diff --git a/.codespellrc b/.codespellrc index 014984d38..50ac37787 100644 --- a/.codespellrc +++ b/.codespellrc @@ -1,5 +1,5 @@ # Lint Codespell configurations [codespell] skip = .codespellrc,.git,node_modules,build,dist,*.zst,CHANGELOG.md -ignore-words-list = NotIn,AKS +ignore-words-list = NotIn,AKS,LICENS enable-colors = \ No newline at end of file diff --git a/.github/actions/debug-output/action.yaml b/.github/actions/debug-output/action.yaml index 106319e4a..1fe4ae4bf 100644 --- a/.github/actions/debug-output/action.yaml +++ b/.github/actions/debug-output/action.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: debug-output description: "Print out basic debug info for a k8s cluster" diff --git a/.github/actions/lint-check/action.yaml b/.github/actions/lint-check/action.yaml index cfcb7798b..40b43c5d0 100644 --- a/.github/actions/lint-check/action.yaml +++ b/.github/actions/lint-check/action.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: lint-check description: "Check Project for Linting Errors" @@ -12,7 +15,7 @@ runs: uses: Homebrew/actions/setup-homebrew@master - name: Install UDS CLI # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.16.0 + run: brew install defenseunicorns/tap/uds@0.17.0 shell: bash - name: Run Formatting Checks run: uds run lint-check --no-progress diff --git a/.github/actions/notify-lula/action.yaml b/.github/actions/notify-lula/action.yaml index c3e978a0d..7534d6d78 100644 --- a/.github/actions/notify-lula/action.yaml +++ b/.github/actions/notify-lula/action.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Notify Lula description: "Comment on PR to notify Lula Team" diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml index 88ed686e8..01aa42225 100644 --- a/.github/actions/save-logs/action.yaml +++ b/.github/actions/save-logs/action.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: save-logs description: "Save debug logs" @@ -34,7 +37,7 @@ runs: sudo chown $USER /tmp/uds-*.log || echo "" shell: bash - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: debug-log${{ inputs.suffix }} path: | diff --git a/.github/actions/setup/action.yaml b/.github/actions/setup/action.yaml index 9220d70af..76fdcb24e 100644 --- a/.github/actions/setup/action.yaml +++ b/.github/actions/setup/action.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # action.yml name: "Setup Environment" description: "UDS Environment Setup" @@ -28,19 +31,17 @@ runs: # renovate: datasource=github-tags depName=k3d-io/k3d versioning=semver run: curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | TAG=v5.7.4 bash - - name: Set up Homebrew - uses: Homebrew/actions/setup-homebrew@master - - name: Install UDS CLI - shell: bash - # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - run: brew install defenseunicorns/tap/uds@0.16.0 + uses: defenseunicorns/setup-uds@b987a32bac3baeb67bfb08f5e1544e2f9076ee8a # v1.0.0 + with: + # renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver + version: v0.17.0 - name: Install Lula uses: defenseunicorns/lula-action/setup@badad8c4b1570095f57e66ffd62664847698a3b9 # v0.0.1 with: # renovate: datasource=github-tags depName=defenseunicorns/lula versioning=semver-coerced - version: v0.7.0 + version: v0.9.1 - name: Iron Bank Login if: ${{ inputs.registry1Username != '' }} @@ -52,7 +53,7 @@ runs: - name: Chainguard Login if: ${{ inputs.chainguardIdentity != '' }} - uses: chainguard-dev/setup-chainctl@f52718d822dc73d21a04ef2082822c4a203163b3 # v0.2.2 + uses: chainguard-dev/setup-chainctl@598499528905f95b94e62e4831cf42035e768933 # v0.2.3 with: identity: ${{ inputs.chainguardIdentity }} diff --git a/.github/bundles/eks/uds-bundle.yaml b/.github/bundles/eks/uds-bundle.yaml new file mode 100644 index 000000000..ba010c513 --- /dev/null +++ b/.github/bundles/eks/uds-bundle.yaml @@ -0,0 +1,89 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: UDSBundle +metadata: + name: uds-core-eks-nightly + description: A UDS bundle for deploying EKS and UDS Core + # x-release-please-start-version +<<<<<<< HEAD:.github/bundles/eks/uds-bundle.yaml + version: "0.29.0" +======= + version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)):.github/bundles/uds-bundle.yaml + # x-release-please-end + +packages: + - name: init + repository: ghcr.io/zarf-dev/packages/init + ref: v0.41.0 + + - name: core + path: ../../../build + # x-release-please-start-version +<<<<<<< HEAD:.github/bundles/eks/uds-bundle.yaml + ref: 0.29.0 +======= + ref: 0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)):.github/bundles/uds-bundle.yaml + # x-release-please-end + optionalComponents: + - metrics-server + overrides: + velero: + velero: + variables: + - name: VELERO_USE_SECRET + description: "Toggle use secret off to use IRSA." + path: credentials.useSecret + - name: VELERO_IRSA_ROLE_ARN + description: "IRSA ARN annotation to use for Velero" + path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn + loki: + loki: + values: + - path: loki.storage.s3.endpoint + value: "" + - path: loki.storage.s3.secretAccessKey + value: "" + - path: loki.storage.s3.accessKeyId + value: "" + variables: + - name: LOKI_CHUNKS_BUCKET + description: "The object storage bucket for Loki chunks" + path: loki.storage.bucketNames.chunks + - name: LOKI_RULER_BUCKET + description: "The object storage bucket for Loki ruler" + path: loki.storage.bucketNames.ruler + - name: LOKI_ADMIN_BUCKET + description: "The object storage bucket for Loki admin" + path: loki.storage.bucketNames.admin + - name: LOKI_S3_REGION + description: "The S3 region" + path: loki.storage.s3.region + - name: LOKI_IRSA_ROLE_ARN + description: "The irsa role annotation" + path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn + grafana: + grafana: + variables: + - name: GRAFANA_HA + description: Enable HA Grafana + path: autoscaling.enabled + uds-grafana-config: + variables: + - name: GRAFANA_PG_HOST + description: Grafana postgresql host + path: postgresql.host + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_DATABASE + description: Grafana postgresql database + path: postgresql.database + - name: GRAFANA_PG_PASSWORD + description: Grafana postgresql password + path: postgresql.password + - name: GRAFANA_PG_USER + description: Grafana postgresql username + path: postgresql.user diff --git a/.github/bundles/eks/uds-config.yaml b/.github/bundles/eks/uds-config.yaml new file mode 100644 index 000000000..12adfdd49 --- /dev/null +++ b/.github/bundles/eks/uds-config.yaml @@ -0,0 +1,27 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +# Overwritten by ci-iac-aws package +options: + architecture: amd64 + +variables: + core: + loki_chunks_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} + loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} + loki_irsa_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + velero_use_secret: false + velero_irsa_role_arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" + velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} + velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} + velero_bucket_provider_url: "" + velero_bucket_credential_name: "" + velero_bucket_credential_key: "" + grafana_ha: true + grafana_pg_host: ${ZARF_VAR_GRAFANA_PG_HOST} + grafana_pg_port: ${ZARF_VAR_GRAFANA_PG_PORT} + grafana_pg_database: ${ZARF_VAR_GRAFANA_PG_DATABASE} + grafana_pg_password: ${ZARF_VAR_GRAFANA_PG_PASSWORD} + grafana_pg_user: ${ZARF_VAR_GRAFANA_PG_USER} diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/rke2/uds-bundle.yaml similarity index 58% rename from .github/bundles/uds-bundle.yaml rename to .github/bundles/rke2/uds-bundle.yaml index d299988e2..8298a0dc6 100644 --- a/.github/bundles/uds-bundle.yaml +++ b/.github/bundles/rke2/uds-bundle.yaml @@ -1,20 +1,44 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: - name: uds-core-eks-nightly - description: A UDS bundle for deploying EKS and UDS Core + name: uds-core-rke2-nightly + description: A UDS bundle for deploying RKE2 and UDS Core # x-release-please-start-version - version: "0.28.0" + version: "0.29.0" # x-release-please-end packages: + - name: pod-identity-webhook + repository: ghcr.io/defenseunicorns/packages/uds/pod-identity-webhook + ref: 0.3.1-upstream + - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 + overrides: + zarf-registry: + docker-registry: + variables: + - path: affinity.custom + name: REGISTRY_AFFINITY_CUSTOM_UDS + - path: persistence.accessMode + name: REGISTRY_PVC_ACCESS_MODE + default: ReadWriteMany + zarf-seed-registry: + docker-registry: + variables: + - path: affinity.custom + name: REGISTRY_AFFINITY_CUSTOM_UDS + - path: persistence.accessMode + name: REGISTRY_PVC_ACCESS_MODE + default: ReadWriteMany - name: core - path: ../../build/ + path: ../../../build # x-release-please-start-version - ref: 0.28.0 + ref: 0.29.0 # x-release-please-end optionalComponents: - metrics-server @@ -25,7 +49,7 @@ packages: - name: VELERO_USE_SECRET description: "Toggle use secret off to use IRSA." path: credentials.useSecret - - name: VELERO_IRSA_ANNOTATION + - name: VELERO_IRSA_ROLE_ARN description: "IRSA ARN annotation to use for Velero" path: serviceAccount.server.annotations.eks\.amazonaws\.com/role-arn loki: @@ -37,6 +61,8 @@ packages: value: "" - path: loki.storage.s3.accessKeyId value: "" + - path: global.dnsService + value: rke2-coredns-rke2-coredns variables: - name: LOKI_CHUNKS_BUCKET description: "The object storage bucket for Loki chunks" @@ -50,6 +76,6 @@ packages: - name: LOKI_S3_REGION description: "The S3 region" path: loki.storage.s3.region - - name: LOKI_IRSA_ANNOTATION + - name: LOKI_IRSA_ROLE_ARN description: "The irsa role annotation" path: serviceAccount.annotations.eks\.amazonaws\.com/role-arn diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/rke2/uds-config.yaml similarity index 69% rename from .github/bundles/uds-config.yaml rename to .github/bundles/rke2/uds-config.yaml index 722dd3689..b55faf5a8 100644 --- a/.github/bundles/uds-config.yaml +++ b/.github/bundles/rke2/uds-config.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Overwritten by ci-iac-aws package options: architecture: amd64 @@ -8,9 +11,9 @@ variables: loki_ruler_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} loki_admin_bucket: ${ZARF_VAR_LOKI_S3_BUCKET} loki_s3_region: ${ZARF_VAR_LOKI_S3_AWS_REGION} - loki_irsa_annotation: ${ZARF_VAR_LOKI_S3_ROLE_ARN} + loki_irsa_role_arn: ${ZARF_VAR_LOKI_S3_ROLE_ARN} velero_use_secret: false - velero_irsa_annotation: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" + velero_irsa_role_arn: "${ZARF_VAR_VELERO_S3_ROLE_ARN}" velero_bucket: ${ZARF_VAR_VELERO_S3_BUCKET} velero_bucket_region: ${ZARF_VAR_VELERO_S3_AWS_REGION} velero_bucket_provider_url: "" diff --git a/.github/filters.yaml b/.github/filters.yaml index 77ec1bba8..a047ff952 100644 --- a/.github/filters.yaml +++ b/.github/filters.yaml @@ -1,72 +1,46 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + all: - "**" -authservice: - - "src/authservice/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -grafana: - - "src/grafana/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -istio: +base: + - "packages/base/**" - "src/istio/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/pepr/**" -keycloak: +identity-authorization: + - "packages/identity-authorization/**" - "src/keycloak/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" - -kiali: - - "src/kiali/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/authservice/**" -loki: +logging: + - "packages/logging/**" - "src/loki/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" + - "src/vector/**" -metrics-server: - - "src/metrics-server/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" +ui: + - "packages/ui/**" + - "src/runtime/**" -neuvector: +runtime-security: + - "packages/runtime-security/**" - "src/neuvector/**" - - "!**/*.md" - - "!**/*.jpg" - - "!**/*.png" - - "!**/*.gif" - - "!**/*.svg" -prometheus-stack: +backup-restore: + - "packages/backup-restore/**" + - "src/velero/**" + +metrics-server: + - "packages/metrics-server/**" + - "src/metrics-server/**" + +monitoring: + - "packages/monitoring/**" - "src/prometheus-stack/**" +<<<<<<< HEAD + - "src/grafana/**" +======= - "!**/*.md" - "!**/*.jpg" - "!**/*.png" @@ -96,3 +70,4 @@ velero: - "!**/*.png" - "!**/*.gif" - "!**/*.svg" +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) diff --git a/.github/test-infra/buckets-iac/loki.tf b/.github/test-infra/aws/eks/loki.tf similarity index 87% rename from .github/test-infra/buckets-iac/loki.tf rename to .github/test-infra/aws/eks/loki.tf index 3defd0ca9..756b95017 100644 --- a/.github/test-infra/buckets-iac/loki.tf +++ b/.github/test-infra/aws/eks/loki.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + resource "aws_iam_policy" "loki_policy" { name = "${local.bucket_configurations.loki.name}-irsa-${random_id.unique_id.hex}" path = "/" @@ -25,4 +28,4 @@ resource "aws_iam_policy" "loki_policy" { } ] }) -} +} \ No newline at end of file diff --git a/.github/test-infra/buckets-iac/main.tf b/.github/test-infra/aws/eks/main.tf similarity index 89% rename from .github/test-infra/buckets-iac/main.tf rename to .github/test-infra/aws/eks/main.tf index 6e4094b0f..07d5821a5 100644 --- a/.github/test-infra/buckets-iac/main.tf +++ b/.github/test-infra/aws/eks/main.tf @@ -1,29 +1,6 @@ -provider "aws" { - region = var.region +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - default_tags { - tags = { - PermissionsBoundary = var.permissions_boundary_name - } - } -} - -terraform { - required_version = ">= 1.8.0" - backend "s3" { - } - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.0" - } - - random = { - source = "hashicorp/random" - version = "3.6.3" - } - } -} resource "random_id" "default" { byte_length = 2 @@ -127,4 +104,4 @@ resource "aws_s3_bucket_policy" "bucket_policy" { } ] }) -} +} \ No newline at end of file diff --git a/.github/test-infra/aws/eks/outputs.tf b/.github/test-infra/aws/eks/outputs.tf new file mode 100644 index 000000000..f0e4e6224 --- /dev/null +++ b/.github/test-infra/aws/eks/outputs.tf @@ -0,0 +1,60 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +output "aws_region" { + value = data.aws_region.current.name +} + +output "loki_irsa_role_arn" { + value = module.irsa["loki"].role_arn +} + +output "loki_s3" { + value = module.S3["loki"] +} + +output "loki_s3_bucket" { + value = module.S3["loki"].bucket_name +} + +output "velero_irsa_role_arn" { + value = module.irsa["velero"].role_arn +} + +output "velero_s3" { + value = module.S3["velero"] +} + +output "velero_s3_bucket" { + value = module.S3["velero"].bucket_name +} + +output "grafana_pg_host" { + description = "RDS Endpoint for Grafana" + value = element(split(":", module.db.db_instance_endpoint), 0) +} + +output "grafana_pg_port" { + description = "RDS Port for Grafana" + value = var.db_port +} + +output "grafana_pg_database" { + description = "Database name for Grafana" + value = var.db_name +} + +output "grafana_pg_user" { + description = "Database username for Grafana" + value = var.username +} + +output "grafana_pg_password" { + description = "RDS Password for Grafana" + value = random_password.db_password.result + sensitive = true +} + +output "grafana_ha" { + value = true +} \ No newline at end of file diff --git a/.github/test-infra/aws/eks/rds.tf b/.github/test-infra/aws/eks/rds.tf new file mode 100644 index 000000000..ce432a324 --- /dev/null +++ b/.github/test-infra/aws/eks/rds.tf @@ -0,0 +1,92 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +resource "random_password" "db_password" { + length = 16 + special = false +} + +resource "aws_secretsmanager_secret" "db_secret" { + name = "${var.db_name}-db-secret-${random_id.unique_id.hex}" + description = "DB authentication token for ${var.db_name}" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "db_secret_value" { + depends_on = [aws_secretsmanager_secret.db_secret] + secret_id = aws_secretsmanager_secret.db_secret.id + secret_string = random_password.db_password.result +} + +module "db" { + source = "terraform-aws-modules/rds/aws" + version = "6.10.0" + + identifier = "${var.db_name}-db" + instance_use_identifier_prefix = true + + allocated_storage = var.db_allocated_storage + backup_retention_period = 1 + backup_window = "03:00-06:00" + maintenance_window = "Mon:00:00-Mon:03:00" + + engine = "postgres" + engine_version = var.db_engine_version + major_engine_version = split(".", var.db_engine_version)[0] + family = "postgres15" + instance_class = var.db_instance_class + + db_name = var.db_name + username = var.username + port = var.db_port + + subnet_ids = data.aws_subnets.subnets.ids + create_db_subnet_group = true + manage_master_user_password = false + password = random_password.db_password.result + + vpc_security_group_ids = [aws_security_group.rds_sg.id] + + depends_on = [ + aws_security_group.rds_sg + ] +} + +resource "aws_security_group" "rds_sg" { + vpc_id = local.vpc_id + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + ipv6_cidr_blocks = ["::/0"] + } +} + +resource "aws_vpc_security_group_ingress_rule" "rds_ingress" { + security_group_id = aws_security_group.rds_sg.id + + cidr_ipv4 = "0.0.0.0/0" + ip_protocol = "tcp" + from_port = 0 + to_port = 5432 +} + +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = ["eksctl-${var.name}-cluster/VPC"] + } +} + +data "aws_subnets" "subnets" { + filter { + name = "vpc-id" + values = [data.aws_vpc.vpc.id] + } +} + +locals { + vpc_id = data.aws_vpc.vpc.id +} diff --git a/.github/test-infra/aws/eks/variables.tf b/.github/test-infra/aws/eks/variables.tf new file mode 100644 index 000000000..94bcb7e15 --- /dev/null +++ b/.github/test-infra/aws/eks/variables.tf @@ -0,0 +1,104 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +variable "region" { + description = "AWS region" + type = string +} + +variable "name" { + description = "Name for cluster" + type = string +} + +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." + type = string + default = null +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} + +variable "key_owner_arns" { + description = "ARNS of KMS key owners, needed for use of key" + type = list(string) + default = [] +} + +# taken from zarf bb repo +variable "kms_key_deletion_window" { + description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." + type = number + default = 7 +} + +variable "bucket_configurations" { + type = map(object({ + name = string + service_account = string + namespace = string + })) + default = { + loki = { + name = "loki" + service_account = "loki" + namespace = "loki" + } + velero = { + name = "velero" + service_account = "velero-server" + namespace = "velero" + } + } +} + +variable "recovery_window" { + default = 7 + type = number +} + +variable "db_name" { + description = "The name to give the database" + type = string + default = "grafana" +} + +variable "db_port" { + description = "The database port" + type = number + default = 5432 +} + +variable "username" { + description = "The username to use to login to the DB" + type = string + default = "grafana" +} + +variable "db_engine_version" { + description = "The Postgres engine version to use for the DB" + type = string + default = "15.7" +} + +variable "db_allocated_storage" { + description = "Storage allocated to RDS instance" + type = number + default = 20 +} + +variable "db_storage_type" { + description = "The type of storage (e.g., gp2, io1)" + type = string + default = "gp2" +} + +variable "db_instance_class" { + description = "The class of RDS instance (e.g., db.t4g.large)" + type = string + default = "db.t4g.large" +} diff --git a/.github/test-infra/buckets-iac/velero.tf b/.github/test-infra/aws/eks/velero.tf similarity index 92% rename from .github/test-infra/buckets-iac/velero.tf rename to .github/test-infra/aws/eks/velero.tf index 96e6ed627..cba3d9307 100644 --- a/.github/test-infra/buckets-iac/velero.tf +++ b/.github/test-infra/aws/eks/velero.tf @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + resource "aws_iam_policy" "velero_policy" { name = "${local.bucket_configurations.velero.name}-irsa-${random_id.unique_id.hex}" path = "/" @@ -56,4 +59,3 @@ resource "aws_iam_policy" "velero_policy" { ] }) } - diff --git a/.github/test-infra/aws/eks/versions.tf b/.github/test-infra/aws/eks/versions.tf new file mode 100644 index 000000000..0a4588878 --- /dev/null +++ b/.github/test-infra/aws/eks/versions.tf @@ -0,0 +1,28 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +provider "aws" { + region = var.region + + default_tags { + tags = { + PermissionsBoundary = var.permissions_boundary_name + } + } +} +terraform { + required_version = ">= 1.8.0" + backend "s3" { + } + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.0" + } + + random = { + source = "hashicorp/random" + version = "3.6.3" + } + } +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/data.tf b/.github/test-infra/aws/rke2/data.tf new file mode 100644 index 000000000..80518887f --- /dev/null +++ b/.github/test-infra/aws/rke2/data.tf @@ -0,0 +1,25 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +data "aws_vpc" "vpc" { + filter { + name = "tag:Name" + values = [var.vpc_name] + } +} + +data "aws_subnet" "rke2_ci_subnet" { + vpc_id = data.aws_vpc.vpc.id + availability_zone = "${var.region}c" + + filter { + name = "tag:Name" + values = [var.subnet_name] + } +} + +data "aws_ami" "rhel_rke2" { + most_recent = true + name_regex = "^uds-rhel-rke2-v${var.rke2_version}" + owners = ["self"] +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/iam.tf b/.github/test-infra/aws/rke2/iam.tf new file mode 100644 index 000000000..c07666942 --- /dev/null +++ b/.github/test-infra/aws/rke2/iam.tf @@ -0,0 +1,124 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +# required iam roles for irsa +data "aws_partition" "current" {} + +data "aws_iam_policy_document" "ec2_access" { + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + principals { + identifiers = ["ec2.amazonaws.com"] + type = "Service" + } + } +} + +resource "aws_iam_role" "rke2_server" { + name = "${local.cluster_name}-server" + + assume_role_policy = data.aws_iam_policy_document.ec2_access.json + permissions_boundary = local.iam_role_permissions_boundary + + tags = { + PermissionsBoundary = var.permissions_boundary_name + } +} + +resource "aws_iam_instance_profile" "rke2_server" { + name = "${local.cluster_name}-server" + role = aws_iam_role.rke2_server.name +} + +# Permissions to get token from S3 +data "aws_iam_policy_document" "s3_token" { + statement { + effect = "Allow" + resources = ["arn:${data.aws_partition.current.partition}:s3:::${local.cluster_name}-*"] + actions = [ + "s3:GetObject", + "s3:PutObject" + ] + } +} + +# Permissions to get OIDC keys from secrets manager +data "aws_iam_policy_document" "oidc_secrets" { + statement { + effect = "Allow" + resources = [ + aws_secretsmanager_secret.public_key.arn, + aws_secretsmanager_secret.private_key.arn, + ] + actions = [ + "secretsmanager:GetSecretValue" + ] + } +} + +# Cloud controller permissions from upstream - https://github.com/rancherfederal/rke2-aws-tf/blob/d65cb1d0543264f3170d077a2a0527fd95bfd1ae/data.tf#L80 +data "aws_iam_policy_document" "aws_ccm" { + statement { + effect = "Allow" + resources = ["*"] + actions = [ + "ec2:DescribeInstances", + "ec2:DescribeSubnets", + "ec2:DescribeRouteTables", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeSecurityGroups", + "ec2:CreateSecurityGroup", + "elasticloadbalancing:DescribeLoadBalancers", + "ec2:CreateTags", + "iam:CreateServiceLinkedRole", + "kms:DescribeKey", + ] + } +} + +resource "aws_iam_role_policy" "s3_token" { + name = "${local.cluster_name}-server-token" + role = aws_iam_role.rke2_server.id + policy = data.aws_iam_policy_document.s3_token.json +} + + +resource "aws_iam_role_policy" "oidc_secrets" { + name = "${local.cluster_name}-server-oidc" + role = aws_iam_role.rke2_server.id + policy = data.aws_iam_policy_document.oidc_secrets.json +} + +resource "aws_iam_role_policy" "server_ccm" { + name = "${local.cluster_name}-server-ccm" + role = aws_iam_role.rke2_server.id + policy = data.aws_iam_policy_document.aws_ccm.json +} + +module "rke2_kms_key" { + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.6" + + kms_key_alias_name_prefix = "rke2-${local.cluster_name}-server" + kms_key_deletion_window = 7 + kms_key_description = "RKE2 Key" + kms_key_policy_default_identities = [aws_iam_role.rke2_server.arn] +} + +resource "random_string" "ssm" { + length = 4 + special = false + upper = false + numeric = false +} + +resource "aws_secretsmanager_secret" "rke2_kms_key_arn" { + name = "rke2/${local.cluster_name}-server/kms-key-arn" + description = "Stores the ARN of the KMS key for RKE2 in the ${var.environment} environment" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "rke2_kms_key_arn_value" { + secret_id = aws_secretsmanager_secret.rke2_kms_key_arn.id + secret_string = module.rke2_kms_key.kms_key_arn +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/irsa.tf b/.github/test-infra/aws/rke2/irsa.tf new file mode 100644 index 000000000..8ab35fea6 --- /dev/null +++ b/.github/test-infra/aws/rke2/irsa.tf @@ -0,0 +1,146 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +# setting up irsa for the rke2 cluster +# Keypair for signing, added as secrets in AWS Secrets Manager +resource "tls_private_key" "keypair" { + algorithm = "RSA" + rsa_bits = 2048 +} + +resource "aws_secretsmanager_secret" "public_key" { + name = "${var.environment}-${random_string.ssm.result}-oidc-public-key" + description = "Public Key for OIDC/IRSA for ${var.environment}" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "public_key" { + depends_on = [aws_secretsmanager_secret.public_key] + secret_id = aws_secretsmanager_secret.public_key.name + secret_string = tls_private_key.keypair.public_key_pem +} + +resource "aws_secretsmanager_secret" "private_key" { + name = "${var.environment}-${random_string.ssm.result}-oidc-private-key" + description = "Private Key for OIDC/IRSA for ${var.environment}" + recovery_window_in_days = var.recovery_window +} + +resource "aws_secretsmanager_secret_version" "private_key" { + depends_on = [aws_secretsmanager_secret.private_key] + secret_id = aws_secretsmanager_secret.private_key.name + secret_string = tls_private_key.keypair.private_key_pem +} + + +# Public bucket to host OIDC files +module "oidc_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" + + bucket = "${var.environment}-oidc-${random_string.ssm.result}" + force_destroy = var.force_destroy + + # Allow our objects to be public + control_object_ownership = true + object_ownership = "BucketOwnerPreferred" + block_public_acls = false + block_public_policy = false + ignore_public_acls = false + restrict_public_buckets = false +} + + +# OIDC file creation +resource "local_file" "oidc_config" { + content = < { + name = "${var.cluster_name}-${instance.name}" + bucket_prefix = instance.name + service_account = instance.service_account + namespace = instance.namespace + } + } +} + +# Create KMS keys for each bucket +module "generate_kms" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-kms?ref=v0.0.6" + + key_owners = var.key_owner_arns + # A list of IAM ARNs for those who will have full key permissions (`kms:*`) + kms_key_alias_name_prefix = "${each.value.name}-" # Prefix for KMS key alias. + kms_key_deletion_window = var.kms_key_deletion_window + kms_key_description = "${var.cluster_name}-${each.value.name} nightly ci s3 KMS key" # Description for the KMS key. + tags = var.tags +} + +# Create s3 buckets and encrypt using keys from generate_kms module +module "s3" { + for_each = local.bucket_configurations + source = "github.com/defenseunicorns/terraform-aws-uds-s3?ref=v0.0.6" + name_prefix = "${each.value.name}-${each.value.bucket_prefix}-" + kms_key_arn = module.generate_kms[each.key].kms_key_arn + force_destroy = "true" + create_bucket_lifecycle = true + + depends_on = [ + module.generate_kms + ] +} + +module "irsa" { + #merge the keys from module.generate_kms into `bucket_configurations` + for_each = { for k, v in local.bucket_configurations : k => merge(v, module.generate_kms[k], module.s3[k]) } + source = "./irsa" + cluster_name = var.cluster_name + name = each.value.name + environment = var.environment + resource_prefix = "${each.value.name}-" + use_permissions_boundary = var.use_permissions_boundary + permissions_boundary = var.permissions_boundary + bucket_service_account = each.value.service_account + bucket_name = each.value.bucket_name + namespace = each.value.namespace + kms_key_arn = each.value.kms_key_arn + + oidc_bucket_attributes = var.oidc_bucket_attributes + + depends_on = [ + module.s3 + ] +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/modules/storage/outputs.tf b/.github/test-infra/aws/rke2/modules/storage/outputs.tf new file mode 100644 index 000000000..f0414ad1e --- /dev/null +++ b/.github/test-infra/aws/rke2/modules/storage/outputs.tf @@ -0,0 +1,10 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +output "s3_buckets" { + value = { for k, v in module.s3 : k => v } +} + +output "irsa" { + value = { for k, v in module.irsa : k => v } +} diff --git a/.github/test-infra/aws/rke2/modules/storage/variables.tf b/.github/test-infra/aws/rke2/modules/storage/variables.tf new file mode 100644 index 000000000..f51b9c4e3 --- /dev/null +++ b/.github/test-infra/aws/rke2/modules/storage/variables.tf @@ -0,0 +1,61 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +variable "cluster_name" { + description = "Name of the Kubernetes Cluster." + type = string +} + +variable "ci_bucket_configurations" { + type = map(object({ + name = string + service_account = string + namespace = string + })) +} + +variable "key_owner_arns" { + description = "ARNS of KMS key owners, needed for use of key" + type = list(string) + default = [] +} + +variable "kms_key_deletion_window" { + description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." + type = number + default = 7 +} + +#irsa variables +variable "support_irsa" { + description = "When enabled, provisions necessary resources to support accessing the s3 bucket using IRSA." + default = true + type = bool +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool + default = true +} + +variable "permissions_boundary" { + description = "The ARN of the Permissions Boundary" + type = string + default = null +} + +variable "tags" { + description = "A map of tags to apply to resources." + default = {} + type = map(string) +} + +variable "environment" { + type = string +} + +variable "oidc_bucket_attributes" { + description = "All attributes of the cluster OIDC bucket" + default = {} +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/modules/storage/versions.tf b/.github/test-infra/aws/rke2/modules/storage/versions.tf new file mode 100644 index 000000000..bd25115e5 --- /dev/null +++ b/.github/test-infra/aws/rke2/modules/storage/versions.tf @@ -0,0 +1,15 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +terraform { + required_providers { + aws = { + version = ">= 5.52.0" + } + random = { + version = "~> 3.6.2" + } + } + + required_version = ">= 1.8.0" +} diff --git a/.github/test-infra/aws/rke2/outputs.tf b/.github/test-infra/aws/rke2/outputs.tf new file mode 100644 index 000000000..5ae696ab7 --- /dev/null +++ b/.github/test-infra/aws/rke2/outputs.tf @@ -0,0 +1,54 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +output "aws_region" { + value = data.aws_region.current.name +} + +output "private_key" { + value = tls_private_key.control_plane_private_key.private_key_pem + description = "Generated SSH private key that can be used to connect to a cluster node." + sensitive = true +} + +output "bootstrap_ip" { + sensitive = true + value = aws_instance.rke2_ci_bootstrap_node.public_ip + description = "Public IP address of the bootstrap control plane node." +} + +output "node_user" { + sensitive = true + value = var.default_user + description = "User to use when connecting to a cluster node." +} + +output "cluster_hostname" { + sensitive = true + value = var.cluster_hostname + description = "Hostname used to connect to cluster." +} + +output "loki_s3_bucket" { + sensitive = true + value = module.storage.s3_buckets["loki"].bucket_name +} + +output "velero_s3_bucket" { + sensitive = true + value = module.storage.s3_buckets["velero"].bucket_name +} + +output "loki_irsa_role_arn" { + sensitive = true + value = module.storage.irsa["loki"].bucket_role.arn +} + +output "velero_irsa_role_arn" { + sensitive = true + value = module.storage.irsa["velero"].bucket_role.arn +} + +output "grafana_ha" { + value = false +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh new file mode 100644 index 000000000..dc002bab1 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/get-kubeconfig.sh @@ -0,0 +1,53 @@ +#!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + + +# Utility script that can be called from a uds task after tofu has deployed the e2e test module + +echo "tofu version: $(tofu --version)" + +# Get required outputs from tofu +tofu output -raw private_key > key.pem +chmod 600 key.pem + +bootstrap_ip=$(tofu output -raw bootstrap_ip) +node_user=$(tofu output -raw node_user) +cluster_hostname=$(tofu output -raw cluster_hostname) + +# Try ssh up to 20 times waiting 15 seconds between tries +for i in $(seq 1 20); do + echo "Waiting on cloud-init to finish running on cluster node" + ssh -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip} "cloud-init status --wait" > /dev/null && break + sleep 15 +done + +# Make sure .kube directory exists +mkdir -p ~/.kube + +# Copy kubectl from cluster node +ssh -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip} "mkdir -p /home/${node_user}/.kube && sudo cp /etc/rancher/rke2/rke2.yaml /home/${node_user}/.kube/config && sudo chown ${node_user} /home/${node_user}/.kube/config" > /dev/null +scp -o StrictHostKeyChecking=no -i key.pem ${node_user}@${bootstrap_ip}:/home/${node_user}/.kube/config ./rke2-config > /dev/null + +# Replace the loopback address with the cluster hostname +sed -i "s/127.0.0.1/${bootstrap_ip}/g" ./rke2-config > /dev/null +export KUBECONFIG=$(pwd)/rke2-config + +# find existing host record in the host file and save the line numbers +matches_in_hosts="$(grep -n $cluster_hostname /etc/hosts | cut -f1 -d:)" +host_entry="${bootstrap_ip} ${cluster_hostname}" + +# Add or update /etc/hosts file record +if [ ! -z "$matches_in_hosts" ] +then + echo "Updating existing hosts entry." + # iterate over the line numbers on which matches were found + while read -r line_number; do + # replace the text of each line with the desired host entry + sudo sed -i "${line_number}s/.*/${host_entry} /" /etc/hosts > /dev/null + done <<< "$matches_in_hosts" +else + echo "Adding new hosts entry." + echo "$host_entry" | sudo tee -a /etc/hosts > /dev/null +fi \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/key_id.sh b/.github/test-infra/aws/rke2/scripts/key_id.sh new file mode 100644 index 000000000..cce17dafb --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/key_id.sh @@ -0,0 +1,22 @@ +#!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + + +set -e +PUBLIC_KEY="$1" + +key_id=$(echo "$PUBLIC_KEY" |\ + openssl rsa -pubin -inform PEM -outform der 2>/dev/null |\ + openssl dgst -sha256 -binary |\ + basenc --base64url -w 0 |\ + tr -d '=') + +# Adds a check to ensure that the key_id is not empty +if [ -z "$key_id" ]; then + echo "Error: key_id is not set, make sure you have openssl, basenc, and tr installed." >&2 + exit 1 +fi + +jq -n --arg key_id "$key_id" '{"key_id":$key_id}' \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/key_modulus.sh b/.github/test-infra/aws/rke2/scripts/key_modulus.sh new file mode 100644 index 000000000..391a5ebd6 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/key_modulus.sh @@ -0,0 +1,16 @@ +#!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + + +PUBLIC_KEY="$1" + +modulus=$(echo "$PUBLIC_KEY" |\ + openssl rsa -pubin -noout -modulus |\ + awk -F'=' '{print $2}' |\ + xxd -r -p |\ + basenc --base64url -w 0 |\ + tr -d '=') + +jq -n --arg modulus "$modulus" '{"modulus":$modulus}' \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/scripts/user_data.sh b/.github/test-infra/aws/rke2/scripts/user_data.sh new file mode 100644 index 000000000..82b9b7cc6 --- /dev/null +++ b/.github/test-infra/aws/rke2/scripts/user_data.sh @@ -0,0 +1,123 @@ +#!/bin/bash +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + + +info() { + echo "[INFO] " "$@" +} + +export CCM="${ccm}" +export CCM_EXTERNAL="${ccm_external}" + +############################### +### pre userdata +############################### +pre_userdata() { +info "Beginning user defined pre userdata" + +# add aws cloud controller +info "Adding AWS cloud provider manifest." +mkdir -p /var/lib/rancher/rke2/server/manifests +cat > /var/lib/rancher/rke2/server/manifests/00-aws-ccm.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: aws-cloud-controller-manager + namespace: kube-system +spec: + chart: aws-cloud-controller-manager + repo: https://kubernetes.github.io/cloud-provider-aws + version: 0.0.8 + targetNamespace: kube-system + bootstrap: true + valuesContent: |- + nodeSelector: + node-role.kubernetes.io/control-plane: "true" + hostNetworking: true + args: + - --configure-cloud-routes=false + - --v=2 + - --cloud-provider=aws +EOM + +#longhorn helm values: https://github.com/longhorn/longhorn/tree/master/chart +cat > /var/lib/rancher/rke2/server/manifests/01-longhorn.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: longhorn + namespace: kube-system +spec: + chart: longhorn + repo: https://charts.longhorn.io + version: 1.7.1 + targetNamespace: kube-system +EOM + +#metallb helm values: https://github.com/metallb/metallb/tree/main/charts/metallb +cat > /var/lib/rancher/rke2/server/manifests/02-metallb.yaml << EOM +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: metallb + namespace: kube-system +spec: + chart: metallb + repo: https://metallb.github.io/metallb + version: 0.14.8 + targetNamespace: kube-system +EOM + +info "Installing awscli" +yum install -y unzip jq || apt-get -y install unzip jq +curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" +unzip awscliv2.zip +sudo ./aws/install + +echo "Getting OIDC keypair" +sudo mkdir /irsa +sudo chown ec2-user:ec2-user /irsa +aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-private-key | jq -r '.SecretString' > /irsa/signer.key +aws secretsmanager get-secret-value --secret-id ${secret_prefix}-oidc-public-key | jq -r '.SecretString' > /irsa/signer.key.pub +chcon -t svirt_sandbox_file_t /irsa/* + +info "Setting up RKE2 config file" +curl -L https://github.com/mikefarah/yq/releases/download/v4.40.4/yq_linux_amd64 -o yq +chmod +x yq +./yq -i '.cloud-provider-name += "external"' /etc/rancher/rke2/config.yaml +./yq -i '.disable-cloud-controller += "true"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-key-file=/irsa/signer.key.pub"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-signing-key-file=/irsa/signer.key"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "api-audiences=kubernetes.svc.default"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "service-account-issuer=https://${BUCKET_REGIONAL_DOMAIN_NAME}"' /etc/rancher/rke2/config.yaml +./yq -i '.kube-apiserver-arg += "audit-log-path=/var/log/kubernetes/audit/audit.log"' /etc/rancher/rke2/config.yaml +rm -rf ./yq + + +} + +pre_userdata + +# If no bootstrap IP is provided then start RKE2 as single node/bootstrap +if [[ "${BOOTSTRAP_IP}" == "" ]]; then + bootstrap_ip=$(ip route get $(ip route show 0.0.0.0/0 | grep -oP 'via \K\S+') | grep -oP 'src \K\S+') +else + bootstrap_ip=${BOOTSTRAP_IP} +fi + +if [[ "${CLUSTER_SANS}" ]]; then + echo "Passing SANs to RKE2 startup script: ${CLUSTER_SANS}" + public_ipv4=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) + # Use array to properly handle cluster_sans containing multiple values + san_options=(-T "$${public_ipv4} ${CLUSTER_SANS}") +fi + +if [[ "${AGENT_NODE}" == "true" ]]; then + /root/rke2-startup.sh -t ${RKE2_JOIN_TOKEN} "$${san_options[@]}" -s $${bootstrap_ip} -a +else + /root/rke2-startup.sh -t ${RKE2_JOIN_TOKEN} "$${san_options[@]}" -s $${bootstrap_ip} +fi + diff --git a/.github/test-infra/aws/rke2/storage.tf b/.github/test-infra/aws/rke2/storage.tf new file mode 100644 index 000000000..aa1d742eb --- /dev/null +++ b/.github/test-infra/aws/rke2/storage.tf @@ -0,0 +1,32 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +####################################### +# Storage +####################################### +locals { + #define workloads that need irsa configured. this will create s3 buckets and associated iam roles and policy attachments for irsa + irsa_buckets = { + loki = { + name = "loki" + service_account = "loki" + namespace = "loki" + } + velero = { + name = "velero" + service_account = "velero-server" + namespace = "velero" + } + } +} + +module "storage" { + # this module assumes by default that you are only setting up external storage for velero and loki. modify the the irsa_buckets local above to add more. creates s3 buckets and irsa roles + source = "./modules/storage" + cluster_name = local.cluster_name + permissions_boundary = local.iam_role_permissions_boundary + use_permissions_boundary = var.use_permissions_boundary + environment = var.environment + ci_bucket_configurations = local.irsa_buckets + oidc_bucket_attributes = merge({ s3_bucket_id = module.oidc_bucket.s3_bucket_id, bucket_regional_domain_name = module.oidc_bucket.s3_bucket_bucket_regional_domain_name }) +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/terraform.tfvars b/.github/test-infra/aws/rke2/terraform.tfvars new file mode 100644 index 000000000..53ff1f7dd --- /dev/null +++ b/.github/test-infra/aws/rke2/terraform.tfvars @@ -0,0 +1,7 @@ +default_user = "ec2-user" +ssh_key_name = "packer-rke2-rhel-key" +os_distro = "rhel" +# Need to allow in from internet for github runner to connect to node +allowed_in_cidrs = ["0.0.0.0/0"] + +rke2_version = "1.30" \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/variables.tf b/.github/test-infra/aws/rke2/variables.tf new file mode 100644 index 000000000..59ac1e4bb --- /dev/null +++ b/.github/test-infra/aws/rke2/variables.tf @@ -0,0 +1,109 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +variable "environment" { + description = "Environment/account that this is deployed to" + default = "ci" +} + +variable "vpc_name" { + type = string + description = "VPC ID to deploy into" + default = "uds-ci-commercial-*" +} + +variable "subnet_name" { + type = string + description = "Name of subnet tobrew install libtool use for testing. Can use a wildcard as long as it only matches one subnet per az." + default = "uds-ci-commercial-*-public*" +} + +variable "region" { + type = string + description = "Region to use for deployment" +} + +variable "agent_instance_type" { + type = string + description = "Instance type to use for agent nodes. Defaults to c5.xlarge to match RKE2 recommended specs." + default = "m5.2xlarge" +} + +variable "control_plane_instance_type" { + type = string + description = "Instance type to use for control plane nodes. Defaults to c5.xlarge to match RKE2 recommended specs." + default = "m5.2xlarge" +} + +variable "control_plane_node_count" { + type = number + description = "How many control plane nodes to spin up. Total control plane nodes will be n+1 due to bootstrap node. For HA, there should be an odd number of control plane nodes." + default = 2 +} + +variable "agent_node_count" { + type = number + description = "How many agent nodes to spin up" + default = 1 +} + +variable "allowed_in_cidrs" { + type = list(string) + description = "Optional list of CIDRs that can connect to the cluster in addition to CIDR of VPC cluster is deployed to" + default = [] +} + +variable "cluster_hostname" { + type = string + description = "Hostname to use for connecting to cluster API. cluster.foo.bar default used by CI tests" + default = "cluster.foo.bar" +} + +variable "os_distro" { + type = string + description = "OS distribution used to distinguish test infra based on which test created it" +} + +variable "rke2_version" { + type = string + description = "RKE2 version used to distinguish test infra based on which test created it" +} + +variable "default_user" { + type = string + description = "Default user of AMI" +} + +variable "ssh_key_name" { + type = string + description = "What to name generated SSH key pair in AWS" +} + +variable "use_permissions_boundary" { + description = "Whether to use IAM permissions boundary for resources." + type = bool +} + +variable "permissions_boundary_name" { + description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." +} + +variable "recovery_window" { + default = 7 + type = number +} + +variable "force_destroy" { + type = bool + default = true +} + +variable "client_id_list" { + description = "Comma separated list of client IDs (audiences) for the provider" + type = list(string) + default = ["irsa"] +} + +variable "run_id" { + description = "Github Actions Run ID. Used to tag AWS resources that are created by this workspace." +} \ No newline at end of file diff --git a/.github/test-infra/aws/rke2/versions.tf b/.github/test-infra/aws/rke2/versions.tf new file mode 100644 index 000000000..50949e00e --- /dev/null +++ b/.github/test-infra/aws/rke2/versions.tf @@ -0,0 +1,29 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +terraform { + backend "s3" { + } + required_providers { + aws = { + version = "~> 5.72.0" + } + random = { + version = "~> 3.6.0" + } + tls = { + version = "~> 4.0.0" + } + } + required_version = ">= 1.8.0" +} + +provider "aws" { + region = var.region + + default_tags { + tags = { + PermissionsBoundary = var.permissions_boundary_name + } + } +} \ No newline at end of file diff --git a/.github/test-infra/buckets-iac/output.tf b/.github/test-infra/buckets-iac/output.tf deleted file mode 100644 index 1228df95a..000000000 --- a/.github/test-infra/buckets-iac/output.tf +++ /dev/null @@ -1,27 +0,0 @@ -output "aws_region" { - value = data.aws_region.current.name -} - -output "loki_irsa_role_arn" { - value = module.irsa["loki"].role_arn -} - -output "loki_s3" { - value = module.S3["loki"] -} - -output "loki_s3_bucket" { - value = module.S3["loki"].bucket_name -} - -output "velero_irsa_role_arn" { - value = module.irsa["velero"].role_arn -} - -output "velero_s3" { - value = module.S3["velero"] -} - -output "velero_s3_bucket" { - value = module.S3["velero"].bucket_name -} diff --git a/.github/test-infra/buckets-iac/variables.tf b/.github/test-infra/buckets-iac/variables.tf deleted file mode 100644 index 267ac5421..000000000 --- a/.github/test-infra/buckets-iac/variables.tf +++ /dev/null @@ -1,55 +0,0 @@ -variable "region" { - description = "AWS region" - type = string -} - -variable "name" { - description = "Name for cluster" - type = string -} - -variable "permissions_boundary_name" { - description = "The name of the permissions boundary for IAM resources. This will be used for tagging and to build out the ARN." - type = string - default = null -} - -variable "use_permissions_boundary" { - description = "Whether to use IAM permissions boundary for resources." - type = bool - default = true -} - -variable "key_owner_arns" { - description = "ARNS of KMS key owners, needed for use of key" - type = list(string) - default = [] -} - -# taken from zarf bb repo -variable "kms_key_deletion_window" { - description = "Waiting period for scheduled KMS Key deletion. Can be 7-30 days." - type = number - default = 7 -} - -variable "bucket_configurations" { - type = map(object({ - name = string - service_account = string - namespace = string - })) - default = { - loki = { - name = "loki" - service_account = "loki" - namespace = "loki" - } - velero = { - name = "velero" - service_account = "velero-server" - namespace = "velero" - } - } -} - diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml index fd8924140..43c0e331e 100644 --- a/.github/workflows/commitlint.yaml +++ b/.github/workflows/commitlint.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Metadata on: @@ -15,7 +18,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 0 diff --git a/.github/workflows/compliance.yaml b/.github/workflows/compliance.yaml index 74b8d54d3..7c9a1ab3d 100644 --- a/.github/workflows/compliance.yaml +++ b/.github/workflows/compliance.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Compliance Evaluation on: @@ -25,12 +28,10 @@ jobs: runs-on: ubuntu-latest name: Evaluate continue-on-error: true - # env: - # UDS_PKG: ${{ inputs.package }} steps: # Used to execute the uds run command - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup @@ -68,7 +69,7 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} - name: Upload Evaluated Assessment - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml index 2ae466cc6..cc6416c44 100644 --- a/.github/workflows/docs-shim.yaml +++ b/.github/workflows/docs-shim.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: CI Docs on: @@ -23,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: lint-check uses: ./.github/actions/lint-check diff --git a/.github/workflows/lint-oscal.yaml b/.github/workflows/lint-oscal.yaml index 4f1501e1b..806da851b 100644 --- a/.github/workflows/lint-oscal.yaml +++ b/.github/workflows/lint-oscal.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Lint OSCAL Files on: @@ -6,6 +9,7 @@ on: types: [milestoned, opened, reopened, synchronize] paths: - '**/*oscal*.yaml' + - '!.github/workflows/lint-oscal.yaml' permissions: contents: read @@ -20,7 +24,7 @@ jobs: oscal_files: ${{ steps.path-filter.outputs.oscal_files }} steps: - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -47,7 +51,7 @@ jobs: shell: bash # checkout for access to the oscal files targeted for linting - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup # lint the oscal files diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml index 526dd2ab6..cb7fb10c0 100644 --- a/.github/workflows/nightly-testing.yaml +++ b/.github/workflows/nightly-testing.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Nightly Testing on: @@ -7,8 +10,11 @@ on: paths: - tasks/iac.yaml - .github/workflows/test-eks.yaml - - .github/bundles/* - - .github/test-infra/buckets-iac/* + - .github/workflows/test-rke2.yaml + - .github/bundles/eks/* + - .github/bundles/rke2/* + - .github/test-infra/aws/eks/* + - .github/test-infra/aws/rke2/* # Abort prior jobs in the same workflow / PR concurrency: @@ -16,7 +22,7 @@ concurrency: cancel-in-progress: true jobs: - nightly-testing: + nightly-testing-eks: name: Test Core on EKS uses: ./.github/workflows/test-eks.yaml strategy: @@ -26,3 +32,13 @@ jobs: with: flavor: ${{ matrix.flavor }} secrets: inherit + nightly-testing-rke2: + name: Test Core on RKE2 + uses: ./.github/workflows/test-rke2.yaml + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + fail-fast: false + with: + flavor: ${{ matrix.flavor }} + secrets: inherit diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index bfb1d49dd..3ffbaeaee 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Publish UDS Core on: @@ -23,7 +26,7 @@ jobs: id-token: write # This is needed for OIDC federation. steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup @@ -45,22 +48,22 @@ jobs: if: ${{ inputs.snapshot }} run: | yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-standard/uds-bundle.yaml - yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core-slim-dev")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-slim-dev/uds-bundle.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core-base")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-slim-dev/uds-bundle.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION), (.packages[]|select(has("ref"))|select(.name=="core-identity-authorization")).ref=env(SNAPSHOT_VERSION)' bundles/k3d-slim-dev/uds-bundle.yaml yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/standard/zarf.yaml - yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/slim-dev/zarf.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/base/zarf.yaml + yq -ei '.metadata.version=env(SNAPSHOT_VERSION)' packages/identity-authorization/zarf.yaml - name: Create Packages and Bundles run: | ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress --set FLAVOR=${{ matrix.flavor }} if [ "${{ matrix.flavor }}" != "registry1" ]; then ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ matrix.flavor }} ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-standard-bundle --no-progress - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml slim-dev-package --no-progress --set FLAVOR=${{ matrix.flavor }} - ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress + ZARF_ARCHITECTURE=arm64 uds run -f tasks/create.yaml k3d-slim-dev-bundle --no-progress --set FLAVOR=${{ matrix.flavor }} fi # Standard Package by default tests full core @@ -87,3 +90,45 @@ jobs: uses: ./.github/actions/save-logs with: suffix: -${{ matrix.flavor }} + + publish-uds-core-layers: + if: ${{ !inputs.snapshot }} + strategy: + matrix: + flavor: [upstream, registry1, unicorn] + layer: [base, identity-authorization, ui, runtime-security, backup-restore, logging, metrics-server, monitoring] + arch: [amd64, arm64] + exclude: + - flavor: registry1 + arch: arm64 + runs-on: ${{ matrix.arch == 'arm64' && 'uds-ubuntu-arm64-4-core' || 'uds-ubuntu-big-boy-4-core' }} + name: Publish package layers + + permissions: + contents: read + packages: write + id-token: write # This is needed for OIDC federation. + + steps: + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: Environment setup + uses: ./.github/actions/setup + with: + registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} + + - name: Test and Publish Core Package Layer + run: uds run -f tasks/publish.yaml single-layer --set FLAVOR=${{ matrix.flavor }} --set LAYER=${{ matrix.layer }} --no-progress + + - name: Debug Output + if: ${{ always() && !inputs.snapshot }} + uses: ./.github/actions/debug-output + + - name: Save logs + if: always() + uses: ./.github/actions/save-logs + with: + suffix: -${{ matrix.flavor }}-${{ matrix.layer }}-${{ matrix.arch }} diff --git a/.github/workflows/pull-request-conditionals.yaml b/.github/workflows/pull-request-conditionals.yaml index cc0a879d4..22b81fa7b 100644 --- a/.github/workflows/pull-request-conditionals.yaml +++ b/.github/workflows/pull-request-conditionals.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Filter # This workflow is triggered on pull requests @@ -42,7 +45,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: lint-check uses: ./.github/actions/lint-check @@ -56,7 +59,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # Uses a custom action to filter paths for source packages. - name: Check src paths @@ -64,7 +67,6 @@ jobs: uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 with: filters: .github/filters.yaml - predicate-quantifier: every # This job triggers a separate workflow for each changed source package, if any. run-package-test: diff --git a/.github/workflows/slim-dev-test.yaml b/.github/workflows/slim-dev-test.yaml index 89c72e8c6..b1c4e85fa 100644 --- a/.github/workflows/slim-dev-test.yaml +++ b/.github/workflows/slim-dev-test.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Slim Dev # This workflow is triggered on pull requests @@ -8,9 +11,11 @@ on: paths: - src/pepr/** - src/keycloak/** + - src/authservice/** - src/istio/** - src/prometheus-stack/** - - packages/slim-dev/** + - packages/base/** + - packages/identity-authorization/** - bundles/k3d-slim-dev/** - .github/workflows/slim-dev** - "!**/*.md" @@ -42,7 +47,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup - name: Deploy Slim Dev Bundle diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml index 5ea5da234..caca1060b 100644 --- a/.github/workflows/snapshot-release.yaml +++ b/.github/workflows/snapshot-release.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Release UDS Core Snapshot on: @@ -24,7 +27,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-tags: 'true' - name: Update snapshot-latest tag diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml index b601a46d9..56d4294a7 100644 --- a/.github/workflows/tag-and-release.yaml +++ b/.github/workflows/tag-and-release.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Release UDS Core on: diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml index acaded852..727e35022 100644 --- a/.github/workflows/test-eks.yaml +++ b/.github/workflows/test-eks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test Core On EKS on: @@ -26,14 +29,14 @@ jobs: - name: Set ENV run: | echo "UDS_CLUSTER_NAME=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV - echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-eks-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV echo "TF_VAR_name=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 @@ -57,43 +60,43 @@ jobs: - name: Setup Tofu uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4 with: - tofu_version: 1.8.1 + tofu_version: 1.8.2 tofu_wrapper: false - name: Create UDS Core Package run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ inputs.flavor }} - name: Create Core Bundle - run: uds create .github/bundles --confirm + run: uds create .github/bundles/eks --confirm - name: Create Cluster run: uds run -f tasks/iac.yaml create-cluster --no-progress timeout-minutes: 60 - name: Create IAC - run: uds run -f tasks/iac.yaml create-iac --no-progress + run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=eks timeout-minutes: 20 - name: Deploy Core Bundle env: - UDS_CONFIG: .github/bundles/uds-config.yaml - run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm + UDS_CONFIG: .github/bundles/eks/uds-config.yaml + run: uds deploy .github/bundles/eks/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm timeout-minutes: 20 - name: Remove UDS Core if: always() - run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm + run: uds remove .github/bundles/eks/uds-bundle-uds-core-eks-*.tar.zst --confirm timeout-minutes: 10 continue-on-error: true - name: Remove IAC if: always() - run: uds run -f tasks/iac.yaml destroy-iac --no-progress + run: uds run -f tasks/iac.yaml destroy-iac --no-progress --set K8S_DISTRO=eks timeout-minutes: 10 continue-on-error: true - name: Teardown EKS cluster if: always() - run: uds run -f tasks/iac.yaml destroy-cluster --no-progress + run: uds run -f tasks/iac.yaml destroy-cluster --no-progress --set K8S_DISTRO=eks timeout-minutes: 30 continue-on-error: true diff --git a/.github/workflows/test-rke2.yaml b/.github/workflows/test-rke2.yaml new file mode 100644 index 000000000..8bd6480b2 --- /dev/null +++ b/.github/workflows/test-rke2.yaml @@ -0,0 +1,105 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +name: Test Core On RKE2 + +on: + # triggered by nightly-testing.yaml + workflow_call: + inputs: + flavor: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + test-rke2-install: + runs-on: ubuntu-latest + env: + SHA: ${{ github.sha }} + UDS_REGION: us-west-2 + UDS_PERMISSIONS_BOUNDARY_ARN: ${{ secrets.PERMISSIONS_BOUNDARY_ARN }} + UDS_PERMISSIONS_BOUNDARY_NAME: ${{ secrets.PERMISSIONS_BOUNDARY_NAME }} + UDS_STATE_BUCKET_NAME: uds-aws-ci-commercial-us-west-2-5246-tfstate + UDS_STATE_DYNAMODB_TABLE_NAME: uds-aws-ci-commercial-org-us-west-2-5246-tfstate-lock + steps: + - name: Set ENV + run: | + echo "UDS_CLUSTER_NAME=uds-ci-${{ inputs.flavor }}-${SHA:0:7}" >> $GITHUB_ENV + echo "UDS_STATE_KEY="tfstate/ci/install/${SHA:0:7}-rke2-core-${{ inputs.flavor }}-aws.tfstate >> $GITHUB_ENV + echo "TF_VAR_region=${UDS_REGION}" >> $GITHUB_ENV + echo "TF_VAR_run_id=$GITHUB_RUN_ID" >> $GITHUB_ENV + echo "TF_VAR_use_permissions_boundary=true" >> $GITHUB_ENV + echo "TF_VAR_permissions_boundary_name=${UDS_PERMISSIONS_BOUNDARY_NAME}" >> $GITHUB_ENV + + - name: Checkout repository + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 + with: + role-to-assume: ${{ secrets.AWS_COMMERCIAL_ROLE_TO_ASSUME }} + role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }} + aws-region: ${{ env.UDS_REGION }} + role-duration-seconds: 21600 + + - name: Environment setup + uses: ./.github/actions/setup + with: + registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }} + registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }} + ghToken: ${{ secrets.GITHUB_TOKEN }} + chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} + + # - name: Install eksctl + # run: uds run -f tasks/iac.yaml install-eksctl --no-progress + + - name: Setup Tofu + uses: opentofu/setup-opentofu@12f4debbf681675350b6cd1f0ff8ecfbda62027b # v1.0.4 + with: + tofu_version: 1.8.2 + tofu_wrapper: false + + - name: Create UDS Core Package + run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress --set FLAVOR=${{ inputs.flavor }} + + - name: Create Core Bundle + run: uds create .github/bundles/rke2 --confirm + + - name: Create IAC + run: uds run -f tasks/iac.yaml create-iac --no-progress --set K8S_DISTRO=rke2 + timeout-minutes: 20 + + - name: Get Kubeconfig + run: uds run -f tasks/iac.yaml rke2-get-kubeconfig --no-progress + timeout-minutes: 20 + + - name: Wait for RKE2 Cluster + run: uds run -f tasks/iac.yaml rke2-cluster-ready --no-progress + env: + KUBECONFIG: ".github/test-infra/aws/rke2/rke2-config" + timeout-minutes: 20 + + - name: Deploy Core Bundle + env: + KUBECONFIG: ".github/test-infra/aws/rke2/rke2-config" + UDS_CONFIG: .github/bundles/rke2/uds-config.yaml + run: uds deploy .github/bundles/rke2/uds-bundle-uds-core-rke2-nightly-*.tar.zst --confirm + timeout-minutes: 60 + + - name: Remove UDS Core + if: always() + run: uds remove .github/bundles/rke2/uds-bundle-uds-core-rke2-*.tar.zst --confirm + env: + KUBECONFIG: ".github/test-infra/aws/rke2/rke2-config" + timeout-minutes: 20 + continue-on-error: true + + - name: Remove IAC + if: always() + run: uds run -f tasks/iac.yaml destroy-iac --no-progress --set K8S_DISTRO=rke2 + timeout-minutes: 10 + continue-on-error: true diff --git a/.github/workflows/test-shim.yaml b/.github/workflows/test-shim.yaml index 2b443233d..bdc662027 100644 --- a/.github/workflows/test-shim.yaml +++ b/.github/workflows/test-shim.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test Shim on: diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index fca5ce590..bafb1b939 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: Test packages on: @@ -21,7 +24,7 @@ on: inputs: package: type: string - description: "The name of the source package to test" + description: "The name of the core package layer to test" required: true flavor: type: string @@ -39,15 +42,16 @@ permissions: jobs: test: - runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'ubuntu-latest'}}" + # Use the 8 core runner for full-core or 4 core runner (with larger disk) for func layers tests + runs-on: "${{ inputs.package == 'all' && 'uds-ubuntu-big-boy-8-core' || 'uds-ubuntu-big-boy-4-core'}}" timeout-minutes: 30 name: Test env: - UDS_PKG: ${{ inputs.package }} + UDS_LAYER: ${{ inputs.package }} steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Environment setup uses: ./.github/actions/setup @@ -57,9 +61,9 @@ jobs: ghToken: ${{ secrets.GITHUB_TOKEN }} chainguardIdentity: ${{ secrets.CHAINGUARD_IDENTITY }} - - name: Test a single source package + - name: Test a single layer package if: ${{ inputs.package != 'all' && inputs.test_type == 'install' }} - run: uds run test-single-package --set FLAVOR=${{ inputs.flavor }} --no-progress + run: uds run test-single-layer --set FLAVOR=${{ inputs.flavor }} --set LAYER=${{ inputs.package }} --no-progress - name: Test UDS Core Install if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} @@ -71,7 +75,7 @@ jobs: - name: Upload Assessment if: ${{ inputs.package == 'all' && inputs.test_type == 'install' }} - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ inputs.flavor }}-assessment-results path: ./compliance/oscal-assessment-results.yaml diff --git a/.gitignore b/.gitignore index ad3474a0f..30014e1cd 100644 --- a/.gitignore +++ b/.gitignore @@ -6,7 +6,7 @@ build/ zarf-sbom tmp/ env.ts -node_modules +node_modules/** dist insecure* .env @@ -18,3 +18,4 @@ extract-terraform.sh **/.terraform* cluster-config.yaml **.tfstate +**.backup diff --git a/.husky/pre-commit b/.husky/pre-commit index 031993ec4..b1f1ff9d9 100755 --- a/.husky/pre-commit +++ b/.husky/pre-commit @@ -1,12 +1,35 @@ #!/usr/bin/env sh . "$(dirname -- "$0")/_/husky.sh" +echo "\nRunning YAML Lint Check" + +# Run yamllint globally, which will respect the .yamllint config, including ignores +yamllint -c .yamllint . --no-warnings + +# Capture yamllint +YAMLLINT_EXIT=$? + +if [ $YAMLLINT_EXIT -ne 0 ]; then + echo "\n❌ YAMLLint failed. Please fix the YAML issues before committing. ❌\n" + exit 1 +fi + +echo "YAML Lint Check Passed - ✅\n" + +echo "\nRunning License Lint Check. Use \`uds run -f tasks/lint.yaml fix-license\` to resolve any issues.\n" + +# Run license linting +uds run -f tasks/lint.yaml license + +echo "\nRunning Pepr Format and Codespell Lint Checks\n" + +# Run lint-staged for other linting tasks OUTPUT=$(npx lint-staged > /dev/null && echo $? || echo $?) if [ $OUTPUT -eq 0 ]; then - echo "\n\n✅ Lint Check Passed. ✅\n\n" + echo "\nAll Lints Check Passed - ✅\n" exit 0 else - echo "\n\n❌ Lint Check failed... Run \`uds run lint-fix\` to resolve issues and re-commit. ❌\n\n" + echo "❌ Pepr Format and Codespell Lint Check failed... Run \`uds run lint-fix\` to resolve issues and re-commit. ❌\n" exit 1 -fi +fi \ No newline at end of file diff --git a/.lintstagedrc.json b/.lintstagedrc.json index abbc42c11..3cdd4ff8b 100644 --- a/.lintstagedrc.json +++ b/.lintstagedrc.json @@ -2,10 +2,7 @@ "*": [ "codespell" ], - "*.yaml": [ - "yamllint -c .yamllint --no-warnings" - ], "*.ts": [ "npx pepr format --validate-only" ] -} +} \ No newline at end of file diff --git a/.release-please-manifest.json b/.release-please-manifest.json index d25a5019b..130edc2c5 100644 --- a/.release-please-manifest.json +++ b/.release-please-manifest.json @@ -1,3 +1,7 @@ { +<<<<<<< HEAD + ".": "0.29.0" +======= ".": "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) } diff --git a/.vscode/settings.json b/.vscode/settings.json index 97ec6433e..ca840bae4 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -9,17 +9,17 @@ }, "yaml.schemas": { // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/uds.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/uds.schema.json": [ "uds-bundle.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/tasks.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/tasks.schema.json": [ "tasks.yaml", "tasks/**/*.yaml", "src/**/validate.yaml" ], // renovate: datasource=github-tags depName=defenseunicorns/uds-cli versioning=semver - "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.16.0/zarf.schema.json": [ + "https://raw.githubusercontent.com/defenseunicorns/uds-cli/v0.17.0/zarf.schema.json": [ "zarf.yaml" ] }, @@ -48,4 +48,5 @@ "source.organizeImports": "always" } }, + "sarif-viewer.connectToGithubCodeScanning": "off", } diff --git a/.yamllint b/.yamllint index e9a3eff30..29231c902 100644 --- a/.yamllint +++ b/.yamllint @@ -6,10 +6,10 @@ yaml-files: ignore: - 'k3d/local/manifests/metallb/metallb-native.yaml' - '**/.terraform/**' - - '**/chart/templates**' + - '**/chart/templates/**' - 'node_modules/**' - 'dist/**' - - 'src/pepr/uds-operator-config/templates**' + - 'src/pepr/uds-operator-config/templates/**' - '.codespellrc' - '.lintstagedrc.json' diff --git a/CHANGELOG.md b/CHANGELOG.md index 7711ac21f..fe1db1bc2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,62 @@ All notable changes to this project will be documented in this file. +<<<<<<< HEAD +## [0.29.0](https://github.com/defenseunicorns/uds-core/compare/v0.28.0...v0.29.0) (2024-10-11) + + +### Features + +* add base and identity layers ([#853](https://github.com/defenseunicorns/uds-core/issues/853)) ([b3f532a](https://github.com/defenseunicorns/uds-core/commit/b3f532a4fe49e00b2cbcfb8bd4555a807355e8dd)) +* add logging functional layer ([#861](https://github.com/defenseunicorns/uds-core/issues/861)) ([c1a67b9](https://github.com/defenseunicorns/uds-core/commit/c1a67b968116570f81c570f51145d3183c386d14)) +* add metrics-server functional layer ([#865](https://github.com/defenseunicorns/uds-core/issues/865)) ([290367a](https://github.com/defenseunicorns/uds-core/commit/290367af2251c45fdc2ebb0b8f394b2c1ac2f0d8)) +* add monitoring layer ([#872](https://github.com/defenseunicorns/uds-core/issues/872)) ([5ecb040](https://github.com/defenseunicorns/uds-core/commit/5ecb040bb27d8fed2a15617830cc6805df9c6ec7)) +* add nightly testing for rke2 ([#808](https://github.com/defenseunicorns/uds-core/issues/808)) ([c401419](https://github.com/defenseunicorns/uds-core/commit/c4014197b19483657ccc1951d062263433e8b4af)) +* add service accounts options to sso ([#852](https://github.com/defenseunicorns/uds-core/issues/852)) ([1029162](https://github.com/defenseunicorns/uds-core/commit/102916223bbfe4f6d555f72fd8d3a9593853d160)) +* backup and restore layer, ui layer, runtime security layer ([#862](https://github.com/defenseunicorns/uds-core/issues/862)) ([b1d8015](https://github.com/defenseunicorns/uds-core/commit/b1d8015f61b984441578a860d29043d52013082a)) +* grafana-ha ([#838](https://github.com/defenseunicorns/uds-core/issues/838)) ([d532d76](https://github.com/defenseunicorns/uds-core/commit/d532d76f8242a68cf39b5aac7c3b4a8c241d56b3)) + + +### Bug Fixes + +* broken readme link ([#899](https://github.com/defenseunicorns/uds-core/issues/899)) ([6e47b11](https://github.com/defenseunicorns/uds-core/commit/6e47b11f85075c3942c1ca193d5e9d90747b6109)) +* **ci:** switch to larger runners to resolve ci disk space issues ([#882](https://github.com/defenseunicorns/uds-core/issues/882)) ([1af0401](https://github.com/defenseunicorns/uds-core/commit/1af040142babd141441a87ae74fd3c3a530f4fae)) +* snapshot ci version modification and tasks for publish ([#877](https://github.com/defenseunicorns/uds-core/issues/877)) ([f01e5bd](https://github.com/defenseunicorns/uds-core/commit/f01e5bdd65edbdfe2088cdc1bb9d62fb8e5c1b04)) +* support for anywhere network policies in cilium ([#884](https://github.com/defenseunicorns/uds-core/issues/884)) ([5df0737](https://github.com/defenseunicorns/uds-core/commit/5df073768eb9f8c8f00433413039918bdb85d362)) + + +### Miscellaneous + +* cleanup license parsing for github ([#881](https://github.com/defenseunicorns/uds-core/issues/881)) ([43c98ce](https://github.com/defenseunicorns/uds-core/commit/43c98cee6957a3ca155f7fb7e9d3b604c8c5caa7)) +* **deps:** update chainctl action to v0.2.3 ([#864](https://github.com/defenseunicorns/uds-core/issues/864)) ([d782b59](https://github.com/defenseunicorns/uds-core/commit/d782b59363184de07c7546c04ad7edb6fa9e6449)) +* **deps:** update checkout action to v4.2.0 ([#825](https://github.com/defenseunicorns/uds-core/issues/825)) ([29d1c98](https://github.com/defenseunicorns/uds-core/commit/29d1c98069c73869951878372f7ca1ac842bb87d)) +* **deps:** update dependency defenseunicorns/lula to v0.8.0 ([#841](https://github.com/defenseunicorns/uds-core/issues/841)) ([fe36150](https://github.com/defenseunicorns/uds-core/commit/fe36150bceb69155d4aec8d7298fcc19dbca8c36)) +* **deps:** update githubactions ([#866](https://github.com/defenseunicorns/uds-core/issues/866)) ([44f8ea5](https://github.com/defenseunicorns/uds-core/commit/44f8ea5f12b9d0bda9d9231564b95c6a49fd8e83)) +* **deps:** update grafana to 11.2.1 ([#836](https://github.com/defenseunicorns/uds-core/issues/836)) ([11383c1](https://github.com/defenseunicorns/uds-core/commit/11383c188e4f799b5e8e09dc67e5b6f6ebfdca3e)) +* **deps:** update grafana to v11.2.2 ([#867](https://github.com/defenseunicorns/uds-core/issues/867)) ([06ed2c3](https://github.com/defenseunicorns/uds-core/commit/06ed2c323a3f1e895d6f3f87e5388f7a06197b1c)) +* **deps:** update loki nginx image to v1.27.2 ([#894](https://github.com/defenseunicorns/uds-core/issues/894)) ([df7d427](https://github.com/defenseunicorns/uds-core/commit/df7d427cf8f830d7590a144ff9e902245433460b)) +* **deps:** update loki to v3.2.0 ([#791](https://github.com/defenseunicorns/uds-core/issues/791)) ([d3c60b5](https://github.com/defenseunicorns/uds-core/commit/d3c60b5678982d774a721838cf75e06c20087c73)) +* **deps:** update metrics-server chart to v3.12.2 ([#873](https://github.com/defenseunicorns/uds-core/issues/873)) ([e2e61ce](https://github.com/defenseunicorns/uds-core/commit/e2e61ce3319aa9ac48762afe097d72f97175bbce)) +* **deps:** update pepr to v0.37.1 ([#843](https://github.com/defenseunicorns/uds-core/issues/843)) ([68abcb2](https://github.com/defenseunicorns/uds-core/commit/68abcb2df5b7e2097a56e949624790445bc02b41)) +* **deps:** update pepr to v0.37.2 ([#850](https://github.com/defenseunicorns/uds-core/issues/850)) ([b51f659](https://github.com/defenseunicorns/uds-core/commit/b51f659ffbb3880a5da74aa90b62c5ef4a7a05cc)) +* **deps:** update prometheus operator to 0.77.1 ([#819](https://github.com/defenseunicorns/uds-core/issues/819)) ([0864b33](https://github.com/defenseunicorns/uds-core/commit/0864b33b2ecde7f73d28c3bad6dab10275969346)) +* **deps:** update prometheus-stack ([#855](https://github.com/defenseunicorns/uds-core/issues/855)) ([c791c24](https://github.com/defenseunicorns/uds-core/commit/c791c24de4d27678778225f8487629e6353a2d64)) +* **deps:** update prometheus-stack helm-charts to v64.0.0 ([#849](https://github.com/defenseunicorns/uds-core/issues/849)) ([50a2588](https://github.com/defenseunicorns/uds-core/commit/50a258860f79bb291450afbe48a6f61a6650bb9c)) +* **deps:** update runtime to v0.6.0 ([#897](https://github.com/defenseunicorns/uds-core/issues/897)) ([89ae6e2](https://github.com/defenseunicorns/uds-core/commit/89ae6e255f32eadf871096bafe0cc1958b1c6e34)) +* **deps:** update support-deps ([#890](https://github.com/defenseunicorns/uds-core/issues/890)) ([26ea612](https://github.com/defenseunicorns/uds-core/commit/26ea612bec9ece132509b5ef0d4d1807debbbb62)) +* **deps:** update test-infra ([#875](https://github.com/defenseunicorns/uds-core/issues/875)) ([583f07c](https://github.com/defenseunicorns/uds-core/commit/583f07cbf57c2c839b8f6d00bbd098cafe4198a8)) +* **deps:** update test-infra to v6.9.0 ([#848](https://github.com/defenseunicorns/uds-core/issues/848)) ([ef9d317](https://github.com/defenseunicorns/uds-core/commit/ef9d317198acedc2007d683b5d169e1f333be433)) +* **deps:** update uds to v0.17.0 ([#859](https://github.com/defenseunicorns/uds-core/issues/859)) ([1489fef](https://github.com/defenseunicorns/uds-core/commit/1489fef6d666c54f122373dcdaabda37c3cfafe5)) +* **deps:** update zarf to v0.41.0 ([#857](https://github.com/defenseunicorns/uds-core/issues/857)) ([a390c3d](https://github.com/defenseunicorns/uds-core/commit/a390c3d4744ac8cccd4079928844f3568d3caf9f)) +* **docs:** update doc structure for site refresh ([#895](https://github.com/defenseunicorns/uds-core/issues/895)) ([1946a9a](https://github.com/defenseunicorns/uds-core/commit/1946a9a8144a0cd383c3af29c33bb828283ef81d)) +* fix broken link in docs ([#845](https://github.com/defenseunicorns/uds-core/issues/845)) ([3078a5b](https://github.com/defenseunicorns/uds-core/commit/3078a5b48506a4acb7660f9929279690bcb00984)) +* fix license header references ([#901](https://github.com/defenseunicorns/uds-core/issues/901)) ([cf38b82](https://github.com/defenseunicorns/uds-core/commit/cf38b827da351af5b610a064eb0d8fe885b66d89)) +* handle upgrade path for functional layers, add doc for usage ([#896](https://github.com/defenseunicorns/uds-core/issues/896)) ([70d6b1b](https://github.com/defenseunicorns/uds-core/commit/70d6b1b943e0e9fc3a36fc7a7600afa0e3f2b511)) +* regroup 'support dependencies' in renovate config ([#885](https://github.com/defenseunicorns/uds-core/issues/885)) ([640d859](https://github.com/defenseunicorns/uds-core/commit/640d859a50de6c7d49afec3283fac2a249d04dd7)) +* update license ([#878](https://github.com/defenseunicorns/uds-core/issues/878)) ([b086170](https://github.com/defenseunicorns/uds-core/commit/b086170f415c82916a6e493517ac5bc62b2b7aea)) + +======= +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) ## [0.28.0](https://github.com/defenseunicorns/uds-core/compare/v0.27.3...v0.28.0) (2024-09-27) diff --git a/CODEOWNERS b/CODEOWNERS index 573eee029..3ca746737 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,4 +2,5 @@ # Additional privileged files /CODEOWNERS @jeff-mccoy @daveworth -/LICENSE @jeff-mccoy @daveworth +# NOTE: No E to catch LICENSE and LICENSING +/LICENS* @jeff-mccoy @austenbryan diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 340dddd87..82bfa2e6b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -48,7 +48,35 @@ We apply these general principles to all User Stories and activities contributin ## Getting Started -TBD +### Development of UDS Operator / Pepr capabilities + +For development of the UDS Operator, a development cluster is required. You can +run one w/ the `dev-setup` UDS Task. Note that this will create a k3d cluster +on your local machine. Ensure you have an up-to-date version of k3d installed, +as older versions can cause failure of the UDS Core development environment. + +```bash +uds run dev-setup +``` + +This will create a cluster and then print instructions for further development +of the UDS Operator Pepr module. + +### Development of UDS Core Zarf sub-packages + +For development of individual components within the UDS Core Zarf package, the +`test-uds-core` UDS Task can be used to build and run the tests for the UDS Core +Zarf package. This will run the tests for the UDS Core Zarf package in a local +environment. + +```bash +uds run test-uds-core +``` + +If iterating on Helm values or templates (and not modifying upstream images), +running `dev-deploy` can be used _after_ the initial `test-uds-core` because the +images are already loaded, so this will essentially just do a quick Helm upgrade +for rapid iteration. ## Submitting a Pull Request diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 261eeb9e9..000000000 --- a/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/LICENSE.md b/LICENSE.md new file mode 100644 index 000000000..0ad25db4b --- /dev/null +++ b/LICENSE.md @@ -0,0 +1,661 @@ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU Affero General Public License is a free, copyleft license for +software and other kinds of works, specifically designed to ensure +cooperation with the community in the case of network server software. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +our General Public Licenses are intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + Developers that use our General Public Licenses protect your rights +with two steps: (1) assert copyright on the software, and (2) offer +you this License which gives you legal permission to copy, distribute +and/or modify the software. + + A secondary benefit of defending all users' freedom is that +improvements made in alternate versions of the program, if they +receive widespread use, become available for other developers to +incorporate. Many developers of free software are heartened and +encouraged by the resulting cooperation. However, in the case of +software used on network servers, this result may fail to come about. +The GNU General Public License permits making a modified version and +letting the public access it on a server without ever releasing its +source code to the public. + + The GNU Affero General Public License is designed specifically to +ensure that, in such cases, the modified source code becomes available +to the community. It requires the operator of a network server to +provide the source code of the modified version running there to the +users of that server. Therefore, public use of a modified version, on +a publicly accessible server, gives the public access to the source +code of the modified version. + + An older license, called the Affero General Public License and +published by Affero, was designed to accomplish similar goals. This is +a different license, not a version of the Affero GPL, but Affero has +released a new version of the Affero GPL which permits relicensing under +this license. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU Affero General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Remote Network Interaction; Use with the GNU General Public License. + + Notwithstanding any other provision of this License, if you modify the +Program, your modified version must prominently offer all users +interacting with it remotely through a computer network (if your version +supports such interaction) an opportunity to receive the Corresponding +Source of your version by providing access to the Corresponding Source +from a network server at no charge, through some standard or customary +means of facilitating copying of software. This Corresponding Source +shall include the Corresponding Source for any work covered by version 3 +of the GNU General Public License that is incorporated pursuant to the +following paragraph. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the work with which it is combined will remain governed by version +3 of the GNU General Public License. