslyze' - '--json_out' - '/home/securecodebox/sslyze-results.json' resources: - {{- toYaml .Values.scannerJob.resources | nindent 16 }} + {{- toYaml .Values.scanner.resources | nindent 16 }} securityContext: - {{- toYaml .Values.scannerJob.securityContext | nindent 16 }} + {{- toYaml .Values.scanner.securityContext | nindent 16 }} env: - {{- toYaml .Values.scannerJob.env | nindent 16 }} + {{- toYaml .Values.scanner.env | nindent 16 }} volumeMounts: - {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }} - {{- if .Values.scannerJob.extraContainers }} - {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }} + {{- if .Values.scanner.extraContainers }} + {{- toYaml .Values.scanner.extraContainers | nindent 12 }} {{- end }} volumes: - {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }} + {{- toYaml .Values.scanner.extraVolumes | nindent 12 }} diff --git a/scanners/sslyze/values.yaml b/scanners/sslyze/values.yaml index 8e01b26b82..67a2e49ed7 100644 --- a/scanners/sslyze/values.yaml +++ b/scanners/sslyze/values.yaml 
@@ -2,31 +2,31 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: nablac0d3/sslyze - # image.tag -- defaults to the charts appVersion - tag: "latest@sha256:ff2c5c626401b1961736a5b2ae6e35a41d213e8b2712102100abf5ee46dcca71" - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-sslyze - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-sslyze + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: nablac0d3/sslyze + # scanner.image.tag -- defaults to the charts appVersion + tag: "latest@sha256:ff2c5c626401b1961736a5b2ae6e35a41d213e8b2712102100abf5ee46dcca71" + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
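Review bot: The new comment `# scanner.image.tag -- defaults to the charts appVersion` in the `scanner.image` section contradicts the value directly beneath it, which pins `latest@sha256:ff2c5c…`; with a non-null tag the `default .Chart.AppVersion` in the scan-type template never applies, and helm-docs will publish the misleading description in the README. Since the digest is what actually selects the image, say so: `# scanner.image.tag -- pinned to an image digest; set to null to fall back to the charts appVersion`. Pinning a third-party scanner image by digest is the right default, and the comment should make clear that overriding it with a floating tag gives that up.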
@@ -36,19 +36,19 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From 241e54c26bef706eab27abb02fe243dc1d607794 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:54:11 +0200 Subject: [PATCH 13/19] Test-scan: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/test-scan/README.md | 26 +++++------ .../templates/test-scan-parse-definition.yaml | 4 +- .../templates/test-scan-scan-type.yaml | 22 ++++----- scanners/test-scan/values.yaml | 45 +++++++++---------- 4 files changed, 48 insertions(+), 49 deletions(-) diff --git a/scanners/test-scan/README.md b/scanners/test-scan/README.md index 94835648c2..6362a77b90 100644 --- a/scanners/test-scan/README.md +++ b/scanners/test-scan/README.md 
@@ -12,16 +12,16 @@ It's rather unlikely that you'll need this outside of testing usecases, as it do | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.repository | string | `"docker.io/securecodebox/scanner-test-scan"` | | -| image.tag | string | `nil` | | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-test-scan"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-test-scan"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/securecodebox/scanner-test-scan"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
diff --git a/scanners/test-scan/templates/test-scan-parse-definition.yaml b/scanners/test-scan/templates/test-scan-parse-definition.yaml
index 7f07c9b5c0..51d39da8f1 100644
--- a/scanners/test-scan/templates/test-scan-parse-definition.yaml
+++ b/scanners/test-scan/templates/test-scan-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
 metadata:
 name: "test-txt"
 spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/test-scan/templates/test-scan-scan-type.yaml b/scanners/test-scan/templates/test-scan-scan-type.yaml
index ed070f3199..62cc4328e5 100644
--- a/scanners/test-scan/templates/test-scan-scan-type.yaml
+++ b/scanners/test-scan/templates/test-scan-scan-type.yaml
@@ -12,27 +12,27 @@ spec:
 location: "/home/securecodebox/hello-world.txt"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
 template:
 spec:
 restartPolicy: OnFailure
 containers:
 - name: test-scan
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.Version }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}"
 command: ["touch", "/home/securecodebox/hello-world.txt"]
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/test-scan/values.yaml b/scanners/test-scan/values.yaml
index 42d44ea1d3..a7c851075e 100644
--- a/scanners/test-scan/values.yaml
+++ b/scanners/test-scan/values.yaml
@@ -2,30 +2,29 @@ # # SPDX-License-Identifier: Apache-2.0 -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-test-scan - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -image: - repository: docker.io/securecodebox/scanner-test-scan - # image.tag - defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-test-scan + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/securecodebox/scanner-test-scan + # scanner.image.tag - defaults to the charts version + tag: null + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
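Review bot: The added comment `# scanner.image.tag - defaults to the charts version` uses a single dash where every other key in this file uses the helm-docs `--` separator, so the description is not picked up; the regenerated README in this same commit lists `scanner.image.tag` with an empty description column. Change it to `# scanner.image.tag -- defaults to the charts version` and regenerate the README. Unlike the sslyze and trivy values files in this series, there is also no blank line between `tag: null` and the following `ttlSecondsAfterFinished` comment in either the `parser` or the `scanner` section; adding one keeps the three charts consistent.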
@@ -35,17 +34,17 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} From 5fca6e44d569c0d7d24d38cd4ddea97a936a4447 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:56:39 +0200 Subject: [PATCH 14/19] Trivy: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/trivy/README.md | 26 +++++----- .../templates/trivy-parse-definition.yaml | 4 +- scanners/trivy/templates/trivy-scan-type.yaml | 22 ++++----- scanners/trivy/values.yaml | 48 +++++++++---------- 4 files changed, 50 insertions(+), 50 deletions(-) diff --git a/scanners/trivy/README.md b/scanners/trivy/README.md index 442b12e8f0..b3afd1bf65 100644 --- a/scanners/trivy/README.md +++ b/scanners/trivy/README.md 
@@ -37,16 +37,16 @@ The following security scan configuration example are based on the [Trivy Docume | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.repository | string | `"docker.io/aquasec/trivy"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts appVersion | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-trivy"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-trivy"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"docker.io/aquasec/trivy"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts appVersion | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
diff --git a/scanners/trivy/templates/trivy-parse-definition.yaml b/scanners/trivy/templates/trivy-parse-definition.yaml
index 220de4a2c3..09341ad393 100644
--- a/scanners/trivy/templates/trivy-parse-definition.yaml
+++ b/scanners/trivy/templates/trivy-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
 metadata:
 name: "trivy-json"
 spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/trivy/templates/trivy-scan-type.yaml b/scanners/trivy/templates/trivy-scan-type.yaml
index f4c4e9f65b..8085a35524 100644
--- a/scanners/trivy/templates/trivy-scan-type.yaml
+++ b/scanners/trivy/templates/trivy-scan-type.yaml
@@ -13,16 +13,16 @@ spec:
 location: "/home/securecodebox/trivy-results.json"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
 template:
 spec:
 restartPolicy: OnFailure
 containers:
 - name: trivy
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 command:
 - "trivy"
 # Suppress progress bar, as it pollutes non interactive terminal logs
@@ -32,15 +32,15 @@ spec:
 - "--output"
 - "/home/securecodebox/trivy-results.json"
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/trivy/values.yaml b/scanners/trivy/values.yaml
index cea52b8036..df0f068cb0 100644
--- a/scanners/trivy/values.yaml
+++ b/scanners/trivy/values.yaml
@@ -2,31 +2,31 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: docker.io/aquasec/trivy - # image.tag -- defaults to the charts appVersion - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-trivy - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-trivy + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: docker.io/aquasec/trivy + # scanner.image.tag -- defaults to the charts appVersion + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -36,17 +36,17 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} From a54f88a682af7ac30ebafd89bd045edbcb6ae491 Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 14:58:39 +0200 Subject: [PATCH 15/19] Wpscan: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/wpscan/README.md | 26 +++++----- .../templates/wpscan-parse-definition.yaml | 4 +- .../wpscan/templates/wpscan-scan-type.yaml | 22 ++++----- scanners/wpscan/values.yaml | 48 +++++++++---------- 4 files changed, 50 insertions(+), 50 deletions(-) diff --git a/scanners/wpscan/README.md b/scanners/wpscan/README.md index af5079951b..99d686a1ce 100644 --- a/scanners/wpscan/README.md +++ b/scanners/wpscan/README.md 
@@ -72,19 +72,19 @@ Incompatible choices (only one of each group/s can be used): | Key | Type | Default | Description | |-----|------|---------|-------------| -| image.repository | string | `"wpscanteam/wpscan"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts appVersion | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-wpscan"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-wpscan"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | `"wpscanteam/wpscan"` | Container Image to run the scan | +| scanner.image.tag | string | `nil` | defaults to the charts appVersion | +| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | +| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | +| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 [wpscan.io]: https://wpscan.io/
 [wpscan.org]: https://wpscan.org/
diff --git a/scanners/wpscan/templates/wpscan-parse-definition.yaml b/scanners/wpscan/templates/wpscan-parse-definition.yaml
index 2f6d700fec..8afecb5d01 100644
--- a/scanners/wpscan/templates/wpscan-parse-definition.yaml
+++ b/scanners/wpscan/templates/wpscan-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
 metadata:
 name: "wpscan-json"
 spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/wpscan/templates/wpscan-scan-type.yaml b/scanners/wpscan/templates/wpscan-scan-type.yaml
index eb835651d4..7b48e5acc7 100644
--- a/scanners/wpscan/templates/wpscan-scan-type.yaml
+++ b/scanners/wpscan/templates/wpscan-scan-type.yaml
@@ -12,16 +12,16 @@ spec:
 location: "/home/securecodebox/wpscan-results.json"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
 template:
 spec:
 restartPolicy: OnFailure
 containers:
 - name: wpscan
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 command:
 - "wpscan"
 - "-o"
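Review bot: Renaming `.Values.scannerJob.*` and `.Values.image.*` to `.Values.scanner.*` in this template (the same applies to the zap scan-type hunks further down and to both parse-definition hunks) silently disables any override a user still sets under the old keys, since Helm does not reject unknown values and the diffstat shows no values.schema.json being added. The most security-relevant case is `scannerJob.securityContext`: a hardened context set under the old key falls back to the chart default `{}` after upgrade with no error at install time. A fail-fast guard at the top of the template, `{{- if or .Values.scannerJob .Values.image .Values.parserImage .Values.parseJob }}{{ fail "values were renamed: use scanner.* and parser.*" }}{{- end }}`, or a values.schema.json that forbids the old top-level keys, would turn the silent fallback into a visible upgrade failure. The rename should also be called out in the chart's upgrade notes rather than only in the regenerated README table.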
@@ -29,15 +29,15 @@ spec:
 - "-f"
 - json
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/wpscan/values.yaml b/scanners/wpscan/values.yaml
index bed1019a6a..ca9beec707 100644
--- a/scanners/wpscan/values.yaml
+++ b/scanners/wpscan/values.yaml
@@ -2,31 +2,31 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: wpscanteam/wpscan - # image.tag -- defaults to the charts appVersion - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-wpscan - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-wpscan + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: wpscanteam/wpscan + # scanner.image.tag -- defaults to the charts appVersion + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -36,17 +36,17 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: [] - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: [] - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} From ba946421d7cb54001e4c11e4843655f5b32ed8af Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 15:01:26 +0200 Subject: [PATCH 16/19] Zap: refactor values according to new spec 
Signed-off-by: Jop Zitman --- scanners/zap/README.md | 28 ++++---- .../zap/templates/zap-parse-definition.yaml | 4 +- scanners/zap/templates/zap-scan-type.yaml | 68 +++++++++---------- scanners/zap/values.yaml | 49 +++++++------ 4 files changed, 74 insertions(+), 75 deletions(-) diff --git a/scanners/zap/README.md b/scanners/zap/README.md index aa2a3aae85..87c334ff91 100644 --- a/scanners/zap/README.md +++ b/scanners/zap/README.md 
@@ -63,17 +63,17 @@ Options: | Key | Type | Default | Description | |-----|------|---------|-------------| | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner | -| image.repository | string | `"owasp/zap2docker-stable"` | Container Image to run the scan | -| image.tag | string | `nil` | defaults to the charts appVersion | -| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | -| parserImage.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | -| parserImage.tag | string | defaults to the charts version | Parser image tag | -| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. 
(see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | -| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | -| scannerJob.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | -| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | -| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | -| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) | -| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) | -| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository | +| parser.image.tag | string | defaults to the charts version | Parser image tag | +| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ | +| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) | +| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) | +| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) | +| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) | +| scanner.extraVolumeMounts | list | `[{"mountPath":"/zap/wrk","name":"zap-workdir"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.extraVolumes | list | `[{"emptyDir":{},"name":"zap-workdir"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) | +| scanner.image.repository | string | 
`"owasp/zap2docker-stable"` | Container Image to run the scan |
+| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
diff --git a/scanners/zap/templates/zap-parse-definition.yaml b/scanners/zap/templates/zap-parse-definition.yaml
index 4326b75d9c..4ac9936526 100644
--- a/scanners/zap/templates/zap-parse-definition.yaml
+++ b/scanners/zap/templates/zap-parse-definition.yaml
@@ -7,5 +7,5 @@ kind: ParseDefinition
 metadata:
 name: "zap-xml"
 spec:
- image: "{{ .Values.parserImage.repository }}:{{ .Values.parserImage.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/zap/templates/zap-scan-type.yaml b/scanners/zap/templates/zap-scan-type.yaml
index 65f5054257..f2b4d07d56 100644
--- a/scanners/zap/templates/zap-scan-type.yaml
+++ b/scanners/zap/templates/zap-scan-type.yaml
@@ -12,16 +12,16 @@ spec:
 location: "/home/securecodebox/zap-results.xml"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
 template:
 spec:
 restartPolicy: Never
 containers:
 - name: zap-baseline-scan
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 command:
 - "zap-baseline.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
@@ -31,20 +31,20 @@ spec:
 # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
 - "../../home/securecodebox/zap-results.xml"
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 envFrom:
- {{- toYaml .Values.scannerJob.envFrom | nindent 16 }}
+ {{- toYaml .Values.scanner.envFrom | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
 ---
 apiVersion: "execution.securecodebox.io/v1"
 kind: ScanType
@@ -56,15 +56,15 @@ spec:
 location: "/home/securecodebox/zap-results.xml"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
 template:
 spec:
 restartPolicy: Never
 containers:
 - name: zap-api-scan
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 command:
 - "zap-api-scan.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
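Review bot: The `zap-api-scan` ScanType in the second hunk here renders `ttlSecondsAfterFinished` but no `backoffLimit`, and the `zap-full-scan` ScanType in the `@@ -99,15` hunk below has the same gap, whereas the `zap-baseline-scan` ScanType above does render `backoffLimit: {{ .Values.scanner.backoffLimit }}`. The README this commit regenerates documents `scanner.backoffLimit` as the retry limit for scan jobs without restricting it to the baseline scan, so for the api and full scans a user-set value is ignored and the Kubernetes default retry count applies, which presumably is not what a user lowering it expects. This predates the rename, but the rename touches every one of these lines, so it is the natural place to fix it: add `backoffLimit: {{ .Values.scanner.backoffLimit }}` after the `{{- end }}` in both ScanTypes so all three behave as documented.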
@@ -74,20 +74,20 @@ spec:
 # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
 - "../../home/securecodebox/zap-results.xml"
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 envFrom:
- {{- toYaml .Values.scannerJob.envFrom | nindent 16 }}
+ {{- toYaml .Values.scanner.envFrom | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
 ---
 apiVersion: "execution.securecodebox.io/v1"
 kind: ScanType
@@ -99,15 +99,15 @@ spec:
 location: "/home/securecodebox/zap-results.xml"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
 template:
 spec:
 restartPolicy: Never
 containers:
 - name: zap-full-scan
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.AppVersion }}"
 command:
 - "zap-full-scan.py"
 # Force Zap to always return a zero exit code. k8s would otherwise try to restart zap.
@@ -117,17 +117,17 @@ spec:
 # Hacky workaround: specify a relative path to the `/zap/wrk` base dir.
 - "../../home/securecodebox/zap-results.xml"
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 envFrom:
- {{- toYaml .Values.scannerJob.envFrom | nindent 16 }}
+ {{- toYaml .Values.scanner.envFrom | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/zap/values.yaml b/scanners/zap/values.yaml
index 0b7dd69de9..3069aa1562 100644
--- a/scanners/zap/values.yaml
+++ b/scanners/zap/values.yaml
@@ -2,31 +2,30 @@ # # SPDX-License-Identifier: Apache-2.0 -image: - # image.repository -- Container Image to run the scan - repository: owasp/zap2docker-stable - # image.tag -- defaults to the charts appVersion - tag: null - -parserImage: - # parserImage.repository -- Parser image repository - repository: docker.io/securecodebox/parser-zap - # parserImage.tag -- Parser image tag - # @default -- defaults to the charts version - tag: null - -parseJob: - # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +parser: + image: + # parser.image.repository -- Parser image repository + repository: docker.io/securecodebox/parser-zap + # parser.image.tag -- Parser image tag + # @default -- defaults to the charts version + tag: null + # parser.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null -scannerJob: - # scannerJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ +scanner: + image: + # scanner.image.repository -- Container Image to run the scan + repository: owasp/zap2docker-stable + # scanner.image.tag -- defaults to the charts appVersion + tag: null + + # scanner.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the scanner will be deleted. 
Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ ttlSecondsAfterFinished: null - # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) + # scanner.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) # @default -- 3 backoffLimit: 3 - # scannerJob.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) + # scanner.resources -- CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) resources: {} # resources: # requests: 
@@ -36,26 +35,26 @@ scannerJob: # memory: "512Mi" # cpu: "500m" - # scannerJob.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) + # scanner.env -- Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) env: [] - # scannerJob.envFrom -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) + # scanner.envFrom -- Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) envFrom: [] - # scannerJob.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumes -- Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumes: - name: zap-workdir emptyDir: {} - # scannerJob.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) + # scanner.extraVolumeMounts -- Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) extraVolumeMounts: - mountPath: /zap/wrk name: zap-workdir - # scannerJob.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) + # scanner.extraContainers -- Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) extraContainers: [] - # scannerJob.securityContext -- 
Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) + # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) securityContext: {} cascadingRules: From 58159f7be0e720897987f74892f9cf608a43897b Mon Sep 17 00:00:00 2001 From: Jop Zitman Date: Wed, 9 Jun 2021 15:07:24 +0200 Subject: [PATCH 17/19] Zap-advanced: refactor values according to new spec Signed-off-by: Jop Zitman --- scanners/zap-advanced/README.md | 33 +++++++++---------- .../zap-advanced-parse-definition.yaml | 4 +-- .../templates/zap-advanced-scan-type.yaml | 26 +++++++-------- scanners/zap-advanced/values.yaml | 11 +++---- 4 files changed, 35 insertions(+), 39 deletions(-) diff --git a/scanners/zap-advanced/README.md b/scanners/zap-advanced/README.md index 6524d7e810..e059dd4d68 100644 --- a/scanners/zap-advanced/README.md +++ b/scanners/zap-advanced/README.md 
@@ -461,23 +461,22 @@ optional arguments:
 |-----|------|---------|-------------|
 | cascadingRules | object | `{"enabled":true}` | Configurations regarding the cascading scan |
 | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
-| parseJob.backoffLimit | int | `3` | |
-| parseJob.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| parseJob.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository |
-| parseJob.image.tag | string | `nil` | Parser image tag |
-| parseJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
-| scannerJob.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
-| scannerJob.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
-| scannerJob.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
-| scannerJob.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
-| scannerJob.extraVolumeMounts | list | `[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.extraVolumes | list | `[{"configMap":{"name":"zap-advanced-scantype-config"},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
-| scannerJob.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
-| scannerJob.image.repository | string | `"docker.io/securecodebox/scanner-zap-advanced"` | Container Image to run the scan |
-| scannerJob.image.tag | string | `nil` | defaults to the charts appVersion |
-| scannerJob.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scannerJob.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
-| scannerJob.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| parser.image.repository | string | `"docker.io/securecodebox/parser-zap"` | Parser image repository |
+| parser.image.tag | string | `nil` | Parser image tag |
+| parser.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
+| scanner.backoffLimit | int | 3 | There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy) |
+| scanner.env | list | `[]` | Optional environment variables mapped into each scanJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
+| scanner.envFrom | list | `[]` | Optional mount environment variables from configMaps or secrets (see: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables) |
+| scanner.extraContainers | list | `[]` | Optional additional Containers started with each scanJob (see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) |
+| scanner.extraVolumeMounts | list | `[{"mountPath":"/home/securecodebox/configs/1-zap-advanced-scantype.yaml","name":"zap-advanced-scantype-config","readOnly":true,"subPath":"1-zap-advanced-scantype.yaml"}]` | Optional VolumeMounts mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.extraVolumes | list | `[{"configMap":{"name":"zap-advanced-scantype-config"},"name":"zap-advanced-scantype-config"},{"configMap":{"name":"zap-scripts-authentication"},"name":"zap-scripts-authentication"},{"configMap":{"name":"zap-scripts-session"},"name":"zap-scripts-session"}]` | Optional Volumes mapped into each scanJob (see: https://kubernetes.io/docs/concepts/storage/volumes/) |
+| scanner.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
+| scanner.image.repository | string | `"docker.io/securecodebox/scanner-zap-advanced"` | Container Image to run the scan |
+| scanner.image.tag | string | `nil` | defaults to the charts appVersion |
+| scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
+| scanner.securityContext | object | `{}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 | zapConfiguration | object | `{"global":{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}}` | All `scanType` specific configuration options. Feel free to add more configuration options. All configuration options can be overriden by scan specific configurations if defined. Please have a look into the README.md to find more configuration options. |
 | zapConfiguration.global | object | `{"addonInstall":["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"],"addonUpdate":true,"sessionName":"secureCodeBox"}` | Optional general ZAP Configurations settings. |
 | zapConfiguration.global.addonInstall | list | `["pscanrulesBeta","ascanrulesBeta","pscanrulesAlpha","ascanrulesAlpha"]` | Installs additional ZAP AddOns on startup, listed by their name: |
diff --git a/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml b/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml
index 0b112d4f7f..c31b682e01 100644
--- a/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml
+++ b/scanners/zap-advanced/templates/zap-advanced-parse-definition.yaml
@@ -9,5 +9,5 @@ metadata:
 labels:
 {{- include "zap.labels" . | nindent 4 }}
 spec:
- image: "{{ .Values.parseJob.image.repository }}:{{ .Values.parseJob.image.tag | default .Chart.Version }}"
- ttlSecondsAfterFinished: {{ .Values.parseJob.ttlSecondsAfterFinished }}
+ image: "{{ .Values.parser.image.repository }}:{{ .Values.parser.image.tag | default .Chart.Version }}"
+ ttlSecondsAfterFinished: {{ .Values.parser.ttlSecondsAfterFinished }}
diff --git a/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml b/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml
index 74625bbaf8..54a9e99217 100644
--- a/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml
+++ b/scanners/zap-advanced/templates/zap-advanced-scan-type.yaml
@@ -26,17 +26,17 @@ spec:
 location: "/home/securecodebox/results/zap-results.xml"
 jobTemplate:
 spec:
- {{- if .Values.scannerJob.ttlSecondsAfterFinished }}
- ttlSecondsAfterFinished: {{ .Values.scannerJob.ttlSecondsAfterFinished }}
+ {{- if .Values.scanner.ttlSecondsAfterFinished }}
+ ttlSecondsAfterFinished: {{ .Values.scanner.ttlSecondsAfterFinished }}
 {{- end }}
- backoffLimit: {{ .Values.scannerJob.backoffLimit }}
+ backoffLimit: {{ .Values.scanner.backoffLimit }}
 template:
 spec:
 restartPolicy: Never
 containers:
 - name: zap-advanced-scan
- image: "{{ .Values.scannerJob.image.repository }}:{{ .Values.scannerJob.image.tag | default .Chart.Version }}"
- imagePullPolicy: {{ .Values.scannerJob.image.pullPolicy }}
+ image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}"
+ imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
 command:
 - "python3"
 - "-m"
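Review bot: The renamed scanner image line still falls back to the chart version (`image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag | default .Chart.Version }}"`), while the README row regenerated in this same commit documents `scanner.image.tag` as "defaults to the charts appVersion", and the zap-sidecar container further down in this template uses `.Chart.AppVersion`. One of the two is stale; since the parser image in the parse-definition hunk above also keys off `.Chart.Version`, the documentation looks like the wrong side, and the values.yaml comment that feeds that README row (outside this hunk) should name the chart field that actually selects the image. This is worth pinning down because the tag decides which scanner build is pulled and run, and a reader trusting the README would look for a tag that is never used.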
@@ -52,17 +52,17 @@ spec:
 - "--output-folder"
 - "/home/securecodebox/results/"
 resources:
- {{- toYaml .Values.scannerJob.resources | nindent 16 }}
+ {{- toYaml .Values.scanner.resources | nindent 16 }}
 securityContext:
- {{- toYaml .Values.scannerJob.securityContext | nindent 16 }}
+ {{- toYaml .Values.scanner.securityContext | nindent 16 }}
 env:
- {{- toYaml .Values.scannerJob.env | nindent 16 }}
+ {{- toYaml .Values.scanner.env | nindent 16 }}
 envFrom:
- {{- toYaml .Values.scannerJob.envFrom | nindent 16 }}
+ {{- toYaml .Values.scanner.envFrom | nindent 16 }}
 volumeMounts:
- {{- toYaml .Values.scannerJob.extraVolumeMounts | nindent 16 }}
- {{- if .Values.scannerJob.extraContainers }}
- {{- toYaml .Values.scannerJob.extraContainers | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumeMounts | nindent 16 }}
+ {{- if .Values.scanner.extraContainers }}
+ {{- toYaml .Values.scanner.extraContainers | nindent 12 }}
 {{- end }}
 - name: zap-sidecar
 image: "{{ .Values.zapContainer.image.repository }}:{{ .Values.zapContainer.image.tag | default .Chart.AppVersion }}"
@@ -103,4 +103,4 @@ spec:
 ports:
 - containerPort: 8080
 volumes:
- {{- toYaml .Values.scannerJob.extraVolumes | nindent 12 }}
+ {{- toYaml .Values.scanner.extraVolumes | nindent 12 }}
diff --git a/scanners/zap-advanced/values.yaml b/scanners/zap-advanced/values.yaml
index c527831d4b..7e36928529 100644
--- a/scanners/zap-advanced/values.yaml
+++ b/scanners/zap-advanced/values.yaml
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-parseJob:
+parser:
 image:
 # -- Parser image repository
 repository: docker.io/securecodebox/parser-zap
@@ -12,13 +12,10 @@ parseJob:
 # -- Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
 pullPolicy: IfNotPresent
- # parseJob.ttlSecondsAfterFinished -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+ # -- seconds after which the kubernetes job for the parser will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
 ttlSecondsAfterFinished: null
- # scannerJob.backoffLimit -- There are situations where you want to fail a scan Job after some amount of retries due to a logical error in configuration etc. To do so, set backoffLimit to specify the number of retries before considering a scan Job as failed. (see: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy)
- # @default -- 3
- backoffLimit: 3
-scannerJob:
+scanner:
 image:
 # -- Container Image to run the scan
 repository: docker.io/securecodebox/scanner-zap-advanced
@@ -129,4 +126,4 @@ zapConfiguration:
 # -- Configurations regarding the cascading scan
 cascadingRules:
 # -- Enables or disables the installation of the default cascading rules for this scanner
- enabled: true
\ No newline at end of file
+ enabled: true
From db6d53eb604860e5b5c1685df9adaaccf99745d7 Mon Sep 17 00:00:00 2001
From: Jop Zitman
Date: Wed, 9 Jun 2021 15:17:40 +0200
Subject: [PATCH 18/19] Docs: update docs where old spec is referenced
Signed-off-by: Jop Zitman
---
 scanners/ncrack/README.md | 2 +-
 scanners/ncrack/README.md.gotmpl | 2 +-
 scanners/ncrack/examples/dummy-ssh/README.md | 2 +-
 scanners/nmap/README.md | 2 +-
 scanners/nmap/README.md.gotmpl | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
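Review bot: Dropping `backoffLimit: 3` together with its `# scannerJob.backoffLimit --` and `# @default -- 3` comments from under the parser block leaves nothing in this hunk that defines `scanner.backoffLimit`, yet the scan-type template changed in this commit still renders `backoffLimit: {{ .Values.scanner.backoffLimit }}` and the regenerated README still lists `scanner.backoffLimit | int | 3`. If a `backoffLimit: 3` entry already exists under the (now) `scanner:` block outside this hunk, the removal is just cleanup of a misplaced duplicate; if it does not, the Job renders an empty `backoffLimit:` and falls back to the Kubernetes default of six retries, a silent behavior change for misconfigured scans. The diffstat for values.yaml is consistent with either reading, so it is worth confirming with `helm template ./scanners/zap-advanced/ | grep backoffLimit` before merge.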
diff --git a/scanners/ncrack/README.md b/scanners/ncrack/README.md
index 71b9cceab7..7d240bcdc2 100644
--- a/scanners/ncrack/README.md
+++ b/scanners/ncrack/README.md
@@ -29,7 +29,7 @@ Before we can use the files, we have to install the Ncrack ScanType: ```bash cat < Date: Wed, 9 Jun 2021 15:26:05 +0200
Subject: [PATCH 19/19] CI: refactor scanner setting values
Signed-off-by: Jop Zitman
---
 .github/workflows/ci.yaml | 130 +++++++++++++++++++-------------------
 1 file changed, 65 insertions(+), 65 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e3a26372a4..187229d529 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -623,10 +623,10 @@ jobs:
 --set="attribute.name=severity" \
 --set="attribute.value=high"
 helm -n integration-tests install test-scan ./scanners/test-scan/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-test-scan" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-test-scan" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-test-scan" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-test-scan" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color generic/read-write-hook.test.js
 helm -n integration-tests uninstall test-scan update-category update-severity
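Review bot: The renamed `--set="scanner.image.tag=sha-$(git rev-parse --short HEAD)"` and `--set="parser.image.tag=…"` flags only take effect if every chart installed here has actually moved to the `scanner`/`parser` value paths; Helm does not reject an unknown `--set` key, so for any chart still reading `.Values.image.tag` or `.Values.parserImage.tag` the install would silently pull the published tag instead of this commit's `sha-…` build, and the integration test would pass against code it never exercised. The same concern applies to every other `--set` hunk in this file (the hooks, amass, gitleaks, kube-hunter, kubeaudit, ncrack, nikto, nmap, notification, ssh-scan, sslyze, wpscan, zap, zap-advanced and cascading-tests steps), so it is raised only once here. A cheap guard is to render once and assert the expected tag is present, e.g. `helm template test-scan ./scanners/test-scan/ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" | grep -q "sha-$(git rev-parse --short HEAD)"` before the `helm install`, which fails the job instead of testing the wrong image.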
@@ -636,10 +636,10 @@ jobs:
 - name: "Hooks (ReadOnly) Integration Tests"
 run: |
 helm -n integration-tests install test-scan ./scanners/test-scan/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-test-scan" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-test-scan" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-test-scan" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-test-scan" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)"
 helm -n integration-tests install http-webhook ./demo-apps/http-webhook
 helm -n integration-tests install ro-hook ./hooks/generic-webhook/ \
 --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/generic-webhook" \
@@ -675,8 +675,8 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install amass ./scanners/amass/ \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-amass" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-amass" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/amass.test.js
@@ -686,10 +686,10 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install gitleaks ./scanners/gitleaks/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-gitleaks" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-gitleaks" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-gitleaks" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-gitleaks" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/gitleaks.test.js
@@ -698,10 +698,10 @@ jobs:
 - name: "kube-hunter Integration Tests"
 run: |
 helm -n integration-tests install kube-hunter ./scanners/kube-hunter/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-kube-hunter" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-kube-hunter" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-kube-hunter" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-kube-hunter" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/kube-hunter.test.js
@@ -712,10 +712,10 @@ jobs:
 kubectl create namespace kubeaudit-tests
 helm -n kubeaudit-tests install juice-shop ./demo-apps/juice-shop/ --wait
 helm -n integration-tests install kubeaudit ./scanners/kubeaudit/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-kubeaudit" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-kubeaudit" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-kubeaudit" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-kubeaudit" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
 --set="kubeauditScope=cluster"
 cd tests/integration/
 npx jest --ci --color scanner/kubeaudit.test.js
@@ -727,10 +727,10 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install ncrack ./scanners/ncrack/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-ncrack" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-ncrack" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-ncrack" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-ncrack" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/ncrack.test.js
@@ -740,10 +740,10 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install nikto ./scanners/nikto/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nikto" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-nikto" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nikto" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-nikto" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/nikto.test.js
@@ -753,10 +753,10 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install nmap ./scanners/nmap/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nmap" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-nmap" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nmap" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-nmap" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/nmap.test.js
@@ -765,10 +765,10 @@ jobs:
 - name: "Notification Hook Tests"
 run: |
 helm -n integration-tests install test-scan ./scanners/test-scan/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-test-scan" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-test-scan" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-test-scan" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-test-scan" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)"
 helm -n integration-tests install http-webhook ./demo-apps/http-webhook --wait
 helm -n integration-tests install notification-hook ./hooks/notification-hook --values tests/integration/hooks/__testFiles__/notification-hook-values.yaml \
@@ -785,8 +785,8 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install ssh-scan ./scanners/ssh-scan/ \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-ssh-scan"
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-ssh-scan"
 cd tests/integration/
 npx jest --ci --color scanner/ssh-scan.test.js
@@ -796,8 +796,8 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install sslyze ./scanners/sslyze/ \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-sslyze"
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-sslyze"
 cd tests/integration/
 npx jest --ci --color scanner/sslyze.test.js
@@ -807,8 +807,8 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install wpscan ./scanners/wpscan/ \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-wpscan" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-wpscan" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 cd tests/integration/
 npx jest --ci --color scanner/wpscan.test.js
@@ -818,8 +818,8 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install zap ./scanners/zap/ \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-zap"
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-zap"
 cd tests/integration/
 npx jest --ci --color scanner/zap.test.js
@@ -831,10 +831,10 @@ jobs:
 run: |
 kubectl -n integration-tests delete scans --all
 helm -n integration-tests install zap-advanced ./scanners/zap-advanced/ \
- --set="parseJob.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-zap" \
- --set="parseJob.image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="scannerJob.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-zap-advanced" \
- --set="scannerJob.image.tag=sha-$(git rev-parse --short HEAD)"
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-zap" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-zap-advanced" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)"
 kubectl apply -f ./scanners/zap-advanced/examples/integration-tests/scantype-configMap.yaml -n integration-tests
 cd tests/integration/
 npx jest --ci --color scanner/zap-advanced.test.js
@@ -852,21 +852,21 @@ jobs:
 --set="image.tag=sha-$(git rev-parse --short HEAD)"
 # Install nmap
 helm -n cascading-tests install nmap ./scanners/nmap/ \
- --set="image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nmap" \
- --set="image.tag=sha-$(git rev-parse --short HEAD)" \
- --set="parserImage.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-nmap" \
- --set="parserImage.tag=sha-$(git rev-parse --short HEAD)"
+ --set="scanner.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/scanner-nmap" \
+ --set="scanner.image.tag=sha-$(git rev-parse --short HEAD)" \
+ --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-nmap" \
+ --set="parser.image.tag=sha-$(git rev-parse --short HEAD)"
 # Install ncrack
 printf "root\nadmin\n" > users.txt
 printf "THEPASSWORDYOUCREATED\n123456\npassword\n" > passwords.txt
 kubectl create secret generic --from-file users.txt --from-file passwords.txt ncrack-lists -n cascading-tests
 cat <