diff --git a/.github/workflows/kyverno-json-scan-pulumi.yaml b/.github/workflows/kyverno-json-scan-pulumi.yaml
new file mode 100644
index 0000000..d6f774a
--- /dev/null
+++ b/.github/workflows/kyverno-json-scan-pulumi.yaml
@@ -0,0 +1,33 @@
+name: Kyverno JSON Scan Pulumi Demo
+run-name: ${{ github.actor }} has triggered Scan Action 🚀
+on:
+ pull_request:
+ branches:
+ - "main"
+ push:
+ branches:
+ - "main"
+
+jobs:
+ Kyverno-JSON-Scan-Pulumi:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "🎉 The job was automatically triggered by a ${{ github.event_name }} event."
+
+ - name: Check out repository code
+ uses: actions/checkout@v4
+
+ - name: Install kyverno-json
+ uses: kyverno/action-install-kyverno-json@main
+
+ - run: echo "🖥️ The workflow is now ready to test your code on the runner."
+
+ - name: Check install
+ run: kyverno-json version
+
+ - name: Kyverno JSON Scan - Pulumi
+ # cd config-files/pulumi/deployment
+ # pulumi preview -j > pulumi.json
+ run: kyverno-json scan --policy controls/pulumi-best-practices --payload config-files/pulumi/deployment/pulumi.json
+
+ - run: echo "🍏 This job's status is ${{ job.status }}."
diff --git a/.github/workflows/nctl-scan-terraform.yaml b/.github/workflows/nctl-scan-terraform.yaml
index 4a59495..1a9d24b 100644
--- a/.github/workflows/nctl-scan-terraform.yaml
+++ b/.github/workflows/nctl-scan-terraform.yaml
@@ -30,6 +30,6 @@ jobs:
 # terraform init
 # terraform plan -out tfplan.binary
 # terraform show -json tfplan.binary | jq > payload.json
- run: nctl scan terraform --policies controls/s3-best-practices --resources config-files/terraform/payload.json
+ run: nctl scan terraform --policies controls/terraform-best-practices --resources config-files/terraform/payload.json
 
 - run: echo "🍏 This job's status is ${{ job.status }}."
diff --git a/config-files/pulumi/deployment/__main__.py b/config-files/pulumi/deployment/__main__.py
new file mode 100644
index 0000000..cecb003
--- /dev/null
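Review bot: `uses: kyverno/action-install-kyverno-json@main` in the Install kyverno-json step resolves a mutable branch, so each run executes whatever that branch holds at the moment and any upstream change, benign or not, flows straight into this job; pin it to a release tag or, preferably, a full commit SHA with the tag in a trailing comment, e.g. `uses: kyverno/action-install-kyverno-json@<commit-sha>  # <release-tag>`. The same consideration applies to `actions/checkout@v4`, whose major-version tag is also movable, though that is the weaker concern. The workflow declares no `permissions:` block, so the job token inherits the repository default; none of these steps writes back to the repository, so a top-level `permissions:` block granting only `contents: read` is sufficient and worth adding.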
+++ b/config-files/pulumi/deployment/__main__.py
@@ -0,0 +1,21 @@
+"""A Kubernetes Python Pulumi program"""
+
+import pulumi
+from pulumi_kubernetes.apps.v1 import Deployment, DeploymentSpecArgs
+from pulumi_kubernetes.meta.v1 import LabelSelectorArgs, ObjectMetaArgs
+from pulumi_kubernetes.core.v1 import ContainerArgs, PodSpecArgs, PodTemplateSpecArgs
+
+app_labels = { "app": "nginx" }
+
+deployment = Deployment(
+ "nginx",
+ spec=DeploymentSpecArgs(
+ selector=LabelSelectorArgs(match_labels=app_labels),
+ replicas=1,
+ template=PodTemplateSpecArgs(
+ metadata=ObjectMetaArgs(labels=app_labels),
+ spec=PodSpecArgs(containers=[ContainerArgs(name="nginx", image="nginx")])
+ ),
+ ))
+
+pulumi.export("name", deployment.metadata["name"])
\ No newline at end of file
diff --git a/config-files/pulumi/deployment/pulumi.json b/config-files/pulumi/deployment/pulumi.json
new file mode 100644
index 0000000..3a66102
--- /dev/null
+++ b/config-files/pulumi/deployment/pulumi.json
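Review bot: `replicas=1` on the Deployment contradicts the committed `config-files/pulumi/deployment/pulumi.json`, which records `"replicas": 3` for the same `nginx` resource, so the payload the workflow scans was not produced from this program; the check-replicas policy passes on the stale payload while the program as written would violate it. Either change the line to `replicas=3,` or regenerate the payload with `pulumi preview -j` (the command the workflow's own comment documents) so the scanned input matches the source. `image="nginx"` carries no tag or digest, so the image floats with whatever the registry currently serves; a pinned tag, ideally a digest, makes the deployment reproducible and gives the scan something stable to reason about. The file also ends without a trailing newline.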
@@ -0,0 +1,75 @@
+{
+ "config": {
+ "pulumi:tags": "{\"pulumi:template\":\"kubernetes-python\"}"
+ },
+ "steps": [
+ {
+ "op": "create",
+ "urn": "urn:pulumi:test::quickstart::pulumi:pulumi:Stack::quickstart-test",
+ "newState": {
+ "urn": "urn:pulumi:test::quickstart::pulumi:pulumi:Stack::quickstart-test",
+ "custom": false,
+ "type": "pulumi:pulumi:Stack",
+ "sourcePosition": "project:///venv/lib/python3.11/site-packages/pulumi/runtime/stack.py#139"
+ },
+ "detailedDiff": null
+ },
+ {
+ "op": "create",
+ "urn": "urn:pulumi:test::quickstart::kubernetes:apps/v1:Deployment::nginx",
+ "provider": "urn:pulumi:test::quickstart::pulumi:providers:kubernetes::default_4_7_1::04da6b54-80e4-46f7-96ec-b56ff0331ba9",
+ "newState": {
+ "urn": "urn:pulumi:test::quickstart::kubernetes:apps/v1:Deployment::nginx",
+ "custom": true,
+ "type": "kubernetes:apps/v1:Deployment",
+ "inputs": {
+ "apiVersion": "apps/v1",
+ "kind": "Deployment",
+ "metadata": {
+ "annotations": {
+ "pulumi.com/autonamed": "true"
+ },
+ "name": "nginx-1026bcfa",
+ "namespace": "default"
+ },
+ "spec": {
+ "replicas": 3,
+ "selector": {
+ "matchLabels": {
+ "app": "nginx"
+ }
+ },
+ "template": {
+ "metadata": {
+ "labels": {
+ "app": "nginx"
+ }
+ },
+ "spec": {
+ "containers": [
+ {
+ "image": "nginx",
+ "name": "nginx"
+ }
+ ]
+ }
+ }
+ }
+ },
+ "parent": "urn:pulumi:test::quickstart::pulumi:pulumi:Stack::quickstart-test",
+ "provider": "urn:pulumi:test::quickstart::pulumi:providers:kubernetes::default_4_7_1::04da6b54-80e4-46f7-96ec-b56ff0331ba9",
+ "propertyDependencies": {
+ "apiVersion": null,
+ "kind": null,
+ "spec": null
+ },
+ "sourcePosition": "project:///venv/lib/python3.11/site-packages/pulumi_kubernetes/apps/v1/Deployment.py#323"
+ },
+ "detailedDiff": null
+ }
+ ],
+ "duration": 673330292,
+ "changeSummary": {
+ "create": 2
+ }
+}
\ No newline at end of file
diff --git a/controls/pulumi-best-practices/check-deployment-replicas.yaml b/controls/pulumi-best-practices/check-deployment-replicas.yaml
new file mode 100644
index 0000000..2e438b1
--- /dev/null
+++ b/controls/pulumi-best-practices/check-deployment-replicas.yaml
@@ -0,0 +1,22 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-replicas
+ annotations:
+ policies.kyverno.io/description: >-
+ This policy checks for replicas greater than or equal to 3
+spec:
+ rules:
+ - name: check-replicas
+ match:
+ all:
+ - (steps[?newState.type=='kubernetes:apps/v1:Deployment'] | length(@) > `0` ): true
+ assert:
+ all:
+ - message: Replicas should be greater or equal to 3
+ check:
+ ~.(steps[?newState.type=='kubernetes:apps/v1:Deployment']):
+ newState:
+ inputs:
+ spec:
+ (replicas >= `3`): true
diff --git a/controls/s3-best-practices/enable-s3-versioning.yaml b/controls/terraform-best-practices/enable-s3-versioning.yaml
similarity index 100%
rename from controls/s3-best-practices/enable-s3-versioning.yaml
rename to controls/terraform-best-practices/enable-s3-versioning.yaml
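Review bot: The assertion on the last line of the rule, which compares `replicas` against the backquoted literal 3, only evaluates to true when `spec.replicas` is present in the Deployment inputs; a Deployment that omits the field (Kubernetes then defaults it to 1) produces a comparison against a missing value, which in JMESPath is null rather than true, so the rule presumably reports a violation in that case rather than passing vacuously — worth confirming with a test payload that lacks `replicas`, and worth stating in the description, e.g. `Deployments must declare spec.replicas of at least 3; an omitted field (Kubernetes default 1) is treated as a violation`. The `match` expression has a stray space between the backquoted 0 and its closing parenthesis, which should be removed for consistency with the assertion expression. The message `Replicas should be greater or equal to 3` would read better as `Replicas should be greater than or equal to 3`, matching the description wording.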