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU Affero General Public License from time to time. Such new versions +will be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU Affero General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU Affero General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU Affero General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published + by the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If your software can interact with users remotely through a computer +network, you should also make sure that it provides a way for users to +get its source. For example, if your program is a web application, its +interface could display a "Source" link that leads users to an archive +of the code. There are many ways you could offer source, and different +solutions will be better for different programs; see section 13 for the +specific requirements. + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU AGPL, see +. diff --git a/LICENSING.md b/LICENSING.md new file mode 100644 index 000000000..a439b77d2 --- /dev/null +++ b/LICENSING.md @@ -0,0 +1,18 @@ +# Dual Licensing + +This software is licensed under either of: + +- GNU Affero General Public License v3.0 (AGPLv3), see [LICENSE.md](./LICENSE.md) +- Defense Unicorns Commercial License, see below + +## Defense Unicorns Commercial License + +The use of this software under a commercial license is subject to the individual +terms of the license agreement between the licensee and Defense Unicorns. The +content of this license depends on the specific agreement and may vary. For +more information about obtaining a commercial license, please contact +Defense Unicorns at [defenseunicorns.com](https://defenseunicorns.com). + +To use this software under the commercial license, you must have a valid license +agreement with Defense Unicorns. The terms of the Defense Unicorns, Inc. license +agreement supplant and supersede the terms of the AGPL v3 license. diff --git a/README.md b/README.md index c139b7387..1498ce643 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Unicorn Delivery Service - Core (UDS Core) -## [UDS Core Docs](https://uds.defenseunicorns.com/core/) +## [UDS Core Overview](https://uds.defenseunicorns.com/reference/uds-core/overview/) UDS Core establishes a secure baseline for cloud-native systems and ships with compliance documentation and first-class support for airgap/egress-limited systems. Based on the work of [Platform One](https://p1.dso.mil), UDS Core expands on the security posture of [Big Bang](https://repo1.dso.mil/big-bang/bigbang) while providing advanced automation with the [UDS Operator](./src/pepr/operator/README.md) and [UDS Policy Engine](./src/pepr/policies/README.md). UDS Core is a collection of several individual applications combined into a single [Zarf](https://zarf.dev) package and we recommend using [UDS CLI](https://github.com/defenseunicorns/uds-cli?tab=readme-ov-file#install) to deploy it as a [UDS Bundle](#using-uds-core-in-production). @@ -56,7 +56,11 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle ```bash +<<<<<<< HEAD +uds deploy k3d-core-demo:0.29.0 +======= uds deploy k3d-core-demo:0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) ``` @@ -70,7 +74,11 @@ Deploy Istio, Keycloak and Pepr: ```bash +<<<<<<< HEAD +uds deploy k3d-core-slim-dev:0.29.0 +======= uds deploy k3d-core-slim-dev:0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) ``` @@ -78,7 +86,7 @@ uds deploy k3d-core-slim-dev:0.28.0 #### Developing UDS Core -UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [metrics-server package](./src/metrics-server/README.md): +UDS Core development leverages the `uds zarf dev deploy` command. For convenience, a UDS Task is provided to setup the environment. You'll need to have [NodeJS](https://nodejs.org/en/download/) 20 or later installed to continue. Here's an example of a flow developing the [identity-authorization layer](./packages/identity-authorization/README.md): ```bash # Create the dev environment @@ -90,8 +98,8 @@ npx pepr dev # If not developing the Pepr module (can be run multiple times): npx pepr deploy -# Deploy the package (can be run multiple times) -uds run dev-deploy --set PKG=metrics-server +# Deploy the layer (can be run multiple times) +uds run dev-deploy --set LAYER=identity-authorization ``` #### Testing UDS Core @@ -102,10 +110,10 @@ You can perform a complete test of UDS Core by running the following command: uds run test-uds-core ``` -This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific package, you can use the `PKG` env variable. The following example runs the tests against the metrics-server package: +This will create a local k3d cluster, install UDS Core, and run a series of tests against it, the same tests that are run in CI. If you want to run the tests against a specific core layer, you can use the `LAYER` task variable. The following example runs the tests against the identity-authorization layer: ```bash -UDS_PKG=metrics-server uds run test-single-package +uds run test-single-layer --set LAYER=identity-authorization ``` Note you can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images. diff --git a/docs/adrs/.gitkeep b/adrs/.gitkeep similarity index 100% rename from docs/adrs/.gitkeep rename to adrs/.gitkeep diff --git a/docs/adrs/0001-record-architecture-decisions.md b/adrs/0001-record-architecture-decisions.md similarity index 100% rename from docs/adrs/0001-record-architecture-decisions.md rename to adrs/0001-record-architecture-decisions.md diff --git a/docs/adrs/0002-uds-core-functional-layers.md b/adrs/0002-uds-core-functional-layers.md similarity index 100% rename from docs/adrs/0002-uds-core-functional-layers.md rename to adrs/0002-uds-core-functional-layers.md diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml index e63b9793d..b1859b7c7 100644 --- a/bundles/k3d-slim-dev/uds-bundle.yaml +++ b/bundles/k3d-slim-dev/uds-bundle.yaml @@ -1,9 +1,16 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: name: k3d-core-slim-dev description: A UDS bundle for deploying Istio from UDS Core on a development cluster # x-release-please-start-version +<<<<<<< HEAD + version: "0.29.0" +======= version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end packages: @@ -29,12 +36,16 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 - - name: core-slim-dev + - name: core-base path: ../../build/ # x-release-please-start-version +<<<<<<< HEAD + ref: 0.29.0 +======= ref: 0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end overrides: istio-admin-gateway: @@ -66,6 +77,13 @@ packages: - name: TENANT_SERVICE_PORTS description: "The ports that are exposed from the tenant gateway LoadBalancer (useful for non-HTTP(S) traffic)" path: "service.ports" + + - name: core-identity-authorization + path: ../../build/ + # x-release-please-start-version + ref: 0.29.0 + # x-release-please-end + overrides: keycloak: keycloak: variables: diff --git a/bundles/k3d-standard/README.md b/bundles/k3d-standard/README.md index 23d065d47..0bd7dd692 100644 --- a/bundles/k3d-standard/README.md +++ b/bundles/k3d-standard/README.md @@ -59,6 +59,19 @@ This bundle is used for demonstration, development, and testing of UDS Core. In | `KEYCLOAK_PG_HOST` | Keycloak Postgres host | `postgresql.host` | | `KEYCLOAK_DEVMODE` | Enables Keycloak dev mode | `devMode` | +##### grafana (grafana) +| Variable | Description | Path | +|----------|-------------|------| +| `GRAFANA_HA` | Enable HA Grafana | `autoscaling.enabled` | + +##### grafana (uds-grafana-config) +| Variable | Description | Path | +|----------|-------------|------| +| `GRAFANA_PG_HOST` | Grafana postgresql host | `postgresql.host` | +| `GRAFANA_PG_PORT` | Grafana postgresql port | `postgresql.port` | +| `GRAFANA_PG_PASSWORD` | Grafana postgresql password | `postgresql.password` | +| `GRAFANA_PG_DATABASE` | Grafana postgresql database | `postgresql.database` | +| `GRAFANA_PG_USER` | Grafana postgresql username | `postgresql.user` | ## Override Examples: @@ -96,4 +109,4 @@ variables: LOKI_S3_REGION: us-east-1 LOKI_S3_ACCESS_KEY_ID: LOKI_S3_SECRET_ACCESS_KEY: -``` \ No newline at end of file +``` diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml index 8127b5935..7f7b4c40d 100644 --- a/bundles/k3d-standard/uds-bundle.yaml +++ b/bundles/k3d-standard/uds-bundle.yaml @@ -1,9 +1,16 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: UDSBundle metadata: name: k3d-core-demo description: A UDS bundle for deploying the standard UDS Core package on a development cluster # x-release-please-start-version +<<<<<<< HEAD + version: "0.29.0" +======= version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end packages: @@ -29,12 +36,16 @@ packages: - name: init repository: ghcr.io/zarf-dev/packages/init - ref: v0.40.1 + ref: v0.41.0 - name: core path: ../../build/ # x-release-please-start-version +<<<<<<< HEAD + ref: 0.29.0 +======= ref: 0.28.0 +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end optionalComponents: - istio-passthrough-gateway @@ -140,3 +151,29 @@ packages: GOOGLE_IDP_CORE_ENTITY_ID: "https://sso.uds.dev/realms/uds" GOOGLE_IDP_ADMIN_GROUP: "uds-core-dev-admin" GOOGLE_IDP_AUDITOR_GROUP: "uds-core-dev-auditor" + grafana: + grafana: + variables: + - name: GRAFANA_HA + description: Enable HA Grafana + path: autoscaling.enabled + uds-grafana-config: + variables: + - name: GRAFANA_PG_HOST + description: Grafana postgresql host + path: postgresql.host + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_DATABASE + description: Grafana postgresql database + path: postgresql.database + - name: GRAFANA_PG_PASSWORD + description: Grafana postgresql password + path: postgresql.password + - name: GRAFANA_PG_USER + description: Grafana postgresql username + path: postgresql.user + - name: GRAFANA_PG_SSL_MODE + description: Grafana postgresql SSL mode + path: postgresql.ssl_mode diff --git a/bundles/k3d-standard/uds-ha-config.yaml b/bundles/k3d-standard/uds-ha-config.yaml index 24b0119cd..018b44c01 100644 --- a/bundles/k3d-standard/uds-ha-config.yaml +++ b/bundles/k3d-standard/uds-ha-config.yaml @@ -1,8 +1,21 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: core: + # Keycloak variables keycloak_ha: true - keycloak_pg_username: keycloak + keycloak_pg_username: postgres keycloak_pg_password: password keycloak_pg_database: keycloak keycloak_pg_host: host.k3d.internal keycloak_devmode: false + + # Grafana variables + grafana_ha: true + grafana_pg_host: host.k3d.internal + grafana_pg_port: 5432 + grafana_pg_database: grafana + grafana_pg_password: password + grafana_pg_user: postgres + grafana_pg_ssl_mode: disable diff --git a/commitlint.config.js b/commitlint.config.js index 8567d51d7..dab58d6ce 100644 --- a/commitlint.config.js +++ b/commitlint.config.js @@ -1 +1,6 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + module.exports = { extends: ["@commitlint/config-conventional"] }; \ No newline at end of file diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml index 98af6a818..836f79b1e 100644 --- a/compliance/oscal-assessment-results.yaml +++ b/compliance/oscal-assessment-results.yaml @@ -1,30 +1,32 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + assessment-results: import-ap: href: "" metadata: - last-modified: 2024-08-06T02:58:07.217393214Z + last-modified: 2024-10-16T20:13:51.735141137Z oscal-version: 1.1.2 published: 2024-06-30T22:27:28.032093229Z remarks: Assessment Results generated from Lula title: '[System Name] Security Assessment Results (SAR)' version: 0.0.1 results: - - description: Assessment results for performing Validations with Lula version v0.4.5 + - description: Assessment results for performing Validations with Lula version v0.9.1 findings: - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c8c03abd-244d-4813-a966-3feece1bad6a - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41c51dc3-7db1-4717-b071-83e57897f478 + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 9d69895a-0eed-4052-8102-ff9070d66851 target: status: state: satisfied target-id: ac-14 type: objective-id title: 'Validation Result - Control: ac-14' - uuid: 0bebe1ce-f13d-4bbc-ba5b-a0d92ad5b6fa + uuid: 6bcf8d54-c497-483a-8b02-257d3ad14a13 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 069521de-43bc-4dce-ac4e-4adc9a559c3f # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." @@ -35,7 +37,7 @@ assessment-results: target-id: ac-2 type: objective-id title: 'Validation Result - Control: ac-2' - uuid: 57fb27fd-82c5-43d3-8813-7fcc2ceab0ca + uuid: 94067e2e-ca10-4798-8077-c4128c8ad4f2 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bf59763a-0c22-4046-ab00-1d2b47dad8df # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. @@ -46,7 +48,7 @@ assessment-results: target-id: ac-2.1 type: objective-id title: 'Validation Result - Control: ac-2.1' - uuid: d263ec5d-4ee8-43b2-9705-b0afa44758b5 + uuid: 4c4f8dc5-9be1-44fe-a04b-e369943af6c0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 051af8b7-75aa-4c26-9132-0cb46d5965aa # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. @@ -57,55 +59,37 @@ assessment-results: target-id: ac-3 type: objective-id title: 'Validation Result - Control: ac-3' - uuid: 10d347a7-e12a-4b05-85e2-77ed4f542fdd + uuid: bd6ddf39-0886-4922-b9d5-8ee80f03fcf4 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 210f730b-7fed-42dd-99b4-42466951b080 + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 target: status: state: satisfied target-id: ac-4 type: objective-id title: 'Validation Result - Control: ac-4' - uuid: 1e16362c-0987-4314-bc1f-a1696344df0e + uuid: 66a85471-6739-4958-ac74-007040a6df48 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6e32feb5-ce43-465f-9422-e3ef3276bf5d - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee9e5fae-1c95-46c7-9265-dc0035e2bb05 + Istio is configured to use ingress and egress gateways to provide logical flow separation. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 2c61853a-96af-4195-8dc9-f3313f6035f1 + - observation-uuid: 20f98c91-2308-4356-837b-c253353d7479 + - observation-uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d target: status: state: not-satisfied target-id: ac-4.21 type: objective-id title: 'Validation Result - Control: ac-4.21' - uuid: 00f7dff8-8e83-414b-ab38-6a580e4c9de2 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - target: - status: - state: satisfied - target-id: ac-4.4 - type: objective-id - title: 'Validation Result - Control: ac-4.4' - uuid: 5d800b2f-1f1e-4b3c-b3ac-7d808f8a175d + uuid: eadbe4cd-7f8b-4ff3-bfd9-beaac5eae67f - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 386fb410-27e5-413d-8e6d-607afa86bb72 # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." @@ -116,7 +100,7 @@ assessment-results: target-id: ac-5 type: objective-id title: 'Validation Result - Control: ac-5' - uuid: 688258f8-7f62-4592-858f-08b7c0c3ecc1 + uuid: 5d48147b-ff9e-4752-b015-3588cec166a6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 60ad5f60-3852-49a1-961b-b6454edb8319 # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. @@ -130,7 +114,7 @@ assessment-results: target-id: ac-6 type: objective-id title: 'Validation Result - Control: ac-6' - uuid: 390a213d-c344-4f93-8605-3f6552f594c3 + uuid: c24dc3af-b777-4d89-9569-cd57de7981dc - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f1b66def-f822-4859-a448-5d5f77cd6f75 # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." @@ -144,38 +128,32 @@ assessment-results: target-id: ac-6.1 type: objective-id title: 'Validation Result - Control: ac-6.1' - uuid: bbc392e9-030f-45e4-a400-36e3866d22f4 + uuid: 0016a2a5-efcf-493f-a816-e1fd880c6e41 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919 - # Control Description Prevent non-privileged users from executing privileged functions. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d0ffa50d-d91f-4dc3-8827-24e0f84b49d2 # Control Description Prevent non-privileged users from executing privileged functions. # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919 + # Control Description Prevent non-privileged users from executing privileged functions. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. target: status: state: not-satisfied target-id: ac-6.10 type: objective-id title: 'Validation Result - Control: ac-6.10' - uuid: 7a22b227-29de-4ab5-a813-0faa2f816709 + uuid: f03df0d2-9c46-420d-9eb0-925367a8e9ce - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0b3faf98-8a76-4b49-8e4b-c785cf26cfbe # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0081f95a-3233-4e07-a6cd-95cb1905c318 - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 target: status: state: not-satisfied target-id: ac-6.3 type: objective-id title: 'Validation Result - Control: ac-6.3' - uuid: 18fe653e-eb66-4686-8f2d-6952aac69c6c + uuid: 5f634c21-9332-4242-ae7d-d315cbc8e6fe - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 954ba9c8-452c-4503-a43f-c880a01b828d # Control Description @@ -183,35 +161,34 @@ assessment-results: Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). # Control Implementation - Promtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 - # Control Implementation - Istio produces logs for all traffic in the information system. + Vector can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c6d9abd2-0136-468a-908d-181d9bd51962 + Istio produces logs for all traffic in the information system. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 14db5706-570c-44a2-b430-29a8a8e2d249 # Control Description Log the execution of privileged functions. # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e36ba9d5-f12d-4524-a777-a041a0203bb6 # Control Description Log the execution of privileged functions. # Control Implementation Privileged events that modify the application are logged in the application itself. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 - # Control Description Log the execution of privileged functions. - # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 921ec1c7-923c-4a28-a4dd-b59c1d3d9998 # Control Description Log the execution of privileged functions. # Control Implementation NeuVector provides logging access related audit events. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 + # Control Description Log the execution of privileged functions. + # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: 572f5829-517b-40d0-8b50-6d9bf9c54c77 target: status: state: not-satisfied target-id: ac-6.9 type: objective-id title: 'Validation Result - Control: ac-6.9' - uuid: 784d7def-b9de-495a-ba5d-93733e37a1eb + uuid: 1ee97cb7-b6d8-4319-b031-cd417e313f6f - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 20ecdb48-997e-4958-b74c-21f462049877 # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. @@ -222,39 +199,49 @@ assessment-results: target-id: au-11 type: objective-id title: 'Validation Result - Control: au-11' - uuid: 7e7c4d5e-13be-4768-bf2c-31ca172865a0 + uuid: e4a8f249-89f4-4af5-9928-ab6eabfecdc3 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8f645835-6538-4327-a7aa-453b398f5ef4 - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 87f99f34-6980-49e1-91cf-c0264fa3407c + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 target: status: state: satisfied target-id: au-12 type: objective-id title: 'Validation Result - Control: au-12' - uuid: 0a4cbea2-493f-4bc2-b0bf-4f88af93e4af + uuid: 527b3d8a-ce49-483d-956e-5931140eeca6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 58766714-a477-42b9-bae4-856f14b58cea # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. # Control Implementation Provides time-series event compilation capabilities. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd - # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. - # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41a6f729-7ab6-4ffe-8da1-cb60fd35dffd # Control Description Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd + # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. target: status: state: not-satisfied target-id: au-12.1 type: objective-id title: 'Validation Result - Control: au-12.1' - uuid: 0091b443-4532-4b36-99e2-ec9cb1573812 + uuid: 77724c00-0dc6-493c-aed8-c3797f01e94a - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc + # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200 + # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + # Control Implementation NeuVector provides logging access related audit events. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b3ed3dba-3164-4785-98db-ef22c96c7c62 + Istio logs all Istio event logs within the system's mesh network. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e + # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2a25a5a4-4fbc-4fbc-88e3-2e34ddc3fb0e # Control Description An event is any observable occurrence in an organizational information system. @@ -265,33 +252,21 @@ assessment-results: # Control Implementation Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured: - * all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers). + * all containers emitting to STDOUT or STDERR (captured by container runtime creating containers logs under /var/log/pods). * all kubernetes api server requests. * all events emitted by the kubelet. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200 - # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - # Control Implementation NeuVector provides logging access related audit events. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 88f300a6-aa21-41b4-919d-29ef3e4381bb - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e - # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc - # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: 0e3f9f2a-c596-4688-8841-0f9d2845f0a2 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 target: status: state: not-satisfied target-id: au-2 type: objective-id title: 'Validation Result - Control: au-2' - uuid: 38b71df8-9beb-487d-afac-7d5df701bf0b + uuid: cb369876-9857-41d9-ab42-81d476d6f974 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 762604db-77ec-415f-8728-c296873ab48b # Control Description @@ -299,66 +274,62 @@ assessment-results: Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + Logs are captured by vector from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes as well as Kubernetes audit logs. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 79dee0b0-5848-4b1e-826b-a2e4ec567b90 + Istio logs all Istio event logs within the system's mesh network. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e342a5af-b7d4-474b-9416-61e844083531 # Control Description "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event." # Control Implementation NeuVector provides logging access related audit events. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 52756a01-6f5c-49b1-8a6b-972b74a01da4 - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 94477b5d-84b7-427c-88b3-71367c501528 - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: ca312bc9-b8cd-4a30-9b72-50ffee51e828 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 target: status: state: not-satisfied target-id: au-3 type: objective-id title: 'Validation Result - Control: au-3' - uuid: c5a260a3-6fea-42c9-bb28-209ff9e5f9e5 + uuid: e914d51b-58ff-4693-abd5-ea62add986d0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee431ef9-3a99-42f4-b37c-6334660da2b2 # Control Description Generate audit records containing the following additional information: [Assignment: organizatiosession, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 16cc258e-d907-47bb-97d9-4e92677cf075 - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6700f065-8e51-4224-a5a0-8d3aff9d8d96 # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b855fff0-5f57-4ea0-b9a7-52973e81784d + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: a906a088-3147-44cb-8d7b-69058d1d8484 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 64a22438-eba3-4fcb-bfe8-68ed8bad61ba + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: 6e9c7750-ccda-4f25-b8de-89e8e3e3d525 target: status: state: not-satisfied target-id: au-3.1 type: objective-id title: 'Validation Result - Control: au-3.1' - uuid: f7cd3c25-77ef-442c-ae8c-db0e6a4b8b2b + uuid: e645c9b0-2376-4d8c-9792-18a44c6dbdba - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 836408b9-1ae9-4c99-8510-6ee35a4d11e9 # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. # Control Implementation Loki uses scalable object storage. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d5d13192-3cae-4a88-8e64-cab44219ab2e # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. target: status: state: not-satisfied target-id: au-4 type: objective-id title: 'Validation Result - Control: au-4' - uuid: c4884585-6343-4ada-b034-fb97065b7f23 + uuid: f80f5478-4554-4906-b6e6-599f0847cad8 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e2e6d28f-bdf6-462c-8301-bdfa102671ee # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. @@ -372,7 +343,7 @@ assessment-results: target-id: au-5.1 type: objective-id title: 'Validation Result - Control: au-5.1' - uuid: c76a2661-2016-4bef-8bce-1194bb70b556 + uuid: 96eb22a4-5e88-431e-9bbf-2285afdecaa1 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bea82b61-fbb6-486b-a8fa-50053715b904 # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. @@ -386,7 +357,7 @@ assessment-results: target-id: au-5.2 type: objective-id title: 'Validation Result - Control: au-5.2' - uuid: 92f112fd-db07-4d92-b7f8-95036f30b390 + uuid: 1b355cc0-7a5a-44a1-ae85-cf9079faf888 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 25477ca3-4607-449e-9d33-a2a67ede0019 # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." @@ -397,14 +368,14 @@ assessment-results: target-id: au-6 type: objective-id title: 'Validation Result - Control: au-6' - uuid: 103803bd-85a1-4ead-992c-e9cf6477b41f + uuid: 4114b048-0ef8-4863-9d2c-15ce9585badc - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f8f6178-4c57-4592-8c1c-df79507b21cd # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 042fae4b-2779-4cfb-b68d-6f2dcbaa10ad # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. Metrics data can be displayed through a Grafana dashboard for visualization. @@ -414,12 +385,12 @@ assessment-results: target-id: au-6.1 type: objective-id title: 'Validation Result - Control: au-6.1' - uuid: e9063577-4ee5-48a0-84fb-c052b3d24598 + uuid: 8c4e94bb-1143-4980-8531-c29eb700c13e - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. target: @@ -428,35 +399,35 @@ assessment-results: target-id: au-6.3 type: objective-id title: 'Validation Result - Control: au-6.3' - uuid: 1dfdcc6b-92dd-4320-acb1-5efffd9b2bf1 + uuid: 580039a0-f7e7-4279-96cd-d7acb79f3bcf - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b - # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. - # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6b0cd4b8-ab38-4012-b637-de2ca4bf5497 # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b + # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. + # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization. target: status: state: not-satisfied target-id: au-6.5 type: objective-id title: 'Validation Result - Control: au-6.5' - uuid: 1b5550c6-1891-4f76-8220-3919707110e7 + uuid: 62521aad-6089-45a5-991c-af39844fe2e6 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37 - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f6d4527a-d4b6-4141-9272-c2c211b1709f # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37 + # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization. target: status: state: not-satisfied target-id: au-6.6 type: objective-id title: 'Validation Result - Control: au-6.6' - uuid: 684c4386-ef88-4c58-811e-165172e6a29b + uuid: 05e4c2aa-5b83-415d-a529-c421db846827 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8abbc53e-0ec4-49c6-8ef1-a1c237695f96 # Control Description Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. @@ -470,7 +441,7 @@ assessment-results: target-id: au-7 type: objective-id title: 'Validation Result - Control: au-7' - uuid: a274a97a-1c55-4a1b-9dac-f1849260ad16 + uuid: 22bb2862-f635-4d98-9d47-30d21d6fe72d - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 56d09aae-ab73-49d8-b2a4-1e81db2878eb # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. @@ -484,7 +455,7 @@ assessment-results: target-id: au-7.1 type: objective-id title: 'Validation Result - Control: au-7.1' - uuid: 89a7b3d0-954f-41d5-9230-56a774204c25 + uuid: d002dab9-22bf-471c-af83-98e5c21b567b - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9ad7ddfb-4701-4c34-88f7-9d85abb13d60 # Control Description @@ -499,75 +470,73 @@ assessment-results: * time of the event (UTC). * source of event (pod, namespace, container id). Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 - # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. - # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 689aa5d6-2b4b-40ca-a49f-51df0e220ec5 # Control Description "a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 + # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. related-observations: - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 target: status: state: not-satisfied target-id: au-8 type: objective-id title: 'Validation Result - Control: au-8' - uuid: 184f3950-22d1-4a6e-a1ad-1d915468f28b + uuid: 09180600-c757-434e-93c5-028bdce2a2be - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. + # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f800923b-6367-4468-9f42-1afae4b6d38d # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. + # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. target: status: state: not-satisfied target-id: au-9 type: objective-id title: 'Validation Result - Control: au-9' - uuid: 2de6aeb1-66fd-4131-9c75-f376fb7544f6 + uuid: eef40459-0315-41a1-aaae-333cf89990d0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c4bf1e8-b873-4c43-a912-5f443fc0208f # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 - # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - # Control Implementation Supports any object storage. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 27f26f6a-706e-4514-97c0-45390d6fdf6a # Control Description Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current UDS Coreg configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 + # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Supports any object storage. target: status: state: not-satisfied target-id: au-9.2 type: objective-id title: 'Validation Result - Control: au-9.2' - uuid: e0f75fca-cfe3-43ca-b8ec-c5eb44bde47d + uuid: 3f0dbc02-5d1e-48b9-bcdb-c8d569102724 - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Enterprise version (Loki) implements RBAC. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c5ff037-ea46-4e41-b601-a9b223da30a8 # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0fee5118-57c8-4617-97a1-76189bc69ea3 # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Enterprise version (Loki) implements RBAC. target: status: state: not-satisfied target-id: au-9.4 type: objective-id title: 'Validation Result - Control: au-9.4' - uuid: 7cedc012-a643-4097-a647-032c3be3d0ca + uuid: 49e846cc-e1e4-4770-b352-1a674ab7f6ef - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 973c9f19-8c96-4c84-925a-b69f28625962 # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. @@ -578,7 +547,7 @@ assessment-results: target-id: au7.1 type: objective-id title: 'Validation Result - Control: au7.1' - uuid: 4229dc83-0a33-4139-9e62-5d4da8dfc2ba + uuid: 599569ed-dfd0-4f91-b6c3-bd42dd759758 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9de67d41-1c18-4ebd-af55-cac2573aa77e # Control Description @@ -592,7 +561,7 @@ assessment-results: target-id: ca-2.2 type: objective-id title: 'Validation Result - Control: ca-2.2' - uuid: eda5cf2e-02ce-4b87-90d8-a321fe49860a + uuid: 76c192e1-0da1-48e9-bed4-26fd5ed64513 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2d771492-b5c8-4475-b258-0038287f29e6 # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." @@ -603,22 +572,21 @@ assessment-results: target-id: ca-7 type: objective-id title: 'Validation Result - Control: ca-7' - uuid: fbc504e4-0441-4dc9-bdb0-f5ef99155ea1 + uuid: 3669e122-aa7f-4a62-9173-f5b750a091c7 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 32e53a18-4b64-4a24-935c-11cbac2c62be - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80a456cf-c642-4b02-a0fb-18b416e90481 + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 - - observation-uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: cf774c2c-17dc-48d2-ba4c-2ae6547ea8e0 + - observation-uuid: 1fc0d5bd-18e9-4244-a1a0-3c618aca8652 target: status: state: not-satisfied target-id: cm-5 type: objective-id title: 'Validation Result - Control: cm-5' - uuid: 0dc01260-0c79-4716-9766-f5fdf674042f + uuid: e3b8cf43-f476-44be-9f67-6b055afb67de - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2fb488b2-f7f7-4db9-8fc8-3de7f3a9daba # Control Description "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." @@ -629,7 +597,7 @@ assessment-results: target-id: cm-6 type: objective-id title: 'Validation Result - Control: cm-6' - uuid: b2dca976-e07d-486e-893e-d87f7c91cfda + uuid: 89a6efb7-47b8-491a-a510-9679175322df - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a9d92277-809d-440f-82c9-35c820ba00b8 # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." @@ -640,7 +608,7 @@ assessment-results: target-id: cm-7 type: objective-id title: 'Validation Result - Control: cm-7' - uuid: bba8e8dc-df3c-4664-9f4d-b69673496e72 + uuid: 7ad3be3a-696f-4fe8-a06a-d20ca88b0815 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 26B3D98B-0C9D-434B-8DE5-06CBBC46A38C Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. @@ -650,7 +618,7 @@ assessment-results: target-id: cp-10 type: objective-id title: 'Validation Result - Control: cp-10' - uuid: 434837ff-2f2a-4bff-afcd-6f0ace60f6f5 + uuid: 833dd12f-c1a1-4790-b161-df244240fd59 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 3EA444B7-61ED-43DD-8B3D-24B55F286E59 Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. @@ -660,7 +628,7 @@ assessment-results: target-id: cp-10.4 type: objective-id title: 'Validation Result - Control: cp-10.4' - uuid: e8178dd1-2e6b-43ce-b65c-6c3df60b264d + uuid: 8820d975-0a13-4068-a158-379efbdbd50e - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2ADA7512-E0D5-4CAE-81BC-C889C640AF93 Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. @@ -670,7 +638,7 @@ assessment-results: target-id: cp-6 type: objective-id title: 'Validation Result - Control: cp-6' - uuid: cbbbd670-3e39-4625-82fb-45d762a6ea87 + uuid: 9b8d3f8d-acc6-490e-8571-6e716d8b1a8e - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 6C3339A0-9636-4E35-8FA8-731CF900B326 Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. @@ -680,7 +648,7 @@ assessment-results: target-id: cp-6.1 type: objective-id title: 'Validation Result - Control: cp-6.1' - uuid: baa8e2e7-054d-4c78-a5aa-0ec1f7573f35 + uuid: 463f79ec-a0d5-4372-b093-ffc9707d4b61 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2799CCBF-C48D-4451-85BA-EBD9B949C361 Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. @@ -690,7 +658,7 @@ assessment-results: target-id: cp-6.2 type: objective-id title: 'Validation Result - Control: cp-6.2' - uuid: c7c56dc6-9189-48e6-8153-541f8e7f129e + uuid: 7a97b30a-2246-4a2d-a069-d9a4c5518413 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 0AE59B43-50A7-4420-881B-E0635CCB8424 Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -700,7 +668,7 @@ assessment-results: target-id: cp-6.3 type: objective-id title: 'Validation Result - Control: cp-6.3' - uuid: d0fabced-345c-42fe-a52c-1ab67d72a0ce + uuid: fd1dcf1b-226a-4a46-afc8-9551a4c86ff9 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574 Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. @@ -710,7 +678,7 @@ assessment-results: target-id: cp-7 type: objective-id title: 'Validation Result - Control: cp-7' - uuid: 6cf300c3-516b-4864-8049-a5d423c5bddc + uuid: e64b4f34-9a67-4f53-9af5-010f7e23fa2f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: D74C3A8C-E5B0-4F81-895D-FB2A318D723B Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -720,7 +688,7 @@ assessment-results: target-id: cp-7.1 type: objective-id title: 'Validation Result - Control: cp-7.1' - uuid: 003c98fa-877a-4571-9bb7-f8ad72b88768 + uuid: 3b91723b-8426-4de7-8e34-9fa9fb2623b1 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -730,7 +698,7 @@ assessment-results: target-id: cp-7.2 type: objective-id title: 'Validation Result - Control: cp-7.2' - uuid: e36765c3-3e47-4c05-8998-03f1b9051917 + uuid: 3a18ef87-2d67-4fe1-a029-db52ff5a2416 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 5B0AA4CB-9C49-4D32-8242-5631788BD941 "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: @@ -745,7 +713,7 @@ assessment-results: target-id: cp-9 type: objective-id title: 'Validation Result - Control: cp-9' - uuid: 12b7dad5-7d79-4be2-8050-fe7eef32365a + uuid: 93de1fe8-4652-4ad9-b558-7f6ae73ed529 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8E5917F3-3E45-46C1-8585-48550E19AFFB Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. @@ -755,7 +723,7 @@ assessment-results: target-id: cp-9.1 type: objective-id title: 'Validation Result - Control: cp-9.1' - uuid: 0b6e7933-5ad7-4659-94c8-4d39730208fd + uuid: 80715954-af49-4dee-90e1-1333f6c79610 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 51191D0E-0C7B-4D2D-861D-202AC8C505CF Velero can be configured to restore only certain components of a back-up when necessary. @@ -765,7 +733,7 @@ assessment-results: target-id: cp-9.2 type: objective-id title: 'Validation Result - Control: cp-9.2' - uuid: f4c55319-50b5-4219-bf6f-22c66421f441 + uuid: f70d34be-5cdf-404b-a160-ca35a8d8445f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: C650411C-33FD-4B59-8899-AC34B43C860F Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. @@ -775,7 +743,7 @@ assessment-results: target-id: cp-9.3 type: objective-id title: 'Validation Result - Control: cp-9.3' - uuid: 15eefc99-0cef-4652-9aea-9fe80a585b1e + uuid: cc3f593a-5138-4603-aaca-64248856b942 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8AB09B17-301B-4836-835B-9CE22A9E2300 Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. @@ -785,7 +753,7 @@ assessment-results: target-id: cp-9.5 type: objective-id title: 'Validation Result - Control: cp-9.5' - uuid: f44f374f-cbd4-4548-9e83-cfb7213e3438 + uuid: b4f84755-1e05-485e-8d08-12f81032183f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 7FACB782-C183-4585-8C0B-17824438FEA6 Velero supports encryption of backups via its supported providers' encryption support/mechanisms. @@ -795,7 +763,7 @@ assessment-results: target-id: cp-9.8 type: objective-id title: 'Validation Result - Control: cp-9.8' - uuid: 30ce1594-302b-4480-816e-f2b5b6cf729c + uuid: 2121fda9-ff81-434f-8add-3785ffa925f7 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8ef96f45-dfc4-41a8-999a-fc717e746966 # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." @@ -806,7 +774,7 @@ assessment-results: target-id: ra-5 type: objective-id title: 'Validation Result - Control: ra-5' - uuid: 2b4a5a81-e527-4aac-b5d2-6e0c39cd68ca + uuid: d2939750-cb5c-44bd-8b2f-36fd734bd546 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 760dde06-de0b-4575-8575-95a5835f97c0 # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. @@ -817,7 +785,7 @@ assessment-results: target-id: ra-5.2 type: objective-id title: 'Validation Result - Control: ra-5.2' - uuid: f45a41e4-33ea-4f43-9c81-1b4b09630fc2 + uuid: 04546660-1b4a-428f-8f20-1f3575957efb - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 621595cd-f998-4f55-b68e-f765db48b332 # Control Description Define the breadth and depth of vulnerability scanning coverage. @@ -828,7 +796,7 @@ assessment-results: target-id: ra-5.3 type: objective-id title: 'Validation Result - Control: ra-5.3' - uuid: d97d6d08-19b7-4aec-990c-c885e9c52a15 + uuid: 498d8b43-30e0-4f94-9915-abc0233d6104 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 994b03df-8320-4987-887b-fac8088bd944 # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. @@ -839,7 +807,7 @@ assessment-results: target-id: ra-5.5 type: objective-id title: 'Validation Result - Control: ra-5.5' - uuid: 22531ec8-b5ca-4eb1-80f7-8c690d40211b + uuid: 881b2fec-7ae0-4a9a-9329-e202e10a75c6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 5a7bddc2-f94c-46c8-a15a-1e2f4d4ab948 # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." @@ -850,7 +818,7 @@ assessment-results: target-id: sa-11 type: objective-id title: 'Validation Result - Control: sa-11' - uuid: a1b36d70-93cc-4dac-b0ee-07a83fcd7fc9 + uuid: ef49e421-c79a-4ebf-a963-2d3a94561836 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b6f194ad-bde3-479f-8a77-0ec4c9a5a77d # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. @@ -861,96 +829,62 @@ assessment-results: target-id: sa-11.1 type: objective-id title: 'Validation Result - Control: sa-11.1' - uuid: 5fb26d2e-4dde-4a30-985f-8e5bd5f403f2 + uuid: 3a093444-2d9b-4465-97ed-8745ff1fa60f - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ad919a09-d186-4edd-9234-ead04f959fff + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 825da259-13c9-4b85-b890-75d107573c62 target: status: state: not-satisfied target-id: sc-10 type: objective-id title: 'Validation Result - Control: sc-10' - uuid: e12cb6f2-4521-47af-a106-ffbd13bd2a15 + uuid: cd9707b3-f417-4ed1-9f6d-2c49351ca2e2 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 675c0823-8e94-4910-9f61-5266d7e7b38c + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - - observation-uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 - - observation-uuid: e12e332c-6a86-43e8-9403-94824b948f45 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 + - observation-uuid: 47e30ded-89cf-4862-bed8-b3c5c0b3a17f + - observation-uuid: 46fd0f63-fefa-40fe-9894-7c52bbce7f9b target: status: state: not-satisfied target-id: sc-13 type: objective-id title: 'Validation Result - Control: sc-13' - uuid: db406556-9aee-4655-8e37-f97662c642fd + uuid: b5ca4929-a54b-4bb9-9aff-7178e4f9b86b - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 625bfdc1-0b20-45f3-919b-91afbac77799 - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: dac01dde-3bdf-4e70-9d4d-4081c88de380 + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c target: status: state: satisfied target-id: sc-23 type: objective-id title: 'Validation Result - Control: sc-23' - uuid: d0fff818-c4b0-408b-995c-425323750c29 + uuid: 5843dd90-f9bf-46fe-aabd-b736cbc69496 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 - target: - status: - state: satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Control: sc-3' - uuid: 14e04260-d26f-4d27-ac44-3819d7849574 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0e72ca49-e9cb-4a74-8701-6f81091197b6 + Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: satisfied target-id: sc-39 type: objective-id title: 'Validation Result - Control: sc-39' - uuid: 7e308fb9-473e-4695-a9f0-d716c8b2b47c - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 86bc4fb7-f91b-4f2c-b914-65427951018c - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 - - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - target: - status: - state: not-satisfied - target-id: sc-4 - type: objective-id - title: 'Validation Result - Control: sc-4' - uuid: 036754b0-047d-48cf-a8c5-fa87601994c5 + uuid: fb891c52-8267-4632-b8e8-e4543ce5b872 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 82d3ab37-b934-4731-9198-56ced7d92708 # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." @@ -961,117 +895,67 @@ assessment-results: target-id: sc-7 type: objective-id title: 'Validation Result - Control: sc-7' - uuid: 5d65f54a-91fd-4e77-9afa-8099bd131959 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 30b49a3e-ad38-441d-8c07-5a9018848a02 - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - target: - status: - state: satisfied - target-id: sc-7.20 - type: objective-id - title: 'Validation Result - Control: sc-7.20' - uuid: 80ffa744-8c84-4b5e-9188-722b4f6542ca - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c9a1e9bc-3caa-44ce-a300-ecd722487987 - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - target: - status: - state: satisfied - target-id: sc-7.21 - type: objective-id - title: 'Validation Result - Control: sc-7.21' - uuid: 7d23eb48-f3ea-4d3c-9971-68cf25c62ba0 + uuid: abd6a4b8-c69f-40ec-b127-1597db93bd36 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a5bac410-d674-431d-b5fc-2f904842c29c + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: ceb8c9fa-058a-4223-91f9-8361c84e359f + - observation-uuid: 9d69895a-0eed-4052-8102-ff9070d66851 + - observation-uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d target: status: state: satisfied target-id: sc-7.4 type: objective-id title: 'Validation Result - Control: sc-7.4' - uuid: 4edd983b-bb0a-4c16-a0f8-d827f52d39fc + uuid: 48fe83c1-ec77-4f79-bcc1-e233978571cc - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4b930af3-ae84-43ff-b751-448fe1c2eec8 - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f409103-880e-4180-81e7-54f85a6143ae + Istio is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - - observation-uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 8cb4f8c0-cade-41b4-9a01-06a14888d13a + - observation-uuid: d831dc82-53da-438f-b7ff-a6b579bdb3ef target: status: state: not-satisfied target-id: sc-7.8 type: objective-id title: 'Validation Result - Control: sc-7.8' - uuid: f810556d-285b-4e75-b6ec-971235a3ffaa + uuid: b5761b5a-4afb-45ef-8050-d8768f8bc362 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 132fb1ff-8b58-4cfd-8ad4-c01605d89f24 # Control Description Protect the [confidentiality AND integrity] of transmitted information. # Control Implementation Data in transit is protected using a TLS connection and secured between components within the data center using an internal certificate until it is terminated at the application node. This ensures that data in transit is encrypted using SSL. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e97a451e-44c7-4240-a7a7-adaadd26f01c + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: not-satisfied target-id: sc-8 type: objective-id title: 'Validation Result - Control: sc-8' - uuid: a43fb38e-2aa9-4cc2-b7a7-103202c1ed5d + uuid: 9d7a4bdc-53f2-4a42-b30b-88c5a2c607ac - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 69415B92-0490-4A14-9E0F-E1EE61951F9C - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3b38f79-9bf7-4024-a1b2-00befd67fda7 + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: satisfied target-id: sc-8.1 type: objective-id title: 'Validation Result - Control: sc-8.1' - uuid: 60aafba4-0b1b-41f1-bb67-11bf0a54f83a - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c158b75a-cefc-4794-b124-f1e56ff5646d - # Control Implementation - Istio implements with global configuration. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 - target: - status: - state: satisfied - target-id: sc-8.2 - type: objective-id - title: 'Validation Result - Control: sc-8.2' - uuid: e588b254-b0df-4115-849d-5ad7d250acf1 + uuid: 28aec3a5-8f40-409d-bf88-9a83c476d0a3 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9b4c7011-aa35-4f61-ade2-7c070bb51767 # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." @@ -1082,7 +966,7 @@ assessment-results: target-id: si-11 type: objective-id title: 'Validation Result - Control: si-11' - uuid: 901febde-3027-47e6-97b4-ed8ee9ed29da + uuid: f0008256-c408-442d-86f3-3a56c8177874 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4faa4029-52bc-4d7f-9896-e43c6731d5e5 # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." @@ -1093,7 +977,7 @@ assessment-results: target-id: si-2.3 type: objective-id title: 'Validation Result - Control: si-2.3' - uuid: 123c7cb2-309d-4f95-832b-3476367d80df + uuid: c4cde847-c1ac-4962-aec2-84f2e373405e - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c83fdce5-53f5-4860-a586-242d044efaa9 # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." @@ -1104,7 +988,7 @@ assessment-results: target-id: si-4 type: objective-id title: 'Validation Result - Control: si-4' - uuid: af7893bd-83c9-4318-9ed0-dd50582609d5 + uuid: 16c943ed-c12f-417b-8d90-21788f3349a5 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ac61e461-5fb8-4cf1-89ff-36d002056fda # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." @@ -1115,7 +999,7 @@ assessment-results: target-id: si-5 type: objective-id title: 'Validation Result - Control: si-5' - uuid: d75021f4-afad-46ca-a3e0-f5164db3147f + uuid: 970ac268-cdf4-44a2-8d86-3b10915f0a32 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80552838-9db8-41f7-9603-d91f884aa7bb # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." @@ -1126,291 +1010,271 @@ assessment-results: target-id: si-6 type: objective-id title: 'Validation Result - Control: si-6' - uuid: 8f936748-3181-4885-b5d4-519cffa1d992 + uuid: 33305746-ba60-43cd-8ed3-9f50fd279f0c observations: - - collected: 2024-08-06T02:58:06.749191822Z + - collected: 2024-10-16T20:13:50.57177773Z description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' }] - uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 - - collected: 2024-08-06T02:58:06.749221207Z + validate.msg: All pods have correct prometheus annotations. + validate.msg_exempted_namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: 6e9c7750-ccda-4f25-b8de-89e8e3e3d525 + - collected: 2024-10-16T20:13:50.571902333Z description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + [TEST]: c3b022eb-19a5-4711-8099-da4a90c9dd5d - egress-gateway-exists-and-configured-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - - collected: 2024-08-06T02:58:06.749255782Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 8cb4f8c0-cade-41b4-9a01-06a14888d13a + - collected: 2024-10-16T20:13:50.681017055Z description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 - - collected: 2024-08-06T02:58:06.85546841Z + validate.msg_exempt_namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf + validate.msg: All pods have Istio sidecar proxy. + uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - collected: 2024-10-16T20:13:50.689844666Z description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.exempt_namespaces_msg: Exempted Namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf - validate.msg: All pods have Istio sidecar proxy. - uuid: 435f54e2-3606-4250-9e16-79326844e82e - - collected: 2024-08-06T02:58:06.861988088Z + validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.msg_exempt_namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 2c61853a-96af-4195-8dc9-f3313f6035f1 + - collected: 2024-10-16T20:13:50.693177593Z description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. - uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - collected: 2024-08-06T02:58:06.868755824Z + validate.msg: Istio is logging all traffic. + uuid: a858d60b-5192-41de-bac4-a79479a91f64 + - collected: 2024-10-16T20:13:50.697120548Z description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - - collected: 2024-08-06T02:58:06.868804496Z + validate.msg: AuthorizationPolicy restricts access to Keycloak admin. + uuid: 9d69895a-0eed-4052-8102-ff9070d66851 + - collected: 2024-10-16T20:13:50.697182945Z description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: e12e332c-6a86-43e8-9403-94824b948f45 - - collected: 2024-08-06T02:58:06.868833069Z + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 572f5829-517b-40d0-8b50-6d9bf9c54c77 + - collected: 2024-10-16T20:13:50.697270528Z description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - communications-terminated-after-inactivity-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 - - collected: 2024-08-06T02:58:06.875936601Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 825da259-13c9-4b85-b890-75d107573c62 + - collected: 2024-10-16T20:13:50.697333466Z description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - external-traffic-managed-PLACEHOLDER methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Only allowed gateways found. All gateway types found. - validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway - validate.msg_allowed_gateways: admin, passthrough, tenant - uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 - - collected: 2024-08-06T02:58:06.880031826Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: d831dc82-53da-438f-b7ff-a6b579bdb3ef + - collected: 2024-10-16T20:13:50.730168322Z description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: keycloak/keycloak-block-admin-access-from-public-gateway - uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 - - collected: 2024-08-06T02:58:06.880074886Z + validate.msg: NetworkPolicies correctly configured for istiod in required namespaces. + validate.msg_expected_istiod: Expected Istiod port: 15012, protocol: TCP. + validate.msg_required_namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, uds-runtime, vector, velero + uuid: ceb8c9fa-058a-4223-91f9-8361c84e359f + - collected: 2024-10-16T20:13:50.730223946Z description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 - - collected: 2024-08-06T02:58:06.888036681Z + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 + - collected: 2024-10-16T20:13:50.730273639Z description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - tls-origination-at-egress-PLACEHOLDER methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. - uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - collected: 2024-08-06T02:58:06.986972859Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 47e30ded-89cf-4862-bed8-b3c5c0b3a17f + - collected: 2024-10-16T20:13:50.738968965Z description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All pods have correct prometheus annotations. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: a906a088-3147-44cb-8d7b-69058d1d8484 - - collected: 2024-08-06T02:58:06.987037129Z + validate.msg: Istiod Deployment is healthy. HPA has sufficient replicas. + uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - collected: 2024-10-16T20:13:50.745123247Z description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - }] - uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 - - collected: 2024-08-06T02:58:07.017260415Z + validate.msg: All PeerAuthentications have mtls mode set to STRICT. + uuid: adb9497f-436d-4862-8043-6691bce1352c + - collected: 2024-10-16T20:13:50.754286064Z description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. - uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 - - collected: 2024-08-06T02:58:07.017384197Z + validate.msg: Admin gateway exists: istio-admin-gateway/admin-gateway. Admin virtual services are using admin gateway. + uuid: 20f98c91-2308-4356-837b-c253353d7479 + - collected: 2024-10-16T20:13:50.754326089Z description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) - # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - }] - uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e - - collected: 2024-08-06T02:58:07.025304675Z + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - collected: 2024-10-16T20:13:50.868647184Z description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 - - collected: 2024-08-06T02:58:07.025349479Z + validate.msg: Istio RBAC enforced + validate.msg_all_auth_policies: keycloak/keycloak-block-admin-access-from-public-gateway, uds-runtime/runtime-authservice, uds-runtime/runtime-jwt-authz + uuid: cf774c2c-17dc-48d2-ba4c-2ae6547ea8e0 + - collected: 2024-10-16T20:13:50.868740227Z description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - istio-rbac-for-approved-personnel-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 - - collected: 2024-08-06T02:58:07.03317813Z - description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio is logging all traffic - uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - collected: 2024-08-06T02:58:07.041938066Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 1fc0d5bd-18e9-4244-a1a0-3c618aca8652 + - collected: 2024-10-16T20:13:51.070408027Z description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Metrics logging supported. - uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 - - collected: 2024-08-06T02:58:07.0520707Z + validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway + validate.msg_allowed_gateways: admin, passthrough, tenant + validate.msg: Only allowed gateways found. All gateway types found. + uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d + - collected: 2024-10-16T20:13:51.266003971Z description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - collected: 2024-08-06T02:58:07.056306187Z + validate.msg: Tracing logging not supported. + uuid: ca312bc9-b8cd-4a30-9b72-50ffee51e828 + - collected: 2024-10-16T20:13:51.470751962Z description: | - [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: AuthorizationPolicy restricts access to Keycloak admin. - uuid: 3b856533-2206-4ebd-932e-645886b20b10 - - collected: 2024-08-06T02:58:07.064560781Z + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempted_gateways: istio-passthrough-gateway/passthrough-gateway + uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 + - collected: 2024-10-16T20:13:51.47086859Z description: | - [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - fips-evaluation-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - validate.msg: Tracing logging not supported. - uuid: 94477b5d-84b7-427c-88b3-71367c501528 - - collected: 2024-08-06T02:58:07.0646133Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 46fd0f63-fefa-40fe-9894-7c52bbce7f9b + - collected: 2024-10-16T20:13:51.665120832Z description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - collected: 2024-08-06T02:58:07.064634109Z + validate.msg: Metrics logging supported. + uuid: 64a22438-eba3-4fcb-bfe8-68ed8bad61ba + - collected: 2024-10-16T20:13:51.665185653Z description: | [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error methods: @@ -1419,8 +1283,8 @@ assessment-results: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 0e3f9f2a-c596-4688-8841-0f9d2845f0a2 props: - name: threshold ns: https://docs.lula.dev/oscal/ns @@ -1438,1282 +1302,6 @@ assessment-results: - control-id: ac-3 - control-id: ac-4 - control-id: ac-4.21 - - control-id: ac-4.4 - - control-id: ac-5 - - control-id: ac-6 - - control-id: ac-6.1 - - control-id: ac-6.10 - - control-id: ac-6.3 - - control-id: ac-6.9 - - control-id: au-11 - - control-id: au-12 - - control-id: au-12.1 - - control-id: au-2 - - control-id: au-3 - - control-id: au-3.1 - - control-id: au-4 - - control-id: au-5.1 - - control-id: au-5.2 - - control-id: au-6 - - control-id: au-6.1 - - control-id: au-6.3 - - control-id: au-6.5 - - control-id: au-6.6 - - control-id: au-7 - - control-id: au-7.1 - - control-id: au-8 - - control-id: au-9 - - control-id: au-9.2 - - control-id: au-9.4 - - control-id: au7.1 - - control-id: ca-2.2 - - control-id: ca-7 - - control-id: cm-5 - - control-id: cm-6 - - control-id: cm-7 - - control-id: cp-10 - - control-id: cp-10.4 - - control-id: cp-6 - - control-id: cp-6.1 - - control-id: cp-6.2 - - control-id: cp-6.3 - - control-id: cp-7 - - control-id: cp-7.1 - - control-id: cp-7.2 - - control-id: cp-9 - - control-id: cp-9.1 - - control-id: cp-9.2 - - control-id: cp-9.3 - - control-id: cp-9.5 - - control-id: cp-9.8 - - control-id: ra-5 - - control-id: ra-5.2 - - control-id: ra-5.3 - - control-id: ra-5.5 - - control-id: sa-11 - - control-id: sa-11.1 - - control-id: sc-10 - - control-id: sc-13 - - control-id: sc-23 - - control-id: sc-3 - - control-id: sc-39 - - control-id: sc-4 - - control-id: sc-7 - - control-id: sc-7.20 - - control-id: sc-7.21 - - control-id: sc-7.4 - - control-id: sc-7.8 - - control-id: sc-8 - - control-id: sc-8.1 - - control-id: sc-8.2 - - control-id: si-11 - - control-id: si-2.3 - - control-id: si-4 - - control-id: si-5 - - control-id: si-6 - description: Controls validated - remarks: Validation performed may indicate full or partial satisfaction - start: 2024-08-06T02:58:07.070919511Z - title: Lula Validation Result - uuid: f246b0cb-f71a-41b0-a2fe-7ef03c16c754 - - description: Assessment results for performing Validations with Lula version v0.4.1 - findings: - - description: |- - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 31654aca-4189-447d-b5e6-4928c5acc603 - target: - status: - state: satisfied - target-id: ac-14 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' - uuid: d61c76bb-7552-492f-a39e-e7da0748e84c - - description: |- - # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' - uuid: 35b172fc-505d-441c-a498-358eb777ed24 - - description: |- - # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-2.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' - uuid: 0a50cb43-5018-4190-a89a-f8aca2005186 - - description: |- - # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3' - uuid: 574305f1-0e70-4cc7-85c3-fcfa94943753 - - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - target: - status: - state: satisfied - target-id: ac-4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4' - uuid: 86b4aa9e-cdb4-499d-b93a-8f0a76ac4c6b - - description: |- - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4df2137a-de64-4d02-8121-1911fc9dedab - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: not-satisfied - target-id: ac-4.21 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' - uuid: 5b7406b7-334a-4a50-8013-bd63b566c391 - - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - target: - status: - state: satisfied - target-id: ac-4.4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' - uuid: d24258c7-b611-4c00-b387-518682e288a5 - - description: |- - # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." - # Control Implementation Loki implements RBAC to define system authorization and separation of duties. - target: - status: - state: not-satisfied - target-id: ac-5 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' - uuid: 98b4b967-b087-4514-af76-47fbdd301940 - - description: |- - # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6' - uuid: 425a62e9-d211-4b56-9ed3-ae145e4bda7a - - description: |- - # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-6.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1' - uuid: e0522516-4f01-4319-963c-b61ffc714e5d - - description: |- - # Control Description Prevent non-privileged users from executing privileged functions. - # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. - target: - status: - state: not-satisfied - target-id: ac-6.10 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' - uuid: 1fdec6d5-12a6-4400-bb86-65811be00806 - - description: |- - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - target: - status: - state: not-satisfied - target-id: ac-6.3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3' - uuid: 02a7b8e8-c6cf-4263-ad16-65d64957169f - - description: |- - # Control Description Log the execution of privileged functions. - # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 - target: - status: - state: not-satisfied - target-id: ac-6.9 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' - uuid: b5e568c2-539e-45f2-9aa6-b31dd4ddf30b - - description: |- - # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. - target: - status: - state: not-satisfied - target-id: au-11 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' - uuid: 1133f9d6-790b-4f66-ba94-89ce6cf7ed26 - - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 - target: - status: - state: satisfied - target-id: au-12 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' - uuid: f0b63c33-bdbd-43bb-9a36-4a386e4567eb - - description: |- - # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. - # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. - target: - status: - state: not-satisfied - target-id: au-12.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1' - uuid: 832e1041-64e8-4455-8331-48025d4cdfbc - - description: |- - # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: 65c62b95-df70-4723-bf3b-46799d0536ad - target: - status: - state: not-satisfied - target-id: au-2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' - uuid: ae5e79ac-3535-48f0-b306-fe9cd1f34736 - - description: |- - # Control Description - Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). - - # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 - target: - status: - state: not-satisfied - target-id: au-3 - type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3' - uuid: 661fde7a-25f7-4d8f-8673-d95a570001ff - - description: |- - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 - target: - status: - state: not-satisfied - target-id: au-3.1 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' - uuid: 612c395f-5036-444a-bfe4-2f9ab941622a - - description: |- - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. - target: - status: - state: not-satisfied - target-id: au-4 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' - uuid: 92598581-3f72-478e-a8f2-33aaeccd56db - - description: |- - # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. - # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-5.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' - uuid: f0e9a25c-2440-4299-8a32-1e9274b98f87 - - description: |- - # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. - # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-5.2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' - uuid: 4c6f58e6-d210-45a3-bede-b0b758c685de - - description: |- - # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. - target: - status: - state: not-satisfied - target-id: au-6 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' - uuid: 086b37df-eae0-46d5-a525-ead6453af43f - - description: |- - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. - target: - status: - state: not-satisfied - target-id: au-6.1 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' - uuid: ec6c6e31-e5df-4836-b5e6-f114d61d1081 - - description: |- - # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. - # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. - target: - status: - state: not-satisfied - target-id: au-6.3 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' - uuid: 5a9912e9-c2e1-4fad-a651-9f84d351bea1 - - description: |- - # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. - # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. - target: - status: - state: not-satisfied - target-id: au-6.5 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5' - uuid: 66c039ce-0453-481a-a754-0c8ca7e5a4c0 - - description: |- - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. - target: - status: - state: not-satisfied - target-id: au-6.6 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' - uuid: 8d2a5829-ee96-4a38-b3b9-a7931b551b02 - - description: |- - # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. - target: - status: - state: not-satisfied - target-id: au-7 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' - uuid: 958794eb-a1a5-4c29-b42c-ddfbabd544d9 - - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. - target: - status: - state: not-satisfied - target-id: au-7.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' - uuid: d42a6865-6869-4961-a90e-6d82eee7c561 - - description: |- - # Control Description - Time stamps generated by the information system include date and time. - Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. - Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. - Organizations may define different time granularities for different system components. - Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. - - # Control Implementation - Records captured by the logging daemon are enriched to ensure the following are always present: - * time of the event (UTC). - * source of event (pod, namespace, container id). - Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: fa62278d-a485-40ec-a660-51845c227040 - target: - status: - state: not-satisfied - target-id: au-8 - type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' - uuid: 0c87ccd3-8a4f-48a9-9be0-69034e18885f - - description: |- - # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - target: - status: - state: not-satisfied - target-id: au-9 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9' - uuid: 826cb8c0-8297-4f90-b2b2-d0bc95531db1 - - description: |- - # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-9.2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2' - uuid: f970ff94-5aef-4521-bd62-2e71ed0e5c70 - - description: |- - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - target: - status: - state: not-satisfied - target-id: au-9.4 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' - uuid: 28f0e109-6c62-405d-b11c-8623f6829dad - - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Loki provides an API for retrieving and filtering logs. - target: - status: - state: not-satisfied - target-id: au7.1 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1' - uuid: 3c9b6412-0808-48b6-889b-54fefa4dcdb1 - - description: |- - # Control Description - Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious - user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. - - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: ca-2.2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2' - uuid: c4dadea0-3628-4444-b493-85fe4f44a9a2 - - description: |- - # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: ca-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7' - uuid: f90d9d08-6cd9-463a-a606-c1359e00e1fe - - description: |- - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc - - observation-uuid: 41637e36-95ee-4c89-b332-80ca2d006620 - target: - status: - state: not-satisfied - target-id: cm-5 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5' - uuid: 7741992f-299d-4e30-ac94-f7797f95a661 - - description: |- - # Control Description "a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. - target: - status: - state: not-satisfied - target-id: cm-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6' - uuid: 279d19b1-4297-43a9-a631-168431b3c0cd - - description: |- - # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." - # Control Implementation NeuVector is configured securely and only access to required ports are available. - target: - status: - state: not-satisfied - target-id: cm-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7' - uuid: 4bcaa46e-66ab-4b3e-8414-92e28955d4d8 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - target: - status: - state: not-satisfied - target-id: cp-10 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' - uuid: db12a70d-960a-4bcc-bef2-d765371bc641 - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' - target: - status: - state: not-satisfied - target-id: cp-10.4 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4' - uuid: 4866acda-188f-40b1-8af4-ad3812060ef2 - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - target: - status: - state: not-satisfied - target-id: cp-6 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6' - uuid: fa78499f-12e1-4ded-86a1-1ce785cd7cbd - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - target: - status: - state: not-satisfied - target-id: cp-6.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' - uuid: 38c5c57c-e4fa-40c0-a371-519f922ce751 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - target: - status: - state: not-satisfied - target-id: cp-6.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2' - uuid: fde3d548-4c98-451e-8ad1-08ebf918ec1f - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-6.3 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3' - uuid: c0659b8c-36b9-4d6d-8e94-48343ff6d57b - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. - target: - status: - state: not-satisfied - target-id: cp-7 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' - uuid: 30788898-87df-4185-ab1c-9becdee50f6c - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' - uuid: a718a683-1df0-4cac-9b9e-f61792134683 - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2' - uuid: 90a09f38-2e0f-496a-94a0-4fcbbd79b308 - - description: |- - "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. - - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup." - target: - status: - state: not-satisfied - target-id: cp-9 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9' - uuid: 67397dd3-5693-4223-8015-5755325d5bf8 - - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. - target: - status: - state: not-satisfied - target-id: cp-9.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1' - uuid: 751a260d-f6c8-4ace-ad71-7aef30c0b9f0 - - description: Velero can be configured to restore only certain components of a back-up when necessary. - target: - status: - state: not-satisfied - target-id: cp-9.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2' - uuid: 2134ba61-df24-4258-80fc-a406ee86e4df - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. - target: - status: - state: not-satisfied - target-id: cp-9.3 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3' - uuid: 76b44e70-4f34-44f1-a8ee-72cb642dedfe - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' - target: - status: - state: not-satisfied - target-id: cp-9.5 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' - uuid: de04bf59-4529-4906-a829-a078dbcf74bf - - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. - target: - status: - state: not-satisfied - target-id: cp-9.8 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' - uuid: cc050937-d5e7-4696-8f25-9b86b62c0d07 - - description: |- - # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." - # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. - target: - status: - state: not-satisfied - target-id: ra-5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5' - uuid: 3eca257e-9609-41fd-b21f-1aaee5b3d433 - - description: |- - # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. - # Control Implementation NeuVector container scanning vulnerability database is updated frequently. - target: - status: - state: not-satisfied - target-id: ra-5.2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' - uuid: 2b6daa85-9fdf-408c-9176-75a45ef22ea4 - - description: |- - # Control Description Define the breadth and depth of vulnerability scanning coverage. - # Control Implementation NeuVector container scanning configurations depth can be modified. - target: - status: - state: not-satisfied - target-id: ra-5.3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3' - uuid: 10f8b813-c6f3-4265-9eb6-475cc7cbc636 - - description: |- - # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ra-5.5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' - uuid: b2e08e6b-16b3-4a00-ac9f-c8c9bdee64ce - - description: |- - # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: sa-11 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11' - uuid: ac49e0de-7653-4be5-8005-331927322ec2 - - description: |- - # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: sa-11.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1' - uuid: 0af42784-0963-4f76-90ef-c6d98ca5fee6 - - description: |- - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c - target: - status: - state: not-satisfied - target-id: sc-10 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10' - uuid: 5f4f6691-affd-4acc-89f6-d3055b2f2481 - - description: |- - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - - observation-uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 - - observation-uuid: 31044f2f-75fd-4472-b624-1d918be32f40 - target: - status: - state: not-satisfied - target-id: sc-13 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13' - uuid: 3df66b7f-1dec-4ab7-b76e-56023c2881a1 - - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - target: - status: - state: satisfied - target-id: sc-23 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' - uuid: c39917b0-8de0-4497-808a-a186ee2d9583 - - description: |- - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' - uuid: 693835f8-466c-4437-9e95-1968070df3a9 - - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-39 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' - uuid: c0a6d960-0976-4e3c-b539-00c36bf8565a - - description: |- - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb - - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - target: - status: - state: not-satisfied - target-id: sc-4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4' - uuid: 29bf18cb-9d9a-4b5a-9708-38fb4cb63563 - - description: |- - # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. - target: - status: - state: not-satisfied - target-id: sc-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7' - uuid: bbea5abc-37ef-461c-a912-7118ea5618ca - - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-7.20 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' - uuid: 782db436-d52a-461f-acd0-25b215fc3c3e - - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-7.21 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' - uuid: 5d59c939-fb61-4aea-8ef2-39ff71fd6756 - - description: |- - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 - - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: satisfied - target-id: sc-7.4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4' - uuid: 87d6ff85-4067-442b-b2d3-c82cbddda0c3 - - description: |- - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - - observation-uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e - target: - status: - state: not-satisfied - target-id: sc-7.8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' - uuid: ac90c141-2e83-4bfa-8833-dde2808592f1 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: not-satisfied - target-id: sc-8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' - uuid: 13dfdcfd-d77b-4649-ae0f-b9ebaeaa0549 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-8.1 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1' - uuid: f10e5f70-81c4-4b00-a8c3-29e3cd97527c - - description: |- - # Control Implementation - Istio implements with global configuration. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - target: - status: - state: satisfied - target-id: sc-8.2 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2' - uuid: 3e58bd7b-2e7d-4e85-bb8e-fc4e8b83f282 - - description: |- - # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." - # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-11 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11' - uuid: e82d6f63-db19-460b-bf7d-3c46dcf1e38c - - description: |- - # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: si-2.3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3' - uuid: 5da35a6e-9526-4864-b153-dcd851e98a51 - - description: |- - # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: si-4 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' - uuid: 6452a578-b1b8-4a1c-9ff8-6f05821ca37d - - description: |- - # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' - uuid: a8b3553e-e9af-4781-83ac-400ea1d77b77 - - description: |- - # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." - # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' - uuid: 6628f225-60a5-47a1-90f8-b4ea78dc72ef - observations: - - collected: 2024-07-09T03:24:38.473729311Z - description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil - uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - collected: 2024-07-09T03:24:38.489004016Z - description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Only allowed gateways found. All gateway types found. - validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway - validate.msg_allowed_gateways: admin, passthrough, tenant - uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - - collected: 2024-07-09T03:24:38.489063617Z - description: | - [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain is nil - uuid: 65c62b95-df70-4723-bf3b-46799d0536ad - - collected: 2024-07-09T03:24:38.489091198Z - description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil - uuid: 41637e36-95ee-4c89-b332-80ca2d006620 - - collected: 2024-07-09T03:24:38.48912419Z - description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil - uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - - collected: 2024-07-09T03:24:38.497116991Z - description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Metrics logging supported. - uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c - - collected: 2024-07-09T03:24:38.594646609Z - description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All pods have correct prometheus annotations. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 - - collected: 2024-07-09T03:24:38.594709567Z - description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil - uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 - - collected: 2024-07-09T03:24:38.594743009Z - description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil - uuid: 31044f2f-75fd-4472-b624-1d918be32f40 - - collected: 2024-07-09T03:24:38.594778174Z - description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil - uuid: fa62278d-a485-40ec-a660-51845c227040 - - collected: 2024-07-09T03:24:38.602916174Z - description: | - [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - validate.msg: Tracing logging not supported. - uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 - - collected: 2024-07-09T03:24:38.611569524Z - description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. - uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - collected: 2024-07-09T03:24:38.611623214Z - description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil - uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 - - collected: 2024-07-09T03:24:38.621193684Z - description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - collected: 2024-07-09T03:24:38.719799848Z - description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All pods have Istio sidecar proxy. