KropCloud/cert-manager-webhook-example
1
0
Fork 1
mirror of https://github.com/cert-manager/webhook-example.git synced 2025-07-02 23:05:48 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat: misc security improvements

Browse source
This commit is contained in:
James Reeve 2023-12-16 09:20:52 -05:00
parent 9420237c3c
commit 9e0ffef4a1
No known key found for this signature in database
6 changed files with 80 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Dockerfile
View file

@ -17,8 +17,12 @@ RUN CGO_ENABLED=0 go build -o webhook -ldflags '-w -extldflags "-static"' .
FROM alpine:3.18 as final FROM alpine:3.18 as final
RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D webhook
RUN apk add --no-cache ca-certificates RUN apk add --no-cache ca-certificates
USER 1000
COPY --from=build /workspace/webhook /usr/local/bin/webhook COPY --from=build /workspace/webhook /usr/local/bin/webhook
ENTRYPOINT ["webhook"] ENTRYPOINT ["webhook"]

2
deploy/cert-manager-ibm-cis-webhook/Chart.yaml
View file

@ -2,4 +2,4 @@ apiVersion: v1
appVersion: "1.0" appVersion: "1.0"
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
name: cert-manager-ibm-cis-webhook name: cert-manager-ibm-cis-webhook
version: 1.0.0 version: 1.1.0

19
deploy/cert-manager-ibm-cis-webhook/templates/deployment.yaml
View file

@ -19,7 +19,12 @@ spec:
labels: labels:
app: {{ include "cert-manager-ibm-cis-webhook.name" . }} app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
release: {{ .Release.Name }} release: {{ .Release.Name }}
annotations:
checksum/secrets: {{ include (print $.Template.BasePath "/secret.yaml") $ | sha256sum }}
spec: spec:
securityContext:
runAsNonRoot: true
serviceAccountName: {{ include "cert-manager-ibm-cis-webhook.fullname" . }} serviceAccountName: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}
imagePullSecrets: imagePullSecrets:
{{- range .Values.imagePullSecrets }} {{- range .Values.imagePullSecrets }}
@ -30,16 +35,20 @@ spec:
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
args: args:
- --secure-port={{ .Values.containerPort }}
- --tls-cert-file=/tls/tls.crt - --tls-cert-file=/tls/tls.crt
- --tls-private-key-file=/tls/tls.key - --tls-private-key-file=/tls/tls.key
env: env:
- name: GROUP_NAME - name: GROUP_NAME
value: {{ .Values.groupName | quote }} value: {{ .Values.groupName | quote }}
- name: IBMCLOUD_API_KEY - name: IBMCLOUD_API_KEY
value: {{ .Values.ibmCloudApiKey | quote }} valueFrom:
secretKeyRef:
name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
key: api-token
ports: ports:
- name: https - name: https
containerPort: 443 containerPort: {{ .Values.containerPort }}
protocol: TCP protocol: TCP
livenessProbe: livenessProbe:
httpGet: httpGet:
@ -51,6 +60,12 @@ spec:
scheme: HTTPS scheme: HTTPS
path: /healthz path: /healthz
port: https port: https
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
volumeMounts: volumeMounts:
- name: certs - name: certs
mountPath: /tls mountPath: /tls

52
deploy/cert-manager-ibm-cis-webhook/templates/networkpolicies.yaml Normal file
View file

@ -0,0 +1,52 @@
{{- if .Values.networkPolicies.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-dns
spec:
podSelector:
matchLabels:
app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector: {}
podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-allow-ingress
spec:
podSelector:
matchLabels:
app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {}
ports:
- protocol: TCP
port: {{ .Values.containerPort }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-egress-to-k8s-api
spec:
podSelector:
matchLabels:
app: {{ include "cert-manager-ibm-cis-webhook.name" . }}
policyTypes:
- Egress
egress:
- {}
{{- end }}

2
deploy/cert-manager-ibm-cis-webhook/templates/secret.yaml
View file

@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: ibmcis-credentials name: {{ include "cert-manager-ibm-cis-webhook.fullname" . }}-ibmcis-credentials
type: Opaque type: Opaque
stringData: stringData:
api-token: {{ .Values.ibmCloudApiKey | quote }} api-token: {{ .Values.ibmCloudApiKey | quote }}

5
deploy/cert-manager-ibm-cis-webhook/values.yaml
View file

@ -10,6 +10,9 @@ groupName: acme.skills.network
ibmCloudApiKey: "" ibmCloudApiKey: ""
networkPolicies:
enabled: false
certManager: certManager:
namespace: cert-manager namespace: cert-manager
serviceAccountName: cert-manager serviceAccountName: cert-manager
@ -25,6 +28,8 @@ imagePullSecrets: []
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
containerPort: 8443
service: service:
type: ClusterIP type: ClusterIP
port: 443 port: 443