From 50ae83cb3998bcf92d9bf5ad39027c64b17c32cf Mon Sep 17 00:00:00 2001
From: Smaine Kahlouch
Date: Fri, 14 Jun 2024 09:39:44 +0200
Subject: [PATCH] feat(ci): add dagger yamllint and kubeconform tasks
---
 .github/workflows/dagger.yaml | 36 ++
 .github/workflows/manifests.yaml | 23 -
 .github/workflows/pr-agent.yaml | 2 +-
 .yamllint | 14 +
 scripts/validate.sh | 66 ---
 security/base/epis/cert-manager.yaml | 64 +--
 security/base/epis/external-dns.yaml | 68 +--
 security/base/epis/external-secrets.yaml | 52 +-
 security/base/epis/harbor.yaml | 70 +--
 .../base/epis/load-balancer-controller.yaml | 502 +++++++++---------
 security/base/epis/loki.yaml | 68 +--
 security/base/epis/vault-snapshot.yaml | 88 +--
 .../base/kyverno/helmrelease-controller.yaml | 2 +-
 taskfile.yaml | 6 +-
 14 files changed, 509 insertions(+), 552 deletions(-)
 create mode 100644 .github/workflows/dagger.yaml
 delete mode 100644 .github/workflows/manifests.yaml
 create mode 100644 .yamllint
 delete mode 100755 scripts/validate.sh
diff --git a/.github/workflows/dagger.yaml b/.github/workflows/dagger.yaml
new file mode 100644
index 00000000..3e9812c6
--- /dev/null
+++ b/.github/workflows/dagger.yaml
@@ -0,0 +1,36 @@
+name: dagger
+on:
+ push:
+ branches: ["*"]
+
+jobs:
+ build:
+ name: build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # - name: Yaml lint
+ # uses: dagger/dagger-for-github@v5
+ # with:
+ # version: "latest"
+ # verb: call
+ # module: github.com/tsirysndr/daggerverse/yamllint
+ # args: lint --src .
+
+ - name: Validate Flux clusters manifests
+ uses: dagger/dagger-for-github@v5
+ with:
+ version: "latest"
+ verb: call
+ module: github.com/Smana/daggerverse/kubeconform@kubeconform/v0.0.4
+ args: validate --manifests "./clusters" --catalog
+
+ - name: Validate Kubernetes manifests (Kustomize directories)
+ uses: dagger/dagger-for-github@v5
+ with:
+ version: "latest"
+ verb: call
+ module: github.com/Smana/daggerverse/kubeconform@kubeconform/v0.0.4
+ args: validate --manifests "." --kustomize --flux --env="cluster_name:foobar,region:eu-west-3,domain_name:example.com" --catalog --crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd
diff --git a/.github/workflows/manifests.yaml b/.github/workflows/manifests.yaml
deleted file mode 100644
index 8c882f12..00000000
--- a/.github/workflows/manifests.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: manifests
-
-on:
- workflow_dispatch:
- pull_request:
- push:
- branches: [ '*' ]
- tags-ignore: [ '*' ]
-
-jobs:
- validate:
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- - name: Setup yq
- uses: fluxcd/pkg/actions/yq@main
- - name: Setup kubeconform
- uses: fluxcd/pkg/actions/kubeconform@main
- - name: Setup kustomize
- uses: fluxcd/pkg/actions/kustomize@main
- - name: Validate manifests
- run: ./scripts/validate.sh
\ No newline at end of file
diff --git a/.github/workflows/pr-agent.yaml b/.github/workflows/pr-agent.yaml
index d2ecd142..ec7ef893 100644
--- a/.github/workflows/pr-agent.yaml
+++ b/.github/workflows/pr-agent.yaml
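Review bot: The new workflow has no `permissions:` block, so the job receives the repository's default GITHUB_TOKEN grant although the two dagger steps only need to read the checkout; add `permissions:` / `  contents: read` at the top level, next to `on:`. The trigger also validates less than before: the deleted manifests.yaml ran on `pull_request` and `workflow_dispatch`, while this file only fires on `push`, so a pull request from a fork is never checked, and `branches: ["*"]` does not match branch names containing `/` (`"**"` would). `version: "latest"` for the dagger CLI and `--crds https://github.com/kubernetes-sigs/gateway-api/tree/main/config/crd` both float, so a run can start failing or passing with no change in this repository; pin the CLI version and a gateway-api release tag. The Yaml lint step is left commented out even though the same commit adds `.yamllint`, so the linter is not enforced in CI yet.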
@@ -15,4 +15,4 @@ jobs:
 uses: Codium-ai/pr-agent@main
 env:
 OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 00000000..d1cc53a2
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,14 @@
+---
+extends: default
+
+rules:
+ comments-indentation:
+ level: error
+ indentation:
+ indent-sequences: consistent
+ spaces: 2
+ check-multi-line-strings: false
+ line-length: disable
+ document-start: disable
+ comments: disable
+ truthy: disable
diff --git a/scripts/validate.sh b/scripts/validate.sh
deleted file mode 100755
index 7e216850..00000000
--- a/scripts/validate.sh
+++ /dev/null
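Review bot: `truthy: disable` on the last line of the .yamllint hunk turns the rule off for every file, which also silences the check that flags `yes`/`no`/`on`/`off` values being read as booleans; the rule can exempt keys on its own, which covers the GitHub Actions `on:` key that usually motivates disabling it. Replace the last line with `truthy:` / `  allowed-values: ["true", "false"]` / `  check-keys: false` so ambiguous scalar values are still reported while workflow files pass. With `comments: disable` next to `comments-indentation: level: error`, only the position of comments is checked, not the `# ` spacing; confirm that is intended rather than a side effect of silencing the default rule set.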
@@ -1,66 +0,0 @@ -#!/usr/bin/env bash - -# This script downloads the Flux OpenAPI schemas, then it validates the -# Flux custom resources and the kustomize overlays using kubeconform. -# This script is meant to be run locally and in CI before the changes -# are merged on the main branch that's synced by Flux. - -# Copyright 2023 The Flux authors. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Prerequisites -# - yq v4.34 -# - kustomize v5.0 -# - kubeconform v0.6 - -set -o errexit -set -o pipefail - -# mirror kustomize-controller build options -kustomize_flags=("--load-restrictor=LoadRestrictionsNone") -kustomize_config="kustomization.yaml" - -# skip Kubernetes Secrets due to SOPS fields failing validation -kubeconform_flags=("-skip=Secret") -kubeconform_config=("-strict" "-ignore-missing-schemas" "-schema-location" "default" "-schema-location" "/tmp/flux-crd-schemas" "-verbose") - -echo "INFO - Downloading Flux OpenAPI schemas" -mkdir -p /tmp/flux-crd-schemas/master-standalone-strict -curl -sL https://github.com/fluxcd/flux2/releases/latest/download/crd-schemas.tar.gz | tar zxf - -C /tmp/flux-crd-schemas/master-standalone-strict - -find . 
-type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; - do - echo "INFO - Validating $file" - yq e 'true' "$file" > /dev/null -done - -echo "INFO - Validating clusters" -find ./clusters -maxdepth 2 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file; - do - kubeconform "${kubeconform_flags[@]}" "${kubeconform_config[@]}" "${file}" - if [[ ${PIPESTATUS[0]} != 0 ]]; then - exit 1 - fi -done - -echo "INFO - Validating kustomize overlays" -find . -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file; - do - echo "INFO - Validating kustomization ${file/%$kustomize_config}" - kustomize build "${file/%$kustomize_config}" "${kustomize_flags[@]}" | \ - kubeconform "${kubeconform_flags[@]}" "${kubeconform_config[@]}" - if [[ ${PIPESTATUS[0]} != 0 ]]; then - exit 1 - fi -done diff --git a/security/base/epis/cert-manager.yaml b/security/base/epis/cert-manager.yaml index 8747cda3..6e70c9e2 100644 --- a/security/base/epis/cert-manager.yaml +++ b/security/base/epis/cert-manager.yaml 
@@ -1,36 +1,36 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-cert-manager-${cluster_name} - namespace: security + name: xplane-cert-manager-${cluster_name} + namespace: security spec: - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: cert-manager - namespace: security - # Reference: https://cert-manager.io/docs/configuration/acme/dns01/route53/ - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": "route53:GetChange", - "Resource": "arn:aws:route53:::change/*" - }, - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets", - "route53:ListResourceRecordSets" - ], - "Resource": "arn:aws:route53:::hostedzone/*" - }, - { - "Effect": "Allow", - "Action": "route53:ListHostedZonesByName", - "Resource": "*" - } - ] - } + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: cert-manager + namespace: security + # Reference: https://cert-manager.io/docs/configuration/acme/dns01/route53/ + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "route53:GetChange", + "Resource": "arn:aws:route53:::change/*" + }, + { + "Effect": "Allow", + "Action": [ + "route53:ChangeResourceRecordSets", + "route53:ListResourceRecordSets" + ], + "Resource": "arn:aws:route53:::hostedzone/*" + }, + { + "Effect": "Allow", + "Action": "route53:ListHostedZonesByName", + "Resource": "*" + } + ] + } diff --git a/security/base/epis/external-dns.yaml b/security/base/epis/external-dns.yaml index ed30fde1..7cdfa6f2 100644 --- a/security/base/epis/external-dns.yaml +++ b/security/base/epis/external-dns.yaml 
@@ -1,38 +1,38 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-external-dns-${cluster_name} - namespace: kube-system + name: xplane-external-dns-${cluster_name} + namespace: kube-system spec: - deletionPolicy: Delete - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: external-dns - namespace: kube-system - # Reference: https://kubernetes-sigs.github.io/external-dns/v0.13.4/tutorials/aws/#iam-policy - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "route53:ChangeResourceRecordSets" - ], - "Resource": [ - "arn:aws:route53:::hostedzone/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "route53:ListHostedZones", - "route53:ListResourceRecordSets" - ], - "Resource": [ - "*" - ] - } - ] - } + deletionPolicy: Delete + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: external-dns + namespace: kube-system + # Reference: https://kubernetes-sigs.github.io/external-dns/v0.13.4/tutorials/aws/#iam-policy + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "route53:ChangeResourceRecordSets" + ], + "Resource": [ + "arn:aws:route53:::hostedzone/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "route53:ListHostedZones", + "route53:ListResourceRecordSets" + ], + "Resource": [ + "*" + ] + } + ] + } diff --git a/security/base/epis/external-secrets.yaml b/security/base/epis/external-secrets.yaml index 2975d748..9b07d573 100644 --- a/security/base/epis/external-secrets.yaml +++ b/security/base/epis/external-secrets.yaml 
@@ -1,30 +1,30 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-external-secrets-${cluster_name} - namespace: security + name: xplane-external-secrets-${cluster_name} + namespace: security spec: - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: external-secrets - namespace: security - # Reference: https://github.com/external-secrets/external-secrets/blob/main/terraform/aws/modules/cluster/irsa.tf - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetResourcePolicy", - "secretsmanager:GetSecretValue", - "secretsmanager:DescribeSecret", - "secretsmanager:ListSecretVersionIds" - ], - "Resource": [ - "*" - ] - } - ] - } + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: external-secrets + namespace: security + # Reference: https://github.com/external-secrets/external-secrets/blob/main/terraform/aws/modules/cluster/irsa.tf + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetResourcePolicy", + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret", + "secretsmanager:ListSecretVersionIds" + ], + "Resource": [ + "*" + ] + } + ] + } diff --git a/security/base/epis/harbor.yaml b/security/base/epis/harbor.yaml index f5ca03e9..b8ddd96a 100644 --- a/security/base/epis/harbor.yaml +++ b/security/base/epis/harbor.yaml 
@@ -1,39 +1,39 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-harbor-${cluster_name} - namespace: tooling + name: xplane-harbor-${cluster_name} + namespace: tooling spec: - deletionPolicy: Delete - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: harbor - namespace: tooling - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::${region}-ogenki-harbor", - "arn:aws:s3:::${region}-ogenki-harbor/*" - ] - }, - { - "Sid": "WritePermissions", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:DeleteObject" - ], - "Resource": "arn:aws:s3:::${region}-ogenki-harbor/*" - } - ] - } + deletionPolicy: Delete + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: harbor + namespace: tooling + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ReadPermissions", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::${region}-ogenki-harbor", + "arn:aws:s3:::${region}-ogenki-harbor/*" + ] + }, + { + "Sid": "WritePermissions", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:DeleteObject" + ], + "Resource": "arn:aws:s3:::${region}-ogenki-harbor/*" + } + ] + } diff --git a/security/base/epis/load-balancer-controller.yaml b/security/base/epis/load-balancer-controller.yaml index 45eefaec..ed0438ac 100644 --- a/security/base/epis/load-balancer-controller.yaml +++ b/security/base/epis/load-balancer-controller.yaml 
@@ -1,255 +1,255 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-loadbalancer-controller-${cluster_name} - namespace: kube-system + name: xplane-loadbalancer-controller-${cluster_name} + namespace: kube-system spec: - deletionPolicy: Delete - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: load-balancer-controller - namespace: kube-system - # Reference: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:CreateServiceLinkedRole" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInternetGateways", - "ec2:DescribeVpcs", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:DescribeInstances", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeTags", - "ec2:GetCoipPoolUsage", - "ec2:DescribeCoipPools", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeListenerCertificates", - "elasticloadbalancing:DescribeSSLPolicies", - "elasticloadbalancing:DescribeRules", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTags" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "cognito-idp:DescribeUserPoolClient", - "acm:ListCertificates", - "acm:DescribeCertificate", - "iam:ListServerCertificates", - "iam:GetServerCertificate", - "waf-regional:GetWebACL", - "waf-regional:GetWebACLForResource", - 
"waf-regional:AssociateWebACL", - "waf-regional:DisassociateWebACL", - "wafv2:GetWebACL", - "wafv2:GetWebACLForResource", - "wafv2:AssociateWebACL", - "wafv2:DisassociateWebACL", - "shield:GetSubscriptionState", - "shield:DescribeProtection", - "shield:CreateProtection", - "shield:DeleteProtection" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateSecurityGroup" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*", - "Condition": { - "StringEquals": { - "ec2:CreateAction": "CreateSecurityGroup" - }, - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags", - "ec2:DeleteTags" - ], - "Resource": "arn:aws:ec2:*:*:security-group/*", - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:RevokeSecurityGroupIngress", - "ec2:DeleteSecurityGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateTargetGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:CreateRule", - "elasticloadbalancing:DeleteRule" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource": [ - 
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition": { - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "true", - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags", - "elasticloadbalancing:RemoveTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", - "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetSubnets", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:DeleteTargetGroup" - ], - "Resource": "*", - "Condition": { - "Null": { - "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:AddTags" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", - "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" - ], - "Condition": { - "StringEquals": { - "elasticloadbalancing:CreateAction": [ - "CreateTargetGroup", - "CreateLoadBalancer" - ] - }, - "Null": { - "aws:RequestTag/elbv2.k8s.aws/cluster": "false" - } - } - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets" - ], - "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" - }, - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:SetWebAcl", - 
"elasticloadbalancing:ModifyListener", - "elasticloadbalancing:AddListenerCertificates", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:ModifyRule" - ], - "Resource": "*" - } - ] - } + deletionPolicy: Delete + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: load-balancer-controller + namespace: kube-system + # Reference: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iam:CreateServiceLinkedRole" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribeVpcs", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeTags", + "ec2:GetCoipPoolUsage", + "ec2:DescribeCoipPools", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:DescribeSSLPolicies", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:DescribeTags" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "cognito-idp:DescribeUserPoolClient", + "acm:ListCertificates", + "acm:DescribeCertificate", + "iam:ListServerCertificates", + "iam:GetServerCertificate", + "waf-regional:GetWebACL", + "waf-regional:GetWebACLForResource", + "waf-regional:AssociateWebACL", + 
"waf-regional:DisassociateWebACL", + "wafv2:GetWebACL", + "wafv2:GetWebACLForResource", + "wafv2:AssociateWebACL", + "wafv2:DisassociateWebACL", + "shield:GetSubscriptionState", + "shield:DescribeProtection", + "shield:CreateProtection", + "shield:DeleteProtection" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": "CreateSecurityGroup" + }, + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress", + "ec2:DeleteSecurityGroup" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:DeleteRule" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + 
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ], + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:DeleteTargetGroup" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ], + "Condition": { + "StringEquals": { + "elasticloadbalancing:CreateAction": [ + "CreateTargetGroup", + "CreateLoadBalancer" + ] + }, + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:DeregisterTargets" + ], + "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:SetWebAcl", + "elasticloadbalancing:ModifyListener", + 
"elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:ModifyRule" + ], + "Resource": "*" + } + ] + } diff --git a/security/base/epis/loki.yaml b/security/base/epis/loki.yaml index 9569c312..428d5816 100644 --- a/security/base/epis/loki.yaml +++ b/security/base/epis/loki.yaml @@ -1,38 +1,38 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-loki-${cluster_name} - namespace: observability + name: xplane-loki-${cluster_name} + namespace: observability spec: - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: loki - namespace: observability - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::${region}-ogenki-loki", - "arn:aws:s3:::${region}-ogenki-loki/*" - ] - }, - { - "Sid": "WritePermissions", - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:DeleteObject" - ], - "Resource": "arn:aws:s3:::${region}-ogenki-loki/*" - } - ] - } + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: loki + namespace: observability + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ReadPermissions", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::${region}-ogenki-loki", + "arn:aws:s3:::${region}-ogenki-loki/*" + ] + }, + { + "Sid": "WritePermissions", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:DeleteObject" + ], + "Resource": "arn:aws:s3:::${region}-ogenki-loki/*" + } + ] + } diff --git a/security/base/epis/vault-snapshot.yaml b/security/base/epis/vault-snapshot.yaml index 5cf2ab3f..3faf6461 100644 --- a/security/base/epis/vault-snapshot.yaml +++ b/security/base/epis/vault-snapshot.yaml 
@@ -1,48 +1,48 @@ apiVersion: cloud.ogenki.io/v1alpha1 kind: EPI metadata: - name: xplane-vault-snapshot-${cluster_name} - namespace: security + name: xplane-vault-snapshot-${cluster_name} + namespace: security spec: - parameters: - clusterName: ${cluster_name} - serviceAccount: - name: vault-snapshot - namespace: security - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadPermissions", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucket" - ], - "Resource": [ - "arn:aws:s3:::${region}-ogenki-vault-snapshot", - "arn:aws:s3:::${region}-ogenki-vault-snapshot/*" - ] - }, - { - "Sid": "WritePermissions", - "Effect": "Allow", - "Action": [ - "s3:PutObject" - ], - "Resource": "arn:aws:s3:::${region}-ogenki-vault-snapshot/*" - }, - { - "Sid": "AllowKMSUsage", - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*" - ], - "Resource": "*" - } - ] - } + parameters: + clusterName: ${cluster_name} + serviceAccount: + name: vault-snapshot + namespace: security + policyDocument: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ReadPermissions", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::${region}-ogenki-vault-snapshot", + "arn:aws:s3:::${region}-ogenki-vault-snapshot/*" + ] + }, + { + "Sid": "WritePermissions", + "Effect": "Allow", + "Action": [ + "s3:PutObject" + ], + "Resource": "arn:aws:s3:::${region}-ogenki-vault-snapshot/*" + }, + { + "Sid": "AllowKMSUsage", + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*" + ], + "Resource": "*" + } + ] + } diff --git a/security/base/kyverno/helmrelease-controller.yaml b/security/base/kyverno/helmrelease-controller.yaml index 10d358d4..0483b218 100644 --- a/security/base/kyverno/helmrelease-controller.yaml +++ b/security/base/kyverno/helmrelease-controller.yaml 
@@ -21,4 +21,4 @@ spec:
 fullnameOverride: kyverno
 crds:
 install: false
- # Need to set at least resources limits in a near future
+# Need to set at least resources limits in a near future
diff --git a/taskfile.yaml b/taskfile.yaml
index 1c09c423..79c71348 100644
--- a/taskfile.yaml
+++ b/taskfile.yaml
@@ -18,12 +18,8 @@ tasks:
 pre-commit:
 deps: [clean]
 cmds:
- - defer: { task: clean }
+ - defer: {task: clean}
 - |
 USERID=$(id -u)
 GROUPID=$(id -g)
 docker run -e "USER=${USERID}:${GROUPID}" -v {{.USER_WORKING_DIR}}:/lint -w /lint $DOCKER_IMG:$DOCKER_TAG run -a
-
- flux-validate:
- cmds:
- - ./scripts/validate.sh