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - collected: 2024-07-09T03:24:38.729154607Z - description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: 4df2137a-de64-4d02-8121-1911fc9dedab - - collected: 2024-07-09T03:24:38.751849467Z - description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. - uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 - - collected: 2024-07-09T03:24:38.751895453Z - description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil - uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c - - collected: 2024-07-09T03:24:38.75191546Z - description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil - uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e - - collected: 2024-07-09T03:24:38.757825399Z - description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. - uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - collected: 2024-07-09T03:24:38.766341924Z - description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio is logging all traffic - uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 - - collected: 2024-07-09T03:24:38.772656748Z - description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - - collected: 2024-07-09T03:24:38.776561899Z - description: | - [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Authorization Policy requires authentication for keycloak - uuid: 31654aca-4189-447d-b5e6-4928c5acc603 - - collected: 2024-07-09T03:24:38.781059357Z - description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway - uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc - - collected: 2024-07-09T03:24:38.791675282Z - description: | - [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All AuthorizationPolicies properly configured. All RequestAuthentications properly configured. - uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - - collected: 2024-07-09T03:24:38.79173886Z - description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil - uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb - props: - - name: threshold - ns: https://docs.lula.dev/oscal/ns - value: "true" - reviewed-controls: - control-selections: - - description: Controls Assessed by Lula - include-controls: - - control-id: ac-14 - - control-id: ac-2 - - control-id: ac-2.1 - - control-id: ac-3 - - control-id: ac-4 - - control-id: ac-4.21 - - control-id: ac-4.4 - control-id: ac-5 - control-id: ac-6 - control-id: ac-6.1 @@ -2770,17 +1358,12 @@ assessment-results: - control-id: sc-10 - control-id: sc-13 - control-id: sc-23 - - control-id: sc-3 - control-id: sc-39 - - control-id: sc-4 - control-id: sc-7 - - control-id: sc-7.20 - - control-id: sc-7.21 - control-id: sc-7.4 - control-id: sc-7.8 - control-id: sc-8 - control-id: sc-8.1 - - control-id: sc-8.2 - control-id: si-11 - control-id: si-2.3 - control-id: si-4 @@ -2788,7 +1371,7 @@ assessment-results: - control-id: si-6 description: Controls validated remarks: Validation performed may indicate full or partial satisfaction - start: 2024-07-09T03:24:38.798446786Z + start: 2024-10-16T20:13:51.671525491Z title: Lula Validation Result - uuid: 5a0a9538-e734-48a5-a327-02e6aa6891b0 - uuid: bf456173-34f4-480b-a659-1aae77092ee6 + uuid: 2d3dad50-ee92-4dec-a73c-cc683e28c5a2 + uuid: 1f7a298e-29e3-4d62-92c0-e4f4b42078b4 diff --git a/compliance/oscal-component.yaml b/compliance/oscal-component.yaml index 4be69f019..e48e07e5c 100644 --- a/compliance/oscal-component.yaml +++ b/compliance/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 8ef481dd-7924-42de-b426-ac300db35ec8 metadata: diff --git a/compliance/validations/istio/all-namespaces-istio-injected/README.md b/compliance/validations/istio/all-namespaces-istio-injected/README.md new file mode 100644 index 000000000..821a4d081 --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - all-namespaces-istio-injected + +**INPUT** - Collects all namespaces in the Kubernetes cluster. + +**POLICY** - Checks that all namespaces are Istio-injected, except for a predefined list of exempted namespaces. + +**NOTES** - The exempted namespaces are: `istio-system`, `kube-system`, `default`, `istio-admin-gateway`, `istio-passthrough-gateway`, `istio-tenant-gateway`, `kube-node-lease`, `kube-public`, `uds-crds`, `uds-dev-stack`, `uds-policy-exemptions`, `zarf`. \ No newline at end of file diff --git a/compliance/validations/istio/all-namespaces-istio-injected/resources.json b/compliance/validations/istio/all-namespaces-istio-injected/resources.json new file mode 100644 index 000000000..17897f6d6 --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/resources.json @@ -0,0 +1,537 @@ +{ + "namespaces": [ + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "default", + "zarf.dev/agent": "ignore" + }, + "name": "default", + "resourceVersion": "680", + "uid": "0f317322-d4b2-49cf-9bdc-949b1760c7a0" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-system", + "zarf.dev/agent": "ignore" + }, + "name": "kube-system", + "resourceVersion": "681", + "uid": "4b063c85-1386-4887-b391-a303532f586e" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-public", + "zarf.dev/agent": "ignore" + }, + "name": "kube-public", + "resourceVersion": "683", + "uid": "5047265c-9614-4b52-8617-b20de9a1ae13" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-node-lease", + "zarf.dev/agent": "ignore" + }, + "name": "kube-node-lease", + "resourceVersion": "684", + "uid": "ba53aa5c-2b5b-4302-8572-fed2efbb88d4" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:01:05Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "zarf", + "zarf.dev/agent": "ignore" + }, + "name": "zarf", + "resourceVersion": "685", + "uid": "80e207f5-5aab-414e-9ed4-e3f96b654920" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:01:06Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-dev-stack", + "zarf.dev/agent": "ignore" + }, + "name": "uds-dev-stack", + "resourceVersion": "686", + "uid": "4967045b-0d5d-4d47-b221-b9f7c41f5fa9" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:03:52Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-crds" + }, + "name": "uds-crds", + "resourceVersion": "949", + "uid": "20f83ea4-99bd-49e0-99c8-5f61a83271b2" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:14Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-system" + }, + "name": "istio-system", + "resourceVersion": "1051", + "uid": "eadee776-a36e-448e-8ec7-e8649db8e181" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:19Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "pepr-system", + "zarf-helm-release": "zarf-a102b532d6a523b085622665b606574b0cd82025" + }, + "name": "pepr-system", + "resourceVersion": "1128", + "uid": "6ff15b92-117f-4226-97aa-c334ce7a6d5d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:21Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-admin-gateway" + }, + "name": "istio-admin-gateway", + "resourceVersion": "1142", + "uid": "d66870cc-5b8e-4611-aeae-6f314f1e8076" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:27Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-tenant-gateway" + }, + "name": "istio-tenant-gateway", + "resourceVersion": "1200", + "uid": "2e51a476-fe56-4aaf-a342-27efe1fe4ce0" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:31Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-passthrough-gateway" + }, + "name": "istio-passthrough-gateway", + "resourceVersion": "1258", + "uid": "895505ba-3dd7-49db-8b6a-76a16220526d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-metrics-server": "true" + }, + "creationTimestamp": "2024-04-22T14:04:54Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "metrics-server" + }, + "name": "metrics-server", + "resourceVersion": "1516", + "uid": "b98e6771-1752-46f9-9de8-dbab84ef3803" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-keycloak": "true" + }, + "creationTimestamp": "2024-04-22T14:05:21Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "keycloak" + }, + "name": "keycloak", + "resourceVersion": "1698", + "uid": "6560188f-4555-475b-aa5b-b3b0173d6e32" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:06:37Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-policy-exemptions" + }, + "name": "uds-policy-exemptions", + "resourceVersion": "1903", + "uid": "f56bf67e-4c62-4b15-80c2-82639586bd35" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-neuvector": "true" + }, + "creationTimestamp": "2024-04-22T14:06:35Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "neuvector" + }, + "name": "neuvector", + "resourceVersion": "1940", + "uid": "b69f3003-abc4-4495-b3bb-79a3e12ab05f" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-loki": "true" + }, + "creationTimestamp": "2024-04-22T14:07:07Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "loki" + }, + "name": "loki", + "resourceVersion": "2421", + "uid": "e92842e6-2242-44d5-9473-83a97fdf0c3d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-prometheus-stack": "true" + }, + "creationTimestamp": "2024-04-22T14:08:40Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "monitoring" + }, + "name": "monitoring", + "resourceVersion": "2915", + "uid": "ebb401c8-13ee-4636-8e36-b04a0a0e3cfb" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-promtail": "true" + }, + "creationTimestamp": "2024-04-22T14:09:19Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "promtail" + }, + "name": "promtail", + "resourceVersion": "3466", + "uid": "9ee64052-8c6c-4d4e-82fb-d5fe016f441e" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-grafana": "true" + }, + "creationTimestamp": "2024-04-22T14:07:07Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "grafana" + }, + "name": "grafana", + "resourceVersion": "3621", + "uid": "c8064cce-25f4-4fd4-a16c-9e5a4af869b5" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-authservice": "true" + }, + "creationTimestamp": "2024-04-22T14:10:05Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "authservice" + }, + "name": "authservice", + "resourceVersion": "3775", + "uid": "2c399f0d-f380-43b5-a717-edf4f19d2b17" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-velero": "true" + }, + "creationTimestamp": "2024-04-22T14:10:17Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "velero" + }, + "name": "velero", + "resourceVersion": "3857", + "uid": "e6a181f4-02b4-4625-8d9e-78656316fc35" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml new file mode 100644 index 000000000..dd27a4e8a --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml @@ -0,0 +1,13 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-no-istio-injection + validation: validation.yaml + resources: resources.json + permutation: '.namespaces |= map(if .metadata.name == "grafana" then del(.metadata.labels["istio-injection"]) else . end)' + expected-validation: false diff --git a/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml new file mode 100644 index 000000000..8acfa3b8a --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml @@ -0,0 +1,58 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: namespaces + resource-rule: + group: "" + version: v1 + resource: namespaces + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validation + validate if { + check_non_istio_injected_namespaces.result + } + msg = check_non_istio_injected_namespaces.msg + msg_exempt_namespaces = concat(", ", exempted_namespaces) + + # List of exempted namespaces + exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} + + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces + } + + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } if { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } if { + msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempt_namespaces diff --git a/compliance/validations/istio/all-pods-istio-injected/README.md b/compliance/validations/istio/all-pods-istio-injected/README.md new file mode 100644 index 000000000..fcacfe2b1 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - all-pods-istio-injected + +**INPUT** - Collects all pods in the Kubernetes cluster. + +**POLICY** - Checks that all pods have an Istio sidecar proxy, except for pods in a predefined list of exempted namespaces. + +**NOTES** - The exempted namespaces are: `kube-system`, `istio-system`, `uds-dev-stack`, `zarf`, `istio-admin-gateway`, `istio-tenant-gateway`, `istio-passthrough-gateway`. \ No newline at end of file diff --git a/compliance/validations/istio/all-pods-istio-injected/resources.json b/compliance/validations/istio/all-pods-istio-injected/resources.json new file mode 100644 index 000000000..a281dc426 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/resources.json @@ -0,0 +1,24014 @@ +{ + "pods": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:06Z", + "generateName": "metallb-controller-665d96757f-", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "pod-template-hash": "665d96757f" + }, + "name": "metallb-controller-665d96757f-s8hj5", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metallb-controller-665d96757f", + "uid": "ccba3766-c585-46f7-9b64-b3b07d908e1e" + } + ], + "resourceVersion": "486", + "uid": "7795a37b-5d17-416f-aebc-13c82ea4162b" + }, + "spec": { + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info", + "--tls-min-version=VersionTLS12" + ], + "env": [ + { + "name": "METALLB_ML_SECRET_NAME", + "value": "metallb-memberlist" + }, + { + "name": "METALLB_DEPLOYMENT", + "value": "metallb-controller" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/controller:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "controller", + "ports": [ + { + "containerPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 9443, + "name": "webhook-server", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/k8s-webhook-server/serving-certs", + "name": "cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-pvfts", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "metallb-controller", + "serviceAccountName": "metallb-controller", + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "cert", + "secret": { + "defaultMode": 420, + "secretName": "metallb-webhook-cert" + } + }, + { + "name": "kube-api-access-pvfts", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:10Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://e9dde122aac6ff1bc8137450616e137751f05f69a6ddd120d55b26745e3425d3", + "image": "quay.io/metallb/controller:v0.14.5", + "imageID": "quay.io/metallb/controller@sha256:3f776529447094c8d318baeb4f9efe024cf154859762ec3eefcd878b1fe8a01f", + "lastState": {}, + "name": "controller", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:10Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.3", + "podIPs": [ + { + "ip": "10.42.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "nginx-", + "labels": { + "controller-revision-hash": "796f655567", + "name": "nginx", + "pod-template-generation": "1", + "sidecar.istio.io/inject": "false" + }, + "name": "nginx-d6xdx", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "nginx", + "uid": "d27f737c-8eaa-4243-a7c8-c2a8331eef9f" + } + ], + "resourceVersion": "542", + "uid": "cca0b707-cf92-44be-9fdc-38159979f5f7" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "command": [ + "nginx", + "-g", + "daemon off;" + ], + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "TCP" + }, + { + "containerPort": 443, + "hostPort": 443, + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx/nginx.conf", + "name": "config-volume", + "subPath": "nginx.conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-485d9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "nginx-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-485d9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f1e5591d3cca12a7e9ffbdc3e90373b0d740324ba785e41e52dcb645c06066cb", + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imageID": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:32Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.4", + "podIPs": [ + { + "ip": "10.42.0.4" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "local-path-provisioner-6d9d9b57c9-", + "labels": { + "app": "local-path-provisioner", + "pod-template-hash": "6d9d9b57c9" + }, + "name": "local-path-provisioner-6d9d9b57c9-hcv5w", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "local-path-provisioner-6d9d9b57c9", + "uid": "6fec9ac8-cdef-4052-bbe5-2325eed27917" + } + ], + "resourceVersion": "544", + "uid": "f13000c3-ec5d-46e8-96c2-1b3f800dd95e" + }, + "spec": { + "containers": [ + { + "command": [ + "local-path-provisioner", + "--debug", + "start", + "--config", + "/etc/config/config.json" + ], + "env": [ + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + } + ], + "image": "rancher/local-path-provisioner:v0.0.26", + "imagePullPolicy": "IfNotPresent", + "name": "local-path-provisioner", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config/", + "name": "config-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jcpzb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "local-path-provisioner-service-account", + "serviceAccountName": "local-path-provisioner-service-account", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "local-path-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-jcpzb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://469d27a57d2c8d0193d1a6bd41455b443f50df8befd66d6f90365fb41a108ca2", + "image": "docker.io/rancher/local-path-provisioner:v0.0.26", + "imageID": "docker.io/rancher/local-path-provisioner@sha256:aee53cadc62bd023911e7f077877d047c5b3c269f9bba25724d558654f43cea0", + "lastState": {}, + "name": "local-path-provisioner", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:31Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.6", + "podIPs": [ + { + "ip": "10.42.0.6" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "ensure-machine-id-", + "labels": { + "controller-revision-hash": "555967fc7b", + "name": "ensure-machine-id", + "pod-template-generation": "1" + }, + "name": "ensure-machine-id-r9dqh", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "ensure-machine-id", + "uid": "80ab6077-003d-4be2-860d-8a17372b226d" + } + ], + "resourceVersion": "594", + "uid": "fe2ebb8c-fee8-4a5b-a79b-f5d733756d8f" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "image": "registry.k8s.io/pause:3.9", + "imagePullPolicy": "IfNotPresent", + "name": "pause", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "100m", + "memory": "50Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-29ltk", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "initContainers": [ + { + "args": [ + "echo \"B0D07F1F43F246409516ADBDCCC86FCE\" \u003e /mnt/host/etc/machine-id;" + ], + "command": [ + "/bin/sh", + "-c" + ], + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imagePullPolicy": "Always", + "name": "generate-machine-id", + "resources": {}, + "securityContext": { + "privileged": true, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/mnt/host/etc", + "name": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-29ltk", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-29ltk", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:35Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:35Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4961e8b7180b5117d23ec0ea1a9336a6bcf20cb1b7a413ccb130ba7554f18e7a", + "image": "registry.k8s.io/pause:3.9", + "imageID": "registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097", + "lastState": {}, + "name": "pause", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://de664030a331e49795fdd67d1bd689ad074d54c401d5d14b72bd18f3ef9bfc87", + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imageID": "cgr.dev/chainguard/wolfi-base@sha256:d6b37317ae7cb5c0864189e9e5acd825386ae226a413e7c19370f5f87d150f92", + "lastState": {}, + "name": "generate-machine-id", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://de664030a331e49795fdd67d1bd689ad074d54c401d5d14b72bd18f3ef9bfc87", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.5", + "podIPs": [ + { + "ip": "10.42.0.5" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:06Z", + "generateName": "metallb-speaker-", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "controller-revision-hash": "6c7b58bfd7", + "pod-template-generation": "1" + }, + "name": "metallb-speaker-8gb22", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "metallb-speaker", + "uid": "c6d8e3b1-cbf3-4880-bad7-96b393df14f5" + } + ], + "resourceVersion": "610", + "uid": "5b51dfe0-90b9-4337-86a9-6d8ea087b5cb" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info" + ], + "env": [ + { + "name": "METALLB_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "METALLB_HOST", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "METALLB_ML_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "METALLB_ML_LABELS", + "value": "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" + }, + { + "name": "METALLB_ML_BIND_PORT", + "value": "7946" + }, + { + "name": "METALLB_ML_SECRET_KEY_PATH", + "value": "/etc/ml_secret_key" + }, + { + "name": "FRR_CONFIG_FILE", + "value": "/etc/frr_reloader/frr.conf" + }, + { + "name": "FRR_RELOADER_PID_FILE", + "value": "/etc/frr_reloader/reloader.pid" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "speaker", + "ports": [ + { + "containerPort": 7472, + "hostPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-tcp", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/ml_secret_key", + "name": "memberlist" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/etc/metallb", + "name": "metallb-excludel2" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/sbin/tini -- /usr/lib/frr/docker-start \u0026\nattempts=0\nuntil [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do\n sleep 1\n attempts=$(( $attempts + 1 ))\ndone\ntail -f /etc/frr/frr.log\n" + ], + "env": [ + { + "name": "TINI_SUBREAPER", + "value": "true" + } + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "livez", + "port": 7473, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "frr", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW", + "SYS_ADMIN", + "NET_BIND_SERVICE" + ] + } + }, + "startupProbe": { + "failureThreshold": 30, + "httpGet": { + "path": "/livez", + "port": 7473, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/etc/frr_reloader/frr-reloader.sh" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "args": [ + "--metrics-port=7473" + ], + "command": [ + "/etc/frr_metrics/frr-metrics" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "frr-metrics", + "ports": [ + { + "containerPort": 7473, + "hostPort": 7473, + "name": "monitoring", + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostNetwork": true, + "initContainers": [ + { + "command": [ + "/bin/sh", + "-c", + "cp -rLf /tmp/frr/* /etc/frr/" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "cp-frr-files", + "resources": {}, + "securityContext": { + "runAsGroup": 101, + "runAsUser": 100 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/frr", + "name": "frr-startup" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-reloader.sh /etc/frr_reloader/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-metrics /etc/frr_metrics/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-metrics", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "metallb-speaker", + "serviceAccountName": "metallb-speaker", + "shareProcessNamespace": true, + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/network-unavailable", + "operator": "Exists" + } + ], + "volumes": [ + { + "name": "memberlist", + "secret": { + "defaultMode": 420, + "secretName": "metallb-memberlist" + } + }, + { + "configMap": { + "defaultMode": 256, + "name": "metallb-excludel2" + }, + "name": "metallb-excludel2" + }, + { + "emptyDir": {}, + "name": "frr-sockets" + }, + { + "configMap": { + "defaultMode": 420, + "name": "metallb-frr-startup" + }, + "name": "frr-startup" + }, + { + "emptyDir": {}, + "name": "frr-conf" + }, + { + "emptyDir": {}, + "name": "reloader" + }, + { + "emptyDir": {}, + "name": "metrics" + }, + { + "name": "kube-api-access-fknxr", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:18Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:22Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:40Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:40Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://206d74412d6f746852ed33e9448b100ae2762ba6a722e94a04e3e5aa7f03260c", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://9407b90e38fba202082dfa4a550efde6f3d16250ebc32c87b8431ed735e1430a", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://d7541882f85936e252f33d0130b123a08d8316655b0aba281276429eb479c7af", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://05a490aad7458d0127e70c256ee4c0e9ee56b793620a499f6d8196b38bad0583", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "speaker", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ec00aef71a7110a1899d7b6fbf965b93bc8004cec9f9f7002e320b1c5ad8dd29", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "cp-frr-files", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ec00aef71a7110a1899d7b6fbf965b93bc8004cec9f9f7002e320b1c5ad8dd29", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:17Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:17Z" + } + } + }, + { + "containerID": "containerd://ba979b36684e75411bbcc2ba4af20dc1ce3e2ef2321ac4e72fcd5139fb737dc3", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ba979b36684e75411bbcc2ba4af20dc1ce3e2ef2321ac4e72fcd5139fb737dc3", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:21Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:21Z" + } + } + }, + { + "containerID": "containerd://7381fb10b9989113eaabf5ca8bcb4344519725c0a5111e8e796f2e6383d790f1", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-metrics", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7381fb10b9989113eaabf5ca8bcb4344519725c0a5111e8e796f2e6383d790f1", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:21Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "172.19.0.3", + "podIPs": [ + { + "ip": "172.19.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "25ba5a36ee6bd1887b73590eee26c55e5673fbf1ef59d3f2e380255cea24fc78", + "checksum/secrets": "9b856ae77a7f70b2d03ee838d91fc2f61b9dc5f9140837fd2f14aa3a0631eb6a" + }, + "creationTimestamp": "2024-07-15T19:21:33Z", + "generateName": "minio-6c8d84fc7f-", + "labels": { + "app": "minio", + "pod-template-hash": "6c8d84fc7f", + "release": "minio" + }, + "name": "minio-6c8d84fc7f-zw9dv", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "minio-6c8d84fc7f", + "uid": "1cbd7b49-530e-4864-be2d-bfa8765649fc" + } + ], + "resourceVersion": "615", + "uid": "08e134cb-f32d-44f3-a858-a46d5709c9ba" + }, + "spec": { + "containers": [ + { + "command": [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + ], + "env": [ + { + "name": "MINIO_ROOT_USER", + "valueFrom": { + "secretKeyRef": { + "key": "rootUser", + "name": "minio" + } + } + }, + { + "name": "MINIO_ROOT_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "rootPassword", + "name": "minio" + } + } + }, + { + "name": "MINIO_PROMETHEUS_AUTH_TYPE", + "value": "public" + } + ], + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imagePullPolicy": "IfNotPresent", + "name": "minio", + "ports": [ + { + "containerPort": 9000, + "name": "http", + "protocol": "TCP" + }, + { + "containerPort": 9001, + "name": "http-console", + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": "150m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/credentials", + "name": "minio-user", + "readOnly": true + }, + { + "mountPath": "/export", + "name": "export" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xwwsx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "fsGroupChangePolicy": "OnRootMismatch", + "runAsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "minio-sa", + "serviceAccountName": "minio-sa", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "export", + "persistentVolumeClaim": { + "claimName": "minio" + } + }, + { + "name": "minio-user", + "secret": { + "defaultMode": 420, + "secretName": "minio" + } + }, + { + "name": "kube-api-access-xwwsx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:38Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://db32566b2641bbc63592030e260f7964ef49292aee694752b7a344d0b31e0fcd", + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imageID": "quay.io/minio/minio@sha256:036a068d7d6b69400da6bc07a480bee1e241ef3c341c41d988ed11f520f85124", + "lastState": {}, + "name": "minio", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:42Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.8", + "podIPs": [ + { + "ip": "10.42.0.8" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:38Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/restartedAt": "2024-07-15T15:21:50-04:00" + }, + "creationTimestamp": "2024-07-15T19:21:50Z", + "generateName": "coredns-67cddc4fb4-", + "labels": { + "k8s-app": "kube-dns", + "pod-template-hash": "67cddc4fb4" + }, + "name": "coredns-67cddc4fb4-5fsgn", + "namespace": "kube-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "coredns-67cddc4fb4", + "uid": "fecf9a0b-1ff7-4fbc-a0b4-2d027e838a5d" + } + ], + "resourceVersion": "689", + "uid": "dee39420-a2ab-4ec3-a7ae-d13c251b8910" + }, + "spec": { + "containers": [ + { + "args": [ + "-conf", + "/etc/coredns/Corefile" + ], + "image": "rancher/mirrored-coredns-coredns:1.10.1", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/health", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "coredns", + "ports": [ + { + "containerPort": 53, + "name": "dns", + "protocol": "UDP" + }, + { + "containerPort": 53, + "name": "dns-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9153, + "name": "metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8181, + "scheme": "HTTP" + }, + "periodSeconds": 2, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "memory": "170Mi" + }, + "requests": { + "cpu": "100m", + "memory": "70Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_BIND_SERVICE" + ], + "drop": [ + "all" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/coredns", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/coredns/custom", + "name": "custom-config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7bjqt", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "Default", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "coredns", + "serviceAccountName": "coredns", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "CriticalAddonsOnly", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "topologySpreadConstraints": [ + { + "labelSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "maxSkew": 1, + "topologyKey": "kubernetes.io/hostname", + "whenUnsatisfiable": "DoNotSchedule" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "Corefile", + "path": "Corefile" + }, + { + "key": "NodeHosts", + "path": "NodeHosts" + } + ], + "name": "coredns" + }, + "name": "config-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "coredns-custom", + "optional": true + }, + "name": "custom-config-volume" + }, + { + "name": "kube-api-access-7bjqt", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:50Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:50Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8ec9910459f9fde24c470d4d30c08fcc0cc8b6578e9025a59136396ab91e2ea8", + "image": "docker.io/rancher/mirrored-coredns-coredns:1.10.1", + "imageID": "docker.io/rancher/mirrored-coredns-coredns@sha256:a11fafae1f8037cbbd66c5afa40ba2423936b72b4fd50a7034a7e8b955163594", + "lastState": {}, + "name": "coredns", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:51Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.10", + "podIPs": [ + { + "ip": "10.42.0.10" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:50Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "5944c97d04b79de507bf45171f9cc5a207b0edbfe79b85beed66145312c9a6d5" + }, + "creationTimestamp": "2024-07-15T19:22:43Z", + "generateName": "zarf-docker-registry-5df7748994-", + "labels": { + "app": "docker-registry", + "pod-template-hash": "5df7748994", + "release": "zarf-docker-registry", + "zarf.dev/agent": "ignore" + }, + "name": "zarf-docker-registry-5df7748994-wv45k", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "zarf-docker-registry-5df7748994", + "uid": "d0616098-3a93-4a57-a8f3-0214bcfcdaf3" + } + ], + "resourceVersion": "877", + "uid": "5edae467-72ca-46d7-924f-de8c81cdfc88" + }, + "spec": { + "affinity": { + "podAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "docker-registry" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "command": [ + "/bin/registry", + "serve", + "/etc/docker/registry/config.yml" + ], + "env": [ + { + "name": "REGISTRY_AUTH", + "value": "htpasswd" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_REALM", + "value": "Registry Realm" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_PATH", + "value": "/etc/docker/registry/htpasswd" + }, + { + "name": "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", + "value": "/var/lib/registry" + }, + { + "name": "REGISTRY_STORAGE_DELETE_ENABLED", + "value": "true" + } + ], + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "docker-registry", + "ports": [ + { + "containerPort": 5000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "3", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/lib/registry/", + "name": "data" + }, + { + "mountPath": "/etc/docker/registry", + "name": "config" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htsj8", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "config", + "secret": { + "defaultMode": 420, + "items": [ + { + "key": "configData", + "path": "config.yml" + }, + { + "key": "htpasswd", + "path": "htpasswd" + } + ], + "secretName": "zarf-docker-registry-secret" + } + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "zarf-docker-registry" + } + }, + { + "name": "kube-api-access-htsj8", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ad7e03c72e45aadd7a7e04fef67e8c0b71558b061540549c949ff1c8062ed91d", + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imageID": "127.0.0.1:31999/library/registry@sha256:53ee3286cf0400c2ec957e31594c77439ec959e26ca00c8264c5ce521f7859ac", + "lastState": {}, + "name": "docker-registry", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:44Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.14", + "podIPs": [ + { + "ip": "10.42.0.14" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:43Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:22:48Z", + "generateName": "agent-hook-59ffcd5dc9-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "59ffcd5dc9", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-59ffcd5dc9-psr4z", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-59ffcd5dc9", + "uid": "9a754d33-1d43-493e-b103-ec5e2b424813" + } + ], + "resourceVersion": "951", + "uid": "3cef1be4-d010-4241-abdf-980cd35a4545" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x875g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-x875g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:48Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9cc795de2a2bf1670e605802314bec0fe06349ede9d8f223fe7b5ad88aab4c61", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:790f5523474c1e468177cec8095897c24fa4f6b44fe4b3c170ead4efccb33deb", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:50Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.16", + "podIPs": [ + { + "ip": "10.42.0.16" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:49Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:22:48Z", + "generateName": "agent-hook-59ffcd5dc9-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "59ffcd5dc9", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-59ffcd5dc9-km2n7", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-59ffcd5dc9", + "uid": "9a754d33-1d43-493e-b103-ec5e2b424813" + } + ], + "resourceVersion": "955", + "uid": "a97ce80c-e562-46f3-929b-4b2f90cb4781" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-kwrgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-kwrgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://765eb72b9f732ad82195fa111ffc842a7327afd22e3ca36cb0764abf9cb5e30b", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:790f5523474c1e468177cec8095897c24fa4f6b44fe4b3c170ead4efccb33deb", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:50Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.15", + "podIPs": [ + { + "ip": "10.42.0.15" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:49Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": "2024-07-15T19:23:10Z", + "generateName": "istiod-65d755df65-", + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "pod-template-hash": "65d755df65", + "sidecar.istio.io/inject": "false", + "zarf-agent": "patched" + }, + "name": "istiod-65d755df65-wqqv4", + "namespace": "istio-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "istiod-65d755df65", + "uid": "8c0fcf4c-a8a6-457e-a746-213fe5b10d14" + } + ], + "resourceVersion": "1137", + "uid": "f2441ec0-38ba-4b6c-94f7-f0e6023facf9" + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_JWT_ENABLE_REMOTE_JWKS", + "value": "hybrid" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips:1.22.2-zarf-1946820730", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-s75s7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + }, + { + "name": "kube-api-access-s75s7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:11Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:10Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:12Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:12Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:10Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8b2948f7be4e06016ba417ebb0b567cca7fe3b22c8463bea0cf070b19ef7fe6a", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips:1.22.2-zarf-1946820730", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips@sha256:d62df1d72be6182a41ecb7259b195e6b7bd28c0301fe7f46126187e6601f5f20", + "lastState": {}, + "name": "discovery", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:11Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.17", + "podIPs": [ + { + "ip": "10.42.0.17" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:10Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-48f5b\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:17Z", + "generateName": "admin-ingressgateway-65c568569f-", + "labels": { + "app": "admin-ingressgateway", + "istio": "admin-ingressgateway", + "pod-template-hash": "65c568569f", + "service.istio.io/canonical-name": "admin-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "admin-ingressgateway-65c568569f-nssjx", + "namespace": "istio-admin-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "admin-ingressgateway-65c568569f", + "uid": "4807fa82-ff07-41b5-bba9-e9aa4433dd38" + } + ], + "resourceVersion": "1211", + "uid": "b390a7ed-b997-4236-80dc-d7c2d3b1ead3" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "admin-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-admin-gateway/deployments/admin-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48f5b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "admin-ingressgateway", + "serviceAccountName": "admin-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-48f5b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:18Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:17Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:19Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:19Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4aeab66391eea771294a630f113c82c039de7b48bc70cb502bc03aabda8624b7", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.18", + "podIPs": [ + { + "ip": "10.42.0.18" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-2smgd\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:23Z", + "generateName": "tenant-ingressgateway-79d5d77d67-", + "labels": { + "app": "tenant-ingressgateway", + "istio": "tenant-ingressgateway", + "pod-template-hash": "79d5d77d67", + "service.istio.io/canonical-name": "tenant-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "tenant-ingressgateway-79d5d77d67-fdcrk", + "namespace": "istio-tenant-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "tenant-ingressgateway-79d5d77d67", + "uid": "4e8436d1-1a72-48c2-8401-029d6a88e0be" + } + ], + "resourceVersion": "1266", + "uid": "be7b37b2-96ba-41d3-a5f9-6b546cedd6c0" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "tenant-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-tenant-gateway/deployments/tenant-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2smgd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "tenant-ingressgateway", + "serviceAccountName": "tenant-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-2smgd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:24Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:24Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9411159858b495e26067084207456676f7b2182273670876fdce8ff2770a5e55", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.19", + "podIPs": [ + { + "ip": "10.42.0.19" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:23Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-d8nvq\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:27Z", + "generateName": "passthrough-ingressgateway-77f78c89b5-", + "labels": { + "app": "passthrough-ingressgateway", + "istio": "passthrough-ingressgateway", + "pod-template-hash": "77f78c89b5", + "service.istio.io/canonical-name": "passthrough-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "passthrough-ingressgateway-77f78c89b5-pm8qs", + "namespace": "istio-passthrough-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "passthrough-ingressgateway-77f78c89b5", + "uid": "78cc1423-b80a-4b9c-8f1b-3d59b7f75c53" + } + ], + "resourceVersion": "1329", + "uid": "f7217d2e-6486-4eaf-8629-2912fd29a340" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-passthrough-gateway/deployments/passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-d8nvq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "passthrough-ingressgateway", + "serviceAccountName": "passthrough-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-d8nvq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7b990fded25b108e98eb26bedf084d992082372b787056fb359418047b26777e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:27Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.20", + "podIPs": [ + { + "ip": "10.42.0.20" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:27Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-5c765b95fc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "5c765b95fc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-5c765b95fc-cfkkk", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-5c765b95fc", + "uid": "0a1532c3-713f-43e5-a524-162af59e0d07" + } + ], + "resourceVersion": "1482", + "uid": "a2ac1d4c-cee9-4329-8d30-c0843aae66c1" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-tzqh9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://159d6f4b88ac8016e5a92934206b51f21c0061c500bce0c153b4e82a7ad8bf4d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://6b1f6abf4bc9fbe85a28145ac16c4f5bf3f3e1479c039b5eff81426c826e60b0", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://7a8f7f63cf2f2c10e696e21bd6256c496789edfd01d785ea77d7468ab0db4826", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7a8f7f63cf2f2c10e696e21bd6256c496789edfd01d785ea77d7468ab0db4826", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.23", + "podIPs": [ + { + "ip": "10.42.0.23" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "watcher", + "kubectl.kubernetes.io/default-logs-container": "watcher", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-watcher-66b655ddf4-", + "labels": { + "app": "pepr-uds-core-watcher", + "pepr.dev/controller": "watcher", + "pod-template-hash": "66b655ddf4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core-watcher", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-watcher-66b655ddf4-bpq9g", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-watcher-66b655ddf4", + "uid": "ae364113-5898-474f-bcd1-286861bb69fe" + } + ], + "resourceVersion": "1490", + "uid": "84585c9d-6165-4901-bde2-9f98761d74cd" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "watcher" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/watcher/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/watcher/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "true" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "watcher", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-8kh7x", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://85d64001599c5308e7c2e71ca09ef22053485a6289acba3ea4769a8354ef6e4b", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://a862028611efdf0c258a1b76c8c5cbd3604dc1b5a83699d6ec92839e151260df", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "watcher", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://71e6351114992f381e3e8b171786010b883e76b800d597adb1f3258de12c9f84", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://71e6351114992f381e3e8b171786010b883e76b800d597adb1f3258de12c9f84", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.21", + "podIPs": [ + { + "ip": "10.42.0.21" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-5c765b95fc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "5c765b95fc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-5c765b95fc-67xnv", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-5c765b95fc", + "uid": "0a1532c3-713f-43e5-a524-162af59e0d07" + } + ], + "resourceVersion": "1494", + "uid": "369da40a-d38b-4d0c-97ef-727debbd0746" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-vm8xd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://52bc399613ee525613fafce8448b2730eac0057149186f0d384d32df86da986e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://e1999cff8e62631cd329f06102304e60a0d628d306b75af300981b2f9bc86ef4", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://82d343ee90dcedec09af8c07d37a7b9d8821cc2ae8a7ff3c09101da41238e40f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://82d343ee90dcedec09af8c07d37a7b9d8821cc2ae8a7ff3c09101da41238e40f", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.22", + "podIPs": [ + { + "ip": "10.42.0.22" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "metrics-server", + "kubectl.kubernetes.io/default-logs-container": "metrics-server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:23:46Z", + "generateName": "metrics-server-6bcc744c5f-", + "labels": { + "app.kubernetes.io/instance": "metrics-server", + "app.kubernetes.io/name": "metrics-server", + "pod-template-hash": "6bcc744c5f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "metrics-server", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "metrics-server-6bcc744c5f-mbrrc", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metrics-server-6bcc744c5f", + "uid": "2d94087c-2ea1-4028-8ca6-936caad2069a" + } + ], + "resourceVersion": "1610", + "uid": "0ad94ed4-3b0d-4cb8-a75e-d00843f62f51" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "metrics-server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "metrics-server" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/metrics-server/deployments/metrics-server" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/metrics-server/livez\":{\"httpGet\":{\"path\":\"/livez\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/metrics-server/readyz\":{\"httpGet\":{\"path\":\"/readyz\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + }, + { + "args": [ + "--secure-port=10250", + "--cert-dir=/tmp", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--kubelet-use-node-status-port", + "--metric-resolution=15s", + "--authorization-always-allow-paths=/metrics" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips:0.7.1-zarf-2411220177", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/metrics-server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "metrics-server", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/metrics-server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "metrics-server", + "serviceAccountName": "metrics-server", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "name": "kube-api-access-q52dc", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:47Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:48Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:01Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:01Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://553557fcf02f2346baa5f4929a879fc18655109c0330da309876921b309fe5ff", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:48Z" + } + } + }, + { + "containerID": "containerd://abad4d35d31bae601c8308445e98f5e8f28141815cee4f519523058ede4126f4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips:0.7.1-zarf-2411220177", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips@sha256:9803ec7418a3c45dcc3841f796cca2d64e35e5efa383109411b6f161d38e451a", + "lastState": {}, + "name": "metrics-server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://eb242f86d299ce544be7544c712a261c6bed0c615f1f0511aba4a391bf79a003", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eb242f86d299ce544be7544c712a261c6bed0c615f1f0511aba4a391bf79a003", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:46Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:46Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.24", + "podIPs": [ + { + "ip": "10.42.0.24" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "keycloak", + "kubectl.kubernetes.io/default-logs-container": "keycloak", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:24:10Z", + "generateName": "keycloak-", + "labels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "keycloak-8595d86f46", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "keycloak", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "keycloak-0", + "zarf-agent": "patched" + }, + "name": "keycloak-0", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "keycloak", + "uid": "a347223a-fa63-48a3-9d8e-e6e13759b313" + } + ], + "resourceVersion": "1827", + "uid": "eb5b770d-ae1b-4ea1-8990-837776913210" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app.kubernetes.io/component", + "operator": "NotIn", + "values": [ + "test" + ] + } + ], + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + }, + "topologyKey": "failure-domain.beta.kubernetes.io/zone" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "keycloak" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "keycloak" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/keycloak/statefulsets/keycloak" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/keycloak/livez\":{\"httpGet\":{\"path\":\"/health/live\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2},\"/app-health/keycloak/readyz\":{\"httpGet\":{\"path\":\"/health/ready\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + }, + { + "args": [ + "start-dev", + "--spi-theme-static-max-age=-1", + "--spi-theme-cache-themes=false", + "--spi-theme-cache-templates=false", + "--import-realm", + "--features=preview" + ], + "command": [ + "/opt/keycloak/bin/kc.sh" + ], + "env": [ + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "KC_HEALTH_ENABLED", + "value": "true" + }, + { + "name": "KC_METRICS_ENABLED", + "value": "true" + }, + { + "name": "QUARKUS_HTTP_ACCESS_LOG_ENABLED", + "value": "true" + }, + { + "name": "KC_HOSTNAME_STRICT", + "value": "false" + }, + { + "name": "KC_HOSTNAME_STRICT_HTTPS", + "value": "false" + }, + { + "name": "KC_PROXY", + "value": "edge" + }, + { + "name": "KC_HTTPS_CLIENT_AUTH", + "value": "request" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_PROVIDER", + "value": "nginx" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT", + "value": "istio-mtls-client-certificate" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX", + "value": "UNUSED" + }, + { + "name": "KC_LOG_LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL", + "value": "TRACE" + } + ], + "envFrom": [ + { + "secretRef": { + "name": "keycloak-realm-env" + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak:24.0.5-zarf-1424829975", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "name": "keycloak", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "1Gi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "keycloak-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.5.0-zarf-1934043158", + "imagePullPolicy": "IfNotPresent", + "name": "uds-config", + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "subdomain": "keycloak-headless", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "providers" + }, + { + "emptyDir": {}, + "name": "conf" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "keycloak-data" + } + }, + { + "name": "themes", + "persistentVolumeClaim": { + "claimName": "keycloak-themes" + } + }, + { + "name": "kube-api-access-9jxj5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:15Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:16Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:04Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:04Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:13Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ae3724785974b617c1f36902ea3abba0a3126c1069e5ec3a8e4a7e30840962ec", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:24:16Z" + } + } + }, + { + "containerID": "containerd://f737fb0172a0f37a4165b986e3049b0cc970ecabf54f6bcd636728741d7cc1ee", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak:24.0.5-zarf-1424829975", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak@sha256:4b7c5429b47d7b1dba30698780526d1ea00a8789d16b0e82a04a8e6448d99d61", + "lastState": {}, + "name": "keycloak", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:24:19Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://a13545650387343f80245555fb1c08af87426cc594d202df571afe7bf661a7e9", + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.5.0-zarf-1934043158", + "imageID": "127.0.0.1:31999/defenseunicorns/uds/identity-config@sha256:8daeedba128c1154c278332d45378062e490344bb5fc8274fcce92a43d7a11e9", + "lastState": {}, + "name": "uds-config", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a13545650387343f80245555fb1c08af87426cc594d202df571afe7bf661a7e9", + "exitCode": 0, + "finishedAt": "2024-07-15T19:24:14Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:24:14Z" + } + } + }, + { + "containerID": "containerd://ec3f96e0eb0287bcacddc293236530b778c4d7455da522e404160c149dcabc6e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ec3f96e0eb0287bcacddc293236530b778c4d7455da522e404160c149dcabc6e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:24:15Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:24:15Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.27", + "podIPs": [ + { + "ip": "10.42.0.27" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:24:13Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:28Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-zrpj6", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2209", + "uid": "7de9842a-fb74-42b7-b942-02b39440062f" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-jrgz2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ffca5c8b96f0e2f0dcb1cd113e9a934f4e0c843fe00da2d84ae9d4d46d2a4f77", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://af0a3a7241fd9b7565778315afa787df090c1cf395650e41015447a9f9dc48d9", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://2e99e7a72800546f79f76de7ab33ccb7e8e7c41c9b2ca21bf4f565b4818c054d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://2e99e7a72800546f79f76de7ab33ccb7e8e7c41c9b2ca21bf4f565b4818c054d", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.30", + "podIPs": [ + { + "ip": "10.42.0.30" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-d552k", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2213", + "uid": "b2a7f732-e96c-4bf7-9adc-9a1c6b21d008" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-xph4g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://23eeca63405b9da57e951b821f8a52b29667cb733a757ab1f0b0f62f30b22a6f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://92bf9526301abf67918bd0ebe43486aaa5b6a4377f4c63d85bebf9dae98703fb", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://101bd4f33f7595af504d6663348b92338d233b0228abc8c0c6a3d53afe4c819f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://101bd4f33f7595af504d6663348b92338d233b0228abc8c0c6a3d53afe4c819f", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.33", + "podIPs": [ + { + "ip": "10.42.0.33" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-c4nkm", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2219", + "uid": "ebdab16c-9794-4e04-a511-6702c1026016" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-b6rxb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://5ee5f403ed5a5b0858e295976e83bac42b2b337b096366cb2d633bc792f6b0df", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://b2cea19404ab8f8d94539101c27a42d7808e4f6babb40f8251df30dd6d3e2c16", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://f6a7edde1ba8903da923a07a8971595cbdd4cad0112cd54d90cf022fa1cd37f4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://f6a7edde1ba8903da923a07a8971595cbdd4cad0112cd54d90cf022fa1cd37f4", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.32", + "podIPs": [ + { + "ip": "10.42.0.32" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-enforcer-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-enforcer-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowHostNamespaces": "exempted", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:25:28Z", + "generateName": "neuvector-enforcer-pod-", + "labels": { + "app": "neuvector-enforcer-pod", + "controller-revision-hash": "6bff578d6b", + "pod-template-generation": "1", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-enforcer-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-enforcer-pod-jzhh5", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "neuvector-enforcer-pod", + "uid": "183e282a-5df5-43cf-ba2f-1d8580b519aa" + } + ], + "resourceVersion": "2223", + "uid": "1a2d41a3-cb47-4255-9a81-99a87f3c9cb8" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-enforcer-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/daemonsets/neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.3-zarf-2886042343", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-enforcer-pod", + "resources": {}, + "securityContext": { + "privileged": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/lib/modules", + "name": "modules-vol", + "readOnly": true + }, + { + "mountPath": "/var/nv_debug", + "name": "nv-debug" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "enforcer", + "serviceAccountName": "enforcer", + "terminationGracePeriodSeconds": 1200, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/lib/modules", + "type": "" + }, + "name": "modules-vol" + }, + { + "hostPath": { + "path": "/var/nv_debug", + "type": "" + }, + "name": "nv-debug" + }, + { + "name": "kube-api-access-r548n", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8a5f914091f6f48b6ce72bd070d1643fafcecf90a4cca81b35a6aa3bdb0a4390", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://418d8bbc2f40259804deb019fd35763f2b14eb91ee50273a9058b1cfc5466e7c", + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.3-zarf-2886042343", + "imageID": "127.0.0.1:31999/neuvector/enforcer@sha256:c958223f49d5aebc24af798c168c1643d3aa88caeb1ee741df8beb0b93d14b5a", + "lastState": {}, + "name": "neuvector-enforcer-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:36Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://d71b8ff850816baf5c50983a3a8659e21e2371497c98f4d3ff99bca7186409a2", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d71b8ff850816baf5c50983a3a8659e21e2371497c98f4d3ff99bca7186409a2", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.28", + "podIPs": [ + { + "ip": "10.42.0.28" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-manager-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-manager-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-manager-pod-59679458cf-", + "labels": { + "app": "neuvector-manager-pod", + "pod-template-hash": "59679458cf", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-manager-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-manager-pod-59679458cf-zppj8", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-manager-pod-59679458cf", + "uid": "ebf4e397-bb65-4f4b-bb6c-b1b31e8eb980" + } + ], + "resourceVersion": "2236", + "uid": "0612d87f-55f9-4a47-b518-6131ae94d340" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8443,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-manager-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-manager-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-manager-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CTRL_SERVER_IP", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "MANAGER_SSL", + "value": "off" + } + ], + "image": "127.0.0.1:31999/neuvector/manager:5.3.3-zarf-1801671909", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-manager-pod", + "ports": [ + { + "containerPort": 8443, + "name": "http", + "protocol": "TCP" + } + ], + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "basic", + "serviceAccountName": "basic", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-cs2w9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a14260911a5bd949ee7dcda513bc485f5501728b93819fcad9a1a82e0a6f4d49", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://b0c7a8f870291e3ff2d3f496b993594cc2ee8bbe58086f6fcf4f9e54792c1a51", + "image": "127.0.0.1:31999/neuvector/manager:5.3.3-zarf-1801671909", + "imageID": "127.0.0.1:31999/neuvector/manager@sha256:2125c2c8ae4bb2684e8a18089ebbaa369727a230c61de1314e884ad30f3e5b91", + "lastState": {}, + "name": "neuvector-manager-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:37Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://4a135c4771ffce5ed1f2f7a8f6ebcac7f9285277611abd4f83fd8725fe6124de", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://4a135c4771ffce5ed1f2f7a8f6ebcac7f9285277611abd4f83fd8725fe6124de", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.29", + "podIPs": [ + { + "ip": "10.42.0.29" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "bb09a05e33c5aa2966debe5a0953fc44b5d234893a981c66172e001bbccbaf07", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "nginx", + "kubectl.kubernetes.io/default-logs-container": "nginx", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-gateway-64756ffb74-", + "labels": { + "app.kubernetes.io/component": "gateway", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "pod-template-hash": "64756ffb74", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-gateway-64756ffb74-fbwkb", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-gateway-64756ffb74", + "uid": "43aed466-1137-4e55-8d1e-ce0a748d6a9d" + } + ], + "resourceVersion": "2646", + "uid": "d432b488-0f71-4fe3-8ad4-9d20274bad34" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "nginx" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-gateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-gateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/nginx/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips:1.27.0-zarf-2401993313", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/nginx/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 15, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx", + "name": "config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/docker-entrypoint.d", + "name": "docker-entrypoint-d-override" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 101, + "runAsGroup": 101, + "runAsNonRoot": true, + "runAsUser": 101 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-gateway" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "docker-entrypoint-d-override" + }, + { + "name": "kube-api-access-299m5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:52Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:12Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:12Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a5f24572c70a654f9e97680b65936358371a079065168dae9358ed7eafb9bbbb", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:54Z" + } + } + }, + { + "containerID": "containerd://29972bf8a5ff4aa33b7a1cf2a0c4b340a76e4e1132ef528306f34501b59aaea4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips:1.27.0-zarf-2401993313", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips@sha256:9b8deffcaf1d566a7409cab03cc2db67feff596dfcd582d8ff11d472025123bf", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://eebdc230652e421f376b30889ca8c2209290ab5ac9d145e6704c946c4f06029b", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eebdc230652e421f376b30889ca8c2209290ab5ac9d145e6704c946c4f06029b", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:52Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:52Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.38", + "podIPs": [ + { + "ip": "10.42.0.38" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:25:46Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-ch8cx", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "2667", + "uid": "e06cbc18-9ac5-41d1-871e-2a1bf7ef614e" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-x7v72", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:47Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:22Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:22Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f922695d22170eeb364ed8a2bbfbd155f83915dff412653dddfe80b9c3fe572c", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:47Z" + } + } + }, + { + "containerID": "containerd://58d73000b5bc33689b0be74a8ae5d69c207ec8c6badf7489018f8a0906a72861", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://3b769c791af5ec78bf87e0c9f8c3392886921d20c37511591649685aa0d2a238", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://3b769c791af5ec78bf87e0c9f8c3392886921d20c37511591649685aa0d2a238", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:47Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:47Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.36", + "podIPs": [ + { + "ip": "10.42.0.36" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-read-648f4564f8-", + "labels": { + "app.kubernetes.io/component": "read", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "pod-template-hash": "648f4564f8", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-read-648f4564f8-svncd", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-read-648f4564f8", + "uid": "08e0e0d6-4d15-47ed-9c3a-3093ec6cdf9f" + } + ], + "resourceVersion": "2689", + "uid": "132c9371-c71c-4744-a8ed-95573395076e" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-read" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-read" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=read", + "-legacy-read-mode=false", + "-common.compactor-grpc-address=loki-backend.loki.svc.cluster.local:9095" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "data" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-bthg5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://54fd909651fdad1f06d924b87f57fe4219ac384faa627e6372314af448f00f6e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:54Z" + } + } + }, + { + "containerID": "containerd://05018bc860d48b89b94118774e8615772e1dd5fd004c23feefb4be25bdb7cda3", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://98fa4a1b5029d9c00f5c05d9f462238333cf87e5549e5f3c44c90c62658fb2d9", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://98fa4a1b5029d9c00f5c05d9f462238333cf87e5549e5f3c44c90c62658fb2d9", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:52Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:52Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.40", + "podIPs": [ + { + "ip": "10.42.0.40" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-backend-", + "labels": { + "app.kubernetes.io/component": "backend", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-backend-585d56dcd5", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-backend-0", + "zarf-agent": "patched" + }, + "name": "loki-backend-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-backend", + "uid": "3e167792-57f8-4d4b-8f99-ea676f0dcfe3" + } + ], + "resourceVersion": "2706", + "uid": "f90ba134-9478-45fa-89aa-b10156ae45e9" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-backend" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-backend" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=backend", + "-legacy-read-mode=false" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-backend-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-backend-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-backend-0" + } + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-682tw", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:59Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:59Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:38Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:38Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:58Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://34d70ffe9b0446ffc0b10193674018ba36884e98aa56a27a3f219b2300b4c8d6", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:59Z" + } + } + }, + { + "containerID": "containerd://b10d21503a1b0852e44ab2eee34d4b949e115fc44d703ca828dd09ee39e93baa", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:26:02Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://67990cc461fdb5b8fe8b2ff6feed18182349281c7ca6356921dd2811c7ae9384", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://67990cc461fdb5b8fe8b2ff6feed18182349281c7ca6356921dd2811c7ae9384", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:59Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:58Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.43", + "podIPs": [ + { + "ip": "10.42.0.43" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:58Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-write-", + "labels": { + "app.kubernetes.io/component": "write", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-write-6bcf4bcf7", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-write-0", + "zarf-agent": "patched" + }, + "name": "loki-write-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-write", + "uid": "29bd3ccc-185d-442f-b604-11ac7b6891d3" + } + ], + "resourceVersion": "2739", + "uid": "a007ced9-645b-4297-9062-5c4b91a6a417" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-write" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-write" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=write" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-write-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-write-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-write-0" + } + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-v797b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:57Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:58Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:57Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:57Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:57Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0e6e439d422c8623288eb811a4cf3ac34bf23686c1a5ddd9023b62dd110a8228", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:58Z" + } + } + }, + { + "containerID": "containerd://c54daa5c2b2e6ab51bdad5a94fe7dd2fb3f90c35cb96da58bd6729e547912c5a", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:26:01Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://9164f9a3c879133f04086c4a4f389a7592ef5deed86ac824e1b1ff7851667e21", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://9164f9a3c879133f04086c4a4f389a7592ef5deed86ac824e1b1ff7851667e21", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:57Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.42", + "podIPs": [ + { + "ip": "10.42.0.42" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:57Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-prometheus-stack", + "kubectl.kubernetes.io/default-logs-container": "kube-prometheus-stack", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-operator-5db8867bcd-", + "labels": { + "app": "kube-prometheus-stack-operator", + "app.kubernetes.io/component": "prometheus-operator", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-prometheus-stack-prometheus-operator", + "app.kubernetes.io/part-of": "kube-prometheus-stack", + "app.kubernetes.io/version": "58.7.2", + "chart": "kube-prometheus-stack-58.7.2", + "heritage": "Helm", + "pod-template-hash": "5db8867bcd", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-prometheus-stack-prometheus-operator", + "service.istio.io/canonical-revision": "58.7.2", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-operator-5db8867bcd-8xdrk", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-operator-5db8867bcd", + "uid": "5e00df34-8e47-48f2-af44-2d020d4c14a3" + } + ], + "resourceVersion": "3162", + "uid": "b82eebac-189d-4163-8d05-bb3b7f80c581" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-prometheus-stack" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + }, + { + "args": [ + "--kubelet-service=kube-system/kube-prometheus-stack-kubelet", + "--localhost=127.0.0.1", + "--prometheus-config-reloader=cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0", + "--config-reloader-cpu-request=50m", + "--config-reloader-cpu-limit=100m", + "--config-reloader-memory-request=128Mi", + "--config-reloader-memory-limit=128Mi", + "--thanos-default-base-image=quay.io/thanos/thanos:v0.35.0", + "--secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1", + "--web.enable-tls=true", + "--web.cert-file=/cert/cert", + "--web.key-file=/cert/key", + "--web.listen-address=:10250", + "--web.tls-min-version=VersionTLS13" + ], + "env": [ + { + "name": "GOGC", + "value": "30" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0-zarf-1504306260", + "imagePullPolicy": "IfNotPresent", + "name": "kube-prometheus-stack", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/cert", + "name": "tls-secret", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-operator", + "serviceAccountName": "kube-prometheus-stack-operator", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-secret", + "secret": { + "defaultMode": 420, + "secretName": "kube-prometheus-stack-admission" + } + }, + { + "name": "kube-api-access-btm2b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://239885f17c04c8b246371200107438e5bff7f826f6fc9ccf451d6db5fcb2c9ab", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://f6ed0e29bbd438bda64dda1db0f4518a24f25d737a72a835ed9a415570baad68", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0-zarf-1504306260", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips@sha256:dcbe22a321af6fc999d87bd1cc5afaabf0d7804d96e0d7dffa827caae03e1db8", + "lastState": {}, + "name": "kube-prometheus-stack", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:24Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://4a38570d788f69b2fb806332d4a6de8b475779ce06a153e9827b0eb0b014b885", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://4a38570d788f69b2fb806332d4a6de8b475779ce06a153e9827b0eb0b014b885", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.45", + "podIPs": [ + { + "ip": "10.42.0.45" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "cluster-autoscaler.kubernetes.io/safe-to-evict": "true", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "node-exporter", + "kubectl.kubernetes.io/default-logs-container": "node-exporter", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-prometheus-node-exporter-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "prometheus-node-exporter", + "app.kubernetes.io/part-of": "prometheus-node-exporter", + "app.kubernetes.io/version": "1.8.0", + "controller-revision-hash": "566d74f9", + "helm.sh/chart": "prometheus-node-exporter-4.34.0", + "jobLabel": "node-exporter", + "pod-template-generation": "1", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus-node-exporter", + "service.istio.io/canonical-revision": "1.8.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-prometheus-node-exporter-wqwtp", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "uid": "7b074804-cb7c-4052-b4f6-70501284db8a" + } + ], + "resourceVersion": "3166", + "uid": "6f9ab7a7-2798-43e2-965b-2d257f7ec2be" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "automountServiceAccountToken": false, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":9100,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "node-exporter" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/daemonsets/kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/node-exporter/livez\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1},\"/app-health/node-exporter/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + } + ] + }, + { + "args": [ + "--path.procfs=/host/proc", + "--path.sysfs=/host/sys", + "--path.rootfs=/host/root", + "--path.udev.data=/host/root/run/udev/data", + "--web.listen-address=[$(HOST_IP)]:9100", + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)", + "--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$" + ], + "env": [ + { + "name": "HOST_IP", + "value": "0.0.0.0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1-zarf-1988696916", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "node-exporter", + "ports": [ + { + "containerPort": 9100, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/host/proc", + "name": "proc", + "readOnly": true + }, + { + "mountPath": "/host/sys", + "name": "sys", + "readOnly": true + }, + { + "mountPath": "/host/root", + "mountPropagation": "HostToContainer", + "name": "root", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File" + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "kube-prometheus-stack-prometheus-node-exporter", + "serviceAccountName": "kube-prometheus-stack-prometheus-node-exporter", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/proc", + "type": "" + }, + "name": "proc" + }, + { + "hostPath": { + "path": "/sys", + "type": "" + }, + "name": "sys" + }, + { + "hostPath": { + "path": "/", + "type": "" + }, + "name": "root" + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://b657fbdd1fc99c1ded1d9d22cfa169b018d12a168ed53d1ce5fa3b8313d1f614", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://17c54ba7ddf572d50059d1ad0f4c56729aa3e96627749f3de03b1b09c31335bf", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1-zarf-1988696916", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips@sha256:b4159d47db5b20a3a862f9f0cb4bebf6a779de99293492c6a56d4f3cbae9591d", + "lastState": {}, + "name": "node-exporter", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://50173dbc18c5590318a173cc57625a0bb67dcf5cad6471e089a79dd5cbe236c1", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://50173dbc18c5590318a173cc57625a0bb67dcf5cad6471e089a79dd5cbe236c1", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.47", + "podIPs": [ + { + "ip": "10.42.0.47" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-state-metrics", + "kubectl.kubernetes.io/default-logs-container": "kube-state-metrics", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-kube-state-metrics-7dd586f546-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-state-metrics", + "app.kubernetes.io/part-of": "kube-state-metrics", + "app.kubernetes.io/version": "2.12.0", + "helm.sh/chart": "kube-state-metrics-5.19.0", + "pod-template-hash": "7dd586f546", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-state-metrics", + "service.istio.io/canonical-revision": "2.12.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-kube-state-metrics-7dd586f546-6hzx8", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-kube-state-metrics-7dd586f546", + "uid": "f339332a-634a-4fca-9465-7ea983fb79eb" + } + ], + "resourceVersion": "3220", + "uid": "3f97176a-a231-47e3-8918-b766492be550" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-state-metrics" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/kube-state-metrics/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/kube-state-metrics/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--port=8080", + "--resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0-zarf-3880197347", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "kube-state-metrics", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-kube-state-metrics", + "serviceAccountName": "kube-prometheus-stack-kube-state-metrics", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-ghcgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0367d52d8fa6f43d049926dda9356a01ba7fd022feec7165ad9fcfb1428d20e5", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://aa8b5f6145373edd19f91748c8d3e7e8e6140b043dd869dddc2a48ea38cd9815", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0-zarf-3880197347", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips@sha256:b3ba196c56ac3ab713ad13bfbf14c97bac616c3d9529d06a8d42a2628491e1cc", + "lastState": {}, + "name": "kube-state-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ba55f9d20f4c9f56312035237b371988c9443ffe6357783d20e7f641d549265e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ba55f9d20f4c9f56312035237b371988c9443ffe6357783d20e7f641d549265e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.46", + "podIPs": [ + { + "ip": "10.42.0.46" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "alertmanager", + "kubectl.kubernetes.io/default-logs-container": "alertmanager", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:24Z", + "generateName": "alertmanager-kube-prometheus-stack-alertmanager-", + "labels": { + "alertmanager": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/instance": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "alertmanager", + "app.kubernetes.io/version": "0.27.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "alertmanager-kube-prometheus-stack-alertmanager-86df757d96", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "alertmanager", + "service.istio.io/canonical-revision": "0.27.0", + "statefulset.kubernetes.io/pod-name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "zarf-agent": "patched" + }, + "name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "alertmanager-kube-prometheus-stack-alertmanager", + "uid": "61db9157-af82-4a9a-a74c-1fc4071df013" + } + ], + "resourceVersion": "3274", + "uid": "6acfc084-1f52-47d5-875c-23593ca23342" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9093,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "alertmanager,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/alertmanager/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/alertmanager/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "--config.file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--storage.path=/alertmanager", + "--data.retention=120h", + "--cluster.listen-address=", + "--web.listen-address=:9093", + "--web.external-url=http://kube-prometheus-stack-alertmanager.monitoring:9093", + "--web.route-prefix=/", + "--cluster.label=monitoring/kube-prometheus-stack-alertmanager", + "--cluster.peer=alertmanager-kube-prometheus-stack-alertmanager-0.alertmanager-operated:9094", + "--cluster.reconnect-timeout=5m", + "--web.config.file=/etc/alertmanager/web_config/web-config.yaml" + ], + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0-zarf-3083929401", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "alertmanager", + "ports": [ + { + "containerPort": 9093, + "name": "http-web", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 3, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "requests": { + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume" + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/alertmanager", + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "mountPath": "/etc/alertmanager/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9093/-/reload", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "alertmanager-kube-prometheus-stack-alertmanager-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-alertmanager", + "serviceAccountName": "kube-prometheus-stack-alertmanager", + "subdomain": "alertmanager-operated", + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-generated" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-web-config" + } + }, + { + "emptyDir": {}, + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "name": "kube-api-access-ftq4l", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:26Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:28Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:33Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:33Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:24Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d37730fa66a607f62d31ead0d659e107a229ebbc32c0201cb6f90cbd1c66040c", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0-zarf-3083929401", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips@sha256:2a06bfa891e766f4e6df9ce310cdbf9ef7cc203a06c037af8e91ae3d8f8ac74d", + "lastState": {}, + "name": "alertmanager", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:30Z" + } + } + }, + { + "containerID": "containerd://0986cc37144cc9354295ac587fccf064e23a66988727e3bd836d957332123c90", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:30Z" + } + } + }, + { + "containerID": "containerd://ac24cf7cf1219306cc29eab003b700e3b2eef8a0773ce4e6e35025d8a1b8c30d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:28Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://8a837b1154bf109328f3aac1b60852072235a7aaeddb440db72149be2c09a001", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://8a837b1154bf109328f3aac1b60852072235a7aaeddb440db72149be2c09a001", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:26Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:25Z" + } + } + }, + { + "containerID": "containerd://21db31430fbcc9e339e63b65dee79ac4de47bf6cf799fdaff895a61ac1463472", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://21db31430fbcc9e339e63b65dee79ac4de47bf6cf799fdaff895a61ac1463472", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:27Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:27Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.49", + "podIPs": [ + { + "ip": "10.42.0.49" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:24Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:22Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-w488m", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "3315", + "uid": "4559ff09-1ccc-4a8d-9efe-2f7154ef2dc1" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-lc5t2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:23Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:23Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:22Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://dc1e70bb091ae6da52e6ad66d5c9ea7523da8564e1cf75b46a852432cc3410ed", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + }, + { + "containerID": "containerd://107261771dee580ff42ade832aa0caf7ebbdcfb3c7cb7d1eccf22ae0131739c5", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:25Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://c1a58429dad4aad9b4d9aebde10c4b181d3021914849a3d9878a0e763f9b3f80", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c1a58429dad4aad9b4d9aebde10c4b181d3021914849a3d9878a0e763f9b3f80", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:22Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:22Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.48", + "podIPs": [ + { + "ip": "10.42.0.48" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:22Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "prometheus", + "kubectl.kubernetes.io/default-logs-container": "prometheus", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/config": "proxyMetadata:\n OUTPUT_CERTS: /etc/istio-output-certs\n", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "sidecar.istio.io/userVolumeMount": "[{\"name\": \"istio-certs\", \"mountPath\": \"/etc/istio-output-certs\"}]", + "traffic.sidecar.istio.io/includeOutboundIPRanges": "", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:24Z", + "generateName": "prometheus-kube-prometheus-stack-prometheus-", + "labels": { + "app": "prometheus", + "app.kubernetes.io/instance": "kube-prometheus-stack-prometheus", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "prometheus", + "app.kubernetes.io/version": "2.52.