Compare commits
11 Commits
module-app
...
fix/kvrock
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
573d60c071 | ||
|
|
0b5f927034 | ||
|
|
605b862937 | ||
|
|
0110413528 | ||
|
|
0726d70b58 | ||
|
|
8abf6d8b65 | ||
|
|
b0f495c37a | ||
|
|
4e9b8d840d | ||
|
|
57579813de | ||
|
|
97dd238c44 | ||
|
|
3095530d0d |
@@ -318,7 +318,7 @@ spec:
|
||||
chown -R 1000:1000 /uploadstemp && \
|
||||
chown -R 1000:1000 /appdata
|
||||
- name: olares-app-init
|
||||
image: beclab/system-frontend:v1.6.15
|
||||
image: beclab/system-frontend:v1.6.16
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/sh
|
||||
|
||||
@@ -28,6 +28,7 @@ metadata:
|
||||
kubesphere.io/creator: '{{ .Values.user.name }}'
|
||||
labels:
|
||||
kubesphere.io/workspace: system-workspace
|
||||
openpolicyagent.org/webhook: ignore
|
||||
name: os-framework
|
||||
|
||||
---
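Review bot: The `openpolicyagent.org/webhook: ignore` label added to the os-framework namespace is a label-based opt-out from the admission policy, so any principal allowed to patch namespace labels can exempt a namespace the same way; it sits on top of the name-based exclusion list in the webhook's namespaceSelector further down this page, and the selector's label expression that would honor it is not visible here. Worth confirming that namespace `update`/`patch` is not granted to app-level service accounts and that the ValidatingWebhookConfiguration actually matches on this label. Since this namespace hosts containers that run as root (`runAsUser: 0`) and with `allowPrivilegeEscalation: true` elsewhere on this page, document the exemption inline, e.g. `openpolicyagent.org/webhook: ignore  # system namespace: exempt from untrusted-pod-check (see OPA webhook namespaceSelector)`.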
|
||||
@@ -38,6 +39,7 @@ metadata:
|
||||
kubesphere.io/creator: '{{ .Values.user.name }}'
|
||||
labels:
|
||||
kubesphere.io/workspace: system-workspace
|
||||
openpolicyagent.org/webhook: ignore
|
||||
name: os-protected
|
||||
|
||||
|
||||
|
||||
@@ -11,5 +11,5 @@ data:
|
||||
notification:
|
||||
endpoint: http://notification-manager-svc.kubesphere-monitoring-system.svc:19093
|
||||
terminal:
|
||||
image: alpine:3.14
|
||||
image: beclab/alpine:3.14
|
||||
timeout: 7200
|
||||
|
||||
@@ -180,7 +180,7 @@ spec:
|
||||
memory: 300Mi
|
||||
|
||||
- name: download-server
|
||||
image: "beclab/download-server:v0.1.14"
|
||||
image: "beclab/download-server:v0.1.15"
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
|
||||
@@ -210,7 +210,7 @@ spec:
|
||||
command:
|
||||
- /samba_share
|
||||
- name: files
|
||||
image: beclab/files-server:v0.2.134
|
||||
image: beclab/files-server:v0.2.135
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: true
|
||||
|
||||
@@ -240,7 +240,7 @@ spec:
|
||||
value: os_framework_search3
|
||||
containers:
|
||||
- name: search3
|
||||
image: beclab/search3:v0.0.79
|
||||
image: beclab/search3:v0.0.84
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
@@ -301,7 +301,7 @@ spec:
|
||||
priorityClassName: "system-cluster-critical"
|
||||
containers:
|
||||
- name: search3monitor
|
||||
image: beclab/search3monitor:v0.0.79
|
||||
image: beclab/search3monitor:v0.0.84
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 8081
|
||||
@@ -326,6 +326,8 @@ spec:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: metadata.namespace
|
||||
- name: LOG_FILE
|
||||
value: "true"
|
||||
- name: NATS_HOST
|
||||
value: nats.os-platform
|
||||
- name: NATS_PORT
|
||||
|
||||
@@ -44,7 +44,7 @@ spec:
|
||||
operator: Exists
|
||||
containers:
|
||||
- name: search3-validation
|
||||
image: beclab/search3validation:v0.0.79
|
||||
image: beclab/search3validation:v0.0.84
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 8443
|
||||
|
||||
@@ -26,7 +26,7 @@ spec:
|
||||
spec:
|
||||
containers:
|
||||
- name: provider-proxy
|
||||
image: beclab/provider-proxy:0.1.0
|
||||
image: beclab/provider-proxy:0.1.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- --logtostderr
|
||||
|
||||
@@ -82,7 +82,7 @@ spec:
|
||||
priorityClassName: "system-cluster-critical"
|
||||
containers:
|
||||
- name: system-server
|
||||
image: beclab/system-server:0.1.32
|
||||
image: beclab/system-server:0.1.33
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 80
|
||||
|
||||
@@ -23,7 +23,7 @@ output:
|
||||
-
|
||||
name: liangjw/kube-webhook-certgen:v1.1.1
|
||||
-
|
||||
name: alpine:3.14
|
||||
name: beclab/alpine:3.14
|
||||
-
|
||||
name: beclab/kube-rbac-proxy:0.19.0
|
||||
-
|
||||
|
||||
@@ -3,8 +3,8 @@ target: prebuilt
|
||||
output:
|
||||
containers:
|
||||
-
|
||||
name: apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com/apecloud/kubeblocks-tools:1.0.1
|
||||
name: beclab/apecloud-kubeblocks-tools:1.0.1
|
||||
-
|
||||
name: apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com/apecloud/kubeblocks:1.0.1
|
||||
name: beclab/apecloud-kubeblocks:1.0.1
|
||||
-
|
||||
name: beclab/kubeblock-addon-charts:v1.0.1
|
||||
|
||||
@@ -29,7 +29,7 @@ spec:
|
||||
runAsNonRoot: true
|
||||
initContainers: # only download tools image to local
|
||||
- name: tools
|
||||
image: apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com/apecloud/kubeblocks-tools:1.0.1
|
||||
image: beclab/apecloud-kubeblocks-tools:1.0.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/true
|
||||
@@ -61,7 +61,7 @@ spec:
|
||||
- name: KUBEBLOCKS_IMAGE_PULL_POLICY
|
||||
value: IfNotPresent
|
||||
- name: KUBEBLOCKS_TOOLS_IMAGE
|
||||
value: apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com/apecloud/kubeblocks-tools:1.0.1
|
||||
value: beclab/apecloud-kubeblocks-tools:1.0.1
|
||||
- name: KUBEBLOCKS_SERVICEACCOUNT_NAME
|
||||
value: kubeblocks
|
||||
- name: VOLUMESNAPSHOT_API_BETA
|
||||
@@ -98,7 +98,7 @@ spec:
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
image: apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com/apecloud/kubeblocks:1.0.1
|
||||
image: beclab/apecloud-kubeblocks:1.0.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- name: webhook-server
|
||||
@@ -231,7 +231,7 @@ spec:
|
||||
restartPolicy: Never
|
||||
containers:
|
||||
- name: pre-upgrade-job
|
||||
image: apecloud-registry.cn-zhangjiakou.cr.aliyuncs.com/apecloud/kubeblocks-tools:1.0.1
|
||||
image: beclab/apecloud-kubeblocks-tools:1.0.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- sh
|
||||
|
||||
@@ -72,6 +72,14 @@ spec:
|
||||
name: opa
|
||||
spec:
|
||||
serviceAccountName: opa-sa
|
||||
priorityClassName: "system-cluster-critical"
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
containers:
|
||||
- name: opa
|
||||
image: openpolicyagent/opa:1.11.0
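Review bot: The new `requiredDuringSchedulingIgnoredDuringExecution` affinity on `node-role.kubernetes.io/control-plane` makes the OPA admission webhook unschedulable on clusters whose control-plane nodes only carry the legacy `node-role.kubernetes.io/master` label, and it still needs a matching toleration for the control-plane `NoSchedule` taint, which is not visible in this hunk. If the ValidatingWebhookConfiguration uses `failurePolicy: Fail`, an unschedulable webhook pod blocks pod admission in every non-exempt namespace; with `Ignore` it silently disables the policy instead. Suggest adding a second `- matchExpressions:` entry under `nodeSelectorTerms` with `- key: node-role.kubernetes.io/master` / `operator: Exists` (terms are ORed) and verifying the `tolerations` block alongside. The Deployment's pod spec continues outside the hunk.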
|
||||
@@ -120,6 +128,7 @@ webhooks:
|
||||
- os-network
|
||||
- os-platform
|
||||
- os-protected
|
||||
- kubesphere-controls-system
|
||||
- key: bytetrade.io/ns-type
|
||||
operator: NotIn
|
||||
values:
|
||||
@@ -160,12 +169,79 @@ metadata:
|
||||
data:
|
||||
main: |
|
||||
package system
|
||||
|
||||
default uid := ""
|
||||
uid := input.request.uid
|
||||
|
||||
main = {
|
||||
import data.kubernetes.admission
|
||||
|
||||
main := {
|
||||
"apiVersion": "admission.k8s.io/v1",
|
||||
"kind": "AdmissionReview",
|
||||
"response": {"allowed": true, "uid": uid},
|
||||
"response": response,
|
||||
}
|
||||
|
||||
default uid := ""
|
||||
|
||||
uid := input.request.uid
|
||||
|
||||
response := {
|
||||
"allowed": false,
|
||||
"uid": uid,
|
||||
"status": {"message": reason},
|
||||
} if {
|
||||
reason := concat(", ", admission.deny)
|
||||
reason != ""
|
||||
}
|
||||
else := {"allowed": true, "uid": uid}
|
||||
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: untrusted-pod-check
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
openpolicyagent.org/policy: rego
|
||||
data:
|
||||
main: |
|
||||
package kubernetes.admission
|
||||
|
||||
deny contains msg if {
|
||||
some container
|
||||
input_containers[container]
|
||||
not startswith(container.image, "beclab/")
|
||||
|
||||
is_root_user(container.securityContext)
|
||||
|
||||
msg := sprintf("Container '%s' uses an untrusted image registry and is configured to run as root user (UID 0) or privileged. This is not allowed.", [container.name])
|
||||
}
|
||||
|
||||
deny contains msg if {
|
||||
some container
|
||||
input_containers[container]
|
||||
not startswith(container.image, "beclab/")
|
||||
not startswith(container.image, "docker.io/beclab/")
|
||||
|
||||
is_root_user(input.request.object.spec.securityContext)
|
||||
|
||||
msg := sprintf("Pod '%s' uses an untrusted image registry and is configured to run as root user (UID 0) or privileged. This is not allowed.", [input.request.object.metadata.name])
|
||||
}
|
||||
|
||||
input_containers contains container if {
|
||||
container := input.request.object.spec.containers[_]
|
||||
}
|
||||
|
||||
input_containers contains container if {
|
||||
container := input.request.object.spec.initContainers[_]
|
||||
}
|
||||
|
||||
is_root_user(ctx) if {
|
||||
ctx.runAsNonRoot == false
|
||||
}
|
||||
|
||||
is_root_user(ctx) if {
|
||||
ctx.runAsUser == 0
|
||||
}
|
||||
|
||||
is_root_user(ctx) if {
|
||||
ctx.privileged == true
|
||||
}
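Review bot: The two `deny` rules in untrusted-pod-check use different trust prefixes — the container-level rule accepts only `beclab/` while the pod-level rule also accepts `docker.io/beclab/` — so an image written as `docker.io/beclab/...` with `runAsUser: 0` in its own securityContext is rejected while the same root setting at pod level is allowed. The larger gap is that a non-`beclab/` container with no securityContext at either level passes both rules even though it then runs as whatever `USER` the image declares, which is root for most images; the policy only catches explicit `runAsUser: 0`, `runAsNonRoot: false` or `privileged: true`. `ephemeralContainers` (kubectl debug) are also absent from `input_containers`, which matters if the webhook rules cover the ephemeralcontainers subresource. Trust is a plain string-prefix check on the tag, so retagged third-party images such as `beclab/alpine:3.14` elsewhere on this page inherit trust with no digest pin. A shared `trusted_image` helper and a default-root rule would close the first two points; whether to deny by default is a product decision since it will reject existing charts that omit securityContext.

```rego
trusted_image(image) if startswith(image, "beclab/")
trusted_image(image) if startswith(image, "docker.io/beclab/")

deny contains msg if {
    some container
    input_containers[container]
    not trusted_image(container.image)
    is_root_user(object.get(container, "securityContext", {}))
    # … unchanged: msg := sprintf("Container '%s' uses an untrusted image registry ...") …
}

deny contains msg if {
    some container
    input_containers[container]
    not trusted_image(container.image)
    is_root_user(object.get(input.request.object.spec, "securityContext", {}))
    # … unchanged: msg := sprintf("Pod '%s' uses an untrusted image registry ...") …
}

# Untrusted image with no non-root declaration at either level: the image's
# own USER decides the uid, which is root for most images.
deny contains msg if {
    some container
    input_containers[container]
    not trusted_image(container.image)
    not declares_non_root(object.get(container, "securityContext", {}))
    not declares_non_root(object.get(input.request.object.spec, "securityContext", {}))
    msg := sprintf("Container '%s' uses an untrusted image registry and does not declare runAsNonRoot: true or a non-zero runAsUser. This is not allowed.", [container.name])
}

input_containers contains container if {
    container := input.request.object.spec.ephemeralContainers[_]
}

# … unchanged: containers/initContainers input_containers rules and is_root_user …

declares_non_root(ctx) if ctx.runAsNonRoot == true
declares_non_root(ctx) if ctx.runAsUser > 0
```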
|
||||
|
||||
|
||||
@@ -3,7 +3,7 @@ target: prebuilt
|
||||
output:
|
||||
containers:
|
||||
-
|
||||
name: beclab/kvrocks:0.1.0
|
||||
name: beclab/kvrocks:0.1.1
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -57,7 +57,7 @@ spec:
|
||||
path: '{{ $dbbackup_rootpath }}/pg_backup'
|
||||
containers:
|
||||
- name: operator-api
|
||||
image: beclab/middleware-operator:0.2.22
|
||||
image: beclab/middleware-operator:0.2.28
|
||||
imagePullPolicy: IfNotPresent
|
||||
ports:
|
||||
- containerPort: 9080
|
||||
|
||||
@@ -64,7 +64,7 @@ spec:
|
||||
kvrocks:
|
||||
owner: system
|
||||
backupStorage: '{{ $redix_backuppath }}/kvrocks_backup'
|
||||
image: beclab/kvrocks:0.1.0
|
||||
image: beclab/kvrocks:0.1.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
password:
|
||||
valueFrom:
|
||||
|
||||