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "prometheus-kube-prometheus-stack-prometheus-8784b54db", + "operator.prometheus.io/name": "kube-prometheus-stack-prometheus", + "operator.prometheus.io/shard": "0", + "prometheus": "kube-prometheus-stack-prometheus", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus", + "service.istio.io/canonical-revision": "2.52.0", + "statefulset.kubernetes.io/pod-name": "prometheus-kube-prometheus-stack-prometheus-0", + "zarf-agent": "patched" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "prometheus-kube-prometheus-stack-prometheus", + "uid": "03a11223-c17f-4abd-bff8-35e67bbc478f" + } + ], + "resourceVersion": "3406", + "uid": "c7e56a77-3e1e-4c38-908e-eeaae798dd49" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"proxyMetadata\":{\"OUTPUT_CERTS\":\"/etc/istio-output-certs\"},\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9090,\"protocol\":\"TCP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "prometheus,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/prometheus/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/startupz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/etc/istio-output-certs", + "name": "istio-certs" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--web.console.templates=/etc/prometheus/consoles", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--config.file=/etc/prometheus/config_out/prometheus.env.yaml", + "--web.enable-lifecycle", + "--enable-feature=remote-write-receiver", + "--web.external-url=http://kube-prometheus-stack-prometheus.monitoring:9090", + "--web.route-prefix=/", + "--storage.tsdb.retention.time=10d", + "--storage.tsdb.path=/prometheus", + "--storage.tsdb.wal-compression", + "--web.config.file=/etc/prometheus/web_config/web-config.yaml" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips:2.52.0-zarf-1514605890", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 6, + "httpGet": { + "path": "/app-health/prometheus/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "prometheus", + "ports": [ + { + "containerPort": 9090, + "name": "http-web", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/prometheus/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "300m", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "startupProbe": { + "failureThreshold": 60, + "httpGet": { + "path": "/app-health/prometheus/startupz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/prometheus/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/prometheus", + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "subPath": "prometheus-db" + }, + { + "mountPath": "/etc/prom-certs/", + "name": "istio-certs" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/etc/prometheus/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9090/-/reload", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "prometheus-kube-prometheus-stack-prometheus-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-prometheus", + "serviceAccountName": "kube-prometheus-stack-prometheus", + "shareProcessNamespace": false, + "subdomain": "prometheus-operated", + "terminationGracePeriodSeconds": 600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "persistentVolumeClaim": { + "claimName": "prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0" + } + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "prometheus-kube-prometheus-stack-prometheus-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "configMap": { + "defaultMode": 420, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus-web-config" + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-certs" + }, + { + "name": "kube-api-access-v4jgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:31Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:28Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7ddf638cfaa67d0ab3f278759b14345d85c2782133169db145e04a0a07654360", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:34Z" + } + } + }, + { + "containerID": "containerd://60305c47a10238f9c0562c8f8a4b9ac54420a40d46d78f4d3c45dc535e23bdff", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:31Z" + } + } + }, + { + "containerID": "containerd://3ed3b243647230506614c9b6a0149f98f989eebded1778f39adbaba85000c51f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips:2.52.0-zarf-1514605890", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips@sha256:25cbfab089f562bd8a9768bbda98a89a8b8b38c0e38f98ec9e0734ec10e11a04", + "lastState": {}, + "name": "prometheus", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:34Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://50ee9a05401029ef85c6458ce8ae25e3e7f673e9d12846c0b87991315db93da4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://50ee9a05401029ef85c6458ce8ae25e3e7f673e9d12846c0b87991315db93da4", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:29Z" + } + } + }, + { + "containerID": "containerd://68736b4e1593c0c2f3917cfad22a679b5d1bd99188b0afa7e9c2a92f0509f049", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://68736b4e1593c0c2f3917cfad22a679b5d1bd99188b0afa7e9c2a92f0509f049", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:30Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:30Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.51", + "podIPs": [ + { + "ip": "10.42.0.51" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:28Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "a54b4b978607806a73c1e79d416367816e4d9407c7f1cffa13519cfc40a654fc", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "promtail", + "kubectl.kubernetes.io/default-logs-container": "promtail", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictSELinuxType": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:43Z", + "generateName": "promtail-", + "labels": { + "app.kubernetes.io/instance": "promtail", + "app.kubernetes.io/name": "promtail", + "controller-revision-hash": "8658478dbf", + "pod-template-generation": "1", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "promtail", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "promtail-d5dtx", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "promtail", + "uid": "a6f37285-cfa8-4b8f-b07e-ee51a798e525" + } + ], + "resourceVersion": "3510", + "uid": "ce1b3f37-4983-4fff-b0a2-4c50bc6dbac8" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3101,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "promtail" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "promtail" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/promtail/daemonsets/promtail" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/promtail/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3101,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/promtail/promtail.yaml", + "-config.expand-env=true" + ], + "env": [ + { + "name": "HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "NODE_HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/promtail:3.1.0-zarf-1953805084", + "imagePullPolicy": "IfNotPresent", + "name": "promtail", + "ports": [ + { + "containerPort": 3101, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/promtail/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "750Mi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsUser": 0, + "seLinuxOptions": { + "type": "spc_t" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/promtail", + "name": "config" + }, + { + "mountPath": "/run/promtail", + "name": "run" + }, + { + "mountPath": "/var/lib/docker/containers", + "name": "containers", + "readOnly": true + }, + { + "mountPath": "/var/log/pods", + "name": "pods", + "readOnly": true + }, + { + "mountPath": "/var/log", + "name": "varlog", + "readOnly": true + }, + { + "mountPath": "/etc/machine-id", + "name": "machine-id", + "readOnly": true, + "subPath": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 0, + "runAsUser": 0 + }, + "serviceAccount": "promtail", + "serviceAccountName": "promtail", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "promtail" + } + }, + { + "hostPath": { + "path": "/run/promtail", + "type": "" + }, + "name": "run" + }, + { + "hostPath": { + "path": "/var/lib/docker/containers", + "type": "" + }, + "name": "containers" + }, + { + "hostPath": { + "path": "/var/log/pods", + "type": "" + }, + "name": "pods" + }, + { + "hostPath": { + "path": "/var/log", + "type": "" + }, + "name": "varlog" + }, + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-9t52k", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:03Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:03Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7c78e49d88146054d56028666a64566f9ad9269b9d8d40c12a02492f0e2e4e07", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:44Z" + } + } + }, + { + "containerID": "containerd://403fd9b05ed7c9fe2e7a45b50738d7af1d830dc8bfd77d2286bd7bf6850f3146", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/promtail:3.1.0-zarf-1953805084", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/promtail@sha256:8339c37daa94d90d4453d165423dc4a46075fbcbb38786aa76355db18a305b65", + "lastState": {}, + "name": "promtail", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://68e093c428ff18b83bff504a1d5b1e2b7b3aa55c815a10e1c0fecef1e92f3763", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://68e093c428ff18b83bff504a1d5b1e2b7b3aa55c815a10e1c0fecef1e92f3763", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:43Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:43Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.53", + "podIPs": [ + { + "ip": "10.42.0.53" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:43Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "9d9bced621e77ec20a9bf42da6b31a13ce3e48b53bb44c0e021e0bfe99128c73", + "checksum/sc-dashboard-provider-config": "e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24", + "checksum/secret": "110ea712f39f96f61d507e11b774e2e0f90fce1d1cfa234a759ed7840ff7e238", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "grafana", + "kubectl.kubernetes.io/default-logs-container": "grafana-sc-dashboard", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:52Z", + "generateName": "grafana-647c794798-", + "labels": { + "app.kubernetes.io/instance": "grafana", + "app.kubernetes.io/name": "grafana", + "pod-template-hash": "647c794798", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "grafana", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "grafana-647c794798-w8nmq", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "grafana-647c794798", + "uid": "f3b8df0e-6c56-4358-b027-54281acdeec5" + } + ], + "resourceVersion": "3535", + "uid": "2e22ddcc-e870-4423-8ffe-590060566326" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"grafana\",\"containerPort\":3000,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "grafana-sc-dashboard,grafana-sc-datasources,grafana" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "grafana" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/grafana/deployments/grafana" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/grafana/livez\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":30},\"/app-health/grafana/readyz\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_dashboard" + }, + { + "name": "FOLDER", + "value": "/tmp/dashboards" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "NAMESPACE", + "value": "ALL" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/dashboards/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-dashboard", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_datasource" + }, + { + "name": "FOLDER", + "value": "/etc/grafana/provisioning/datasources" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/datasources/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-datasources", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_USER", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "GF_PATHS_DATA", + "value": "/var/lib/grafana/" + }, + { + "name": "GF_PATHS_LOGS", + "value": "/var/log/grafana" + }, + { + "name": "GF_PATHS_PLUGINS", + "value": "/var/lib/grafana/plugins" + }, + { + "name": "GF_PATHS_PROVISIONING", + "value": "/etc/grafana/provisioning" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips:11.1.0-zarf-4028590474", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/grafana/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 30 + }, + "name": "grafana", + "ports": [ + { + "containerPort": 3000, + "name": "grafana", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/grafana/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/grafana.ini", + "name": "config", + "subPath": "grafana.ini" + }, + { + "mountPath": "/var/lib/grafana", + "name": "storage" + }, + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml", + "name": "sc-dashboard-provider", + "subPath": "provider.yaml" + }, + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/etc/secrets/auth_generic_oauth", + "name": "auth-generic-oauth-secret-mount", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 472, + "runAsGroup": 472, + "runAsNonRoot": true, + "runAsUser": 472 + }, + "serviceAccount": "grafana", + "serviceAccountName": "grafana", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "storage" + }, + { + "emptyDir": {}, + "name": "sc-dashboard-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana-config-dashboards" + }, + "name": "sc-dashboard-provider" + }, + { + "emptyDir": {}, + "name": "sc-datasources-volume" + }, + { + "name": "auth-generic-oauth-secret-mount", + "secret": { + "defaultMode": 288, + "secretName": "sso-client-uds-core-admin-grafana" + } + }, + { + "name": "kube-api-access-fhzqj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:01Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:01Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://884a0dd9ad6f9478686f4f15eb2cc44851f6ab681b8e9d0599e6046567c7693e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips:11.1.0-zarf-4028590474", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips@sha256:a7cc925119dced9bc77019a738db07bdcfddd0b38eac36f4590a27dbbf5763bb", + "lastState": {}, + "name": "grafana", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:06Z" + } + } + }, + { + "containerID": "containerd://f798d9e35f707b90b8f0b5358d193ca8fd4af9d52907e1c6edb099874d9ac608", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips@sha256:1cbdec9527ffe75aa3de0e03a6e8cabb81ca9f94768b5b83eb452787f6d366b4", + "lastState": {}, + "name": "grafana-sc-dashboard", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:03Z" + } + } + }, + { + "containerID": "containerd://242ae3d5d11f58a864adf3d378781f5e35235bc107b201f35ffbd95d7e3e7982", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips@sha256:1cbdec9527ffe75aa3de0e03a6e8cabb81ca9f94768b5b83eb452787f6d366b4", + "lastState": {}, + "name": "grafana-sc-datasources", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:04Z" + } + } + }, + { + "containerID": "containerd://7c9514989ad600e18d8aef46cfc96b19967e35b21266337d1327fb35bc1def5e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:01Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://85ae00c6ce13f8cc11729ebc19605a70e5195efa00466682d84a0fe381e71a09", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://85ae00c6ce13f8cc11729ebc19605a70e5195efa00466682d84a0fe381e71a09", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:00Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:00Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.54", + "podIPs": [ + { + "ip": "10.42.0.54" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:28:37Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-q9wqn", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "3926", + "uid": "e8e4f4ed-d1f9-44ba-91df-a4d59058d026" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-cvrxs", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:38Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:52Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:52Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9adc37b3be62e06e5fb876586ea41b936edca829a40c55f70edb78a6af4e6436", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:38Z" + } + } + }, + { + "containerID": "containerd://407913f08e9a8e27c17597d5444da17066dcc8dad799e47c85e2172942406f4b", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:40Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://2b63f034d6d41bc74ab16c64d251aab9f82676e985d31f4b6bff75431f705e64", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://2b63f034d6d41bc74ab16c64d251aab9f82676e985d31f4b6bff75431f705e64", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:38Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:38Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.58", + "podIPs": [ + { + "ip": "10.42.0.58" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:28:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "79f899ac6a4a76b043e67e4b17b25dfdf1b899526953bf3015fc1b4e41123ee5", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "velero", + "kubectl.kubernetes.io/default-logs-container": "velero", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:28:37Z", + "generateName": "velero-5544f6bfdf-", + "labels": { + "app.kubernetes.io/instance": "velero", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "velero", + "helm.sh/chart": "velero-6.6.0", + "name": "velero", + "pod-template-hash": "5544f6bfdf", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "velero", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "velero-5544f6bfdf-rbjj4", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "velero-5544f6bfdf", + "uid": "eb1ee6ba-4d83-4f93-80ee-08fef38f5f4b" + } + ], + "resourceVersion": "3957", + "uid": "a187ebae-282f-4dd2-8bb8-388a9f4c78d9" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-monitoring\",\"containerPort\":8085,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "velero" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "velero" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/velero/deployments/velero" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/velero/livez\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/velero/readyz\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "args": [ + "server", + "--uploader-type=kopia" + ], + "command": [ + "/velero" + ], + "env": [ + { + "name": "VELERO_SCRATCH_DIR", + "value": "/scratch" + }, + { + "name": "VELERO_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "LD_LIBRARY_PATH", + "value": "/plugins" + }, + { + "name": "AWS_SHARED_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "GOOGLE_APPLICATION_CREDENTIALS", + "value": "/credentials/cloud" + }, + { + "name": "AZURE_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "ALIBABA_CLOUD_CREDENTIALS_FILE", + "value": "/credentials/cloud" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips:1.13.2-dev-zarf-2406703094", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "velero", + "ports": [ + { + "containerPort": 8085, + "name": "http-monitoring", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "512Mi" + }, + "requests": { + "cpu": "500m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/plugins", + "name": "plugins" + }, + { + "mountPath": "/credentials", + "name": "cloud-credentials" + }, + { + "mountPath": "/scratch", + "name": "scratch" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2-zarf-1238650474", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-aws", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1-zarf-1576226041", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-csi", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "velero-server", + "serviceAccountName": "velero-server", + "terminationGracePeriodSeconds": 3600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "cloud-credentials", + "secret": { + "defaultMode": 420, + "secretName": "velero-bucket-credentials" + } + }, + { + "emptyDir": {}, + "name": "plugins" + }, + { + "emptyDir": {}, + "name": "scratch" + }, + { + "name": "kube-api-access-4pblb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:39Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:29:08Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:29:08Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0553bff815c4a98eb8ede35f0ffea37db5707f0484dc4a4d0c8d94d1246ee7db", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:43Z" + } + } + }, + { + "containerID": "containerd://78c6584d1d096b18c088381b6bff9d659da2795b0e67f1324ce48b6ed7208dc9", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips:1.13.2-dev-zarf-2406703094", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips@sha256:f955947ebf2fe14f383cb165bb7f1f198c482c24430f74eb3a11d112985f6c3e", + "lastState": {}, + "name": "velero", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:45Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ad108658f6297f9cc0a8023e51091d382796554f0ba5053245bf6b739db6b46e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2-zarf-1238650474", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips@sha256:0da93d5ded960d04f7de0cd0150c564db7451ce829e7eedb86df54a6f50b7630", + "lastState": {}, + "name": "velero-plugin-for-aws", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ad108658f6297f9cc0a8023e51091d382796554f0ba5053245bf6b739db6b46e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:39Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:39Z" + } + } + }, + { + "containerID": "containerd://bc7398d6f12401ddea02369993c450f97070f08d2dbc58e739ab6fd80aebf8b2", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1-zarf-1576226041", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips@sha256:42d2c96c5a9506da4fbd8ce7c60a21a33af604548276f037ab37af99383958a2", + "lastState": {}, + "name": "velero-plugin-for-csi", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bc7398d6f12401ddea02369993c450f97070f08d2dbc58e739ab6fd80aebf8b2", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:41Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:41Z" + } + } + }, + { + "containerID": "containerd://091280b8cf47abd1fe82bbf2b22c519ea4f07c95c4de8a6b6751162a1c7a74a8", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://091280b8cf47abd1fe82bbf2b22c519ea4f07c95c4de8a6b6751162a1c7a74a8", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:42Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:42Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.59", + "podIPs": [ + { + "ip": "10.42.0.59" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:28:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "authservice", + "kubectl.kubernetes.io/default-logs-container": "authservice", + "pepr.dev/checksum": "dc8636e6149a3c60f2325a2e1abc389fe76b73ffc99c901ac1c3d52908869050", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:30:43Z", + "generateName": "authservice-c984c4c8c-", + "labels": { + "app.kubernetes.io/instance": "authservice", + "app.kubernetes.io/name": "authservice", + "pod-template-hash": "c984c4c8c", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "authservice", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "authservice-c984c4c8c-lxqp9", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "authservice-c984c4c8c", + "uid": "1f65225f-7758-44b8-bc15-31bb1fe1d5a9" + } + ], + "resourceVersion": "4707", + "uid": "40504f16-50d3-41b2-805c-74a8f3280748" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":10003,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "authservice" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "authservice" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/authservice/deployments/authservice" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/authservice/livez\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1},\"/app-health/authservice/readyz\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips:1.0.1-zarf-2913600038", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "authservice", + "ports": [ + { + "containerPort": 10003, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/authservice", + "name": "authservice" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "authservice", + "secret": { + "defaultMode": 420, + "secretName": "authservice-uds" + } + }, + { + "name": "kube-api-access-8mrrg", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:44Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a924c662f7796cffa8eb19e9f8f4d7720a1fb6ba3b754bc8d5b5b494b2370be0", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips:1.0.1-zarf-2913600038", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips@sha256:77c447525dc934e592fc753050039e8a990110a58077889653c1f40351b90fb2", + "lastState": {}, + "name": "authservice", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:30:46Z" + } + } + }, + { + "containerID": "containerd://1f21cfec03f93c53bb3fe1f15f074e18d331a759e1ee6e7e5a0184e874389953", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:30:44Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://7cc5767fdcb3d285d786d893b4609ed1f7df1a2b306c6b5d16d17028598aff27", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7cc5767fdcb3d285d786d893b4609ed1f7df1a2b306c6b5d16d17028598aff27", + "exitCode": 0, + "finishedAt": "2024-07-15T19:30:44Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:30:44Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.68", + "podIPs": [ + { + "ip": "10.42.0.68" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:30:43Z" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/all-pods-istio-injected/tests.yaml b/compliance/validations/istio/all-pods-istio-injected/tests.yaml new file mode 100644 index 000000000..82eb1e66c --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/tests.yaml @@ -0,0 +1,28 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-pods-no-istio-proxy + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.containers |= map(select(.name != "istio-proxy")) else . end)' + expected-validation: false + - test: grafana-pods-istio-proxy-incorrect-name + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.containers |= map(if .name == "istio-proxy" then .name = "different-name" else . end) else . end)' + expected-validation: false + - test: grafana-pods-istio-init-incorrect-name + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.initContainers |= map(if .name == "istio-init" then .name = "different-name" else . end) else . end)' + expected-validation: false + - test: grafana-pods-no-annotation + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations = {} else . end)' + expected-validation: false diff --git a/compliance/validations/istio/all-pods-istio-injected/validation.yaml b/compliance/validations/istio/all-pods-istio-injected/validation.yaml new file mode 100644 index 000000000..05b4f0fee --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/validation.yaml @@ -0,0 +1,69 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: pods + resource-rule: + version: v1 + resource: pods + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} + msg_exempt_namespaces = concat(", ", exempt_namespaces) + + validate if { + has_istio_sidecar.result + } + msg = has_istio_sidecar.msg + + # Check for sidecar and init containers in pod spec + no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] + + has_istio_sidecar = {"result": true, "msg": msg} if { + count(no_sidecar) == 0 + msg := "All pods have Istio sidecar proxy." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) + } + + has_sidecar(pod) if { + status := pod.metadata.annotations["sidecar.istio.io/status"] + containers := json.unmarshal(status).containers + initContainers := json.unmarshal(status).initContainers + + has_container_name(pod.spec.containers, containers) + has_container_name(pod.spec.initContainers, initContainers) + } else = false + + has_container_name(containers, names) if { + every name in names { + containers[_].name == name + } + } else = true if { + names == null + } else = false + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempt_namespaces diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md new file mode 100644 index 000000000..163b7f15c --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-authorization-policies-require-authentication + +**INPUT** - Collects the AuthorizationPolicy named `jwt-authz` in the `istio-system` namespace. + +**POLICY** - Checks that the AuthorizationPolicy requires authentication by ensuring that `requestPrincipals` is defined and the `selector.protect` label is set to `keycloak`. + +**NOTES** - Ensure that the AuthorizationPolicy exists and is correctly configured to require authentication for Keycloak. \ No newline at end of file diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json new file mode 100644 index 000000000..c22469b0f --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json @@ -0,0 +1,41 @@ +{ + "authorizationPolicy": { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-04-22T14:10:05Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3753", + "uid": "be533399-3b67-4dbd-a6c3-97d21cae7360" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml new file mode 100644 index 000000000..948eff134 --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml @@ -0,0 +1,23 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change-protect-label + validation: validation.yaml + resources: resources.json + permutation: .authorizationPolicy.spec.selector.matchLabels.protect = "other" + expected-validation: false + - test: remove-requestPrincipals + validation: validation.yaml + resources: resources.json + permutation: del(.authorizationPolicy.spec.rules[0].from[0].source.requestPrincipals) + expected-validation: false + - test: remove-authorizationPolicy + validation: validation.yaml + resources: resources.json + permutation: del(.authorizationPolicy) + expected-validation: false diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml new file mode 100644 index 000000000..69aea4c6f --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml @@ -0,0 +1,50 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicy + resource-rule: + name: jwt-authz + group: security.istio.io + namespaces: ["istio-system"] + resource: authorizationpolicies + version: v1beta1 +provider: + type: opa + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Authorization Policies do not require authentication" + + # Evaluation for Istio Authorization Policies + validate { + result_auth_policy.result + } + + msg = result_auth_policy.msg + + result_auth_policy = {"result": true, "msg": msg} { + # Check that authorization policy exists and require authentication + input.authorizationPolicy.kind == "AuthorizationPolicy" + + # "require authentication" is defined as having requestPrincipals defined + # and the selector.protect label is set to "keycloak" + input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null + input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" + msg := "Authorization Policy requires authentication for keycloak" + } else = {"result": false, "msg": msg} { + msg := "Authorization Policy does not require authentication" + } diff --git a/compliance/validations/istio/authorized-keycloak-access/README.md b/compliance/validations/istio/authorized-keycloak-access/README.md new file mode 100644 index 000000000..17fb7f3b4 --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-enforces-authorized-keycloak-access + +**INPUT** - Collects the AuthorizationPolicy named `keycloak-block-admin-access-from-public-gateway` in the `keycloak` namespace. + +**POLICY** - Checks that the AuthorizationPolicy restricts access to Keycloak admin by denying access from sources not in the `istio-admin-gateway` namespace to paths `/admin*` and `/realms/master*` on port `8080`. + +**NOTES** - Ensure that the AuthorizationPolicy exists and is correctly configured to deny access to Keycloak admin as specified. \ No newline at end of file diff --git a/compliance/validations/istio/authorized-keycloak-access/resources.json b/compliance/validations/istio/authorized-keycloak-access/resources.json new file mode 100644 index 000000000..38eaff7fa --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/resources.json @@ -0,0 +1,132 @@ +{ + "authorizationPolicy": { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-08-05T13:42:55Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1683", + "uid": "d479e061-abbd-4a05-8450-90939bc7497f" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-tenant-gateway", + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "ports": [ + "8080" + ] + } + } + ], + "when": [ + { + "key": "request.headers[istio-mtls-client-certificate]", + "values": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/authorized-keycloak-access/tests.yaml b/compliance/validations/istio/authorized-keycloak-access/tests.yaml new file mode 100644 index 000000000..49e1e1164 --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/tests.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-auth-rules + validation: validation.yaml + resources: resources.json + permutation: "del(.authorizationPolicy.spec.rules)" + expected-validation: false + - test: add-not-namespaces + validation: validation.yaml + resources: resources.json + permutation: '(.authorizationPolicy.spec.rules[] | .from[] | .source.notNamespaces) |= . + ["test-ns"]' + expected-validation: false diff --git a/compliance/validations/istio/authorized-keycloak-access/validation.yaml b/compliance/validations/istio/authorized-keycloak-access/validation.yaml new file mode 100644 index 000000000..ba3c0066b --- /dev/null +++ b/compliance/validations/istio/authorized-keycloak-access/validation.yaml @@ -0,0 +1,75 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-enforces-authorized-keycloak-access + uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicy + resource-rule: + name: keycloak-block-admin-access-from-public-gateway + group: security.istio.io + resource: authorizationpolicies + namespaces: [keycloak] + version: v1beta1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both AuthorizationPolicy restricts access to Keycloak admin + validate if { + check_auth_policy_for_keycloak_admin_access.result + } + + msg = check_auth_policy_for_keycloak_admin_access.msg + + check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { + input.authorizationPolicy.kind == "AuthorizationPolicy" + valid_auth_policy(input.authorizationPolicy) + msg := "AuthorizationPolicy restricts access to Keycloak admin." + } else = {"result": false, "msg": msg} if { + msg := "AuthorizationPolicy does not restrict access to Keycloak admin." + } + + # Define the rule for denying access + expected_keycloak_admin_denial_rule := { + "from": [ + { + "source": { + "notNamespaces": ["istio-admin-gateway"] + } + } + ], + "to": [ + { + "operation": { + "ports": ["8080"], + "paths": ["/admin*", "/realms/master*"] + } + } + ] + } + + # Validate that the authorization policy contains the expected first rule + valid_auth_policy(ap) if { + ap.spec.action == "DENY" + rules := ap.spec.rules + + # Ensure the expected rule is present in the input policy + some i + rules[i] == expected_keycloak_admin_denial_rule + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/authorized-traffic-egress/README.md b/compliance/validations/istio/authorized-traffic-egress/README.md new file mode 100644 index 000000000..6b9d57715 --- /dev/null +++ b/compliance/validations/istio/authorized-traffic-egress/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - authorized-traffic-egress-PLACEHOLDER + +**INPUT** - This validation currently does not specify any input resources. + +**POLICY** - This policy currently does not specify any validation logic. + +**NOTES** - This validation is a placeholder and needs to be updated with specific resources and validation logic. \ No newline at end of file diff --git a/compliance/validations/istio/authorized-traffic-egress/validation.yaml b/compliance/validations/istio/authorized-traffic-egress/validation.yaml new file mode 100644 index 000000000..a2523b93c --- /dev/null +++ b/compliance/validations/istio/authorized-traffic-egress/validation.yaml @@ -0,0 +1,17 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: authorized-traffic-egress-PLACEHOLDER + uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md b/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md new file mode 100644 index 000000000..c3f39c8f7 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - check-istio-admin-gateway-and-usage + +**INPUT** - This validation collects the `admin-gateway` from the `istio-admin-gateway` namespace and all `virtualservices` from all namespaces. + +**POLICY** - This policy checks if the `admin-gateway` exists in the `istio-admin-gateway` namespace and verifies that all admin virtual services are using the admin gateway. + +**NOTES** - Ensure that the `admin-gateway` is correctly set up in the `istio-admin-gateway` namespace. The policy specifically looks for virtual services with names containing "admin" to be using the admin gateway. \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json b/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json new file mode 100644 index 000000000..5ee7e41f1 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json @@ -0,0 +1,546 @@ +{ + "adminGateway": { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-04-22T14:04:26Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1196", + "uid": "7dbddd10-c3ca-45d5-9377-f99bfd819a2c" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + "virtualServices": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-remove-private-paths-from-public-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1702", + "uid": "e4ff9458-0a7c-4723-9c51-b51568a6a277" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "match": [ + { + "name": "redirect-welcome", + "uri": { + "exact": "/" + } + }, + { + "name": "redirect-admin", + "uri": { + "prefix": "/admin" + } + }, + { + "name": "redirect-master-realm", + "uri": { + "prefix": "/realms/master" + } + }, + { + "name": "redirect-metrics", + "uri": { + "prefix": "/metrics" + } + } + ], + "rewrite": { + "uri": "/realms/uds/account" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-public-auth-access-with-optional-client-certificate", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1703", + "uid": "8355e39e-79b8-4bb8-b5fc-6d4e5f72c8a4" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-admin-admin-access-with-optional-client-certificate", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1704", + "uid": "100da481-a5a8-4a87-82a7-35163d0f7a10" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "keycloak.admin.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-authorize-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1706", + "uid": "45ad1fa8-b4b2-47f6-8d27-b3711f500ecd" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-authorize", + "uri": { + "prefix": "/oauth/authorize" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/auth" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-user-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1710", + "uid": "cead5510-3501-4605-bbb0-c2c05dc56702" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-user", + "uri": { + "prefix": "/api/v4/user" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/userinfo" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-token-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1711", + "uid": "53f44ca4-2a3d-4053-9c25-7ddc3e1213f4" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-token", + "uri": { + "prefix": "/oauth/token" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/token" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:06:37Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "neuvector-admin-neuvector-8443-neuvector-service-webui", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "e5021367-f25b-466f-93a1-19a6419ebafa" + } + ], + "resourceVersion": "1941", + "uid": "b647739b-571a-44e5-a90a-14156f910572" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "neuvector.admin.uds.dev" + ], + "http": [ + { + "route": [ + { + "destination": { + "host": "neuvector-service-webui.neuvector.svc.cluster.local", + "port": { + "number": 8443 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:09:45Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "grafana-admin-grafana-80-grafana", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "5e00957e-acfd-453d-82eb-c4fae4252660" + } + ], + "resourceVersion": "3622", + "uid": "e1805572-9271-4e48-9e26-a1f84ac78a09" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "grafana.admin.uds.dev" + ], + "http": [ + { + "route": [ + { + "destination": { + "host": "grafana.grafana.svc.cluster.local", + "port": { + "number": 80 + } + } + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml new file mode 100644 index 000000000..2c1638602 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml @@ -0,0 +1,23 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: no-gateway + validation: validation.yaml + resources: resources.json + permutation: "del(.adminGateway)" + expected-validation: false + - test: admin-vs-not-using-admin-gw + validation: validation.yaml + resources: resources.json + permutation: '.virtualServices |= map(if .metadata.name == "keycloak-admin-admin-access-with-optional-client-certificate" then .spec.gateways = ["new-gateway/new-gateway-name"] else . end)' + expected-validation: false + - test: not-admin-vs-using-admin-gw + validation: validation.yaml + resources: resources.json + permutation: '.virtualServices |= map(if .metadata.name == "keycloak-tenant-public-auth-access-with-optional-client-certificate" then .spec.gateways = ["istio-admin-gateway/admin-gateway"] else . end)' + expected-validation: false diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml new file mode 100644 index 000000000..9c1c6ce57 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml @@ -0,0 +1,77 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: check-istio-admin-gateway-and-usage + uuid: c6c9daf1-4196-406d-8679-312c0512ab2e +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: adminGateway + resource-rule: + name: admin-gateway + group: networking.istio.io + version: v1beta1 + resource: gateways + namespaces: ["istio-admin-gateway"] + - name: virtualServices + resource-rule: + group: networking.istio.io + version: v1beta1 + resource: virtualservices + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default admin_gw_exists := false + default admin_vs_match := false + default msg := "Not evaluated" + + # Expected admin gateway details + expected_gateway := "admin-gateway" + expected_gateway_namespace := "istio-admin-gateway" + expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) + + validate if { + result_admin_gw_exixts.result + result_admin_vs_match.result + } + + msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) + + result_admin_gw_exixts = {"result": true, "msg": msg} if { + input.adminGateway.kind == "Gateway" + input.adminGateway.metadata.name == expected_gateway + input.adminGateway.metadata.namespace == expected_gateway_namespace + msg := sprintf("Admin gateway exists: %s.", [expected_ns_name]) + } else = {"result": false, "msg": msg} if { + msg := sprintf("Admin gateway does not exist, looking for: %s.", [expected_ns_name]) + } + + result_admin_vs_match = {"result": true, "msg": msg} if { + count(admin_vs-admin_vs_using_gateway) == 0 + count(all_vs_using_gateway-admin_vs_using_gateway) == 0 + msg := "Admin virtual services are using admin gateway." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) + } + + # Count admin virtual services + admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} + + # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") + admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} + + # Count all VirtualServices using the admin gateway + all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/README.md b/compliance/validations/istio/check-istio-logging-all-traffic/README.md new file mode 100644 index 000000000..d4f351a0f --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - check-istio-logging-all-traffic + +**INPUT** - This validation collects the Istio Mesh Configuration from the `istio-system` namespace. + +**POLICY** - This policy checks if Istio's Mesh Configuration has logging enabled by verifying if the access log file is set to `/dev/stdout`. + +**NOTES** - Ensure that the Istio Mesh Configuration is correctly set up in the `istio-system` namespace. The policy specifically looks for the `accessLogFile` field to be set to `/dev/stdout`. \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/resources.json b/compliance/validations/istio/check-istio-logging-all-traffic/resources.json new file mode 100644 index 000000000..637faf937 --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/resources.json @@ -0,0 +1,28 @@ +{ + "istioMeshConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true, + "tracing": { + "zipkin": { + "address": "zipkin.istio-system:9411" + } + } + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml new file mode 100644 index 000000000..3215d813b --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change-accessLogFile-to-different-dir + validation: validation.yaml + resources: resources.json + permutation: '.istioMeshConfig.accessLogFile = "/log/test"' + expected-validation: false + - test: remove-accessLogFile + validation: validation.yaml + resources: resources.json + permutation: "del(.istioMeshConfig.accessLogFile)" + expected-validation: false diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml new file mode 100644 index 000000000..f9f0d0b37 --- /dev/null +++ b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml @@ -0,0 +1,49 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: check-istio-logging-all-traffic + uuid: 90738c86-6315-450a-ac69-cc50eb4859cc +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioMeshConfig + resource-rule: + field: + jsonpath: .data.mesh + type: yaml + namespaces: + - istio-system + resource: configmaps + version: v1 + name: istio +provider: + type: opa + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Check if Istio's Mesh Configuration has logging enabled + validate if { + logging_enabled.result + } + + msg = logging_enabled.msg + + logging_enabled = {"result": true, "msg": msg} if { + # Check for access log file output to stdout + input.istioMeshConfig.accessLogFile == "/dev/stdout" + msg := "Istio is logging all traffic." + } else = {"result": false, "msg": msg} if { + msg := "Istio is not logging all traffic." + } diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/README.md b/compliance/validations/istio/communications-terminated-after-inactivity/README.md new file mode 100644 index 000000000..5b3b48eae --- /dev/null +++ b/compliance/validations/istio/communications-terminated-after-inactivity/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - communications-terminated-after-inactivity-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for terminating communications after inactivity. \ No newline at end of file diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml new file mode 100644 index 000000000..df4cf357f --- /dev/null +++ b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml @@ -0,0 +1,20 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: communications-terminated-after-inactivity-PLACEHOLDER + uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + validate := false + + # Check on destination rule, outlier detection? + # -> Doesn't appear that UDS is configured to create destination rules. diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/README.md b/compliance/validations/istio/egress-gateway-exists-and-configured/README.md new file mode 100644 index 000000000..3e5e9ad89 --- /dev/null +++ b/compliance/validations/istio/egress-gateway-exists-and-configured/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - egress-gateway-exists-and-configured-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for the existence and configuration of the egress gateway. \ No newline at end of file diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml new file mode 100644 index 000000000..c6d1ec602 --- /dev/null +++ b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml @@ -0,0 +1,17 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: egress-gateway-exists-and-configured-PLACEHOLDER + uuid: c3b022eb-19a5-4711-8099-da4a90c9dd5d +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/enforce-mtls-strict/README.md b/compliance/validations/istio/enforce-mtls-strict/README.md new file mode 100644 index 000000000..8c5fa459e --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - enforce-mtls-strict + +**INPUT** - This validation collects all `peerauthentications` from all namespaces. + +**POLICY** - This policy checks if all `PeerAuthentications` have mTLS mode set to `STRICT`. + +**NOTES** - Ensure that all `PeerAuthentications` are correctly configured with mTLS mode set to `STRICT`. The policy specifically looks for the `mtls.mode` field to be set to `STRICT`. \ No newline at end of file diff --git a/compliance/validations/istio/enforce-mtls-strict/resources.json b/compliance/validations/istio/enforce-mtls-strict/resources.json new file mode 100644 index 000000000..fac931181 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/resources.json @@ -0,0 +1,225 @@ +{ + "peerAuths": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "zarf-a102b532d6a523b085622665b606574b0cd82025", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:59Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "default-istio-system", + "namespace": "istio-system", + "resourceVersion": "1154", + "uid": "846d35fc-f942-4efc-b1ea-be35d3352db8" + }, + "spec": { + "mtls": { + "mode": "STRICT" + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "zarf-a102b532d6a523b085622665b606574b0cd82025", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:59Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "permissive-pepr-webhook", + "namespace": "pepr-system", + "resourceVersion": "1155", + "uid": "8911bc2b-fc43-414c-9511-7712c463a8f3" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "3000": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "pepr.dev/controller": "admission" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-metrics-server-config", + "meta.helm.sh/release-namespace": "metrics-server" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "metrics-server-api-exception", + "namespace": "metrics-server", + "resourceVersion": "1520", + "uid": "829a5b07-76c8-45f9-903e-f90976b677aa" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "10250": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak", + "namespace": "keycloak", + "resourceVersion": "1659", + "uid": "21586733-a185-4a6b-b8cc-cc77bb77b012" + }, + "spec": { + "mtls": { + "mode": "STRICT" + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-neuvector-config", + "meta.helm.sh/release-namespace": "neuvector" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "controller-neuvector", + "namespace": "neuvector", + "resourceVersion": "1912", + "uid": "c927e10e-e859-4f54-b2ad-ff457ae8a7e5" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "18300": { + "mode": "PERMISSIVE" + }, + "30443": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-loki-config", + "meta.helm.sh/release-namespace": "loki" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "loki-simple-scalable", + "namespace": "loki", + "resourceVersion": "2382", + "uid": "78bfd0bf-5682-45b5-9a38-0fc4dee6ccd4" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "9095": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-prometheus-config", + "meta.helm.sh/release-namespace": "monitoring" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "prometheus-operator-webhook", + "namespace": "monitoring", + "resourceVersion": "2862", + "uid": "1131d8b9-3c21-4076-b22a-e4bd3c0bdc44" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "10250": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/enforce-mtls-strict/tests.yaml b/compliance/validations/istio/enforce-mtls-strict/tests.yaml new file mode 100644 index 000000000..577a8531f --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/tests.yaml @@ -0,0 +1,13 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: not_all_strict + validation: validation.yaml + resources: resources.json + permutation: '.peerAuths[0].spec.mtls.mode = "PERMISSIVE"' + expected-validation: false diff --git a/compliance/validations/istio/enforce-mtls-strict/validation.yaml b/compliance/validations/istio/enforce-mtls-strict/validation.yaml new file mode 100644 index 000000000..47884b6c7 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/validation.yaml @@ -0,0 +1,52 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: enforce-mtls-strict + uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: peerAuths + resource-rule: + group: security.istio.io + version: v1beta1 + resource: peerauthentications + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default all_strict := false + default msg := "Not evaluated" + + validate if { + result_all_strict.result + } + + msg = concat(" ", [result_all_strict.msg]) + + # Evaluate if all PeerAuthentications have mtls mode set to STRICT + peer_auths := {sprintf("%s/%s", [pa.metadata.namespace, pa.metadata.name]) | pa := input.peerAuths[_]} + peer_auths_strict := {sprintf("%s/%s", [pa.metadata.namespace, pa.metadata.name]) | pa := input.peerAuths[_]; mtls_strict(pa)} + + result_all_strict = {"result": true, "msg": msg} if { + peer_auths == peer_auths_strict + msg := "All PeerAuthentications have mtls mode set to STRICT." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Not all PeerAuthentications have mtls mode set to STRICT: %s.", [peer_auths - peer_auths_strict]) + } + + mtls_strict(pa) if { + pa.spec.mtls.mode == "STRICT" + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/external-traffic-managed/README.md b/compliance/validations/istio/external-traffic-managed/README.md new file mode 100644 index 000000000..ccd517728 --- /dev/null +++ b/compliance/validations/istio/external-traffic-managed/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - external-traffic-managed-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for managing external traffic, possibly involving `ServiceEntry` resources. \ No newline at end of file diff --git a/compliance/validations/istio/external-traffic-managed/validation.yaml b/compliance/validations/istio/external-traffic-managed/validation.yaml new file mode 100644 index 000000000..e75053697 --- /dev/null +++ b/compliance/validations/istio/external-traffic-managed/validation.yaml @@ -0,0 +1,21 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: external-traffic-managed-PLACEHOLDER + uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false + + # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) + # Possibly would need a ServiceEntry(?) + # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) diff --git a/compliance/validations/istio/fips-evaluation/README.md b/compliance/validations/istio/fips-evaluation/README.md new file mode 100644 index 000000000..486a4ffef --- /dev/null +++ b/compliance/validations/istio/fips-evaluation/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - fips-evaluation-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder and does not perform any validation. + +**NOTES** - Update the `kubernetes-spec` and `opa-spec` in the `validation.yaml` file to perform the desired FIPS evaluation. \ No newline at end of file diff --git a/compliance/validations/istio/fips-evaluation/validation.yaml b/compliance/validations/istio/fips-evaluation/validation.yaml new file mode 100644 index 000000000..99381fd03 --- /dev/null +++ b/compliance/validations/istio/fips-evaluation/validation.yaml @@ -0,0 +1,17 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: fips-evaluation-PLACEHOLDER + uuid: 73434890-2751-4894-b7b2-7e583b4a8977 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/gateway-configuration-check/README.md b/compliance/validations/istio/gateway-configuration-check/README.md new file mode 100644 index 000000000..3dcacdc4a --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - gateway-configuration-check + +**INPUT** - This validation collects all Istio gateways in the Kubernetes cluster. + +**POLICY** - This policy checks that only allowed gateways ("admin", "tenant", "passthrough") are present and that all required gateway types are found. + +**NOTES** - Ensure that the allowed gateways are correctly specified and that all required gateway types are present in the cluster. \ No newline at end of file diff --git a/compliance/validations/istio/gateway-configuration-check/resources.json b/compliance/validations/istio/gateway-configuration-check/resources.json new file mode 100644 index 000000000..ee48519a3 --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/resources.json @@ -0,0 +1,220 @@ +{ + "gateways": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:07Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1216", + "uid": "07ede0ee-0ffc-42d0-ae22-15fa69dfb45a" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-tenant-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:11Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "tenant-gateway", + "namespace": "istio-tenant-gateway", + "resourceVersion": "1273", + "uid": "fb672c84-0a55-4ccc-84c7-7448868598f3" + }, + "spec": { + "selector": { + "app": "tenant-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-tenant", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-tenant", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-passthrough-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:15Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "passthrough-gateway", + "namespace": "istio-passthrough-gateway", + "resourceVersion": "1330", + "uid": "501528ef-4199-4804-994d-a1392d6f249e" + }, + "spec": { + "selector": { + "app": "passthrough-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-passthrough", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-passthrough", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "mode": "PASSTHROUGH" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/gateway-configuration-check/tests.yaml b/compliance/validations/istio/gateway-configuration-check/tests.yaml new file mode 100644 index 000000000..3e99e140d --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/tests.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove_first_gateway + validation: validation.yaml + resources: resources.json + permutation: "del(.gateways[0])" + expected-validation: false + - test: add_new_gateway + validation: validation.yaml + resources: resources.json + permutation: '.gateways += [{"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway", "metadata": {"name": "new-gateway", "namespace": "new-namespace"}}]' + expected-validation: false diff --git a/compliance/validations/istio/gateway-configuration-check/validation.yaml b/compliance/validations/istio/gateway-configuration-check/validation.yaml new file mode 100644 index 000000000..aac991e49 --- /dev/null +++ b/compliance/validations/istio/gateway-configuration-check/validation.yaml @@ -0,0 +1,66 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: gateway-configuration-check + uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: gateways + resource-rule: + group: networking.istio.io + resource: gateways + namespaces: [] + version: v1beta1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # default values + default validate := false + default msg := "Not evaluated" + + validate if { + check_expected_gw.result + check_all_gw_found.result + } + + msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) + msg_existing_gateways := concat(", ", gateways) + msg_allowed_gateways := concat(", ", allowed) + + # Check if only allowed gateways are in the system + allowed := {"admin", "tenant", "passthrough"} + gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} + allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} + actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} + + check_expected_gw = {"result": true, "msg": msg} if { + gateways == allowed_gateways + msg := "Only allowed gateways found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) + } + + gw_in_list(gw, allowed) if { + contains(gw.metadata.name, allowed[_]) + } + + # Check if the entire set contains all required gateways + check_all_gw_found = {"result": true, "msg": msg} if { + actual_allowed == allowed + msg := "All gateway types found." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_existing_gateways + - validate.msg_allowed_gateways diff --git a/compliance/validations/istio/healthcheck/README.md b/compliance/validations/istio/healthcheck/README.md new file mode 100644 index 000000000..278857e12 --- /dev/null +++ b/compliance/validations/istio/healthcheck/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-health-check + +**INPUT** - This validation collects the Istiod deployment and horizontal pod autoscaler (HPA) in the "istio-system" namespace. + +**POLICY** - This policy checks if the Istiod deployment is healthy and if the HPA has sufficient replicas. + +**NOTES** - Ensure that the Istiod deployment and HPA are correctly configured and running in the "istio-system" namespace. \ No newline at end of file diff --git a/compliance/validations/istio/healthcheck/resources.json b/compliance/validations/istio/healthcheck/resources.json new file mode 100644 index 000000000..7b8914043 --- /dev/null +++ b/compliance/validations/istio/healthcheck/resources.json @@ -0,0 +1,407 @@ +{ + "istioddeployment": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "annotations": { + "deployment.kubernetes.io/revision": "1", + "meta.helm.sh/release-name": "istiod", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "generation": 1, + "labels": { + "app": "istiod", + "app.kubernetes.io/managed-by": "Helm", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "release": "istiod" + }, + "name": "istiod", + "namespace": "istio-system", + "resourceVersion": "1141", + "uid": "c913f7f1-0ac7-4a73-9fd5-614715411fb6" + }, + "spec": { + "progressDeadlineSeconds": 600, + "replicas": 1, + "revisionHistoryLimit": 10, + "selector": { + "matchLabels": { + "istio": "pilot" + } + }, + "strategy": { + "rollingUpdate": { + "maxSurge": "100%", + "maxUnavailable": "25%" + }, + "type": "RollingUpdate" + }, + "template": { + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": null, + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "sidecar.istio.io/inject": "false" + } + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "docker.io/istio/pilot:1.22.1-distroless", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + } + ] + } + } + }, + "status": { + "availableReplicas": 1, + "conditions": [ + { + "lastTransitionTime": "2024-06-07T14:35:57Z", + "lastUpdateTime": "2024-06-07T14:35:57Z", + "message": "Deployment has minimum availability.", + "reason": "MinimumReplicasAvailable", + "status": "True", + "type": "Available" + }, + { + "lastTransitionTime": "2024-06-07T14:35:55Z", + "lastUpdateTime": "2024-06-07T14:35:57Z", + "message": "ReplicaSet \"istiod-5d75444496\" has successfully progressed.", + "reason": "NewReplicaSetAvailable", + "status": "True", + "type": "Progressing" + } + ], + "observedGeneration": 1, + "readyReplicas": 1, + "replicas": 1, + "updatedReplicas": 1 + } + }, + "istiodhpa": { + "apiVersion": "autoscaling/v2", + "kind": "HorizontalPodAutoscaler", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "istiod", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "labels": { + "app": "istiod", + "app.kubernetes.io/managed-by": "Helm", + "install.operator.istio.io/owning-resource": "unknown", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "release": "istiod" + }, + "name": "istiod", + "namespace": "istio-system", + "resourceVersion": "153610", + "uid": "595b2821-fb62-4203-9a4d-c3bba5689215" + }, + "spec": { + "maxReplicas": 5, + "metrics": [ + { + "resource": { + "name": "cpu", + "target": { + "averageUtilization": 80, + "type": "Utilization" + } + }, + "type": "Resource" + } + ], + "minReplicas": 1, + "scaleTargetRef": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "istiod" + } + }, + "status": { + "conditions": [ + { + "lastTransitionTime": "2024-06-11T12:12:51Z", + "message": "recent recommendations were higher than current one, applying the highest recent recommendation", + "reason": "ScaleDownStabilized", + "status": "True", + "type": "AbleToScale" + }, + { + "lastTransitionTime": "2024-06-07T14:37:10Z", + "message": "the HPA was able to successfully calculate a replica count from cpu resource utilization (percentage of request)", + "reason": "ValidMetricFound", + "status": "True", + "type": "ScalingActive" + }, + { + "lastTransitionTime": "2024-06-07T15:31:59Z", + "message": "the desired count is within the acceptable range", + "reason": "DesiredWithinRange", + "status": "False", + "type": "ScalingLimited" + } + ], + "currentMetrics": [ + { + "resource": { + "current": { + "averageUtilization": 0, + "averageValue": "3m" + }, + "name": "cpu" + }, + "type": "Resource" + } + ], + "currentReplicas": 1, + "desiredReplicas": 1 + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/healthcheck/tests.yaml b/compliance/validations/istio/healthcheck/tests.yaml new file mode 100644 index 000000000..a12115ab9 --- /dev/null +++ b/compliance/validations/istio/healthcheck/tests.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: hpa_zero_replicas + validation: validation.yaml + resources: resources.json + permutation: ".istiodhpa.status.currentReplicas = 0" + expected-validation: false + - test: deployment_condition_false + validation: validation.yaml + resources: resources.json + permutation: ".istioddeployment.status.availableReplicas = 0" + expected-validation: false diff --git a/compliance/validations/istio/healthcheck/validation.yaml b/compliance/validations/istio/healthcheck/validation.yaml new file mode 100644 index 000000000..6712453e1 --- /dev/null +++ b/compliance/validations/istio/healthcheck/validation.yaml @@ -0,0 +1,65 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-health-check + uuid: 67456ae8-4505-4c93-b341-d977d90cb125 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioddeployment + resource-rule: + group: apps + name: istiod + namespaces: + - istio-system + resource: deployments + version: v1 + - name: istiodhpa + resource-rule: + group: autoscaling + name: istiod + namespaces: + - istio-system + resource: horizontalpodautoscalers + version: v2 +provider: + type: opa + opa-spec: + output: + validation: validate.validate + observations: + - validate.msg + - validate.deployment_message + - validate.hpa_message + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Check if the Istio Deployment is healthy + validate if { + check_deployment_health.result + check_hpa_health.result + } + + msg = concat(" ", [check_deployment_health.msg, check_hpa_health.msg]) + + check_deployment_health = {"result": true, "msg": msg} if { + input.istioddeployment.status.replicas > 0 + input.istioddeployment.status.availableReplicas == input.istioddeployment.status.replicas + msg := "Istiod Deployment is healthy." + } else = {"result": false, "msg": msg} if { + msg := "Istiod Deployment is not healthy." + } + + check_hpa_health = {"result": true, "msg": msg} if { + input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas + msg := "HPA has sufficient replicas." + } else = {"result": false, "msg": msg} if { + msg := "HPA does not have sufficient replicas." + } diff --git a/compliance/validations/istio/ingress-traffic-encrypted/README.md b/compliance/validations/istio/ingress-traffic-encrypted/README.md new file mode 100644 index 000000000..6fc5c4032 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - ingress-traffic-encrypted + +**INPUT** - This validation collects all Istio gateways in the Kubernetes cluster. + +**POLICY** - This policy checks that all gateways encrypt ingress traffic, except for the "istio-passthrough-gateway/passthrough-gateway". + +**NOTES** - The server spec in the gateways must have a `port.protocol` set to `HTTPS` and `tls.httpsRedirect` set to `true` OR `port.protocol` set to `HTTPS` and `tls.mode` either `SIMPLE` or `OPTIONAL_MUTUAL`. \ No newline at end of file diff --git a/compliance/validations/istio/ingress-traffic-encrypted/resources.json b/compliance/validations/istio/ingress-traffic-encrypted/resources.json new file mode 100644 index 000000000..ee48519a3 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/resources.json @@ -0,0 +1,220 @@ +{ + "gateways": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:07Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1216", + "uid": "07ede0ee-0ffc-42d0-ae22-15fa69dfb45a" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-tenant-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:11Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "tenant-gateway", + "namespace": "istio-tenant-gateway", + "resourceVersion": "1273", + "uid": "fb672c84-0a55-4ccc-84c7-7448868598f3" + }, + "spec": { + "selector": { + "app": "tenant-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-tenant", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-tenant", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-passthrough-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:15Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "passthrough-gateway", + "namespace": "istio-passthrough-gateway", + "resourceVersion": "1330", + "uid": "501528ef-4199-4804-994d-a1392d6f249e" + }, + "spec": { + "selector": { + "app": "passthrough-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-passthrough", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-passthrough", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "mode": "PASSTHROUGH" + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml new file mode 100644 index 000000000..aff605c07 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change_admin_gateway_protocol_to_tcp + validation: validation.yaml + resources: resources.json + permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].port.protocol = "TCP" else . end)' + expected-validation: false + - test: change_admin_gateway_httpsRedirect_to_false + validation: validation.yaml + resources: resources.json + permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].tls.httpsRedirect = false else . end)' + expected-validation: false diff --git a/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml new file mode 100644 index 000000000..6ad35a610 --- /dev/null +++ b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml @@ -0,0 +1,77 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: ingress-traffic-encrypted + uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: gateways + resource-rule: + group: networking.istio.io + version: v1beta1 + resource: gateways + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validation + validate if { + check_gateways_allowed.result + } + msg = check_gateways_allowed.msg + msg_exempted_gateways = concat(", ", exempt_gateways) + + # Collect gateways that do not encrypt ingress traffic + gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | + gateway := input.gateways[_]; + not allowed_gateway(gateway) + } + + check_gateways_allowed = {"result": true, "msg": msg} if { + count(gateways_disallowed) == 0 + msg := "All gateways encrypt ingress traffic" + } else = {"result": false, "msg": msg} if { + msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) + } + + # Check allowed gateway + allowed_gateway(gateway) if { + every server in gateway.spec.servers { + allowed_server(server) + } + } + + exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} + allowed_gateway(gateway) if { + sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways + # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic + # Find all virtual services that use this gateway + # Check that vs has https scheme + } + + # Check allowed server spec in gateway + allowed_server(server) if { + server.port.protocol == "HTTP" + server.tls.httpsRedirect == true + } + + allowed_server(server) if { + server.port.protocol == "HTTPS" + server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempted_gateways diff --git a/compliance/validations/istio/metrics-logging-configured/README.md b/compliance/validations/istio/metrics-logging-configured/README.md new file mode 100644 index 000000000..0d4a63049 --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-metrics-logging-configured + +**INPUT** - This validation collects the "istioConfig" configmap in the "istio-system" namespace. + +**POLICY** - This policy checks if metrics logging is supported by validating the Istio configuration. + +**NOTES** - Ensure that the Istio configmap is correctly configured and located in the "istio-system" namespace. The policy specifically looks for the `enablePrometheusMerge` field to be not set to `false`. \ No newline at end of file diff --git a/compliance/validations/istio/metrics-logging-configured/resources.json b/compliance/validations/istio/metrics-logging-configured/resources.json new file mode 100644 index 000000000..f8161f0aa --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/resources.json @@ -0,0 +1,28 @@ +{ + "istioConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true, + "tracing": { + "zipkin": { + "address": "zipkin.istio-system:9411" + } + } + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/metrics-logging-configured/tests.yaml b/compliance/validations/istio/metrics-logging-configured/tests.yaml new file mode 100644 index 000000000..165deb586 --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/tests.yaml @@ -0,0 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change_enablePrometheusMerge_to_false + validation: validation.yaml + resources: resources.json + permutation: ".istioConfig.enablePrometheusMerge = false" + expected-validation: false + - test: change_enablePrometheusMerge_to_false + validation: validation.yaml + resources: resources.json + permutation: "del(.istioConfig.enablePrometheusMerge)" + expected-validation: true diff --git a/compliance/validations/istio/metrics-logging-configured/validation.yaml b/compliance/validations/istio/metrics-logging-configured/validation.yaml new file mode 100644 index 000000000..287b1bf3d --- /dev/null +++ b/compliance/validations/istio/metrics-logging-configured/validation.yaml @@ -0,0 +1,47 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-metrics-logging-configured + uuid: 70d99754-2918-400c-ac9a-319f874fff90 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioConfig + resource-rule: + resource: configmaps + namespaces: + - istio-system + version: v1 + name: istio + field: + jsonpath: .data.mesh + type: yaml +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validate Istio configuration for metrics logging support + validate if { + check_metrics_enabled.result + } + msg = check_metrics_enabled.msg + + check_metrics_enabled = { "result": false, "msg": msg } if { + input.istioConfig.enablePrometheusMerge == false + msg := "Metrics logging not supported." + } else = { "result": true, "msg": msg } if { + msg := "Metrics logging supported." + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/prometheus-annotations-validation/README.md b/compliance/validations/istio/prometheus-annotations-validation/README.md new file mode 100644 index 000000000..558d2758a --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-prometheus-annotations-validation + +**INPUT** - This validation collects all pods in the Kubernetes cluster. + +**POLICY** - This policy checks that all pods have the required Prometheus annotations for scraping metrics, except for those in exempted namespaces. + +**NOTES** - The exempted namespaces are "kube-system", "istio-system", "uds-dev-stack", and "zarf". Ensure that these namespaces are correct and update them if necessary. \ No newline at end of file diff --git a/compliance/validations/istio/prometheus-annotations-validation/resources.json b/compliance/validations/istio/prometheus-annotations-validation/resources.json new file mode 100644 index 000000000..e50da5902 --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/resources.json @@ -0,0 +1,25428 @@ +{ + "pods": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:04Z", + "generateName": "metallb-controller-665d96757f-", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "pod-template-hash": "665d96757f" + }, + "name": "metallb-controller-665d96757f-c4zbp", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metallb-controller-665d96757f", + "uid": "3a41d478-929b-44df-a608-5a7fe1a2061e" + } + ], + "resourceVersion": "481", + "uid": "e740023f-2732-43fc-9e43-2da1b1dd23cf" + }, + "spec": { + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info", + "--tls-min-version=VersionTLS12" + ], + "env": [ + { + "name": "METALLB_ML_SECRET_NAME", + "value": "metallb-memberlist" + }, + { + "name": "METALLB_DEPLOYMENT", + "value": "metallb-controller" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/controller:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "controller", + "ports": [ + { + "containerPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 9443, + "name": "webhook-server", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/k8s-webhook-server/serving-certs", + "name": "cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-5t6md", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "metallb-controller", + "serviceAccountName": "metallb-controller", + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "cert", + "secret": { + "defaultMode": 420, + "secretName": "metallb-webhook-cert" + } + }, + { + "name": "kube-api-access-5t6md", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:24Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:24Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://08db9740afe6a09b0788cf25e61ccd86fde100ade543a17e053201310572095e", + "image": "quay.io/metallb/controller:v0.14.5", + "imageID": "quay.io/metallb/controller@sha256:3f776529447094c8d318baeb4f9efe024cf154859762ec3eefcd878b1fe8a01f", + "lastState": {}, + "name": "controller", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.3", + "podIPs": [ + { + "ip": "10.42.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:04Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:04Z", + "generateName": "metallb-speaker-", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "controller-revision-hash": "6c7b58bfd7", + "pod-template-generation": "1" + }, + "name": "metallb-speaker-w768g", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "metallb-speaker", + "uid": "b879fca1-6a2f-45ce-a137-337089d7c368" + } + ], + "resourceVersion": "530", + "uid": "f0b25b25-81a5-4cb7-910e-8197958949c6" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info" + ], + "env": [ + { + "name": "METALLB_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "METALLB_HOST", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "METALLB_ML_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "METALLB_ML_LABELS", + "value": "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" + }, + { + "name": "METALLB_ML_BIND_PORT", + "value": "7946" + }, + { + "name": "METALLB_ML_SECRET_KEY_PATH", + "value": "/etc/ml_secret_key" + }, + { + "name": "FRR_CONFIG_FILE", + "value": "/etc/frr_reloader/frr.conf" + }, + { + "name": "FRR_RELOADER_PID_FILE", + "value": "/etc/frr_reloader/reloader.pid" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "speaker", + "ports": [ + { + "containerPort": 7472, + "hostPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-tcp", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/ml_secret_key", + "name": "memberlist" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/etc/metallb", + "name": "metallb-excludel2" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/sbin/tini -- /usr/lib/frr/docker-start \u0026\nattempts=0\nuntil [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do\n sleep 1\n attempts=$(( $attempts + 1 ))\ndone\ntail -f /etc/frr/frr.log\n" + ], + "env": [ + { + "name": "TINI_SUBREAPER", + "value": "true" + } + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "livez", + "port": 7473, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "frr", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW", + "SYS_ADMIN", + "NET_BIND_SERVICE" + ] + } + }, + "startupProbe": { + "failureThreshold": 30, + "httpGet": { + "path": "/livez", + "port": 7473, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/etc/frr_reloader/frr-reloader.sh" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "args": [ + "--metrics-port=7473" + ], + "command": [ + "/etc/frr_metrics/frr-metrics" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "frr-metrics", + "ports": [ + { + "containerPort": 7473, + "hostPort": 7473, + "name": "monitoring", + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostNetwork": true, + "initContainers": [ + { + "command": [ + "/bin/sh", + "-c", + "cp -rLf /tmp/frr/* /etc/frr/" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "cp-frr-files", + "resources": {}, + "securityContext": { + "runAsGroup": 101, + "runAsUser": 100 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/frr", + "name": "frr-startup" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-reloader.sh /etc/frr_reloader/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-metrics /etc/frr_metrics/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-metrics", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "metallb-speaker", + "serviceAccountName": "metallb-speaker", + "shareProcessNamespace": true, + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/network-unavailable", + "operator": "Exists" + } + ], + "volumes": [ + { + "name": "memberlist", + "secret": { + "defaultMode": 420, + "secretName": "metallb-memberlist" + } + }, + { + "configMap": { + "defaultMode": 256, + "name": "metallb-excludel2" + }, + "name": "metallb-excludel2" + }, + { + "emptyDir": {}, + "name": "frr-sockets" + }, + { + "configMap": { + "defaultMode": 420, + "name": "metallb-frr-startup" + }, + "name": "frr-startup" + }, + { + "emptyDir": {}, + "name": "frr-conf" + }, + { + "emptyDir": {}, + "name": "reloader" + }, + { + "emptyDir": {}, + "name": "metrics" + }, + { + "name": "kube-api-access-qm2q8", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:17Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:28Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:28Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a4fcaa6986eea88b60934b08f03c1dc5c4d826fc033dc5cbe7f356992eca4242", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://8407398896d1bcf0c628096b3912e48cde1e11dc3680ffa57924c6daec04ae85", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://dc156a3e9ffa1c3782ab106f8c522dd7adcd19bb8d695cad2c1ec31ce9b10bba", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://bf432de657a6b004d9c8fdb5c720fa47b5c464c82bef28f2d5bee4e148081c06", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "speaker", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c4d49eb82f8230b3c0dd686fd997dd443a8a5f468a10d184f80e6dfc87bb328a", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "cp-frr-files", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c4d49eb82f8230b3c0dd686fd997dd443a8a5f468a10d184f80e6dfc87bb328a", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:12Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:12Z" + } + } + }, + { + "containerID": "containerd://a3e7a06367976cd6d1422cb538b080051a347f777b266c56c359b733df3534a6", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a3e7a06367976cd6d1422cb538b080051a347f777b266c56c359b733df3534a6", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:16Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:16Z" + } + } + }, + { + "containerID": "containerd://36e42d6bb3d9a9008283fd26ee4ef97cbad58d541a323a0f89b10f9b1589c131", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-metrics", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://36e42d6bb3d9a9008283fd26ee4ef97cbad58d541a323a0f89b10f9b1589c131", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:17Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "172.19.0.3", + "podIPs": [ + { + "ip": "172.19.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:04Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "nginx-", + "labels": { + "controller-revision-hash": "796f655567", + "name": "nginx", + "pod-template-generation": "1", + "sidecar.istio.io/inject": "false" + }, + "name": "nginx-7x5gk", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "nginx", + "uid": "3355c296-e86c-45ff-8c40-dc211381667d" + } + ], + "resourceVersion": "543", + "uid": "4dbe8047-3902-49f7-9891-0ea680b055a3" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "command": [ + "nginx", + "-g", + "daemon off;" + ], + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "TCP" + }, + { + "containerPort": 443, + "hostPort": 443, + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx/nginx.conf", + "name": "config-volume", + "subPath": "nginx.conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-c2r2d", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "nginx-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-c2r2d", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://028a3419e247aa5b5b2693982ee5b406eca570e24368a7bae6b40772ec846f59", + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imageID": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.6", + "podIPs": [ + { + "ip": "10.42.0.6" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "local-path-provisioner-6d9d9b57c9-", + "labels": { + "app": "local-path-provisioner", + "pod-template-hash": "6d9d9b57c9" + }, + "name": "local-path-provisioner-6d9d9b57c9-sxjml", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "local-path-provisioner-6d9d9b57c9", + "uid": "b3198f06-8d33-4c0c-a046-9e8a7b60c4d1" + } + ], + "resourceVersion": "545", + "uid": "d9ef6be9-697f-486d-9a68-94c125eb76d6" + }, + "spec": { + "containers": [ + { + "command": [ + "local-path-provisioner", + "--debug", + "start", + "--config", + "/etc/config/config.json" + ], + "env": [ + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + } + ], + "image": "rancher/local-path-provisioner:v0.0.26", + "imagePullPolicy": "IfNotPresent", + "name": "local-path-provisioner", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config/", + "name": "config-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v9kg6", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "local-path-provisioner-service-account", + "serviceAccountName": "local-path-provisioner-service-account", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "local-path-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-v9kg6", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4d11a1ed56c82487ffc5f18d3eb5f53af22cad148f4a082801e7435d1fed378d", + "image": "docker.io/rancher/local-path-provisioner:v0.0.26", + "imageID": "docker.io/rancher/local-path-provisioner@sha256:aee53cadc62bd023911e7f077877d047c5b3c269f9bba25724d558654f43cea0", + "lastState": {}, + "name": "local-path-provisioner", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.5", + "podIPs": [ + { + "ip": "10.42.0.5" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "ensure-machine-id-", + "labels": { + "controller-revision-hash": "555967fc7b", + "name": "ensure-machine-id", + "pod-template-generation": "1" + }, + "name": "ensure-machine-id-df5h9", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "ensure-machine-id", + "uid": "03af65b4-778e-484a-98a9-ed00fb1109ce" + } + ], + "resourceVersion": "584", + "uid": "002c58a5-786d-41ff-acb4-1abab62bbd40" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "image": "registry.k8s.io/pause:3.9", + "imagePullPolicy": "IfNotPresent", + "name": "pause", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "100m", + "memory": "50Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-j2rl4", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "initContainers": [ + { + "args": [ + "echo \"B0D07F1F43F246409516ADBDCCC86FCE\" \u003e /mnt/host/etc/machine-id;" + ], + "command": [ + "/bin/sh", + "-c" + ], + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imagePullPolicy": "Always", + "name": "generate-machine-id", + "resources": {}, + "securityContext": { + "privileged": true, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/mnt/host/etc", + "name": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-j2rl4", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-j2rl4", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d14b7ef126f21af0b85aef91ee06b04ecb9c383641a6819bcacf24cb0da4762f", + "image": "registry.k8s.io/pause:3.9", + "imageID": "registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097", + "lastState": {}, + "name": "pause", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:31Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://32c24b23288ec1f9e850f1f905a88969c275a3c2b43f0c87a0256bf7ab7970e4", + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imageID": "cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92", + "lastState": {}, + "name": "generate-machine-id", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://32c24b23288ec1f9e850f1f905a88969c275a3c2b43f0c87a0256bf7ab7970e4", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:29Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.4", + "podIPs": [ + { + "ip": "10.42.0.4" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "25ba5a36ee6bd1887b73590eee26c55e5673fbf1ef59d3f2e380255cea24fc78", + "checksum/secrets": "9dfc3e7275d6373dbf1aee60edc7c0db19fb00875cd3723b020c629dc646ba0c" + }, + "creationTimestamp": "2024-06-07T14:33:31Z", + "generateName": "minio-9f479d889-", + "labels": { + "app": "minio", + "pod-template-hash": "9f479d889", + "release": "minio" + }, + "name": "minio-9f479d889-79crp", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "minio-9f479d889", + "uid": "86fe59b2-087f-4990-9af8-43af36787cdf" + } + ], + "resourceVersion": "608", + "uid": "85ddc048-b51c-4719-a904-5ac2ffba2ac0" + }, + "spec": { + "containers": [ + { + "command": [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + ], + "env": [ + { + "name": "MINIO_ROOT_USER", + "valueFrom": { + "secretKeyRef": { + "key": "rootUser", + "name": "minio" + } + } + }, + { + "name": "MINIO_ROOT_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "rootPassword", + "name": "minio" + } + } + }, + { + "name": "MINIO_PROMETHEUS_AUTH_TYPE", + "value": "public" + } + ], + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imagePullPolicy": "IfNotPresent", + "name": "minio", + "ports": [ + { + "containerPort": 9000, + "name": "http", + "protocol": "TCP" + }, + { + "containerPort": 9001, + "name": "http-console", + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": "150m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/credentials", + "name": "minio-user", + "readOnly": true + }, + { + "mountPath": "/export", + "name": "export" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4xhl7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "fsGroupChangePolicy": "OnRootMismatch", + "runAsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "minio-sa", + "serviceAccountName": "minio-sa", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "export", + "persistentVolumeClaim": { + "claimName": "minio" + } + }, + { + "name": "minio-user", + "secret": { + "defaultMode": 420, + "secretName": "minio" + } + }, + { + "name": "kube-api-access-4xhl7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:35Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:35Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7fb60fb93818d05af7391888524a93b66ef610b3765ad5936c89a4f8f2f3c7be", + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imageID": "quay.io/minio/minio@sha256:036a068d7d6b69400da6bc07a480bee1e241ef3c341c41d988ed11f520f85124", + "lastState": {}, + "name": "minio", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:38Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.8", + "podIPs": [ + { + "ip": "10.42.0.8" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:35Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/restartedAt": "2024-06-07T10:33:46-04:00" + }, + "creationTimestamp": "2024-06-07T14:33:46Z", + "generateName": "coredns-c7b7755fc-", + "labels": { + "k8s-app": "kube-dns", + "pod-template-hash": "c7b7755fc" + }, + "name": "coredns-c7b7755fc-brsr4", + "namespace": "kube-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "coredns-c7b7755fc", + "uid": "191bb204-9378-4221-bacd-9cab0aa1d834" + } + ], + "resourceVersion": "685", + "uid": "9e2faf64-250f-4b40-806f-c84e9429763b" + }, + "spec": { + "containers": [ + { + "args": [ + "-conf", + "/etc/coredns/Corefile" + ], + "image": "rancher/mirrored-coredns-coredns:1.10.1", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/health", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "coredns", + "ports": [ + { + "containerPort": 53, + "name": "dns", + "protocol": "UDP" + }, + { + "containerPort": 53, + "name": "dns-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9153, + "name": "metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8181, + "scheme": "HTTP" + }, + "periodSeconds": 2, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "memory": "170Mi" + }, + "requests": { + "cpu": "100m", + "memory": "70Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_BIND_SERVICE" + ], + "drop": [ + "all" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/coredns", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/coredns/custom", + "name": "custom-config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lmgf5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "Default", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "coredns", + "serviceAccountName": "coredns", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "CriticalAddonsOnly", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "topologySpreadConstraints": [ + { + "labelSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "maxSkew": 1, + "topologyKey": "kubernetes.io/hostname", + "whenUnsatisfiable": "DoNotSchedule" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "Corefile", + "path": "Corefile" + }, + { + "key": "NodeHosts", + "path": "NodeHosts" + } + ], + "name": "coredns" + }, + "name": "config-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "coredns-custom", + "optional": true + }, + "name": "custom-config-volume" + }, + { + "name": "kube-api-access-lmgf5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:46Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://cd5aa584f79006e655641cd4f6c724cb161d759d106861700c23bd3f23fc628a", + "image": "docker.io/rancher/mirrored-coredns-coredns:1.10.1", + "imageID": "docker.io/rancher/mirrored-coredns-coredns@sha256:a11fafae1f8037cbbd66c5afa40ba2423936b72b4fd50a7034a7e8b955163594", + "lastState": {}, + "name": "coredns", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.10", + "podIPs": [ + { + "ip": "10.42.0.10" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "ebbd974057077dd4d2977c2e448b94c77c696bf3491d474c2483511093e5e992" + }, + "creationTimestamp": "2024-06-07T14:34:14Z", + "generateName": "zarf-docker-registry-7dc948f55b-", + "labels": { + "app": "docker-registry", + "pod-template-hash": "7dc948f55b", + "release": "zarf-docker-registry", + "zarf.dev/agent": "ignore" + }, + "name": "zarf-docker-registry-7dc948f55b-n4hpx", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "zarf-docker-registry-7dc948f55b", + "uid": "f6ac21e6-98d4-49b9-9fe7-8c6376954d90" + } + ], + "resourceVersion": "841", + "uid": "1f775090-2171-41ae-ae78-42c25c1c086e" + }, + "spec": { + "affinity": { + "podAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "docker-registry" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "command": [ + "/bin/registry", + "serve", + "/etc/docker/registry/config.yml" + ], + "env": [ + { + "name": "REGISTRY_AUTH", + "value": "htpasswd" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_REALM", + "value": "Registry Realm" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_PATH", + "value": "/etc/docker/registry/htpasswd" + }, + { + "name": "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", + "value": "/var/lib/registry" + }, + { + "name": "REGISTRY_STORAGE_DELETE_ENABLED", + "value": "true" + } + ], + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "docker-registry", + "ports": [ + { + "containerPort": 5000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "3", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/lib/registry/", + "name": "data" + }, + { + "mountPath": "/etc/docker/registry", + "name": "config" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-5mtk7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "config", + "secret": { + "defaultMode": 420, + "items": [ + { + "key": "configData", + "path": "config.yml" + }, + { + "key": "htpasswd", + "path": "htpasswd" + } + ], + "secretName": "zarf-docker-registry-secret" + } + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "zarf-docker-registry" + } + }, + { + "name": "kube-api-access-5mtk7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:14Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:15Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:15Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:14Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f562cd15f5f447c467ee157d139a1f5dce710856856ddd4e53437a966d781620", + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imageID": "127.0.0.1:31999/library/registry@sha256:53ee3286cf0400c2ec957e31594c77439ec959e26ca00c8264c5ce521f7859ac", + "lastState": {}, + "name": "docker-registry", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:15Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.14", + "podIPs": [ + { + "ip": "10.42.0.14" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:14Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:34:19Z", + "generateName": "agent-hook-fd5f6b7fd-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "fd5f6b7fd", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-fd5f6b7fd-mtvhh", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-fd5f6b7fd", + "uid": "94e69251-8d88-4f9c-8c33-a3fd90fb4696" + } + ], + "resourceVersion": "914", + "uid": "3ede9ea5-a576-4c01-ad3c-ce836132369f" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vnl6m", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-vnl6m", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8cddd8d76762dc47dd960f1fb3a06387316623cfed5b83b33d66c6dca78cc375", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:f326633a23b6ecaf74ba7f4f115c24e47e78b7564116d40da978b2deb0840063", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:20Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.16", + "podIPs": [ + { + "ip": "10.42.0.16" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:34:19Z", + "generateName": "agent-hook-fd5f6b7fd-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "fd5f6b7fd", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-fd5f6b7fd-m9jnz", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-fd5f6b7fd", + "uid": "94e69251-8d88-4f9c-8c33-a3fd90fb4696" + } + ], + "resourceVersion": "918", + "uid": "986f6460-eced-4b5d-a6fd-027720d12a79" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qnxt2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-qnxt2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://2bf73e9bfba5d66e92bbc74eb399f1edffa21d83d8b5733d5000dc4cf1748169", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:f326633a23b6ecaf74ba7f4f115c24e47e78b7564116d40da978b2deb0840063", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:20Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.15", + "podIPs": [ + { + "ip": "10.42.0.15" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "generateName": "istiod-5d75444496-", + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "pod-template-hash": "5d75444496", + "sidecar.istio.io/inject": "false", + "zarf-agent": "patched" + }, + "name": "istiod-5d75444496-t85z7", + "namespace": "istio-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "istiod-5d75444496", + "uid": "88b31cbe-f985-49e4-b634-6432dd86b2f8" + } + ], + "resourceVersion": "1136", + "uid": "4d592fa4-18fa-46cd-b2df-f1a74f0c1507" + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "127.0.0.1:31999/istio/pilot:1.22.1-distroless-zarf-4264239833", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-d9gkx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + }, + { + "name": "kube-api-access-d9gkx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:57Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:57Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:55Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c6dab073a0e0c52d289f345b2528e4613895bd5ac971b31324e8bc681627671c", + "image": "127.0.0.1:31999/istio/pilot:1.22.1-distroless-zarf-4264239833", + "imageID": "127.0.0.1:31999/istio/pilot@sha256:6ee01043f85cb2818363c5a7a2bf2f9ec191f2dc3d5353f97cedfa6678b94068", + "lastState": {}, + "name": "discovery", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:35:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.17", + "podIPs": [ + { + "ip": "10.42.0.17" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:35:55Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-wzbh2\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:02Z", + "generateName": "admin-ingressgateway-65c568569f-", + "labels": { + "app": "admin-ingressgateway", + "istio": "admin-ingressgateway", + "pod-template-hash": "65c568569f", + "service.istio.io/canonical-name": "admin-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "admin-ingressgateway-65c568569f-wfqd2", + "namespace": "istio-admin-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "admin-ingressgateway-65c568569f", + "uid": "cc279224-2176-4244-a31b-9cec94764295" + } + ], + "resourceVersion": "1207", + "uid": "f9b9118d-b6f1-4fac-ba20-0bf60638041d" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "admin-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-admin-gateway/deployments/admin-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-wzbh2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "admin-ingressgateway", + "serviceAccountName": "admin-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-wzbh2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:02Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:05Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:05Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:02Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://63b925a8e3ccd6439ad7bcb4ed945b66f168ccbf8ad0b2c985f5da3792755cff", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:05Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.18", + "podIPs": [ + { + "ip": "10.42.0.18" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:02Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-78bfd\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:08Z", + "generateName": "tenant-ingressgateway-79d5d77d67-", + "labels": { + "app": "tenant-ingressgateway", + "istio": "tenant-ingressgateway", + "pod-template-hash": "79d5d77d67", + "service.istio.io/canonical-name": "tenant-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "tenant-ingressgateway-79d5d77d67-j9m2x", + "namespace": "istio-tenant-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "tenant-ingressgateway-79d5d77d67", + "uid": "db714c67-44f2-4df3-b86b-81568c3b036e" + } + ], + "resourceVersion": "1261", + "uid": "b5dacd2c-6548-41b4-a176-c10cc4c9c3ae" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "tenant-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-tenant-gateway/deployments/tenant-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-78bfd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "tenant-ingressgateway", + "serviceAccountName": "tenant-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-78bfd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:08Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:08Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://48317375bcb597f850cc3ae14d3f7c3d6b5d3695669388c87d433c6445812be0", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:09Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.19", + "podIPs": [ + { + "ip": "10.42.0.19" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:08Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-8qtkj\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:12Z", + "generateName": "passthrough-ingressgateway-77f78c89b5-", + "labels": { + "app": "passthrough-ingressgateway", + "istio": "passthrough-ingressgateway", + "pod-template-hash": "77f78c89b5", + "service.istio.io/canonical-name": "passthrough-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "passthrough-ingressgateway-77f78c89b5-rt6c7", + "namespace": "istio-passthrough-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "passthrough-ingressgateway-77f78c89b5", + "uid": "de9c5861-af93-40d7-9e91-c3460186cbb0" + } + ], + "resourceVersion": "1322", + "uid": "4de86155-37d2-40ee-b162-5e55980f6168" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-passthrough-gateway/deployments/passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8qtkj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "passthrough-ingressgateway", + "serviceAccountName": "passthrough-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-8qtkj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:12Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:13Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:13Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:12Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://e206625af18cbc0abf79da22cee66dcb995356e62bc47fb6c940541b84f6a63b", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:13Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.20", + "podIPs": [ + { + "ip": "10.42.0.20" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:12Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-7fbff558dc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "7fbff558dc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-7fbff558dc-tq2p7", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-7fbff558dc", + "uid": "4b37bd01-3881-4f93-a050-26d4a39699b4" + } + ], + "resourceVersion": "1481", + "uid": "953e1f27-cf16-4a8f-86dc-8629870f18ce" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-m7wwh", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9a0e0bcb70b99980e5169fffe5d9d7f1d5a951f0854657f0f839a30fcd1b3b40", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://7cb57a3d0fca3d0cb26e8c1aa3dd514a533b50c84147e63b890a2f604d82940b", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://854c7cc3006ab176f0a6a48cf04f4fd44a229d7f21a7c3e860c5c0afa5c5bef9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://854c7cc3006ab176f0a6a48cf04f4fd44a229d7f21a7c3e860c5c0afa5c5bef9", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:17Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.22", + "podIPs": [ + { + "ip": "10.42.0.22" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "watcher", + "kubectl.kubernetes.io/default-logs-container": "watcher", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-watcher-79c68864c4-", + "labels": { + "app": "pepr-uds-core-watcher", + "pepr.dev/controller": "watcher", + "pod-template-hash": "79c68864c4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core-watcher", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-watcher-79c68864c4-xhbm7", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-watcher-79c68864c4", + "uid": "10d3f35e-1c57-45d0-bca6-92456b1d7455" + } + ], + "resourceVersion": "1485", + "uid": "c060c7d4-07c5-444c-a85d-edc84b2f3ffe" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "watcher" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/watcher/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/watcher/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "true" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "watcher", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-65jv4", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://acc85506cb258f16a813e4af7efaa3a11ed88415951477118f40740835e78d21", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://0a48365f908b95ba85b41024755e658282379c6fbbe4fd2b733c7d67d584104c", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "watcher", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://9e37e9537e6bbb8fa43ff44c3b4a389367aff2fd33aa0992bfe5a08dcdeccd80", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://9e37e9537e6bbb8fa43ff44c3b4a389367aff2fd33aa0992bfe5a08dcdeccd80", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:18Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:18Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.23", + "podIPs": [ + { + "ip": "10.42.0.23" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-7fbff558dc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "7fbff558dc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-7fbff558dc-2222r", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-7fbff558dc", + "uid": "4b37bd01-3881-4f93-a050-26d4a39699b4" + } + ], + "resourceVersion": "1491", + "uid": "e4b36744-977b-4c37-b7c6-20822f309a5b" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-whp7d", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://dea96fb5ce3413827270115e359aa31f216fdacac06ed4883cdea945173400f3", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://bb85111c39f918e33eb7073c1cf1f539098aa052d5a5480943e08ab5ef2c7b0a", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c56fd4106095f4ebb9fb1d74adc644851d72b70aa6a5b6201c1f307c0494cc3f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c56fd4106095f4ebb9fb1d74adc644851d72b70aa6a5b6201c1f307c0494cc3f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:18Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.21", + "podIPs": [ + { + "ip": "10.42.0.21" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "metrics-server", + "kubectl.kubernetes.io/default-logs-container": "metrics-server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:36:36Z", + "generateName": "metrics-server-69584cc865-", + "labels": { + "app.kubernetes.io/instance": "metrics-server", + "app.kubernetes.io/name": "metrics-server", + "pod-template-hash": "69584cc865", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "metrics-server", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "metrics-server-69584cc865-qf86j", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metrics-server-69584cc865", + "uid": "135cc85a-83a7-4082-bfa9-b7d302ad5b20" + } + ], + "resourceVersion": "1611", + "uid": "c188458e-8c7e-42b3-bfd9-7efbb0ac9bf2" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "metrics-server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "metrics-server" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/metrics-server/deployments/metrics-server" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/metrics-server/livez\":{\"httpGet\":{\"path\":\"/livez\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/metrics-server/readyz\":{\"httpGet\":{\"path\":\"/readyz\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + }, + { + "args": [ + "--secure-port=10250", + "--cert-dir=/tmp", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--kubelet-use-node-status-port", + "--metric-resolution=15s", + "--authorization-always-allow-paths=/metrics" + ], + "image": "127.0.0.1:31999/metrics-server/metrics-server:v0.7.1-zarf-459117927", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/metrics-server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "metrics-server", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/metrics-server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "metrics-server", + "serviceAccountName": "metrics-server", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "name": "kube-api-access-79cnp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:51Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:51Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a3bcdc94ec898ec637d718935d40a44f8402b7c66cce86ed5f170fe43f1ff705", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:38Z" + } + } + }, + { + "containerID": "containerd://5acf1d7c184ca85550f35fbd819e0bfd298d5885a4b340481ce92c0bee56fe5b", + "image": "127.0.0.1:31999/metrics-server/metrics-server:v0.7.1-zarf-459117927", + "imageID": "127.0.0.1:31999/metrics-server/metrics-server@sha256:7f0fc3565b6d4655d078bb8e250d0423d7c79aeb05fbc71e1ffa6ff664264d70", + "lastState": {}, + "name": "metrics-server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://56321e146f957771c00c61f86a2f9a6f74f0ed917d6df3f92464e1cd4dffea8f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://56321e146f957771c00c61f86a2f9a6f74f0ed917d6df3f92464e1cd4dffea8f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:36Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:36Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.24", + "podIPs": [ + { + "ip": "10.42.0.24" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:36Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "keycloak", + "kubectl.kubernetes.io/default-logs-container": "keycloak", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generateName": "keycloak-", + "labels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "keycloak-584d5fcfb7", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "keycloak", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "keycloak-0", + "zarf-agent": "patched" + }, + "name": "keycloak-0", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "keycloak", + "uid": "3ec2c2f6-c634-4e4b-8e87-ae401174b745" + } + ], + "resourceVersion": "1823", + "uid": "7f4d0caa-3b1e-4c7e-bbcb-80f31728e776" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app.kubernetes.io/component", + "operator": "NotIn", + "values": [ + "test" + ] + } + ], + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + }, + "topologyKey": "failure-domain.beta.kubernetes.io/zone" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "keycloak" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "keycloak" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/keycloak/statefulsets/keycloak" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/keycloak/livez\":{\"httpGet\":{\"path\":\"/health/live\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2},\"/app-health/keycloak/readyz\":{\"httpGet\":{\"path\":\"/health/ready\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + }, + { + "args": [ + "start-dev", + "--spi-theme-static-max-age=-1", + "--spi-theme-cache-themes=false", + "--spi-theme-cache-templates=false", + "--import-realm", + "--features=preview" + ], + "command": [ + "/opt/keycloak/bin/kc.sh" + ], + "env": [ + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "KC_HEALTH_ENABLED", + "value": "true" + }, + { + "name": "KC_METRICS_ENABLED", + "value": "true" + }, + { + "name": "QUARKUS_HTTP_ACCESS_LOG_ENABLED", + "value": "true" + }, + { + "name": "KC_HOSTNAME_STRICT", + "value": "false" + }, + { + "name": "KC_HOSTNAME_STRICT_HTTPS", + "value": "false" + }, + { + "name": "KC_PROXY", + "value": "edge" + }, + { + "name": "KC_HTTPS_CLIENT_AUTH", + "value": "request" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_PROVIDER", + "value": "nginx" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT", + "value": "istio-mtls-client-certificate" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX", + "value": "UNUSED" + }, + { + "name": "KC_LOG_LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL", + "value": "TRACE" + } + ], + "envFrom": [ + { + "secretRef": { + "name": "keycloak-realm-env" + } + } + ], + "image": "127.0.0.1:31999/keycloak/keycloak:24.0.5-zarf-2242132316", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "name": "keycloak", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "1Gi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "keycloak-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.4.5-zarf-1934043158", + "imagePullPolicy": "IfNotPresent", + "name": "uds-config", + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "subdomain": "keycloak-headless", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "providers" + }, + { + "emptyDir": {}, + "name": "conf" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "keycloak-data" + } + }, + { + "name": "themes", + "persistentVolumeClaim": { + "claimName": "keycloak-themes" + } + }, + { + "name": "kube-api-access-nlkpn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:09Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:56Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:56Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://98b723747fbc4ab069941b409c2c1364803055710b556efc4a281bef03a1f9d0", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:37:09Z" + } + } + }, + { + "containerID": "containerd://24cffc7e3667dbd48ef3f53817f81df065610a8e2231ce22f807bbaf28dfc28a", + "image": "127.0.0.1:31999/keycloak/keycloak:24.0.5-zarf-2242132316", + "imageID": "127.0.0.1:31999/keycloak/keycloak@sha256:6508f327b24f3b21dc712fdfedf7dc613720806752f958f3ae90d53f05bfffb3", + "lastState": {}, + "name": "keycloak", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:37:12Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://61198b4b3f3f80e4b1f1d70d1175723fb4e113315b5733f6139827c6716ae3cf", + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.4.5-zarf-1934043158", + "imageID": "127.0.0.1:31999/defenseunicorns/uds/identity-config@sha256:3fbab8e7cfa010251aa29a1bbec2e73a7bdc236f358fb57db3943a9f0307bf1f", + "lastState": {}, + "name": "uds-config", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://61198b4b3f3f80e4b1f1d70d1175723fb4e113315b5733f6139827c6716ae3cf", + "exitCode": 0, + "finishedAt": "2024-06-07T14:37:07Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:37:07Z" + } + } + }, + { + "containerID": "containerd://42656b79a9c7579dc5b3b04b00be6b95189d0c863549ff35ae072aa778897083", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://42656b79a9c7579dc5b3b04b00be6b95189d0c863549ff35ae072aa778897083", + "exitCode": 0, + "finishedAt": "2024-06-07T14:37:08Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:37:08Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.27", + "podIPs": [ + { + "ip": "10.42.0.27" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:37:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-enforcer-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-enforcer-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowHostNamespaces": "exempted", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:38:20Z", + "generateName": "neuvector-enforcer-pod-", + "labels": { + "app": "neuvector-enforcer-pod", + "controller-revision-hash": "6775c5c797", + "pod-template-generation": "1", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-enforcer-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-enforcer-pod-nt94p", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "neuvector-enforcer-pod", + "uid": "6dccb27d-6ee5-4ce7-9212-a01b1420cbfb" + } + ], + "resourceVersion": "2221", + "uid": "5f5fce1b-9cba-4e19-8fe8-81105c64a17a" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-enforcer-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/daemonsets/neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.2-zarf-2886042343", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-enforcer-pod", + "resources": {}, + "securityContext": { + "privileged": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/lib/modules", + "name": "modules-vol", + "readOnly": true + }, + { + "mountPath": "/var/nv_debug", + "name": "nv-debug" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "enforcer", + "serviceAccountName": "enforcer", + "terminationGracePeriodSeconds": 1200, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/lib/modules", + "type": "" + }, + "name": "modules-vol" + }, + { + "hostPath": { + "path": "/var/nv_debug", + "type": "" + }, + "name": "nv-debug" + }, + { + "name": "kube-api-access-hps9b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:28Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:28Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:20Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://977a00abbbc0e201f32cc068fcd3b84546b25dfe873196358ee56620519af4b4", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:21Z" + } + } + }, + { + "containerID": "containerd://786d6b11b69d7becbefa39703c471dd2dcd506e08fdcf6e2254e0a584cded575", + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.2-zarf-2886042343", + "imageID": "127.0.0.1:31999/neuvector/enforcer@sha256:043f6f02afae05861eee20248bba17e58afbe33dcc2cafcca2cf83c7df361fac", + "lastState": {}, + "name": "neuvector-enforcer-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:26Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://10e8bca0a1e6b216fa1e7c7cf33a224262959fe8e64fbc9dc1d398facb035d38", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://10e8bca0a1e6b216fa1e7c7cf33a224262959fe8e64fbc9dc1d398facb035d38", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:21Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.28", + "podIPs": [ + { + "ip": "10.42.0.28" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:20Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-manager-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-manager-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:20Z", + "generateName": "neuvector-manager-pod-56ddd789bb-", + "labels": { + "app": "neuvector-manager-pod", + "pod-template-hash": "56ddd789bb", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-manager-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-manager-pod-56ddd789bb-pzdsg", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-manager-pod-56ddd789bb", + "uid": "88dd6d25-f771-4ff6-a703-375660b4d43d" + } + ], + "resourceVersion": "2233", + "uid": "aebb54f0-cbcf-428d-91d2-43403fc6595d" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8443,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-manager-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-manager-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-manager-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CTRL_SERVER_IP", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "MANAGER_SSL", + "value": "off" + } + ], + "image": "127.0.0.1:31999/neuvector/manager:5.3.2-zarf-1801671909", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-manager-pod", + "ports": [ + { + "containerPort": 8443, + "name": "http", + "protocol": "TCP" + } + ], + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "basic", + "serviceAccountName": "basic", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-7226g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:20Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://743909c516a206891e8807685cbfe81a597b79ff2887a4fbd4cefabd1849590c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:21Z" + } + } + }, + { + "containerID": "containerd://93bcda13255ce6bce3fdb9848c39512377e0700f35188fd23c371d64aaa5ff87", + "image": "127.0.0.1:31999/neuvector/manager:5.3.2-zarf-1801671909", + "imageID": "127.0.0.1:31999/neuvector/manager@sha256:3a65e2c2916a058293638620b712cfac1a559824ac4d295cd08474c98a3e7381", + "lastState": {}, + "name": "neuvector-manager-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:28Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://475c52820b00e4cc57f4c5a6dd2f790d7ac3606e83c70fbf105c97fd10f2ab40", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://475c52820b00e4cc57f4c5a6dd2f790d7ac3606e83c70fbf105c97fd10f2ab40", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:21Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.31", + "podIPs": [ + { + "ip": "10.42.0.31" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:20Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:38:38Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-mgzsf", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "2509", + "uid": "f3fe50db-0d40-4f4f-94e2-4ab30d3095d3" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-k4946", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:39Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:53Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:53Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:38Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f09a16a3f79ff3f62a59a9c7ed431043815978aa2c5fb0e5402c1a02389d3e7f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:39Z" + } + } + }, + { + "containerID": "containerd://3088539b3933c2fd668c3b02a9e3a23a7994978f2c2e65ec50d5f349117aa70f", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:40Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://446f36a71ada6e7d3e09a043c06ef19ae0bdff71c47220c26fe586b6a3fc2c76", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://446f36a71ada6e7d3e09a043c06ef19ae0bdff71c47220c26fe586b6a3fc2c76", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:38Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:38Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.37", + "podIPs": [ + { + "ip": "10.42.0.37" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:38Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "aa54d1c46dc4de580885be8c1184da75a3838afa977449fdf39bf419da521275", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "nginx", + "kubectl.kubernetes.io/default-logs-container": "nginx", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:51Z", + "generateName": "loki-gateway-d7c788676-", + "labels": { + "app.kubernetes.io/component": "gateway", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "pod-template-hash": "d7c788676", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-gateway-d7c788676-4srwc", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-gateway-d7c788676", + "uid": "e34a955a-a9ce-4e08-b438-cee5a06b0eb6" + } + ], + "resourceVersion": "2670", + "uid": "89db0787-f4c9-4ab5-b02b-67defbbdb9a6" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "nginx" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-gateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-gateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/nginx/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/nginxinc/nginx-unprivileged:1.25-alpine-zarf-1006365545", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/nginx/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 15, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx", + "name": "config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/docker-entrypoint.d", + "name": "docker-entrypoint-d-override" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 101, + "runAsGroup": 101, + "runAsNonRoot": true, + "runAsUser": 101 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-gateway" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "docker-entrypoint-d-override" + }, + { + "name": "kube-api-access-cpqvb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:23Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:23Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://5f264ee0271c2825510e9b372383053db4659e357fac618c08fecb8ee373c3ba", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:56Z" + } + } + }, + { + "containerID": "containerd://82a48ad0040bde0f60f786d7a0e658bd2a4bab8bfa7cb3280d3eed0cd49e30e5", + "image": "127.0.0.1:31999/nginxinc/nginx-unprivileged:1.25-alpine-zarf-1006365545", + "imageID": "127.0.0.1:31999/nginxinc/nginx-unprivileged@sha256:31e948e116a2ac07338d1f0d8578bbc96776f8dcf580a8e658550ba01d5092c4", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:06Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://59bacbddd363664ec02221f6fe141218d05e2c56c146f59eb10b433da6ebd338", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://59bacbddd363664ec02221f6fe141218d05e2c56c146f59eb10b433da6ebd338", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:55Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.38", + "podIPs": [ + { + "ip": "10.42.0.38" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-backend-", + "labels": { + "app.kubernetes.io/component": "backend", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-backend-6f5b99f4f4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-backend-0", + "zarf-agent": "patched" + }, + "name": "loki-backend-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-backend", + "uid": "90b63b4e-2726-4b30-ac3a-42e21400e1cb" + } + ], + "resourceVersion": "2695", + "uid": "09cdbc78-d89b-43fa-a5f6-2d7eedfef742" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-backend" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-backend" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=backend", + "-legacy-read-mode=false" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-backend-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-backend-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-backend-0" + } + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-4pwkx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:03Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:40Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:40Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f7cf99f7432e06180757d37d6cb2048544be45b66b5367f0d99c7cd8cc15b5b8", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:04Z" + } + } + }, + { + "containerID": "containerd://a347cd31324e8c4c86561a9174a8174436da20b2cd74f492af633199a8ec2609", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://a78785d642a7a2e14c962a51b8865d4a3dd9f689a6c42c512ce605a5e770a745", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a78785d642a7a2e14c962a51b8865d4a3dd9f689a6c42c512ce605a5e770a745", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:02Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.42", + "podIPs": [ + { + "ip": "10.42.0.42" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-read-965cc8d57-", + "labels": { + "app.kubernetes.io/component": "read", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "pod-template-hash": "965cc8d57", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-read-965cc8d57-q9xqw", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-read-965cc8d57", + "uid": "a096c654-21f2-41a0-a080-67bd402af70a" + } + ], + "resourceVersion": "2711", + "uid": "ab88bad5-aaba-4ff0-a18d-64b9fa7d5d29" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-read" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-read" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=read", + "-legacy-read-mode=false", + "-common.compactor-grpc-address=loki-backend.loki.svc.cluster.local:9095" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "data" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-n2kwj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:43Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:43Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c861470957edbe2926ec656294db8c78238efc7ac026dfe58bf8ad0a25049112", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:56Z" + } + } + }, + { + "containerID": "containerd://69f206cfa0f0b469ecd7ce7b9c5b10b30aaaa1e0f6570f61777e9c13a9ab52c4", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:06Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c4d5994d71e34abcbbe8c66c67db76a5428d1c8a3a930813095968ebf2bb62c7", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c4d5994d71e34abcbbe8c66c67db76a5428d1c8a3a930813095968ebf2bb62c7", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:54Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.39", + "podIPs": [ + { + "ip": "10.42.0.39" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-write-", + "labels": { + "app.kubernetes.io/component": "write", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-write-79659b658", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-write-0", + "zarf-agent": "patched" + }, + "name": "loki-write-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-write", + "uid": "7e976ccc-6bed-4478-9f9b-4eedbf659a0a" + } + ], + "resourceVersion": "2791", + "uid": "804e6369-2e8b-47d2-b928-2bb63dd24b29" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-write" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-write" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=write" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-write-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-write-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-write-0" + } + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-ncjjq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:03Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:00Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:00Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c2900e7dc1ea13ef0cad59f3890e5a87440335eb506fc74aef8cd477061494e9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:04Z" + } + } + }, + { + "containerID": "containerd://76e63a1ad41c12f9723f810f6bbabe14616a53829d5b754fe10534a3a0387c36", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://d4643293917635ef11462519cc95cace56beae16a233c19f0431e277fe824d30", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d4643293917635ef11462519cc95cace56beae16a233c19f0431e277fe824d30", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:02Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.43", + "podIPs": [ + { + "ip": "10.42.0.43" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:39:53Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-884hh", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "2820", + "uid": "afc727be-bc60-4201-9f4e-2f912e9394cb" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-l28mp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:54Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:53Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://24c510311a248260324ffed1d8fec9f24495fa9f19ab16281eeb2cbddfe9cd1e", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:55Z" + } + } + }, + { + "containerID": "containerd://29bb9a60e7875e06563a9b94c268a6c0b638de4bd51e68b82886ba4b7d184f80", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://7b5a488f9c4532c234492e7f71a84a7565f599de35eb097fd09bc8a6e59fe7e3", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7b5a488f9c4532c234492e7f71a84a7565f599de35eb097fd09bc8a6e59fe7e3", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:54Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.44", + "podIPs": [ + { + "ip": "10.42.0.44" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:39:53Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-prometheus-stack", + "kubectl.kubernetes.io/default-logs-container": "kube-prometheus-stack", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-operator-6db8586956-", + "labels": { + "app": "kube-prometheus-stack-operator", + "app.kubernetes.io/component": "prometheus-operator", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-prometheus-stack-prometheus-operator", + "app.kubernetes.io/part-of": "kube-prometheus-stack", + "app.kubernetes.io/version": "58.7.2", + "chart": "kube-prometheus-stack-58.7.2", + "heritage": "Helm", + "pod-template-hash": "6db8586956", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-prometheus-stack-prometheus-operator", + "service.istio.io/canonical-revision": "58.7.2", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-operator-6db8586956-rf74f", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-operator-6db8586956", + "uid": "126d925c-8844-48ce-832d-09c499c20d50" + } + ], + "resourceVersion": "3204", + "uid": "5b75b4bb-f8f7-4d18-936c-cba1a8f6e3ba" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-prometheus-stack" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + }, + { + "args": [ + "--kubelet-service=kube-system/kube-prometheus-stack-kubelet", + "--localhost=127.0.0.1", + "--prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.74.0", + "--config-reloader-cpu-request=50m", + "--config-reloader-cpu-limit=100m", + "--config-reloader-memory-request=128Mi", + "--config-reloader-memory-limit=128Mi", + "--thanos-default-base-image=quay.io/thanos/thanos:v0.35.0", + "--secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1", + "--web.enable-tls=true", + "--web.cert-file=/cert/cert", + "--web.key-file=/cert/key", + "--web.listen-address=:10250", + "--web.tls-min-version=VersionTLS13" + ], + "env": [ + { + "name": "GOGC", + "value": "30" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-operator:v0.74.0-zarf-2469397602", + "imagePullPolicy": "IfNotPresent", + "name": "kube-prometheus-stack", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/cert", + "name": "tls-secret", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-operator", + "serviceAccountName": "kube-prometheus-stack-operator", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-secret", + "secret": { + "defaultMode": 420, + "secretName": "kube-prometheus-stack-admission" + } + }, + { + "name": "kube-api-access-n477l", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://300e1c3160811b142d6fc7e6118b758b4d4d7b6deefd6ba3509faf05f2ba4023", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://16ab87c01034dc64a06308b99f53f3799f9daa45fd37eba4ffb38314b97549e6", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-operator:v0.74.0-zarf-2469397602", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-operator@sha256:70d94e60cabd216a16769a4443878d807b66461737eae0525cb7c04eaf011757", + "lastState": {}, + "name": "kube-prometheus-stack", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://39bcdbce8270a9a5a79b14ee903685ff7a9379a0453d27386dc1f4b4527146c6", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://39bcdbce8270a9a5a79b14ee903685ff7a9379a0453d27386dc1f4b4527146c6", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.48", + "podIPs": [ + { + "ip": "10.42.0.48" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "cluster-autoscaler.kubernetes.io/safe-to-evict": "true", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "node-exporter", + "kubectl.kubernetes.io/default-logs-container": "node-exporter", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-prometheus-node-exporter-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "prometheus-node-exporter", + "app.kubernetes.io/part-of": "prometheus-node-exporter", + "app.kubernetes.io/version": "1.8.0", + "controller-revision-hash": "6fd5474c88", + "helm.sh/chart": "prometheus-node-exporter-4.34.0", + "jobLabel": "node-exporter", + "pod-template-generation": "1", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus-node-exporter", + "service.istio.io/canonical-revision": "1.8.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-prometheus-node-exporter-wn72h", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "uid": "666ae069-d804-49c8-ab5d-34a2ab7a8b12" + } + ], + "resourceVersion": "3210", + "uid": "998565a1-5d93-46a0-af81-74cb6c23086a" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "automountServiceAccountToken": false, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":9100,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "node-exporter" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/daemonsets/kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/node-exporter/livez\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1},\"/app-health/node-exporter/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + } + ] + }, + { + "args": [ + "--path.procfs=/host/proc", + "--path.sysfs=/host/sys", + "--path.rootfs=/host/root", + "--path.udev.data=/host/root/run/udev/data", + "--web.listen-address=[$(HOST_IP)]:9100", + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)", + "--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$" + ], + "env": [ + { + "name": "HOST_IP", + "value": "0.0.0.0" + } + ], + "image": "127.0.0.1:31999/prometheus/node-exporter:v1.8.1-zarf-3836483114", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "node-exporter", + "ports": [ + { + "containerPort": 9100, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/host/proc", + "name": "proc", + "readOnly": true + }, + { + "mountPath": "/host/sys", + "name": "sys", + "readOnly": true + }, + { + "mountPath": "/host/root", + "mountPropagation": "HostToContainer", + "name": "root", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File" + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "kube-prometheus-stack-prometheus-node-exporter", + "serviceAccountName": "kube-prometheus-stack-prometheus-node-exporter", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/proc", + "type": "" + }, + "name": "proc" + }, + { + "hostPath": { + "path": "/sys", + "type": "" + }, + "name": "sys" + }, + { + "hostPath": { + "path": "/", + "type": "" + }, + "name": "root" + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4406c0f4ff43d6c508b48594bce2dab82d88e5498c587271f507cf546d18ee23", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://98a9836cd7f3996caca67754b18b504e5f686c80cd7b545d157462d3dc012a38", + "image": "127.0.0.1:31999/prometheus/node-exporter:v1.8.1-zarf-3836483114", + "imageID": "127.0.0.1:31999/prometheus/node-exporter@sha256:c13575817446993529a7192d00ec3f3480a3216e93a291dad3ed87bc23887152", + "lastState": {}, + "name": "node-exporter", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://335d322c7a3b61e89b4d477062315217543c2737ae2c479593d09afa799a25f4", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://335d322c7a3b61e89b4d477062315217543c2737ae2c479593d09afa799a25f4", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.47", + "podIPs": [ + { + "ip": "10.42.0.47" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:36Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "alertmanager", + "kubectl.kubernetes.io/default-logs-container": "alertmanager", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:40Z", + "generateName": "alertmanager-kube-prometheus-stack-alertmanager-", + "labels": { + "alertmanager": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/instance": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "alertmanager", + "app.kubernetes.io/version": "0.27.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "alertmanager-kube-prometheus-stack-alertmanager-78f4944b59", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "alertmanager", + "service.istio.io/canonical-revision": "0.27.0", + "statefulset.kubernetes.io/pod-name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "zarf-agent": "patched" + }, + "name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "alertmanager-kube-prometheus-stack-alertmanager", + "uid": "6a488ae0-5112-4b96-853b-9cd35f6866be" + } + ], + "resourceVersion": "3275", + "uid": "3e5d010a-d2f3-439b-98a4-b869f51951f5" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9093,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "alertmanager,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/alertmanager/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/alertmanager/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "--config.file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--storage.path=/alertmanager", + "--data.retention=120h", + "--cluster.listen-address=", + "--web.listen-address=:9093", + "--web.external-url=http://kube-prometheus-stack-alertmanager.monitoring:9093", + "--web.route-prefix=/", + "--cluster.label=monitoring/kube-prometheus-stack-alertmanager", + "--cluster.peer=alertmanager-kube-prometheus-stack-alertmanager-0.alertmanager-operated:9094", + "--cluster.reconnect-timeout=5m", + "--web.config.file=/etc/alertmanager/web_config/web-config.yaml" + ], + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/prometheus/alertmanager:v0.27.0-zarf-3373367403", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "alertmanager", + "ports": [ + { + "containerPort": 9093, + "name": "http-web", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 3, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "requests": { + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume" + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/alertmanager", + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "mountPath": "/etc/alertmanager/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9093/-/reload", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "alertmanager-kube-prometheus-stack-alertmanager-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-alertmanager", + "serviceAccountName": "kube-prometheus-stack-alertmanager", + "subdomain": "alertmanager-operated", + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-generated" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-web-config" + } + }, + { + "emptyDir": {}, + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "name": "kube-api-access-48zfn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:40Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3f0de68c04b02ba3cbab300a9bc068d07ee9df5691ad2d844103ad55ba010739", + "image": "127.0.0.1:31999/prometheus/alertmanager:v0.27.0-zarf-3373367403", + "imageID": "127.0.0.1:31999/prometheus/alertmanager@sha256:2fbdd4c66d91e740fe3fd462d8f52fc3d305a5b403bab3a58feb62be237a84fb", + "lastState": {}, + "name": "alertmanager", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:44Z" + } + } + }, + { + "containerID": "containerd://e776e053c29f01987e2f495f590f509c842044d12d107795e364294058afd841", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:44Z" + } + } + }, + { + "containerID": "containerd://946a964dfc5c57b5f9a650d625b04470f2dd95ca3b366b4dfc35d80d20c5ce67", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:43Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c855457cbe7619fd72c332202f6028543bc953c498ef0039f342546d10bc949e", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c855457cbe7619fd72c332202f6028543bc953c498ef0039f342546d10bc949e", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:42Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:41Z" + } + } + }, + { + "containerID": "containerd://eb4afdfc9260c7e826760af025c0ee12ada879d9282eec2537cafdd305a6755f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eb4afdfc9260c7e826760af025c0ee12ada879d9282eec2537cafdd305a6755f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:42Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:42Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.49", + "podIPs": [ + { + "ip": "10.42.0.49" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:40Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-state-metrics", + "kubectl.kubernetes.io/default-logs-container": "kube-state-metrics", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-kube-state-metrics-65594f9476-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-state-metrics", + "app.kubernetes.io/part-of": "kube-state-metrics", + "app.kubernetes.io/version": "2.12.0", + "helm.sh/chart": "kube-state-metrics-5.19.0", + "pod-template-hash": "65594f9476", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-state-metrics", + "service.istio.io/canonical-revision": "2.12.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-kube-state-metrics-65594f9476-2slwt", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-kube-state-metrics-65594f9476", + "uid": "3907c223-9229-433f-b8d5-dbde08ebb417" + } + ], + "resourceVersion": "3283", + "uid": "6ef328fe-f9b7-4096-9d62-428d08d83846" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-state-metrics" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/kube-state-metrics/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/kube-state-metrics/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + }, + { + "args": [ + "--port=8080", + "--resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments" + ], + "image": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics:v2.12.0-zarf-3970135638", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "kube-state-metrics", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-kube-state-metrics", + "serviceAccountName": "kube-prometheus-stack-kube-state-metrics", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-bhqx5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ec96f7c2c7a98a6357c94d5b2a781a609711f20a43d648da26de81c4c6c2731d", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://7ff7eb875d8cd5356fa58effc23fad66a140ca93993e6cab41d79dae449865cc", + "image": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics:v2.12.0-zarf-3970135638", + "imageID": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics@sha256:0b849c2a1fd2a8e3a8465803c0e0853e063fd89b33ad10847f82152b8f1f7066", + "lastState": {}, + "name": "kube-state-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://a6e05bbe29a830534010f6447eb2f86ea4016a7f54e69dff89fe2f43f52c74d7", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a6e05bbe29a830534010f6447eb2f86ea4016a7f54e69dff89fe2f43f52c74d7", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.46", + "podIPs": [ + { + "ip": "10.42.0.46" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "prometheus", + "kubectl.kubernetes.io/default-logs-container": "prometheus", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/config": "proxyMetadata:\n OUTPUT_CERTS: /etc/istio-output-certs\n", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "sidecar.istio.io/userVolumeMount": "[{\"name\": \"istio-certs\", \"mountPath\": \"/etc/istio-output-certs\"}]", + "traffic.sidecar.istio.io/includeOutboundIPRanges": "", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:40:40Z", + "generateName": "prometheus-kube-prometheus-stack-prometheus-", + "labels": { + "app": "prometheus", + "app.kubernetes.io/instance": "kube-prometheus-stack-prometheus", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "prometheus", + "app.kubernetes.io/version": "2.52.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "prometheus-kube-prometheus-stack-prometheus-7fdcfb85d6", + "operator.prometheus.io/name": "kube-prometheus-stack-prometheus", + "operator.prometheus.io/shard": "0", + "prometheus": "kube-prometheus-stack-prometheus", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus", + "service.istio.io/canonical-revision": "2.52.0", + "statefulset.kubernetes.io/pod-name": "prometheus-kube-prometheus-stack-prometheus-0", + "zarf-agent": "patched" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "prometheus-kube-prometheus-stack-prometheus", + "uid": "381a9a1e-c0bf-4ae6-bee6-e45ab1b164dd" + } + ], + "resourceVersion": "3396", + "uid": "ec959d87-ee81-4018-8633-cfbdd070a726" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"proxyMetadata\":{\"OUTPUT_CERTS\":\"/etc/istio-output-certs\"},\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9090,\"protocol\":\"TCP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "prometheus,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/prometheus/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/startupz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/etc/istio-output-certs", + "name": "istio-certs" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "--web.console.templates=/etc/prometheus/consoles", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--config.file=/etc/prometheus/config_out/prometheus.env.yaml", + "--web.enable-lifecycle", + "--enable-feature=remote-write-receiver", + "--web.external-url=http://kube-prometheus-stack-prometheus.monitoring:9090", + "--web.route-prefix=/", + "--storage.tsdb.retention.time=10d", + "--storage.tsdb.path=/prometheus", + "--storage.tsdb.wal-compression", + "--web.config.file=/etc/prometheus/web_config/web-config.yaml" + ], + "image": "127.0.0.1:31999/prometheus/prometheus:v2.52.0-zarf-1047855950", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 6, + "httpGet": { + "path": "/app-health/prometheus/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "prometheus", + "ports": [ + { + "containerPort": 9090, + "name": "http-web", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/prometheus/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "300m", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "startupProbe": { + "failureThreshold": 60, + "httpGet": { + "path": "/app-health/prometheus/startupz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/prometheus/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/prometheus", + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "subPath": "prometheus-db" + }, + { + "mountPath": "/etc/prom-certs/", + "name": "istio-certs" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/etc/prometheus/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9090/-/reload", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "prometheus-kube-prometheus-stack-prometheus-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-prometheus", + "serviceAccountName": "kube-prometheus-stack-prometheus", + "shareProcessNamespace": false, + "subdomain": "prometheus-operated", + "terminationGracePeriodSeconds": 600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "persistentVolumeClaim": { + "claimName": "prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0" + } + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "prometheus-kube-prometheus-stack-prometheus-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "configMap": { + "defaultMode": 420, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus-web-config" + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-certs" + }, + { + "name": "kube-api-access-zch2v", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:00Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:00Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:44Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://86023ec56c04e539dbeb150747ffdb73ed4db0e6af05fe19a80ebc03dc698356", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:49Z" + } + } + }, + { + "containerID": "containerd://2860f0575865ade2911ba880f45f070844a844b691f491e6bc6adf864983984e", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:47Z" + } + } + }, + { + "containerID": "containerd://ab41954c1d1aed6af64c9107fbc2b3052f5eaea167c56f2a534820225898f315", + "image": "127.0.0.1:31999/prometheus/prometheus:v2.52.0-zarf-1047855950", + "imageID": "127.0.0.1:31999/prometheus/prometheus@sha256:b922bb8c3ddb40066be79e704e22b94513acaada413fd22eb99ea4afe8740b43", + "lastState": {}, + "name": "prometheus", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://ecad69b5666b61947da072fbe6d161f43fef167201774ce899824141aee820fe", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ecad69b5666b61947da072fbe6d161f43fef167201774ce899824141aee820fe", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:45Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:45Z" + } + } + }, + { + "containerID": "containerd://afa5faa7fb1c89b49d309d4ecc89fd93681e6ab9f8ea4b23e1c9762bb11225ff", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://afa5faa7fb1c89b49d309d4ecc89fd93681e6ab9f8ea4b23e1c9762bb11225ff", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:46Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:46Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.51", + "podIPs": [ + { + "ip": "10.42.0.51" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:44Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:41:09Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-nxn6p", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "3566", + "uid": "cc4d43f8-aa36-429e-aa94-f827d5cb915c" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-q4k2v", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:12Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:31Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:31Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:09Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://95214988c5f738e7d783d5486867b1262db461e51ac0fe44aa1da7cadb982390", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:12Z" + } + } + }, + { + "containerID": "containerd://bb10636ff8f86e1faed4105e47dc92f9d71192271867421be5edf1763ae697af", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:15Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://87c33d4712b6b7fe0fe3a33257677cb8fa1b4898e956e2144044d1909cfc5251", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://87c33d4712b6b7fe0fe3a33257677cb8fa1b4898e956e2144044d1909cfc5251", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:11Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:11Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.55", + "podIPs": [ + { + "ip": "10.42.0.55" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:09Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "5e25fa9a618f14d4d9593ca3a824ce003a30a8cbb52327a8e9b818ac547c3cc5", + "checksum/sc-dashboard-provider-config": "593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c", + "checksum/secret": "4b38b5e9fc91844d569e9bebd5496fd9ad287f48dbe68676c670b0a3a12dd139", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "grafana", + "kubectl.kubernetes.io/default-logs-container": "grafana-sc-dashboard", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:41:48Z", + "generateName": "grafana-686487c574-", + "labels": { + "app.kubernetes.io/instance": "grafana", + "app.kubernetes.io/name": "grafana", + "pod-template-hash": "686487c574", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "grafana", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "grafana-686487c574-48lqp", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "grafana-686487c574", + "uid": "33cb3601-ba2a-4f7c-a637-605d9840731d" + } + ], + "resourceVersion": "3736", + "uid": "2b71baf7-7125-4567-a82d-4447558f7672" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"grafana\",\"containerPort\":3000,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "grafana-sc-dashboard,grafana-sc-datasources,grafana" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "grafana" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/grafana/deployments/grafana" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/grafana/livez\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":30},\"/app-health/grafana/readyz\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_dashboard" + }, + { + "name": "FOLDER", + "value": "/tmp/dashboards" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "NAMESPACE", + "value": "ALL" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/dashboards/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-dashboard", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_datasource" + }, + { + "name": "FOLDER", + "value": "/etc/grafana/provisioning/datasources" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/datasources/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-datasources", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_USER", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "GF_PATHS_DATA", + "value": "/var/lib/grafana/" + }, + { + "name": "GF_PATHS_LOGS", + "value": "/var/log/grafana" + }, + { + "name": "GF_PATHS_PLUGINS", + "value": "/var/lib/grafana/plugins" + }, + { + "name": "GF_PATHS_PROVISIONING", + "value": "/etc/grafana/provisioning" + } + ], + "image": "127.0.0.1:31999/grafana/grafana:10.4.2-zarf-855602154", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/grafana/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 30 + }, + "name": "grafana", + "ports": [ + { + "containerPort": 3000, + "name": "grafana", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/grafana/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/grafana.ini", + "name": "config", + "subPath": "grafana.ini" + }, + { + "mountPath": "/var/lib/grafana", + "name": "storage" + }, + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml", + "name": "sc-dashboard-provider", + "subPath": "provider.yaml" + }, + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/etc/secrets/auth_generic_oauth", + "name": "auth-generic-oauth-secret-mount", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 472, + "runAsGroup": 472, + "runAsNonRoot": true, + "runAsUser": 472 + }, + "serviceAccount": "grafana", + "serviceAccountName": "grafana", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "storage" + }, + { + "emptyDir": {}, + "name": "sc-dashboard-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana-config-dashboards" + }, + "name": "sc-dashboard-provider" + }, + { + "emptyDir": {}, + "name": "sc-datasources-volume" + }, + { + "name": "auth-generic-oauth-secret-mount", + "secret": { + "defaultMode": 288, + "secretName": "sso-client-uds-core-admin-grafana" + } + }, + { + "name": "kube-api-access-bn7rz", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:57Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:07Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:07Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:48Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8758e045b633cc11094f4c891a56a432b56a6874ab8a15473c68b96b93a7003d", + "image": "127.0.0.1:31999/grafana/grafana:10.4.2-zarf-855602154", + "imageID": "127.0.0.1:31999/grafana/grafana@sha256:173b46f35cdbcb4b137868a5488be265eb0bb8487d959bb970e62171225f202f", + "lastState": {}, + "name": "grafana", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:04Z" + } + } + }, + { + "containerID": "containerd://667eaa618923b71ef9eb723f5b1f5f38b4b60120aa3289e50d1786f318622182", + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imageID": "127.0.0.1:31999/kiwigrid/k8s-sidecar@sha256:b2e05106a897584f31a33dbd9f3efd1a5153f2197d2bd3213d94e23a6f32f725", + "lastState": {}, + "name": "grafana-sc-dashboard", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:59Z" + } + } + }, + { + "containerID": "containerd://5f5ed8e1abe482780cf6ae0cfd2b40af044f5dfdbf1eb9898f3bb9bc67b933bf", + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imageID": "127.0.0.1:31999/kiwigrid/k8s-sidecar@sha256:b2e05106a897584f31a33dbd9f3efd1a5153f2197d2bd3213d94e23a6f32f725", + "lastState": {}, + "name": "grafana-sc-datasources", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:59Z" + } + } + }, + { + "containerID": "containerd://d7d3d74612b6b1b8f2fed8a9cfc29aa12c9d008953225878eafb2601512e6ca9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://64084b27ff629f5e4bb83082243539ed0475d0f0ba2dd54dcde057467b6968dc", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://64084b27ff629f5e4bb83082243539ed0475d0f0ba2dd54dcde057467b6968dc", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:57Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:56Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.57", + "podIPs": [ + { + "ip": "10.42.0.57" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:48Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "f0969d09510ef78afd7c2ce0bcab5032fd83dd4fab9b7455113fa6d4d7197026", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "authservice", + "kubectl.kubernetes.io/default-logs-container": "authservice", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generateName": "authservice-5dbcd95947-", + "labels": { + "app.kubernetes.io/instance": "authservice", + "app.kubernetes.io/name": "authservice", + "pod-template-hash": "5dbcd95947", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "authservice", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "authservice-5dbcd95947-p9snb", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "authservice-5dbcd95947", + "uid": "6c0d36a6-4b81-4b40-ac7c-76ab963e2679" + } + ], + "resourceVersion": "3834", + "uid": "eb91bbd4-18ed-4da6-a672-1c61fdbd3a9f" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":10003,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "authservice" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "authservice" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/authservice/deployments/authservice" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/authservice/livez\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1},\"/app-health/authservice/readyz\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/istio-ecosystem/authservice/authservice:0.5.3-zarf-3409882933", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "authservice", + "ports": [ + { + "containerPort": 10003, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/authservice", + "name": "authservice" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "authservice", + "secret": { + "defaultMode": 420, + "secretName": "authservice" + } + }, + { + "name": "kube-api-access-q92n7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:16Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:20Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:20Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:14Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3649352210284b1182b34bac205eba605ff6d74a030fe9d90f1df4b09adf9560", + "image": "127.0.0.1:31999/istio-ecosystem/authservice/authservice:0.5.3-zarf-3409882933", + "imageID": "127.0.0.1:31999/istio-ecosystem/authservice/authservice@sha256:eeb082929ebf22bebd3141f23916694add1e4ab607b2c15ffa30a919998a6528", + "lastState": {}, + "name": "authservice", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:18Z" + } + } + }, + { + "containerID": "containerd://fe10bfd4a4c2b9f92d2e49168ad69df0dcb172c6e46c01bdafb2c08979510d9a", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:17Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://cd30bb943578b69f28539b8a557632663ed71d94565c353a1be25e4d4904bc27", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://cd30bb943578b69f28539b8a557632663ed71d94565c353a1be25e4d4904bc27", + "exitCode": 0, + "finishedAt": "2024-06-07T14:42:15Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:42:15Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.59", + "podIPs": [ + { + "ip": "10.42.0.59" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:42:14Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "79f899ac6a4a76b043e67e4b17b25dfdf1b899526953bf3015fc1b4e41123ee5", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "velero", + "kubectl.kubernetes.io/default-logs-container": "velero", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:42:59Z", + "generateName": "velero-5d99fdc5b5-", + "labels": { + "app.kubernetes.io/instance": "velero", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "velero", + "helm.sh/chart": "velero-6.6.0", + "name": "velero", + "pod-template-hash": "5d99fdc5b5", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "velero", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "velero-5d99fdc5b5-6rk9f", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "velero-5d99fdc5b5", + "uid": "d76f7c15-69e5-4c4c-8607-be0149ea25e0" + } + ], + "resourceVersion": "4167", + "uid": "4748be5d-80a0-4556-bf6b-d327ec8f3008" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-monitoring\",\"containerPort\":8085,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "velero" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "velero" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/velero/deployments/velero" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/velero/livez\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/velero/readyz\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "args": [ + "server", + "--uploader-type=kopia" + ], + "command": [ + "/velero" + ], + "env": [ + { + "name": "VELERO_SCRATCH_DIR", + "value": "/scratch" + }, + { + "name": "VELERO_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "LD_LIBRARY_PATH", + "value": "/plugins" + }, + { + "name": "AWS_SHARED_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "GOOGLE_APPLICATION_CREDENTIALS", + "value": "/credentials/cloud" + }, + { + "name": "AZURE_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "ALIBABA_CLOUD_CREDENTIALS_FILE", + "value": "/credentials/cloud" + } + ], + "image": "127.0.0.1:31999/velero/velero:v1.13.2-zarf-726794283", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "velero", + "ports": [ + { + "containerPort": 8085, + "name": "http-monitoring", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "512Mi" + }, + "requests": { + "cpu": "500m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/plugins", + "name": "plugins" + }, + { + "mountPath": "/credentials", + "name": "cloud-credentials" + }, + { + "mountPath": "/scratch", + "name": "scratch" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/velero/velero-plugin-for-aws:v1.9.2-zarf-3048596433", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-aws", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/velero/velero-plugin-for-csi:v0.7.1-zarf-792660929", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-csi", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "velero-server", + "serviceAccountName": "velero-server", + "terminationGracePeriodSeconds": 3600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "cloud-credentials", + "secret": { + "defaultMode": 420, + "secretName": "velero-bucket-credentials" + } + }, + { + "emptyDir": {}, + "name": "plugins" + }, + { + "emptyDir": {}, + "name": "scratch" + }, + { + "name": "kube-api-access-2gnxr", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:04Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3a5b45dc41df6b3431ef268b83129a2e58a9d7e1c6107ad48d8cdcd7e2f80c32", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:43:04Z" + } + } + }, + { + "containerID": "containerd://ef189f589c4bb96baf1e9787c84423f70d56d6eb907e9de21c292d7b372ff97a", + "image": "127.0.0.1:31999/velero/velero:v1.13.2-zarf-726794283", + "imageID": "127.0.0.1:31999/velero/velero@sha256:94c06080c3297fbdfd9877c60fdbfd0e9ee6ff04368dcdfb5343f5fb2d29568a", + "lastState": {}, + "name": "velero", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:43:04Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://44cd80e33ce5c513f01467f04c99358348cfb34d666ee5ff95c5c2c41d3427e1", + "image": "127.0.0.1:31999/velero/velero-plugin-for-aws:v1.9.2-zarf-3048596433", + "imageID": "127.0.0.1:31999/velero/velero-plugin-for-aws@sha256:3c0114ecb87368556cf8415959ceb82e1fca053ca1d049f115a43c2e0e2c3c66", + "lastState": {}, + "name": "velero-plugin-for-aws", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://44cd80e33ce5c513f01467f04c99358348cfb34d666ee5ff95c5c2c41d3427e1", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:00Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:00Z" + } + } + }, + { + "containerID": "containerd://7315f8c7db9149bf9abd9128ac1c42e46a604f605aacfda4cf71393ec20b2199", + "image": "127.0.0.1:31999/velero/velero-plugin-for-csi:v0.7.1-zarf-792660929", + "imageID": "127.0.0.1:31999/velero/velero-plugin-for-csi@sha256:d9e0d38f3d46596d293f118269f2e08da5e14cbc3c10f1bb612035938bec674d", + "lastState": {}, + "name": "velero-plugin-for-csi", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7315f8c7db9149bf9abd9128ac1c42e46a604f605aacfda4cf71393ec20b2199", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:02Z" + } + } + }, + { + "containerID": "containerd://0af4e7f30ecd4098890b50dc1cb0e624d63d64e0b492393c2ea3c63c16d24b2c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://0af4e7f30ecd4098890b50dc1cb0e624d63d64e0b492393c2ea3c63c16d24b2c", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:03Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:03Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.61", + "podIPs": [ + { + "ip": "10.42.0.61" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:42:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-08T11:31:45Z", + "generateName": "neuvector-updater-pod-28630080-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "69a3dfd3-1798-4541-abaf-9fd045080de1", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28630080", + "controller-uid": "69a3dfd3-1798-4541-abaf-9fd045080de1", + "job-name": "neuvector-updater-pod-28630080", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28630080-nk5f5", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28630080", + "uid": "69a3dfd3-1798-4541-abaf-9fd045080de1" + } + ], + "resourceVersion": "39926", + "uid": "f3c05205-e1b8-43a5-95dd-cd1b1c02bc0a" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-htlkn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:47Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d9347e9017d5617a7de62560cf88ef083c8ada121d990de1f018f99bd14679ca", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d9347e9017d5617a7de62560cf88ef083c8ada121d990de1f018f99bd14679ca", + "exitCode": 0, + "finishedAt": "2024-06-08T11:48:39Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:47Z" + } + } + }, + { + "containerID": "containerd://ee6790449c2b5e20ed19274f3a62702d326fa3121e4647bb09e09417591b9178", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ee6790449c2b5e20ed19274f3a62702d326fa3121e4647bb09e09417591b9178", + "exitCode": 0, + "finishedAt": "2024-06-08T11:31:48Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:48Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://29f61aa06527ee52396a19aa736ddc72af53e22473846388985dffc5150f7072", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://29f61aa06527ee52396a19aa736ddc72af53e22473846388985dffc5150f7072", + "exitCode": 0, + "finishedAt": "2024-06-08T11:31:46Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:46Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.63", + "podIPs": [ + { + "ip": "10.42.0.63" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-08T11:31:45Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-10T00:55:32Z", + "generateName": "neuvector-updater-pod-28632960-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28632960", + "controller-uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d", + "job-name": "neuvector-updater-pod-28632960", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28632960-srlcm", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28632960", + "uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d" + } + ], + "resourceVersion": "86760", + "uid": "1986d29e-0aae-4950-ad47-f0aafa4731da" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-lk4bq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:33Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://bf16d1f44e578b7dc9799c600d907aa1ba6cd8da18ad9160441b047f0565e15a", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bf16d1f44e578b7dc9799c600d907aa1ba6cd8da18ad9160441b047f0565e15a", + "exitCode": 0, + "finishedAt": "2024-06-10T01:00:14Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:33Z" + } + } + }, + { + "containerID": "containerd://c633a58176a56e81c28a3f6dd89df85c7510f30d83e31aeb49dea202542f67e7", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c633a58176a56e81c28a3f6dd89df85c7510f30d83e31aeb49dea202542f67e7", + "exitCode": 0, + "finishedAt": "2024-06-10T00:55:34Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:34Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://b22e1a4cc3028ccab180463eb23d8e5bb60b95fbb89be72c0c9cc56b90b69197", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://b22e1a4cc3028ccab180463eb23d8e5bb60b95fbb89be72c0c9cc56b90b69197", + "exitCode": 0, + "finishedAt": "2024-06-10T00:55:33Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:32Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.67", + "podIPs": [ + { + "ip": "10.42.0.67" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-10T00:55:32Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "a54b4b978607806a73c1e79d416367816e4d9407c7f1cffa13519cfc40a654fc", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "promtail", + "kubectl.kubernetes.io/default-logs-container": "promtail", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictSELinuxType": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:41:06Z", + "generateName": "promtail-", + "labels": { + "app.kubernetes.io/instance": "promtail", + "app.kubernetes.io/name": "promtail", + "controller-revision-hash": "7fdf7b776f", + "pod-template-generation": "1", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "promtail", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "promtail-zkfwh", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "promtail", + "uid": "a2aecb14-ea43-49fd-86c3-d8d5e196c826" + } + ], + "resourceVersion": "87037", + "uid": "5db68d80-533b-4d72-a5ea-560a3363b9af" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3101,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "promtail" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "promtail" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/promtail/daemonsets/promtail" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/promtail/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3101,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/promtail/promtail.yaml", + "-config.expand-env=true" + ], + "env": [ + { + "name": "HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "NODE_HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + } + ], + "image": "127.0.0.1:31999/grafana/promtail:2.9.6-zarf-1225602080", + "imagePullPolicy": "IfNotPresent", + "name": "promtail", + "ports": [ + { + "containerPort": 3101, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/promtail/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "750Mi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsUser": 0, + "seLinuxOptions": { + "type": "spc_t" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/promtail", + "name": "config" + }, + { + "mountPath": "/run/promtail", + "name": "run" + }, + { + "mountPath": "/var/lib/docker/containers", + "name": "containers", + "readOnly": true + }, + { + "mountPath": "/var/log/pods", + "name": "pods", + "readOnly": true + }, + { + "mountPath": "/var/log", + "name": "varlog", + "readOnly": true + }, + { + "mountPath": "/etc/machine-id", + "name": "machine-id", + "readOnly": true, + "subPath": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 0, + "runAsUser": 0 + }, + "serviceAccount": "promtail", + "serviceAccountName": "promtail", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "promtail" + } + }, + { + "hostPath": { + "path": "/run/promtail", + "type": "" + }, + "name": "run" + }, + { + "hostPath": { + "path": "/var/lib/docker/containers", + "type": "" + }, + "name": "containers" + }, + { + "hostPath": { + "path": "/var/log/pods", + "type": "" + }, + "name": "pods" + }, + { + "hostPath": { + "path": "/var/log", + "type": "" + }, + "name": "varlog" + }, + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-scgmx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:07Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T01:06:08Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T01:06:08Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://1dc041a71a446c38cdc81140347809723b69c991cf5411cc1d16ffc8d9bf2841", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:07Z" + } + } + }, + { + "containerID": "containerd://f9860f638119e65159c9d69c8388948029967b934bdc418639cac5c8cddd27f7", + "image": "127.0.0.1:31999/grafana/promtail:2.9.6-zarf-1225602080", + "imageID": "127.0.0.1:31999/grafana/promtail@sha256:1b407c081c4da6e32489b21aa2972b1621f4daf10c94e8404d1cd90517f3750e", + "lastState": {}, + "name": "promtail", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://96b2c6ab5ca922aaf00fc6921ae36994ef2051c744f180fbd1420a2e744add7c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://96b2c6ab5ca922aaf00fc6921ae36994ef2051c744f180fbd1420a2e744add7c", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:06Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:06Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.54", + "podIPs": [ + { + "ip": "10.42.0.54" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:47Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-rf24r", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138526", + "uid": "1ba0dcf8-45d3-4393-92b1-00817ec2493b" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-98vks", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:47Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://647e5e933b75f3e70c893a63f96d513cd0b623445dc5d429939d1354fb03cc94", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:47Z" + } + } + }, + { + "containerID": "containerd://5c51efbb71dc083324abfc457ce7eed5c0cbe57af2cd09fcfe169e2d99a58736", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c326c54f411815f5683dfd974c736f517b0e87592c961bdf5ae25d4b339df2c5", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c326c54f411815f5683dfd974c736f517b0e87592c961bdf5ae25d4b339df2c5", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:47Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.72", + "podIPs": [ + { + "ip": "10.42.0.72" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:47Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:44Z", + "generateName": "neuvector-updater-pod-28634400-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28634400", + "controller-uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4", + "job-name": "neuvector-updater-pod-28634400", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28634400-v9nc8", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28634400", + "uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4" + } + ], + "resourceVersion": "138550", + "uid": "62475b5a-c8be-4be5-8060-b70fc86461d6" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-ddtp7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:45Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://31cd2632709a932190127d542486373c4e430c0283272027ce62d87da1d15297", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://31cd2632709a932190127d542486373c4e430c0283272027ce62d87da1d15297", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:45Z" + } + } + }, + { + "containerID": "containerd://7bbe44f88ba5d60455901cf3d72b062febd747ea00d8f86eaa09e0e319609564", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7bbe44f88ba5d60455901cf3d72b062febd747ea00d8f86eaa09e0e319609564", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://0f86c6046ed396b80875c078e48cabbc9f1f62c26d60915837af8abb12cecb42", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://0f86c6046ed396b80875c078e48cabbc9f1f62c26d60915837af8abb12cecb42", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:45Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:45Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.71", + "podIPs": [ + { + "ip": "10.42.0.71" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:44Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:51Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-cwktq", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138586", + "uid": "5b0b8948-e33f-4297-8925-1a61c7291ccc" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-fhcbk", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://798c5d64425e4e8b2c7ccc7c62261c243f0c8aadef350586b990f1613a75fb99", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:54Z" + } + } + }, + { + "containerID": "containerd://70ae20d4a72d5e82acaec8f9578e2848b7caa87bb655cfa7a354bcb9d4761075", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://bdf5ff10ecc5803860394337c1292e6ecf70697237c475d45f3709f9be182c22", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bdf5ff10ecc5803860394337c1292e6ecf70697237c475d45f3709f9be182c22", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:53Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:53Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.73", + "podIPs": [ + { + "ip": "10.42.0.73" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:58Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-2ql2b", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138639", + "uid": "bb6e8ac5-e279-4a60-b8be-48fad5c09ad0" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-8fdrp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:00Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:05Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:05Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://122a7872b5f34d96da8607e4020dfd7a80c98d44150dcae36e6cbc40f98a5b2d", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:26:00Z" + } + } + }, + { + "containerID": "containerd://be1e0c4652b178c5bab2265deb3118f095837420337b411619f5cb87e78e67d1", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:26:03Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://8a954c6decc8bd6157607955078629f0d43b2629c89efd24900b5d317b92d547", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://8a954c6decc8bd6157607955078629f0d43b2629c89efd24900b5d317b92d547", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:59Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:59Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.74", + "podIPs": [ + { + "ip": "10.42.0.74" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:58Z" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/prometheus-annotations-validation/tests.yaml b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml new file mode 100644 index 000000000..a17450e71 --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml @@ -0,0 +1,13 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-pods-missing-annotations + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations["prometheus.io/scrape"] = false else . end)' + expected-validation: false diff --git a/compliance/validations/istio/prometheus-annotations-validation/validation.yaml b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml new file mode 100644 index 000000000..1d736e563 --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml @@ -0,0 +1,63 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-prometheus-annotations-validation + uuid: f345c359-3208-46fb-9348-959bd628301e +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: pods + resource-rule: + resource: pods + version: v1 + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Check for required Istio and Prometheus annotations + validate if { + has_prometheus_annotation.result + } + + msg = has_prometheus_annotation.msg + msg_exempted_namespaces = concat(", ", exempt_namespaces) + + # Check for prometheus annotations in pod spec + no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] + + has_prometheus_annotation = {"result": true, "msg": msg} if { + count(no_annotation) == 0 + msg := "All pods have correct prometheus annotations." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) + } + + contains_annotation(pod) if { + annotations := pod.metadata.annotations + annotations["prometheus.io/scrape"] == "true" + annotations["prometheus.io/path"] != "" + annotations["prometheus.io/port"] == "15020" + } + + # Exemptions + exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempted_namespaces diff --git a/compliance/validations/istio/rbac-enforcement-check/README.md b/compliance/validations/istio/rbac-enforcement-check/README.md new file mode 100644 index 000000000..22103df95 --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-rbac-enforcement-check + +**INPUT** - This validation collects AuthorizationPolicy resources from all namespaces in the Kubernetes cluster. + +**POLICY** - This policy checks that Istio RBAC is enforced by ensuring that AuthorizationPolicy resources are present in the cluster. + +**NOTES** - Ensure that the AuthorizationPolicy resources are correctly specified in the policy. The policy will fail if no AuthorizationPolicy resources are found. \ No newline at end of file diff --git a/compliance/validations/istio/rbac-enforcement-check/resources.json b/compliance/validations/istio/rbac-enforcement-check/resources.json new file mode 100644 index 000000000..999d1ea81 --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/resources.json @@ -0,0 +1,177 @@ +{ + "authorizationPolicies": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:02Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1656", + "uid": "cda7ec8f-f7b7-4873-a1e2-5c6ec722f7e4" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3764", + "uid": "de7038cb-62fc-449e-b846-abab3432e39e" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "authservice", + "namespace": "istio-system", + "resourceVersion": "3767", + "uid": "5ca626af-4cd3-4652-90d5-3ab8b0d5d72c" + }, + "spec": { + "action": "CUSTOM", + "provider": { + "name": "authservice" + }, + "rules": [ + { + "when": [ + { + "key": "request.headers[authorization]", + "notValues": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/rbac-enforcement-check/tests.yaml b/compliance/validations/istio/rbac-enforcement-check/tests.yaml new file mode 100644 index 000000000..52e2a0aca --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/tests.yaml @@ -0,0 +1,13 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-authorization-policies + validation: validation.yaml + resources: resources.json + permutation: ".authorizationPolicies = []" + expected-validation: false diff --git a/compliance/validations/istio/rbac-enforcement-check/validation.yaml b/compliance/validations/istio/rbac-enforcement-check/validation.yaml new file mode 100644 index 000000000..105bddb22 --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/validation.yaml @@ -0,0 +1,45 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-rbac-enforcement-check + uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicies + resource-rule: + group: security.istio.io + resource: authorizationpolicies + version: v1beta1 + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Istio RBAC not enforced: No authorization policies found." + + # Evaluation for Istio Authorization Policies + validate if { + count(all_auth_policies) > 0 + } + + # Get all authorization policies + all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } + + msg = "Istio RBAC enforced" if { + validate + } + msg_all_auth_policies = concat(", ", all_auth_policies) + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_all_auth_policies diff --git a/compliance/validations/istio/rbac-for-approved-personnel/README.md b/compliance/validations/istio/rbac-for-approved-personnel/README.md new file mode 100644 index 000000000..e287175b1 --- /dev/null +++ b/compliance/validations/istio/rbac-for-approved-personnel/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-rbac-for-approved-personnel-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder for checking RBAC for approved personnel. + +**NOTES** - The policy needs to be updated to include the necessary resources and logic to check for RBAC for approved personnel. \ No newline at end of file diff --git a/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml new file mode 100644 index 000000000..562a24113 --- /dev/null +++ b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml @@ -0,0 +1,17 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-rbac-for-approved-personnel-PLACEHOLDER + uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md new file mode 100644 index 000000000..60bd209cd --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - request-authenication-and-auth-policies-configured + +**INPUT** - This validation collects RequestAuthentication and AuthorizationPolicy resources from all namespaces in the Kubernetes cluster. + +**POLICY** - This policy checks that both RequestAuthentication and AuthorizationPolicy resources are configured correctly in the cluster. + +**NOTES** - Ensure that the RequestAuthentication and AuthorizationPolicy resources are correctly specified in the policy. The policy will fail if any of these resources are missing or improperly configured. \ No newline at end of file diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json new file mode 100644 index 000000000..2f862bcb6 --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json @@ -0,0 +1,212 @@ +{ + "authorizationPolicy": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:02Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1656", + "uid": "cda7ec8f-f7b7-4873-a1e2-5c6ec722f7e4" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3764", + "uid": "de7038cb-62fc-449e-b846-abab3432e39e" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "authservice", + "namespace": "istio-system", + "resourceVersion": "3767", + "uid": "5ca626af-4cd3-4652-90d5-3ab8b0d5d72c" + }, + "spec": { + "action": "CUSTOM", + "provider": { + "name": "authservice" + }, + "rules": [ + { + "when": [ + { + "key": "request.headers[authorization]", + "notValues": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ], + "requestAuthentication": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "RequestAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authn", + "namespace": "istio-system", + "resourceVersion": "3773", + "uid": "108e0c7d-15d5-429e-ab45-a8a0eda7aee0" + }, + "spec": { + "jwtRules": [ + { + "forwardOriginalToken": true, + "issuer": "https://login.uds.dev/auth/realms/doug", + "jwksUri": "https://login.uds.dev/auth/realms/doug/protocol/openid-connect/certs" + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml new file mode 100644 index 000000000..3205dd54e --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml @@ -0,0 +1,28 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-jwt-rules + validation: validation.yaml + resources: resources.json + permutation: "del(.requestAuthentication[0].spec.jwtRules)" + expected-validation: false + - test: remove-auth-rules + validation: validation.yaml + resources: resources.json + permutation: "del(.authorizationPolicy[0].spec.rules)" + expected-validation: false + - test: remove-authorization-policies + validation: validation.yaml + resources: resources.json + permutation: ".authorizationPolicy = []" + expected-validation: false + - test: remove-request-authentications + validation: validation.yaml + resources: resources.json + permutation: ".requestAuthentication = []" + expected-validation: false diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml new file mode 100644 index 000000000..2d4994c87 --- /dev/null +++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml @@ -0,0 +1,89 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: request-authenication-and-auth-policies-configured + uuid: 3e217577-930e-4469-a999-1a5704b5cecb +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: requestAuthentication + resource-rule: + group: security.istio.io + resource: requestauthentications + namespaces: [] + version: v1beta1 + - name: authorizationPolicy + resource-rule: + group: security.istio.io + resource: authorizationpolicies + namespaces: [] + version: v1beta1 +provider: + type: opa + opa-spec: + rego: | + package validate + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate both RequestAuthentication and AuthorizationPolicy are configured + validate { + authorization_policies_exist_and_configured.result + request_authentications_exist_and_configured.result + } + + msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg]) + + # Check AuthorizationPolicies exist and are configured + bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | + authPolicy := input.authorizationPolicy[_] + authPolicy.kind == "AuthorizationPolicy" + authorization_policy_not_configured(authPolicy) + } + + authorization_policy_not_configured(ap) { + # Check for missing or improperly configured rules + not ap.spec.rules + } + + authorization_policies_exist_and_configured = {"result": true, "msg": msg} { + count(input.authorizationPolicy) > 0 + count(bad_auth_policies) == 0 + msg := "All AuthorizationPolicies properly configured." + } else = {"result": false, "msg": msg} { + count(input.authorizationPolicy) == 0 + msg := "No AuthorizationPolicies found." + } else = {"result": false, "msg": msg} { + msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)]) + } + + # Check RequestAuthentications exist and are configured + bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) | + ra := input.requestAuthentication[_] + ra.kind == "RequestAuthentication" + request_authentication_not_configured(ra) + } + + request_authentication_not_configured(ra) { + # Check for missing or improperly configured JWT rules + not ra.spec.jwtRules + } + + request_authentications_exist_and_configured = {"result": true, "msg": msg} { + count(input.requestAuthentication) > 0 + count(bad_request_authentications) == 0 + msg := "All RequestAuthentications properly configured." + } else = {"result": false, "msg": msg} { + count(input.requestAuthentication) == 0 + msg := "No RequestAuthentications found." + } else = {"result": false, "msg": msg} { + msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)]) + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/compliance/validations/istio/secure-communication-with-istiod/README.md b/compliance/validations/istio/secure-communication-with-istiod/README.md new file mode 100644 index 000000000..6d2ea4b5b --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - secure-communication-with-istiod + +**INPUT** - This validation collects NetworkPolicy resources from all namespaces in the Kubernetes cluster. + +**POLICY** - This policy checks that NetworkPolicies are correctly configured for istiod egress in the required namespaces. Specifically, it verifies that the NetworkPolicies have the expected port (15012) and protocol (TCP) for istiod egress. It also ensures that these configurations are present in the required namespaces and not in any improper namespaces. + +**NOTES** - The required namespaces for the NetworkPolicies are: "authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero". diff --git a/compliance/validations/istio/secure-communication-with-istiod/resources.json b/compliance/validations/istio/secure-communication-with-istiod/resources.json new file mode 100644 index 000000000..6c5ea9b1c --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/resources.json @@ -0,0 +1,4751 @@ +{ + "networkPolicies": [ + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-dns-lookup-via-coredns", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1525", + "uid": "9b55a9ee-3344-4c53-86f5-99d89fc02d6e" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-istiod-communication", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1526", + "uid": "9103ec43-cfb8-4d13-b30f-43f8b35c4169" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-ingress-sidecar-monitoring", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1527", + "uid": "a266a52b-fd6a-4578-8a04-6bd9d4aa8f1e" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-metrics-server-anywhere", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1528", + "uid": "046927d4-7346-454d-9c54-94b92977a398" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ], + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-ingress-metrics-server-anywhere", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1530", + "uid": "84aaea33-0b7a-4e1f-9aa3-93a893c51e11" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-dns-lookup-via-coredns", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1671", + "uid": "946dd3b8-bc7c-4acf-87de-353322dcb705" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-istiod-communication", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1678", + "uid": "df03af54-f57b-4cbc-898f-03dbc2dc3890" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-sidecar-monitoring", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1682", + "uid": "bb3b9dcc-a1df-441f-ab8c-53de750d30c2" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "UDS Operator" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-uds-operator", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1683", + "uid": "58948be1-896c-4177-bbad-5e02b89ee0b4" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "pepr-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "pepr-uds-core-watcher" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Keycloak backchannel access" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-backchannel-access", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1684", + "uid": "1789f83a-6b30-49f3-9b6c-e20858481dd7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "OCSP Lookup" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-ocsp-lookup", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1685", + "uid": "fba85bc8-5dfe-41c2-8436-fadf59f59dda" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 443, + "protocol": "TCP" + }, + { + "port": 80, + "protocol": "TCP" + } + ], + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "keycloak Istio tenant gateway" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-istio-tenant-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1686", + "uid": "10aed744-db64-4daa-868e-b1a44bfcb66a" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-tenant-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "tenant-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "keycloak Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-istio-admin-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1687", + "uid": "f414ac16-c301-4472-8b6c-60e3382fd6f3" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "http,keycloak Metrics" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-http-keycloak-metrics", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1688", + "uid": "a165fcc5-7b63-4f67-a0f5-f214493a3387" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-dns-lookup-via-coredns", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1916", + "uid": "004eea79-71b9-45d5-9ceb-ea57acfb6e27" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-istiod-communication", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1917", + "uid": "e7bfd8ab-f0a9-405f-8bbc-a3745c108e93" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-sidecar-monitoring", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1918", + "uid": "ba445407-9e39-4d6e-b29f-93403e58b867" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Webhook" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-webhook", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1925", + "uid": "bb131aa5-77bd-4298-92ae-07bada798e1e" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 30443, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-tempo", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1926", + "uid": "f7dbab02-de2d-4cf2-8396-e1b1a83df964" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "neuvector-manager-pod Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-neuvector-manager-pod-istio-admin-gateway", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1927", + "uid": "39be918e-aff5-4ab4-845a-2c091eda94ce" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8443, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-manager-pod" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-dns-lookup-via-coredns", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2386", + "uid": "d901089d-7fd0-43f2-86d5-a70e5ddb6e4d" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-istiod-communication", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2387", + "uid": "88590deb-8725-479a-ac63-145ee3b783d6" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-sidecar-monitoring", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2388", + "uid": "2bbd00b4-fbae-4686-ba70-8e75ca8b6136" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Grafana Log Queries" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-grafana-log-queries", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2391", + "uid": "7af2c554-1698-4f34-a9a0-1017a65d2e82" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "grafana" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-prometheus-metrics", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2392", + "uid": "b40f0657-bc46-4d03-941c-45b7e2458b47" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3100, + "protocol": "TCP" + }, + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Promtail Log Storage" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-promtail-log-storage", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2394", + "uid": "c035b1ed-16c1-4a53-81a6-df94e2ac3248" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "promtail" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-tempo", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2396", + "uid": "55eb91b4-d223-4051-8ee0-1120bc0f10b3" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-dns-lookup-via-coredns", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2868", + "uid": "43efd06f-7785-4053-987d-95452545e42c" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-istiod-communication", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2869", + "uid": "ac0cc2fa-39c4-4c6e-8c1a-b0caa96ec828" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-sidecar-monitoring", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2870", + "uid": "96c427b0-8b40-447c-ab8e-e0a3f9f71923" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Webhook" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-webhook", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2879", + "uid": "0f1fcef1-99d8-4fcf-ab3b-3319fd613463" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Grafana Metrics Queries" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-grafana-metrics-queries", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2881", + "uid": "5b2b669b-42ab-4a0d-aa89-254a545d7bd9" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "grafana" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + } + } + ], + "ports": [ + { + "port": 9090, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-tempo", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2882", + "uid": "f56b6b6d-cbf3-446c-b9fd-d03aa2e27bf0" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-dns-lookup-via-coredns", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3427", + "uid": "ae38b310-a500-4199-b5e8-eaa05e50af83" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-istiod-communication", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3428", + "uid": "2f64b3ec-29db-4ccc-ae2b-da45c01b31bb" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-sidecar-monitoring", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3429", + "uid": "b3101049-323d-45e9-91b4-a542f645821b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-prometheus-metrics", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3430", + "uid": "52c0d085-bc1d-4577-a861-97a9727c790b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3101, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-tempo", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3432", + "uid": "f9704a6a-2a83-4c90-86b8-f543e38839dd" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Write Logs to Loki" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-write-logs-to-loki", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3433", + "uid": "e5ecbbc4-7e90-4819-ab97-f078244785ce" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "loki" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "promtail Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-promtail-metrics", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3434", + "uid": "757f4a86-51b9-4057-b7c6-c5e1fbd8d32a" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3101, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-dns-lookup-via-coredns", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3601", + "uid": "5be3c893-cf9d-4e2e-9fc3-c5d10933908f" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-istiod-communication", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3602", + "uid": "07968bea-ab81-4e17-a9cd-bbde317776c6" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-sidecar-monitoring", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3603", + "uid": "dd2336fa-2119-4a58-a3b4-4f9c0dfe71b8" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo Datasource" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-tempo-datasource", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3604", + "uid": "f4f5a07e-01cd-4d77-8ec2-3338bb5c4590" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ], + "ports": [ + { + "port": 9090, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-tempo", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3606", + "uid": "79d52a98-23a9-4b19-8270-e1e7679d0275" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "grafana Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-grafana-istio-admin-gateway", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3608", + "uid": "f5b474c3-d943-4bae-a77a-72b225fe7f61" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 3000, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "grafana Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-grafana-metrics", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3615", + "uid": "24a89a49-4261-4df3-ada8-1f70511b7a9b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3000, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-dns-lookup-via-coredns", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3779", + "uid": "18a6dadf-f1e3-4466-add1-0d852b8ff529" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-istiod-communication", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3782", + "uid": "e922febc-a442-415c-83e8-ce53b653ba44" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-sidecar-monitoring", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3783", + "uid": "1f7a1385-b33c-4cdb-b165-912471696796" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Protected Apps" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-protected-apps", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3787", + "uid": "7334e55f-45b2-47f4-bdec-2b7a53177f97" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": {} + }, + { + "podSelector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + ], + "ports": [ + { + "port": 10003, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "authservice" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-dns-lookup-via-coredns", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3897", + "uid": "3a9fda9e-59ca-432d-9f2a-3775443cf964" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-istiod-communication", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3898", + "uid": "7315782c-a390-42ea-9c52-7e4f28e3c15c" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-ingress-sidecar-monitoring", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3899", + "uid": "1a5f853e-518d-4b4f-bd79-89e7fa52332b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-ingress-prometheus-metrics", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3905", + "uid": "642b650d-daee-46c9-98b3-0732e1cfb2b7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 8085, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "velero" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "deny-metrics-server-default", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "174925", + "uid": "ddd12bef-6fdc-4a5f-a14a-f2241377233e" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-metrics-server-kubeapi", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "174926", + "uid": "9acffae9-2899-45c7-9845-ec14d72661c9" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "deny-keycloak-default", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "174929", + "uid": "59140c79-d6b1-41f7-8539-e470a94caa25" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "deny-loki-default", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174956", + "uid": "eb6a63fe-cd8b-4720-9dba-e3ae07e91c93" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-all-pods-intranamespace", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174957", + "uid": "cdcbaf50-75d3-4991-b739-c7bc07fe8b9b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-all-pods-intranamespace", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174959", + "uid": "36077323-34b7-4a3c-9f15-907acfb3a22e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-loki-anywhere", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174960", + "uid": "aa29c669-9f41-4ead-9d04-ef643a4dfc65" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "deny-prometheus-stack-default", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174963", + "uid": "347b1bee-7524-4837-9fa6-dba07cfe586d" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-all-pods-intranamespace", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174964", + "uid": "7777a5fa-8aad-4a8d-ad6c-0ecb4c75e83d" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-all-pods-intranamespace", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174965", + "uid": "fb903f70-76fc-436b-9e93-43e7608fee4e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-operator-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174966", + "uid": "671f5b00-ac45-4814-a922-0390dcaaaedf" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-prometheus-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174967", + "uid": "3cb1b9bd-6ba0-4c2b-ab71-2aafa3292366" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-state-metrics-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174968", + "uid": "e2b32f01-9cf0-42ab-8682-531e3832a14f" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "kube-state-metrics" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-admission-create-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174969", + "uid": "5aa261c9-7e7f-4635-8c2f-6bd5e4c146f3" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-admission-create" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-admission-patch-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174970", + "uid": "ef7e2fc4-ce21-424a-bfab-0c5f6f73005e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-admission-patch" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Metrics Scraping" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-metrics-scraping", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174971", + "uid": "8cd1ad66-b953-4656-8f28-ccd27505424a" + }, + "spec": { + "egress": [ + { + "to": [ + { + "namespaceSelector": {} + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "deny-promtail-default", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "174975", + "uid": "8574f041-8228-4288-a54c-e577703e7130" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-all-pods-kubeapi", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "174976", + "uid": "2887cd8d-acdf-4c98-b5c3-c7759d2cf770" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "deny-authservice-default", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174989", + "uid": "df70aa97-b5a9-47c8-bb9e-4280549525ac" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-all-pods-intranamespace", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174990", + "uid": "28d4089f-be25-4c88-bb45-f45f39d44382" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-all-pods-intranamespace", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174991", + "uid": "df4fcfe9-6685-424e-9e26-cc82c6a87b06" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "SSO Provider" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-sso-provider", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174992", + "uid": "4afdf83f-9eef-489c-81b1-7757e0e50f5d" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "deny-velero-default", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174995", + "uid": "54a38b70-38b9-41f1-b6c4-1d12a2c9723d" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-velero-anywhere", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174996", + "uid": "0cfec493-e5a0-4cd1-b7b1-89bb302a9d9b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "velero" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-velero-upgrade-crds-kubeapi", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174997", + "uid": "ac8647b6-053b-428b-a131-e091c3fc4af5" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "batch.kubernetes.io/job-name": "velero-upgrade-crds" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "deny-neuvector-default", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176365", + "uid": "e76d1965-d0c9-41df-8e13-b662157680cc" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-all-pods-intranamespace", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176366", + "uid": "1a5a1afd-d18c-4bdf-aaa1-71000047dfc7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-all-pods-intranamespace", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176367", + "uid": "810c1d2e-76a7-4313-9694-983eee61aaae" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-controller-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176368", + "uid": "0c813cba-4a96-475b-8034-5b98078de1b2" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-controller-pod-anywhere", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176369", + "uid": "e5155b3d-542d-4093-8eba-cfa7ab19421b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-updater-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176370", + "uid": "7b5cc5bf-f7c5-4116-927b-69abb95da536" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-updater-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-enforcer-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176371", + "uid": "6e0b20e1-921a-491e-a2df-ceae75737076" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-enforcer-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 71, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "deny-grafana-default", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "176431", + "uid": "fc4c1fb4-9469-4c34-bd5e-23ba883a50e8" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 71, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-grafana-anywhere", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "176432", + "uid": "2dc9ff63-bd48-4121-839c-bf221476f59b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Egress" + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/secure-communication-with-istiod/tests.yaml b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml new file mode 100644 index 000000000..9b952d82d --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml @@ -0,0 +1,28 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-istio-egress-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress) |= map(select(.to | any(.podSelector | select(.matchLabels.istio != "pilot"))))' + expected-validation: false + - test: change-egress-port-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress[].ports[] | select(.port == 15012) | .port) |= 1000' + expected-validation: false + - test: change-egress-protocol-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress[].ports[] | select(.port == 15012) | .protocol) |= "HTTP"' + expected-validation: false + - test: add-disallowed-egress-to-istiod + validation: validation.yaml + resources: resources.json + permutation: '.networkPolicies += [{"kind": "NetworkPolicy", "metadata": {"name": "istiod-egress", "namespace": "not-allowed-netpol"}, "spec": {"egress": [{"ports": [{"port": 15012, "protocol": "TCP"}], "to": [{"podSelector": {"matchLabels": {"istio": "pilot"}}}]}]}}]' + expected-validation: false diff --git a/compliance/validations/istio/secure-communication-with-istiod/validation.yaml b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml new file mode 100644 index 000000000..a0670ff07 --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml @@ -0,0 +1,70 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: networkPolicies + resource-rule: + group: networking.k8s.io + resource: networkpolicies + namespaces: [] + version: v1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero", "uds-runtime"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate if { + check_netpol_config_correct.result + } + + msg = check_netpol_config_correct.msg + msg_expected_istiod = sprintf("Expected Istiod port: %v, protocol: %v.", [expected_istiod_port, expected_istiod_protocol]) + msg_required_namespaces = concat(", ", required_namespaces) + + check_netpol_config_correct = {"result": true, "msg": msg} if { + required_namespaces == correct_istiod_namespaces + msg := "NetworkPolicies correctly configured for istiod in required namespaces." + } else = {"result": false, "msg": msg} if { + count(required_namespaces-correct_istiod_namespaces) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod egress in namespaces: %v.", [concat(", ", (required_namespaces-correct_istiod_namespaces))]) + } else = {"result": false, "msg": msg} if { + count(correct_istiod_namespaces-required_namespaces) > 0 + msg := sprintf("NetworkPolicies configured for istiod egress in improper namespaces: %v.", [concat(", ", (correct_istiod_namespaces-required_namespaces))]) + } + + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_expected_istiod + - validate.msg_required_namespaces diff --git a/compliance/validations/istio/tls-origination-at-egress/README.md b/compliance/validations/istio/tls-origination-at-egress/README.md new file mode 100644 index 000000000..c2b65a62e --- /dev/null +++ b/compliance/validations/istio/tls-origination-at-egress/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - tls-origination-at-egress-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder for checking TLS origination at egress. + +**NOTES** - The policy needs to be updated to include the necessary resources and logic to check for TLS origination at egress. \ No newline at end of file diff --git a/compliance/validations/istio/tls-origination-at-egress/validation.yaml b/compliance/validations/istio/tls-origination-at-egress/validation.yaml new file mode 100644 index 000000000..79149a6da --- /dev/null +++ b/compliance/validations/istio/tls-origination-at-egress/validation.yaml @@ -0,0 +1,20 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false + + # How to prove TLS origination is configured at egress + # DestinationRule? diff --git a/compliance/validations/istio/tracing-logging-support/README.md b/compliance/validations/istio/tracing-logging-support/README.md new file mode 100644 index 000000000..e1cb56f8d --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-tracing-logging-support + +**INPUT** - This validation collects the "istioConfig" configmap from the "istio-system" namespace. + +**POLICY** - This policy checks that tracing logging is supported in the Istio configuration, specifically by verifying that the "defaultConfig.tracing" is not null and "zipkin.address" field is not empty. + +**NOTES** - Ensure that the Istio ConfigMap is correctly specified in the policy. The policy will fail if tracing logging is not supported in the Istio configuration. \ No newline at end of file diff --git a/compliance/validations/istio/tracing-logging-support/resources.json b/compliance/validations/istio/tracing-logging-support/resources.json new file mode 100644 index 000000000..40e61987a --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/resources.json @@ -0,0 +1,23 @@ +{ + "istioConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/tracing-logging-support/tests.yaml b/compliance/validations/istio/tracing-logging-support/tests.yaml new file mode 100644 index 000000000..c661466f0 --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/tests.yaml @@ -0,0 +1,13 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: false + - test: add-tracing + validation: validation.yaml + resources: resources.json + permutation: '(.istioConfig.defaultConfig.tracing.zipkin.address) |= "zipkin.istio-system.svc.cluster.local:9411"' + expected-validation: true diff --git a/compliance/validations/istio/tracing-logging-support/validation.yaml b/compliance/validations/istio/tracing-logging-support/validation.yaml new file mode 100644 index 000000000..f06511702 --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/validation.yaml @@ -0,0 +1,48 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +metadata: + name: istio-tracing-logging-support + uuid: f346b797-be35-40a8-a93a-585db6fd56ec +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: istioConfig + resource-rule: + resource: configmaps + namespaces: + - istio-system + version: v1 + name: istio + field: + jsonpath: .data.mesh + type: yaml +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + # Validate Istio configuration for event logging support + validate if { + check_tracing_enabled.result + } + msg = check_tracing_enabled.msg + + check_tracing_enabled = { "result": true, "msg": msg } if { + input.istioConfig.defaultConfig.tracing != null + input.istioConfig.defaultConfig.tracing.zipkin.address != "" + msg := "Tracing logging supported." + } else = { "result": false, "msg": msg } if { + msg := "Tracing logging not supported." + } + output: + validation: validate.validate + observations: + - validate.msg diff --git a/docs/configuration/_index.md b/docs/configuration/_index.md deleted file mode 100644 index 1d8ab0844..000000000 --- a/docs/configuration/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Configure UDS Core -type: docs -weight: 3 ---- diff --git a/docs/configuration/istio/_index.md b/docs/configuration/istio/_index.md deleted file mode 100644 index 6872802db..000000000 --- a/docs/configuration/istio/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Istio Configuration for UDS Core -type: docs -weight: 5 ---- diff --git a/docs/deployment/_index.md b/docs/deployment/_index.md deleted file mode 100644 index 9cbb18a82..000000000 --- a/docs/deployment/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploying UDS Core -type: docs -weight: 2 ---- diff --git a/docs/deployment/uds-deploy.md b/docs/deployment/uds-deploy.md deleted file mode 100644 index 97455a7c8..000000000 --- a/docs/deployment/uds-deploy.md +++ /dev/null @@ -1,123 +0,0 @@ ---- -title: Deploy UDS Core -type: docs -weight: 3 ---- - -## Prerequisites - -Please ensure that the following prerequisites are on your machine prior to deploying UDS Core: - -- [Docker](https://formulae.brew.sh/formula/docker#default), or as an open source alternative, you can use [Colima](https://formulae.brew.sh/formula/colima#default). - - If using Colima, please declare the following resources after installing: - -```git -colima start --cpu 7 --memory 14 --disk 50 -``` - -- [K3d](https://formulae.brew.sh/formula/k3d#default) for development and test environments or a [CNCF Certified Kubernetes Cluster](https://www.cncf.io/training/certification/software-conformance/#logos) if deploying to production environments. -- Dynamic [load-balancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer) provisioning such as [MetalLB](https://metallb.universe.tf/). -- Object storage of your choosing such as [Minio](https://min.io/product/kubernetes) or [S3](https://aws.amazon.com/s3/). - -## UDS Bundles - -UDS Core provides published [bundles](https://uds.defenseunicorns.com/bundles/) that serve multiple purposes: you can utilize them for experimenting with UDS Core or for UDS Package development when you only require specific components of UDS Core. These bundles leverage [UDS K3d](https://github.com/defenseunicorns/uds-k3d) to establish a local k3d cluster. - -UDS Bundles deployed for development and testing purposes are comprised of a shared configuration that equips users with essential tools, emulating a development environment for convenience. If deploying to a production environment, users have the ability to modify variables and configurations to best fit specific mission needs by creating their own bundle. - -{{% alert-note %}} -These UDS Bundles are designed specifically for development and testing environments and are *not intended for production use*. Additionally, they serve as examples for creating customized bundles. -{{% /alert-note %}} - -## Quickstart: Development and Test Environments - -**Step 1: Install the [UDS CLI](https://uds.defenseunicorns.com/cli/)** - -It is recommended to update to the latest version, all releases can be found in the [UDS CLI GitHub repository](https://github.com/defenseunicorns/uds-cli/releases). - -```git -brew tap defenseunicorns/tap && brew install uds -``` - -**Step 2: Deploy the UDS Bundle** - -The UDS Bundle being deployed in this example is the [`k3d-core-demo`](https://github.com/defenseunicorns/uds-core/blob/main/bundles/k3d-standard/README.md) bundle which creates a local k3d cluster with UDS Core installed. - -```cli -uds deploy k3d-core-demo:0.20.0 - -# deploy this bundle? -y -``` - -For additional information on UDS Bundles, please see the [UDS Bundles documentation.](https://uds.defenseunicorns.com/bundles/) - -**Optional:** - -Use the following command to visualize resources in the cluster via [k9s:](https://k9scli.io/) - -```git -uds zarf tools monitor -``` - -**Step 3: Clean Up** - -Use the following command to tear down the k3d cluster: - -```git -k3d cluster delete uds -``` - -If you opted to use Colima, use the following command to tear down the virtual machine that the cluster was running on: - -```git -colima delete -f -``` - -## UDS Bundle Development - -In addition to the demo bundle, there is also a [`k3d-slim-dev bundle`](https://github.com/defenseunicorns/uds-core/tree/main/bundles/k3d-istio) designed specifically for working with UDS Core with *only* Istio, Keycloak, and Pepr installed. To use it, execute the following command: - -```cli -uds deploy k3d-core-slim-dev:0.20.0 -``` - -## Developing UDS Core - -UDS Core development leverages the `uds zarf dev deploy` command. To simplify the setup process, a dedicated UDS Task is available. Please ensure you have [NodeJS](https://nodejs.org/en/download/) version 20 or later installed before proceeding. - -Below is an example of the workflow developing the [metrics-server package](https://github.com/defenseunicorns/uds-core/tree/main/src/metrics-server): - -```cli -# Create the dev environment -uds run dev-setup - -# If developing the Pepr module: -npx pepr dev - -# If not developing the Pepr module (can be run multiple times): -npx pepr deploy - -# Deploy the package (can be run multiple times) -uds run dev-deploy --set PKG=metrics-server -``` - -## Testing UDS Core - -You can perform a complete test of UDS Core by running the following command: - -```cli -uds run test-uds-core -``` - -This command initiates the creation of a local k3d cluster, installs UDS Core, and executes a set of tests identical to those performed in CI. If you wish to run tests targeting a specific package, you can utilize the `PKG` environment variable. - -The example below runs tests against the metrics-server package: - -```cli -UDS_PKG=metrics-server uds run test-single-package -``` - -{{% alert-note %}} -You can specify the `--set FLAVOR=registry1` flag to test using Iron Bank images instead of the upstream images. -{{% /alert-note %}} diff --git a/docs/development/_index.md b/docs/development/_index.md deleted file mode 100644 index d49d49f68..000000000 --- a/docs/development/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: UDS Core Development -type: docs -weight: 4 ---- diff --git a/docs/deployment/distribution-support.md b/docs/reference/UDS Core/distribution-support.md similarity index 70% rename from docs/deployment/distribution-support.md rename to docs/reference/UDS Core/distribution-support.md index 268366559..89afcf8e9 100644 --- a/docs/deployment/distribution-support.md +++ b/docs/reference/UDS Core/distribution-support.md @@ -1,7 +1,5 @@ --- title: Distribution Support -type: docs -weight: 1 --- UDS Core is a versatile software baseline designed to operate effectively across a variety of Kubernetes distributions. While it is not specifically tailored to any single Kubernetes distribution, it is compatible with multiple environments. This documentation provides an overview of UDS Core's compatibility with different distributions and the level of support provided. @@ -12,8 +10,8 @@ UDS Core is a versatile software baseline designed to operate effectively across - **Compatible:** Kubernetes distributions listed under this category may not have undergone extensive testing in UDS Core's CI environments. While UDS Core may be compatible on these distributions, users should exercise caution and be prepared for potential compatibility issues or limitations. -| Distribution | Category | Support Level | -| ------------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- | +| Distribution | Category | Support Level | +| --------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- | | K3d/K3s, Amazon EKS | Tested | Supported Kubernetes distributions undergoing testing in CI environments. | -| RKE2 | Tested | Supported Kubernetes distribution tested in production environments other than CI. | -| Other | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. | +| RKE2 | Tested | Supported Kubernetes distribution tested in production environments other than CI. | +| Other | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. | diff --git a/docs/deployment/dns.md b/docs/reference/UDS Core/dns.md similarity index 90% rename from docs/deployment/dns.md rename to docs/reference/UDS Core/dns.md index b1dcef9bc..9d493e6bd 100644 --- a/docs/deployment/dns.md +++ b/docs/reference/UDS Core/dns.md @@ -1,24 +1,23 @@ --- title: DNS Configuration -type: docs -weight: 2 --- -UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/core/configuration/istio/ingress/). This section covers how to configure DNS for these Gateways. +UDS Core deploys two Gateways by default - a Tenant Gateway for end-user applications and an Admin Gateway for administrative applications. You can read more about Istio configuration in UDS Core [here](https://uds.defenseunicorns.com/reference/configuration/ingress/). This section covers how to configure DNS for these Gateways. ### Domain Configuration Each Gateway is associated to a wildcard DNS entry that is derived from the `DOMAIN` [variable](https://github.com/defenseunicorns/uds-core/blob/e624d73f79bd6739b6808fbdbf5ca75ebb7c1d3c/src/istio/zarf.yaml#L8) in the UDS Core Istio package. When deploying UDS Core, you can expect two Gateways to be created that match the following domain names: - `*.` / Tenant Gateway - `*.admin.` / Admin Gateway -{{% alert-note %}} -The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways). -{{% /alert-note %}} +:::note +The default value for `DOMAIN` is `uds.dev`, which is intended for development purposes only. For non-development purposes, you should override this value by specifying a value for `domain` in your `uds-config.yaml`. You can find instructions on how to do so [here](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways). +::: ### Bundle Configuration -{{% alert-note %}} + +:::note UDS Core does not include any cloud provider specific configuration by default. Additional overrides are required to deploy UDS Core on a given provider. This section will refer to AWS, but values can be substituted as needed for other providers. -{{% /alert-note %}} +::: The Admin and Tenant Gateways will be each be bound to an external Load Balancer that is exposed on TCP ports 80 and 443 by default. The Admin Gateway should be configured to use an internal facing Load Balancer and the Tenant Gateway should be configured to use an external facing Load Balancer. Below is an example of overrides that would accomplish this: ```yaml @@ -71,4 +70,4 @@ istio-admin-gateway admin-ingressgateway Loa istio-tenant-gateway tenant-ingressgateway LoadBalancer 10.43.47.182 k8s-istioten-tenant...elb.us-east-1.amazonaws.com 15021:31222/TCP,80:30456/TCP,443:32508/TCP 1h ``` -From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation. \ No newline at end of file +From here, you can register your domain and/or create DNS records for your environment that point to the appropriate Gateways/Load Balancers. Refer to your DNS provider's documentation. diff --git a/docs/development/flavor-specific-dev.md b/docs/reference/UDS Core/flavor-specific-development-notes.md similarity index 98% rename from docs/development/flavor-specific-dev.md rename to docs/reference/UDS Core/flavor-specific-development-notes.md index 8928a949d..7a576c5b8 100644 --- a/docs/development/flavor-specific-dev.md +++ b/docs/reference/UDS Core/flavor-specific-development-notes.md @@ -1,7 +1,5 @@ --- title: Flavor Specific Development Notes -type: docs -weight: 5 --- Specific flavors of UDS Core have access and architecture restrictions when used for development work. The `upstream` flavor is generally recommended for development as it does not have any restrictions or requirements. diff --git a/docs/reference/UDS Core/functional-layers.md b/docs/reference/UDS Core/functional-layers.md new file mode 100644 index 000000000..47345dc9b --- /dev/null +++ b/docs/reference/UDS Core/functional-layers.md @@ -0,0 +1,51 @@ +--- +title: Functional Layers +--- + +## Background + +Context on the inclusion of "functional layers" can be viewed in our [ADR](https://github.com/defenseunicorns/uds-core/blob/main/adrs/0002-uds-core-functional-layers.md). In short, UDS Core publishes smaller Zarf packages that contain subsets of core's capabilities, grouped by their function (such as monitoring, logging, backup/restore, etc) to allow more flexibility in deployment. This helps to support resource constrained environments (edge deployments) and other situations where an environment has different needs than the default core stack. + +Each layer is published as an individual OCI Zarf package. Package sources can be viewed under the [`packages` directory](https://github.com/defenseunicorns/uds-core/tree/main/packages), with each folder containing a readme detailing the contents and any dependencies. All layers assume the requirement of the base layer which provides Istio, the UDS Operator, and UDS Policy Engine. + +:::caution +By removing pieces of core from your deployment you may affect your security and compliance posture as well as reduce functionality of the stack. Deploying core using these layers should be the exception in most cases and only done after carefully weighing needs for your environment. +::: + +## Example Usage + +Functional layers are designed to be combined into a UDS bundle for deployment. The example below shows all layers in the correct order. Keep in mind that 'base' must always be the first layer, and any other layers should follow based on their dependency order. When building your bundle, you can skip layers that don't fit your deployment needs and apply overrides to individual layers as needed. Ensure all layers are using the same version for compatibility. + +```yaml +kind: UDSBundle +metadata: + name: functional-layer-core-bundle + description: An example bundle for deploying all of core using functional layers + version: "0.1.0" + +packages: + - name: core-base + repository: ghcr.io/defenseunicorns/packages/uds/core-base + ref: 0.29.0-upstream + - name: core-identity-authorization + repository: ghcr.io/defenseunicorns/packages/uds/core-identity-authorization + ref: 0.29.0-upstream + - name: core-metrics-server + repository: ghcr.io/defenseunicorns/packages/uds/core-metrics-server + ref: 0.29.0-upstream + - name: core-runtime-security + repository: ghcr.io/defenseunicorns/packages/uds/core-runtime-security + ref: 0.29.0-upstream + - name: core-logging + repository: ghcr.io/defenseunicorns/packages/uds/core-logging + ref: 0.29.0-upstream + - name: core-monitoring + repository: ghcr.io/defenseunicorns/packages/uds/core-monitoring + ref: 0.29.0-upstream + - name: core-ui + repository: ghcr.io/defenseunicorns/packages/uds/core-ui + ref: 0.29.0-upstream + - name: core-backup-restore + repository: ghcr.io/defenseunicorns/packages/uds/core-backup-restore + ref: 0.29.0-upstream +``` diff --git a/docs/_index.md b/docs/reference/UDS Core/overview.md old mode 100755 new mode 100644 similarity index 96% rename from docs/_index.md rename to docs/reference/UDS Core/overview.md index 3d7fb94d4..94c3fa810 --- a/docs/_index.md +++ b/docs/reference/UDS Core/overview.md @@ -1,10 +1,7 @@ --- -title: UDS Core -linkTitle: UDS Core -type: docs -menu: - main: - weight: 30 +title: Overview +sidebar: + order: 1 --- ## What is UDS Core? diff --git a/docs/deployment/prerequisites.md b/docs/reference/UDS Core/prerequisites.md similarity index 98% rename from docs/deployment/prerequisites.md rename to docs/reference/UDS Core/prerequisites.md index ddc8e038e..14d8b7fcf 100644 --- a/docs/deployment/prerequisites.md +++ b/docs/reference/UDS Core/prerequisites.md @@ -1,11 +1,9 @@ --- -title: UDS Core Prerequisites -type: docs -weight: 4 +title: Prerequisites +sidebar: + order: 2 --- -## UDS Core Prerequisites - `UDS Core` can run in any [CNCF conformant Kubernetes distribution](https://www.cncf.io/training/certification/software-conformance/), but sometimes customizations are needed based on environments. This is an attempt to document and link to relevant information to aid in setting up your Kubernetes environment and hosts to ensure a successful `UDS Core` installation. ### Cluster Requirements diff --git a/docs/configuration/istio/ingress.md b/docs/reference/configuration/ingress.md similarity index 88% rename from docs/configuration/istio/ingress.md rename to docs/reference/configuration/ingress.md index e94cceec5..5015bc928 100644 --- a/docs/configuration/istio/ingress.md +++ b/docs/reference/configuration/ingress.md @@ -1,7 +1,5 @@ --- -title: Configuring Istio Ingress -type: docs -weight: 1 +title: Istio Ingress --- UDS Core leverages Istio for ingress into the service mesh. This document provides an overview and examples of the Istio resources that UDS Core deploys to handle ingress. @@ -38,7 +36,7 @@ packages: By default, the UDS Core Istio Gateways are set up to use the `uds.dev` domain and have a valid TLS certificate packaged. You will want to change the domain name for your environment and provide a valid TLS certificate for this domain. -You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). +You can set the TLS certs via overrides in a [UDS Bundle](https://uds.defenseunicorns.com/structure/bundles/) (see below). UDS Core Istio Gateways default to only supporting TLS v1.3, but this can also be overridden per gateway if clients use TLS 1.2 (as seen in the tenant gateway example `value` below). ```yaml kind: UDSBundle @@ -46,7 +44,7 @@ metadata: name: core-with-cert-override description: A UDS example bundle for packaging UDS core with a custom TLS certificate version: "0.0.1" - + packages: - name: core repository: oci://ghcr.io/defenseunicorns/packages/uds/core @@ -54,6 +52,9 @@ packages: overrides: istio-admin-gateway: uds-istio-config: + values: + - path: tls.supportTLSV1_2 + value: true # Add support for TLS 1.2 on this gateway, can be specified via variables if needed at deploy time variables: - name: ADMIN_TLS_CERT description: "The TLS cert for the admin gateway (must be base64 encoded)" @@ -63,9 +64,6 @@ packages: path: tls.key istio-tenant-gateway: uds-istio-config: - values: - - path: tls.supportTLSV1_2 - value: true # Add support for TLS 1.2 on this gateway, can be specified via variables if needed at deploy time variables: - name: TENANT_TLS_CERT description: "The TLS cert for the tenant gateway (must be base64 encoded)" @@ -77,14 +75,14 @@ packages: You can then either use environment variables (`UDS_ADMIN_TLS_CERT`, `UDS_ADMIN_TLS_KEY`, `UDS_TENANT_TLS_CERT`, and `UDS_TENANT_TLS_KEY`) or a config file to configure the certs for each gateway. These values should be base64 encoded strings of the TLS certificate and key for the admin and tenant gateways respectively. -Domain should be set via your [uds-config](https://uds.defenseunicorns.com/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). +Domain should be set via your [uds-config](https://uds.defenseunicorns.com/reference/cli/quickstart-and-usage/#variables-and-configuration) file using the shared key to override the Zarf Domain Variable (see example `uds-config.yaml` below). ```yaml shared: domain: yourawesomedomain.com # shared across all packages in a bundle # TLS Certs/Keys if not provided via environment variables -variables: +variables: core: admin_tls_cert: # base64 encoded admin cert here admin_tls_key: # base64 encoded admin key here @@ -92,6 +90,6 @@ variables: tenant_tls_key: # base64 encoded tenant key here ``` -{{% alert-note %}} -If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/core/configuration/uds-operator/#trusted-certificate-authority). -{{% /alert-note %}} +:::note +If you are using Private PKI or self-signed certificates for your tenant certificates it is necessary to additionally configure `UDS_CA_CERT` with additional [trusted certificate authorities](https://uds.defenseunicorns.com/reference/configuration/uds-operator/#trusted-certificate-authority). +::: diff --git a/docs/reference/configuration/pepr-policies.md b/docs/reference/configuration/pepr-policies.md new file mode 100644 index 000000000..f2cf82b77 --- /dev/null +++ b/docs/reference/configuration/pepr-policies.md @@ -0,0 +1,52 @@ +--- +title: Pepr Policies +--- + +## Common Pepr Policies for UDS Core + +### Pepr Policy Exemptions {#pepr-policy-exemptions} +These policies are based on the [Big Bang](https://p1.dso.mil/services/big-bang) policies created with Kyverno. You can find the source policies [here](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies), Policy Names below also have links to the referenced Big Bang policy. + +Exemptions can be specified by a [UDS Exemption CR](../uds-operator#exemption). These take the place of Kyverno Exceptions. + +If a resource is exempted, it will be annotated as `uds-core.pepr.dev/uds-core-policies.: exempted` + +### Pepr Policy Mutations + +{{% alert-note %}} +Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-exemptions) references as the validations. +{{% /alert-note %}} + +| Pepr Mutation🔗 | Mutated Fields | Mutation Logic | +| --------------- | -------------- | -------------- | +| [Disallow Privilege Escalation](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | `containers[].securityContext.allowPrivilegeEscalation` | Mutates `allowPrivilegeEscalation` to `false` if undefined, unless the container is privileged or `CAP_SYS_ADMIN` is added. | +| [Require Non-root User](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | `securityContext.runAsUser`,
`securityContext.runAsGroup`,
`securityContext.fsGroup`,
`securityContext.runAsNonRoot` | Pods are mutated to ensure workloads do not run as root, mutating `runAsNonRoot: true`. Users can define user, group, and fsGroup IDs to run the pod as by using the `uds/user`, `uds/group`, `uds/fsgroup` pod labels. If not provided these default to `runAsUser: 1000` and `runAsGroup: 1000`. | +| [Drop All Capabilities](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | `containers[].securityContext.capabilities.drop` | Ensures all capabilities are dropped by setting `capabilities.drop` to `["ALL"]` for all containers. | + +### Pepr Policy Validations + +| Policy Name🔗 | Exemption Reference🔗 | Policy Description | +| ------------- | :-------------------: | ------------------ | +| [Disallow Host Namespaces](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-host-namespaces.yaml) | [`DisallowHostNamespaces`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L7-L35) | Implemented: ✅
Subject: **Pod**
Severity: **high**

Host namespaces (Process ID namespace, Inter-Process Communication namespace, and network namespace) allow access to shared information and can be used to elevate privileges. Pods should not be allowed access to host namespaces. This policy ensures fields which make use of these host namespaces are set to `false`. | +|[Disallow NodePort Services](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-nodeport-services.yaml) | [`DisallowNodePortServices`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L88-L110) | Implemented: ✅
Subject: **Service**
Severity: **medium**

A Kubernetes Service of type NodePort uses a host port to receive traffic from any source. A NetworkPolicy cannot be used to control traffic to host ports. Although NodePort Services can be useful, their use must be limited to Services with additional upstream security checks. This policy validates that any new Services do not use the `NodePort` type. | +|Disallow Privileged [Escalation](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privilege-escalation.yaml) and [Pods](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-privileged-containers.yaml) | [`DisallowPrivileged`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L14-L75) | Implemented: ✅
Subject: **Pod**
Severity: **high**

Privilege escalation, such as via set-user-ID or set-group-ID file mode, should not be allowed. Privileged mode also disables most security mechanisms and must not be allowed. This policy ensures the `allowPrivilegeEscalation` field is set to false and `privileged` is set to false or undefined. | +|[Disallow SELinux Options](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-selinux-options.yaml) | [`DisallowSELinuxOptions`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L244-L285) | Implemented: ✅
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` specified are not used. | +|[Drop All Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-drop-all-capabilities.yaml) | [`DropAllCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L329-L376) | Implemented: ✅
Subject: **Pod**
Severity: **medium**

Capabilities permit privileged actions without giving full root access. All capabilities should be dropped from a Pod, with only those required added back. This policy ensures that all containers explicitly specify `drop: ["ALL"]`. | +|[Require Non-root User](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-user.yaml) | [`RequireNonRootUser`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L77-L167) | Implemented: ✅
Subject: **Pod**
Severity: **high**

Following the least privilege principle, containers should not be run as root. This policy ensures containers either have `runAsNonRoot` set to `true` or `runAsUser` > 0. | +|[Restrict Capabilities](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-capabilities.yaml) | [`RestrictCapabilities`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L378-L413) | Implemented: ✅
Subject: **Pod**
Severity: **high**

Capabilities permit privileged actions without giving full root access. Adding capabilities beyond the default set must not be allowed. This policy ensures users cannot add additional capabilities beyond the allowed list to a Pod. | +|[Restrict External Names (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-names.yaml) | [`RestrictExternalNames`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L67-L86) | Implemented: ✅
Subject: **Service**
Severity: **medium**

Service external names can be used for a MITM attack (CVE-2020-8554). External names can be used by an attacker to point back to localhost or internal IP addresses for exploitation. This policy restricts services using external names to a specified list. | +|[Restrict hostPath Volume Writable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-write.yaml) | [`RestrictHostPathWrite`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L54-L92) | Implemented: ✅
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be required to be read-only. Pods which are allowed to mount hostPath volumes in read/write mode pose a security risk even if confined to a "safe" file system on the host and may escape those confines. This policy checks containers for hostPath volumes and validates they are explicitly mounted in readOnly mode. | +|[Restrict Host Ports](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-ports.yaml) | [`RestrictHostPorts`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/networking.ts#L37-L65) | Implemented: ✅
Subject: **Pod**
Severity: **high**

Access to host ports allows potential snooping of network traffic and should not be allowed, or at minimum restricted to a known list. This policy ensures only approved ports are defined in container's `hostPort` field. | +|[Restrict Proc Mount](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-proc-mount.yaml) | [`RestrictProcMount`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L169-L198) | Implemented: ✅
Subject: **Pod**
Severity: **high**

The default /proc masks are set up to reduce the attack surface. This policy ensures nothing but the specified procMount can be used. By default only "Default" is allowed. | +|[Restrict Seccomp](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-seccomp.yaml) | [`RestrictSeccomp`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L200-L242) | Implemented: ✅
Subject: **Pod**
Severity: **high**

The SecComp profile should not be explicitly set to Unconfined. This policy, requiring Kubernetes v1.19 or later, ensures that the `seccompProfile.Type` is undefined or restricted to the values in the allowed list. By default, this is `RuntimeDefault` or `Localhost`. | +|[Restrict SELinux Type](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-selinux-type.yaml) | [`RestrictSELinuxType`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/security.ts#L287-L327) | Implemented: ✅
Subject: **Pod**
Severity: **high**

SELinux options can be used to escalate privileges. This policy ensures that the `seLinuxOptions` type field is undefined or restricted to the allowed list. | +|[Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Implemented: ✅
Subject: **Pod**
Severity: **medium**

Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. | +|[Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list. +|[Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list.| +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | Not Implemented | Implemented: ❌
Subject: **PersistentVolume**
Severity: **medium**

PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. | +|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **medium**

hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. | +|[Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | Not Implemented | Implemented: ❌
Subject: **Service**
Severity: **medium**

Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. | +|[Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. | +|[Require Image Signature](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-image-signature.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Using the Cosign project, OCI images may be signed to ensure supply chain security is maintained. Those signatures can be verified before pulling into a cluster. This policy checks the signature to ensure it has been signed by verifying its signature against the public key. | +|[Require Non-root Group](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/require-non-root-group.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod**
Severity: **high**

Following the least privilege principle, access to the root group ID should be forbidden in containers. This policy ensures containers are running with groups > 0. | +|[Disallow AutoMount Service Account Tokens](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/disallow-auto-mount-service-account-token.yaml) | Not Implemented | Implemented: ❌
Subject: **Pod, ServiceAccount**
Severity: **high**

Auto-mounting of Kubernetes API credentials is not ideal in all circumstances. This policy finds Pods and Service Accounts that automount kubernetes api credentials. | diff --git a/docs/configuration/resource-configuration-and-ha.md b/docs/reference/configuration/resource-configuration-and-ha.md similarity index 77% rename from docs/configuration/resource-configuration-and-ha.md rename to docs/reference/configuration/resource-configuration-and-ha.md index df0daa9fe..1993862c9 100644 --- a/docs/configuration/resource-configuration-and-ha.md +++ b/docs/reference/configuration/resource-configuration-and-ha.md @@ -1,7 +1,5 @@ --- title: Resource Configuration and High Availability -type: docs -weight: 3.5 --- Depending on your environment and the scale of your cluster, you might need to adjust UDS Core components for high availability or to optimize resources. Below are common areas where resource overrides can be useful when deploying UDS Core. @@ -36,7 +34,42 @@ packages: ### Grafana -To scale Grafana for high availability, its database must be externalized (see [Grafana's database configuration docs](https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#database)). UDS Core has not yet done extensive testing on this setup. You can also override the `resources` helm value to customize Grafana pods' resource limits and requests (using the component and chart name of `grafana`). +Grafana can be configured in a high availability (HA) setup by utilizing an external PostgreSQL database. See the example values below for configuring Grafana in HA mode: + +```yaml +# Example HA Bundle Configuration +packages: + - name: core + repository: oci://ghcr.io/defenseunicorns/packages/uds/core + ref: x.x.x + overrides: + grafana: + grafana: + variables: + - name: GRAFANA_HA + description: Enable HA Grafana + path: autoscaling.enabled + uds-grafana-config: + variables: + - name: GRAFANA_PG_HOST + description: Grafana postgresql host + path: postgresql.host + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_PORT + description: Grafana postgresql port + path: postgresql.port + - name: GRAFANA_PG_DATABASE + description: Grafana postgresql database + path: postgresql.database + - name: GRAFANA_PG_PASSWORD + description: Grafana postgresql password + path: postgresql.password + - name: GRAFANA_PG_USER + description: Grafana postgresql username + path: postgresql.user +``` ## Logging diff --git a/docs/configuration/uds-configure-policy-exemptions.md b/docs/reference/configuration/uds-configure-policy-exemptions.md similarity index 98% rename from docs/configuration/uds-configure-policy-exemptions.md rename to docs/reference/configuration/uds-configure-policy-exemptions.md index 2e405cbc1..c68b35b1e 100644 --- a/docs/configuration/uds-configure-policy-exemptions.md +++ b/docs/reference/configuration/uds-configure-policy-exemptions.md @@ -1,7 +1,5 @@ --- title: Configuring Policy Exemptions -type: docs -weight: 4 --- By default policy exemptions ([UDSExemptions](https://github.com/defenseunicorns/uds-core/blob/uds-docs/src/pepr/operator/crd/generated/exemption-v1alpha1.ts)) are only allowed in a single namespace -- `uds-policy-exemptions`. We recognize this is not a conventional pattern in K8s, but believe it is ideal for UDS for the following reasons: diff --git a/docs/configuration/uds-monitoring-metrics.md b/docs/reference/configuration/uds-monitoring-metrics.md similarity index 99% rename from docs/configuration/uds-monitoring-metrics.md rename to docs/reference/configuration/uds-monitoring-metrics.md index 909d5ad5f..c5ef0da68 100644 --- a/docs/configuration/uds-monitoring-metrics.md +++ b/docs/reference/configuration/uds-monitoring-metrics.md @@ -1,7 +1,5 @@ --- title: Monitoring and Metrics -type: docs -weight: 1 --- UDS Core leverages Pepr to handle setup of Prometheus scraping metrics endpoints, with the particular configuration necessary to work in a STRICT mTLS (Istio) environment. We handle this via a default scrapeClass in prometheus to add the istio certs. When a monitor needs to be exempt from that tlsConfig a mutation is performed to leverage a plain scrape class without istio certs. @@ -14,9 +12,9 @@ Generally it is beneficial to use service and pod monitor resources from existin 1. Individual monitors can explicitly set the `exempt` scrape class to opt out of the Istio certificate configuration. This should typically only be done if your service exposes metrics on a PERMISSIVE mTLS port. 1. If setting a `scrapeClass` is not an option due to lack of configuration in a helm chart, or for other reasons, monitors can use the `uds/skip-mutate` annotation (with any value) to have Pepr mutate the `exempt` scrape class onto the monitor. -{{% alert-note %}} +:::note There is a deprecated functionality in Pepr that will mutate `tlsConfig` onto individual service monitors, rather than using the scrape class approach. This has been kept in the current code temporarily to prevent any metrics downtime during the switch to `scrapeClass`. In a future release this behavior will be removed to reduce the complexity of the setup and required mutations. -{{% /alert-note %}} +::: ## Package CR `monitor` field diff --git a/docs/configuration/uds-operator.md b/docs/reference/configuration/uds-operator.md similarity index 85% rename from docs/configuration/uds-operator.md rename to docs/reference/configuration/uds-operator.md index a054b9c3d..5593a91ee 100644 --- a/docs/configuration/uds-operator.md +++ b/docs/reference/configuration/uds-operator.md @@ -1,7 +1,5 @@ --- title: UDS Operator -type: docs -weight: 2 --- The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package Custom Resources (CRs) along with their associated resources like NetworkPolicies and Istio VirtualServices. Leveraging [Pepr](https://github.com/defenseunicorns/pepr), the operator binds watch operations to the enqueue and reconciler, taking on several key responsibilities for UDS Packages and exemptions: @@ -163,9 +161,9 @@ spec: app: httpbin ``` -{{% alert-note %}} +:::note The UDS Operator uses the first `redirectUris` to populate the `match.prefix` hostname and `callback_uri` in the authservice chain. -{{% /alert-note %}} +::: For a complete example, see [app-authservice-tenant.yaml](https://github.com/defenseunicorns/uds-core/blob/main/src/test/app-authservice-tenant.yaml) @@ -183,7 +181,7 @@ variables: CA_CERT: ``` -See [configuring Istio Ingress](https://uds.defenseunicorns.com/core/configuration/istio/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. +See [configuring Istio Ingress](https://uds.defenseunicorns.com/reference/configuration/ingress/#configure-domain-name-and-tls-for-istio-gateways) for the relevant documentation on configuring ingress certificates. ### Creating a UDS Package with a Device Flow client @@ -207,6 +205,44 @@ spec: This configuration does not create a secret in the cluster and instead tells the UDS Operator to create a public client (one that requires no auth secret) that enables the `oauth2.device.authorization.grant.enabled` flow and disables the standard redirect auth flow. Because this creates a public client configuration that deviates from this is limited - if your application requires both the Device Authorization Grant and the standard flow this is currently not supported without creating two separate clients. +### Creating a UDS Package with a Service Account Roles client + +Some applications may need to access resources / obtain OAuth tokens on behalf of *themselves* vice users. This may be needed to allow API access to Authservice protected applications (outside of a web browser). This is commonly used in machine-to-machine authentication for automated processes. This type of grant in OAuth 2.0 is known as the [Client Credentials Grant](https://oauth.net/2/grant-types/client-credentials/) and is supported in a UDS Package with the following configuration: + +```yaml +apiVersion: uds.dev/v1alpha1 +kind: Package +metadata: + name: client-cred + namespace: argo +spec: + sso: + - name: httpbin-api-client + clientId: httpbin-api-client + standardFlowEnabled: false + serviceAccountsEnabled: true + + # By default, Keycloak will not set the audience `aud` claim for service account access token JWTs. + # You can optionally add a protocolMapper to set the audience. + # If you map the audience to the same client used for authservice, you can enable access to authservice protected apps with a service account JWT. + protocolMappers: + - name: audience + protocol: "openid-connect" + protocolMapper: "oidc-audience-mapper" + config: + included.client.audience: "uds-core-httpbin" # Set this to match the app's authservice client id + access.token.claim: "true" + introspection.token.claim: "true" + id.token.claim: "false" + lightweight.claim: "false" + userinfo.token.claim: "false" +``` +Setting `serviceAccountsEnabled: true` requires `standardFlowEnabled: false` and is incompatible with `publicClient: true`. + +If needed, multiple clients can be added to the same application: an AuthService client, a device flow client, and as many service account clients as required. + +A keycloak service account JWT can be distinguished by a username prefix of `service-account-` and a new claim called `client_id`. Note that the `aud` field is not set by default, hence the mapper in the example. + ### SSO Client Attribute Validation The SSO spec supports a subset of the Keycloak attributes for clients, but does not support all of them. The current supported attributes are: diff --git a/docs/configuration/uds-user-groups.md b/docs/reference/configuration/uds-user-groups.md similarity index 97% rename from docs/configuration/uds-user-groups.md rename to docs/reference/configuration/uds-user-groups.md index a654e551a..bcce50fdd 100644 --- a/docs/configuration/uds-user-groups.md +++ b/docs/reference/configuration/uds-user-groups.md @@ -1,7 +1,5 @@ --- title: User Groups -type: docs -weight: 5 --- UDS Core deploys Keycloak which has some preconfigured groups that applications inherit from SSO and IDP configurations. @@ -30,9 +28,9 @@ Neuvector [maps the groups](https://github.com/defenseunicorns/uds-core/blob/mai ## Keycloak -{{% alert-note %}} +:::note All groups are under the Uds Core parent group. Frequently a group will be referred to as Uds Core/Admin or Uds Core/Auditor. In the Keycloak UI this requires an additional click to get down to the sub groups. -{{% /alert-note %}} +::: ### Identity Providers ( IDP ) diff --git a/docs/deployment/flavors.md b/docs/reference/deployment/flavors.md similarity index 94% rename from docs/deployment/flavors.md rename to docs/reference/deployment/flavors.md index 680a2872e..26349aa16 100644 --- a/docs/deployment/flavors.md +++ b/docs/reference/deployment/flavors.md @@ -1,14 +1,12 @@ --- title: Published Flavors -type: docs -weight: 2 --- UDS Core is published with multiple variations (Zarf flavors). Each flavor uses a separate source registry for the images. Each flavor is used as the suffix on the OCI tags for packages. For production use cases we recommend the `registry1` or `unicorn` flavors as these images tend to be more secure than their `upstream` counterparts. -{{% alert-note %}} +:::note Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only published from the upstream flavor. -{{% /alert-note %}} +::: ### Flavors @@ -18,6 +16,6 @@ Demo and dev bundles (`k3d-core-demo` and `k3d-core-slim-dev`) are only publishe | `upstream` | `ghcr.io/defenseunicorns/packages/uds` | Various sources, typically DockerHub/GHCR/Quay, these are the default images used by helm charts | | **ALPHA** `unicorn` | `ghcr.io/defenseunicorns/packages/private/uds` | Industry best images designed with security and minimalism in mind | -{{% alert-note %}} +:::note The `unicorn` flavored packages are only available in a private repository. These packages are available for all members of the Defense Unicorns organization/company, if you are outside the organization [contact us](https://www.defenseunicorns.com/contactus) if you are interested in using this flavor for your mission. -{{% /alert-note %}} +::: diff --git a/jest.setup.js b/jest.setup.js index 32b832d64..3d5852167 100644 --- a/jest.setup.js +++ b/jest.setup.js @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + const { K8s, kind } = require("kubernetes-fluent-client"); module.exports = async () => { diff --git a/jest.teardown.js b/jest.teardown.js index 803adebd9..7926af39f 100644 --- a/jest.teardown.js +++ b/jest.teardown.js @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + const { K8s, kind } = require("kubernetes-fluent-client"); module.exports = async () => { diff --git a/package-lock.json b/package-lock.json index e838c0321..dd7b49ee3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,7 +8,7 @@ "name": "uds-core", "version": "0.5.0", "dependencies": { - "pepr": "0.36.0" + "pepr": "0.38.1" }, "devDependencies": { "@jest/globals": "29.7.0", @@ -1140,6 +1140,7 @@ "version": "8.0.2", "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz", "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==", + "license": "ISC", "dependencies": { "string-width": "^5.1.2", "string-width-cjs": "npm:string-width@^4.2.0", @@ -1156,6 +1157,7 @@ "version": "6.1.0", "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz", "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==", + "license": "MIT", "engines": { "node": ">=12" }, @@ -1167,6 +1169,7 @@ "version": "6.2.1", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz", "integrity": "sha512-bN798gFfQX+viw3R7yrGWRqnrN2oRkEkUjjl4JNn4E8GxxbjtG3FbrEIIY3l8/hrwUwIeCZvi4QuOTP4MErVug==", + "license": "MIT", "engines": { "node": ">=12" }, @@ -1177,12 +1180,14 @@ "node_modules/@isaacs/cliui/node_modules/emoji-regex": { "version": "9.2.2", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz", - "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==" + "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==", + "license": "MIT" }, "node_modules/@isaacs/cliui/node_modules/string-width": { "version": "5.1.2", "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz", "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==", + "license": "MIT", "dependencies": { "eastasianwidth": "^0.2.0", "emoji-regex": "^9.2.2", @@ -1199,6 +1204,7 @@ "version": "7.1.0", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.0.tgz", "integrity": "sha512-iq6eVVI64nQQTRYq2KtEg2d2uU7LElhTJwsH4YzIHZshxlgZms/wIc4VoDQTlG/IvVIrBKG06CrZnp0qv7hkcQ==", + "license": "MIT", "dependencies": { "ansi-regex": "^6.0.1" }, @@ -1213,6 +1219,7 @@ "version": "8.1.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz", "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==", + "license": "MIT", "dependencies": { "ansi-styles": "^6.1.0", "string-width": "^5.0.1", @@ -1229,6 +1236,7 @@ "version": "4.0.1", "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz", "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==", + "license": "ISC", "dependencies": { "minipass": "^7.0.4" }, @@ -1240,6 +1248,7 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -1682,6 +1691,7 @@ "version": "1.2.1", "resolved": "https://registry.npmjs.org/@jsep-plugin/assignment/-/assignment-1.2.1.tgz", "integrity": "sha512-gaHqbubTi29aZpVbBlECRpmdia+L5/lh2BwtIJTmtxdbecEyyX/ejAOg7eQDGNvGOUmPY7Z2Yxdy9ioyH/VJeA==", + "license": "MIT", "engines": { "node": ">= 10.16.0" }, @@ -1693,6 +1703,7 @@ "version": "1.0.3", "resolved": "https://registry.npmjs.org/@jsep-plugin/regex/-/regex-1.0.3.tgz", "integrity": "sha512-XfZgry4DwEZvSFtS/6Y+R48D7qJYJK6R9/yJFyUFHCIUMEEHuJ4X95TDgJp5QkmzfLYvapMPzskV5HpIDrREug==", + "license": "MIT", "engines": { "node": ">= 10.16.0" }, @@ -1701,22 +1712,21 @@ } }, "node_modules/@kubernetes/client-node": { - "version": "1.0.0-rc6", - "resolved": "https://registry.npmjs.org/@kubernetes/client-node/-/client-node-1.0.0-rc6.tgz", - "integrity": "sha512-CBNOZ0rrGc2NKx3/1Bu4Be6DLPbNWDDLmjgZ0DmIWOpEye/kyVf4vKqOCwfm+eM//reebW8DLxGZUsrrXETkEA==", + "version": "1.0.0-rc7", + "resolved": "https://registry.npmjs.org/@kubernetes/client-node/-/client-node-1.0.0-rc7.tgz", + "integrity": "sha512-s0U74yQ/nTq13xk3YI8P2y02pUm9TritjhsCIbtPYbOrG/5ti2bY2WhxxQWGx1LhiTZPEdoULtsyXI2XrIESJw==", + "license": "Apache-2.0", "dependencies": { "@types/js-yaml": "^4.0.1", - "@types/node": "^20.3.1", + "@types/node": "^22.0.0", "@types/node-fetch": "^2.6.9", "@types/stream-buffers": "^3.0.3", "@types/tar": "^6.1.1", - "@types/underscore": "^1.8.9", "@types/ws": "^8.5.4", - "byline": "^5.0.0", "form-data": "^4.0.0", "isomorphic-ws": "^5.0.0", "js-yaml": "^4.1.0", - "jsonpath-plus": "^9.0.0", + "jsonpath-plus": "^10.0.0", "node-fetch": "^2.6.9", "openid-client": "^5.6.5", "rfc4648": "^1.3.0", @@ -1724,17 +1734,8 @@ "tar": "^7.0.0", "tmp-promise": "^3.0.2", "tslib": "^2.5.0", - "underscore": "^1.9.1", "url-parse": "^1.4.3", - "ws": "^8.13.0" - } - }, - "node_modules/@kubernetes/client-node/node_modules/@types/node": { - "version": "20.16.5", - "resolved": "https://registry.npmjs.org/@types/node/-/node-20.16.5.tgz", - "integrity": "sha512-VwYCweNo3ERajwy0IUlqqcyZ8/A7Zwa9ZP3MnENWcB11AejO+tLy3pu850goUW2FC/IJMdZUfKpX/yxL1gymCA==", - "dependencies": { - "undici-types": "~6.19.2" + "ws": "^8.18.0" } }, "node_modules/@nodelib/fs.scandir": { @@ -1784,6 +1785,7 @@ "version": "0.11.0", "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz", "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==", + "license": "MIT", "optional": true, "engines": { "node": ">=14" @@ -1890,7 +1892,8 @@ "node_modules/@types/js-yaml": { "version": "4.0.9", "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.9.tgz", - "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==" + "integrity": "sha512-k4MGaQl5TGo/iipqb2UDG2UwjXziSWkh0uysQelTlJpX1qGlpUZYm8PnO4DxG1qBomtJUdYJ6qR6xdIah10JLg==", + "license": "MIT" }, "node_modules/@types/node": { "version": "22.5.4", @@ -1904,11 +1907,23 @@ "version": "2.6.11", "resolved": "https://registry.npmjs.org/@types/node-fetch/-/node-fetch-2.6.11.tgz", "integrity": "sha512-24xFj9R5+rfQJLRyM56qh+wnVSYhyXC2tkoBndtY0U+vubqNsYXGjufB2nn8Q6gt0LrARwL6UBtMCSVCwl4B1g==", + "license": "MIT", "dependencies": { "@types/node": "*", "form-data": "^4.0.0" } }, + "node_modules/@types/prompts": { + "version": "2.4.9", + "resolved": "https://registry.npmjs.org/@types/prompts/-/prompts-2.4.9.tgz", + "integrity": "sha512-qTxFi6Buiu8+50/+3DGIWLHM6QuWsEKugJnnP6iv2Mc4ncxE4A/OJkjuVOA+5X0X1S/nq5VJRa8Lu+nwcvbrKA==", + "license": "MIT", + "peer": true, + "dependencies": { + "@types/node": "*", + "kleur": "^3.0.3" + } + }, "node_modules/@types/ramda": { "version": "0.30.2", "resolved": "https://registry.npmjs.org/@types/ramda/-/ramda-0.30.2.tgz", @@ -1928,6 +1943,7 @@ "version": "3.0.7", "resolved": "https://registry.npmjs.org/@types/stream-buffers/-/stream-buffers-3.0.7.tgz", "integrity": "sha512-azOCy05sXVXrO+qklf0c/B07H/oHaIuDDAiHPVwlk3A9Ek+ksHyTeMajLZl3r76FxpPpxem//4Te61G1iW3Giw==", + "license": "MIT", "dependencies": { "@types/node": "*" } @@ -1936,20 +1952,17 @@ "version": "6.1.13", "resolved": "https://registry.npmjs.org/@types/tar/-/tar-6.1.13.tgz", "integrity": "sha512-IznnlmU5f4WcGTh2ltRu/Ijpmk8wiWXfF0VA4s+HPjHZgvFggk1YaIkbo5krX/zUCzWF8N/l4+W/LNxnvAJ8nw==", + "license": "MIT", "dependencies": { "@types/node": "*", "minipass": "^4.0.0" } }, - "node_modules/@types/underscore": { - "version": "1.11.15", - "resolved": "https://registry.npmjs.org/@types/underscore/-/underscore-1.11.15.tgz", - "integrity": "sha512-HP38xE+GuWGlbSRq9WrZkousaQ7dragtZCruBVMi0oX1migFZavZ3OROKHSkNp/9ouq82zrWtZpg18jFnVN96g==" - }, "node_modules/@types/ws": { "version": "8.5.12", "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.12.tgz", "integrity": "sha512-3tPRkv1EtkDpzlgyKyI8pGsGZAGPEaXeu0DOj5DI25Ja91bdAYddYHbADRYVrZMRbfW+1l5YwXVDKohDJNQxkQ==", + "license": "MIT", "dependencies": { "@types/node": "*" } @@ -2310,7 +2323,8 @@ "node_modules/asynckit": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", - "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==" + "integrity": "sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==", + "license": "MIT" }, "node_modules/atomic-sleep": { "version": "1.0.0", @@ -2617,6 +2631,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/byline/-/byline-5.0.0.tgz", "integrity": "sha512-s6webAy+R4SR8XVuJWt2V2rGvhnrhxN+9S15GNuTK3wKPOXFF6RNc+8ug2XhH+2s4f+uudG4kUVYmYOQWL2g0Q==", + "license": "MIT", "engines": { "node": ">=0.10.0" } @@ -2714,6 +2729,7 @@ "version": "3.0.0", "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz", "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==", + "license": "BlueOak-1.0.0", "engines": { "node": ">=18" } @@ -2871,6 +2887,7 @@ "version": "1.0.8", "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", + "license": "MIT", "dependencies": { "delayed-stream": "~1.0.0" }, @@ -2918,9 +2935,10 @@ "dev": true }, "node_modules/cookie": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz", - "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==", + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz", + "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==", + "license": "MIT", "engines": { "node": ">= 0.6" } @@ -3046,6 +3064,7 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", "integrity": "sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==", + "license": "MIT", "engines": { "node": ">=0.4.0" } @@ -3114,7 +3133,8 @@ "node_modules/eastasianwidth": { "version": "0.2.0", "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz", - "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==" + "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==", + "license": "MIT" }, "node_modules/ee-first": { "version": "1.1.1", @@ -3542,9 +3562,9 @@ } }, "node_modules/express": { - "version": "4.21.0", - "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz", - "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==", + "version": "4.21.1", + "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz", + "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==", "license": "MIT", "dependencies": { "accepts": "~1.3.8", @@ -3552,7 +3572,7 @@ "body-parser": "1.20.3", "content-disposition": "0.5.4", "content-type": "~1.0.4", - "cookie": "0.6.0", + "cookie": "0.7.1", "cookie-signature": "1.0.6", "debug": "2.6.9", "depd": "2.0.0", @@ -3804,6 +3824,7 @@ "version": "3.3.0", "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.0.tgz", "integrity": "sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==", + "license": "ISC", "dependencies": { "cross-spawn": "^7.0.0", "signal-exit": "^4.0.1" @@ -3819,6 +3840,7 @@ "version": "4.1.0", "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz", "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==", + "license": "ISC", "engines": { "node": ">=14" }, @@ -3827,9 +3849,10 @@ } }, "node_modules/form-data": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz", - "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==", + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.1.tgz", + "integrity": "sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw==", + "license": "MIT", "dependencies": { "asynckit": "^0.4.0", "combined-stream": "^1.0.8", @@ -4387,6 +4410,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/isomorphic-ws/-/isomorphic-ws-5.0.0.tgz", "integrity": "sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==", + "license": "MIT", "peerDependencies": { "ws": "*" } @@ -4461,6 +4485,7 @@ "version": "3.4.3", "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz", "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==", + "license": "BlueOak-1.0.0", "dependencies": { "@isaacs/cliui": "^8.0.2" }, @@ -5070,6 +5095,7 @@ "version": "4.15.9", "resolved": "https://registry.npmjs.org/jose/-/jose-4.15.9.tgz", "integrity": "sha512-1vUQX+IdDMVPj4k8kOxgUqlcK518yluMuGZwqlr44FS1ppZB/5GWh4rZG89erpOBOJjU/OBsnCVFfapsRz6nEA==", + "license": "MIT", "funding": { "url": "https://github.com/sponsors/panva" } @@ -5108,6 +5134,7 @@ "version": "1.3.9", "resolved": "https://registry.npmjs.org/jsep/-/jsep-1.3.9.tgz", "integrity": "sha512-i1rBX5N7VPl0eYb6+mHNp52sEuaS2Wi8CDYx1X5sn9naevL78+265XJqy1qENEk7mRKwS06NHpUqiBwR7qeodw==", + "license": "MIT", "engines": { "node": ">= 10.16.0" } @@ -5169,20 +5196,21 @@ } }, "node_modules/jsonpath-plus": { - "version": "9.0.0", - "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-9.0.0.tgz", - "integrity": "sha512-bqE77VIDStrOTV/czspZhTn+o27Xx9ZJRGVkdVShEtPoqsIx5yALv3lWVU6y+PqYvWPJNWE7ORCQheQkEe0DDA==", + "version": "10.0.0", + "resolved": "https://registry.npmjs.org/jsonpath-plus/-/jsonpath-plus-10.0.0.tgz", + "integrity": "sha512-v7j76HGp/ibKlXYeZ7UrfCLSNDaBWuJMA0GaMjA4sZJtCtY89qgPyToDDcl2zdeHh4B5q/B3g2pQdW76fOg/dA==", + "license": "MIT", "dependencies": { "@jsep-plugin/assignment": "^1.2.1", "@jsep-plugin/regex": "^1.0.3", - "jsep": "^1.3.8" + "jsep": "^1.3.9" }, "bin": { "jsonpath": "bin/jsonpath-cli.js", "jsonpath-plus": "bin/jsonpath-cli.js" }, "engines": { - "node": ">=14.0.0" + "node": ">=18.0.0" } }, "node_modules/keyv": { @@ -5203,12 +5231,12 @@ } }, "node_modules/kubernetes-fluent-client": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.0.3.tgz", - "integrity": "sha512-Cp2VdZYQY2bX4Sio5Tk4g20Vh7m2+OIUQrrIIYFYIcxqzTDBcK4yqVx8Au0SanwjgJ3DG2ysGMhyBUWJOezBmw==", + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/kubernetes-fluent-client/-/kubernetes-fluent-client-3.1.2.tgz", + "integrity": "sha512-NFyBYr4FCUVfcwaCO/bu1p496QFFu+J5IZusKuBeHhGlbkp4yHanQsM12lX79GKuEMVKzVq2RXCYvYsJhvicFw==", "license": "Apache-2.0", "dependencies": { - "@kubernetes/client-node": "1.0.0-rc6", + "@kubernetes/client-node": "1.0.0-rc7", "byline": "5.0.0", "fast-json-patch": "3.1.1", "http-status-codes": "2.3.0", @@ -5772,6 +5800,7 @@ "version": "4.2.8", "resolved": "https://registry.npmjs.org/minipass/-/minipass-4.2.8.tgz", "integrity": "sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ==", + "license": "ISC", "engines": { "node": ">=8" } @@ -5780,6 +5809,7 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.0.1.tgz", "integrity": "sha512-umcy022ILvb5/3Djuu8LWeqUa8D68JaBzlttKeMWen48SjabqS3iY5w/vzeMzMUNhLDifyhbOwKDSznB1vvrwg==", + "license": "MIT", "dependencies": { "minipass": "^7.0.4", "rimraf": "^5.0.5" @@ -5792,6 +5822,7 @@ "version": "10.4.5", "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz", "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==", + "license": "ISC", "dependencies": { "foreground-child": "^3.1.0", "jackspeak": "^3.1.2", @@ -5811,6 +5842,7 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -5819,6 +5851,7 @@ "version": "5.0.10", "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.10.tgz", "integrity": "sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==", + "license": "ISC", "dependencies": { "glob": "^10.3.7" }, @@ -5833,6 +5866,7 @@ "version": "3.0.1", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-3.0.1.tgz", "integrity": "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==", + "license": "MIT", "bin": { "mkdirp": "dist/cjs/src/bin.js" }, @@ -5926,6 +5960,7 @@ "version": "2.2.0", "resolved": "https://registry.npmjs.org/object-hash/-/object-hash-2.2.0.tgz", "integrity": "sha512-gScRMn0bS5fH+IuwyIFgnh9zBdo4DV+6GhygmWM9HyNJSgS0hScp1f5vjtm7oIIOiT9trXrShAkLFSc2IqKNgw==", + "license": "MIT", "engines": { "node": ">= 6" } @@ -5946,6 +5981,7 @@ "version": "5.0.3", "resolved": "https://registry.npmjs.org/oidc-token-hash/-/oidc-token-hash-5.0.3.tgz", "integrity": "sha512-IF4PcGgzAr6XXSff26Sk/+P4KZFJVuHAJZj3wgO3vX2bMdNVp/QXTP3P7CEm9V1IdG8lDLY3HhiqpsE/nOwpPw==", + "license": "MIT", "engines": { "node": "^10.13.0 || >=12.0.0" } @@ -5997,6 +6033,7 @@ "version": "5.7.0", "resolved": "https://registry.npmjs.org/openid-client/-/openid-client-5.7.0.tgz", "integrity": "sha512-4GCCGZt1i2kTHpwvaC/sCpTpQqDnBzDzuJcJMbH+y1Q5qI8U8RBvoSh28svarXszZHR5BAMXbJPX1PGPRE3VOA==", + "license": "MIT", "dependencies": { "jose": "^4.15.9", "lru-cache": "^6.0.0", @@ -6011,6 +6048,7 @@ "version": "6.0.0", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", + "license": "ISC", "dependencies": { "yallist": "^4.0.0" }, @@ -6021,7 +6059,8 @@ "node_modules/openid-client/node_modules/yallist": { "version": "4.0.0", "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", - "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==", + "license": "ISC" }, "node_modules/optionator": { "version": "0.9.4", @@ -6079,9 +6118,10 @@ } }, "node_modules/package-json-from-dist": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.0.tgz", - "integrity": "sha512-dATvCeZN/8wQsGywez1mzHtTlP22H8OEfPrVMLNr4/eGa+ijtLn/6M5f0dY8UKNrC2O9UCU6SSoG3qRKnt7STw==" + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz", + "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==", + "license": "BlueOak-1.0.0" }, "node_modules/pako": { "version": "1.0.11", @@ -6161,6 +6201,7 @@ "version": "1.11.1", "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz", "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==", + "license": "BlueOak-1.0.0", "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" @@ -6175,12 +6216,14 @@ "node_modules/path-scurry/node_modules/lru-cache": { "version": "10.4.3", "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz", - "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==" + "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==", + "license": "ISC" }, "node_modules/path-scurry/node_modules/minipass": { "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -6201,18 +6244,18 @@ } }, "node_modules/pepr": { - "version": "0.36.0", - "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.36.0.tgz", - "integrity": "sha512-+GyQK9SUhjoEAfWU1cdKtKjYx8JCT+aracTBb5jRh3JIljD61H8nxlAlIS8rEcAdGw2Gcu/qztxX62x3Bjaw+A==", + "version": "0.38.1", + "resolved": "https://registry.npmjs.org/pepr/-/pepr-0.38.1.tgz", + "integrity": "sha512-rglrwpfrxRfvssab8rmiHcA3kH1P/Il65TuyNmvbJ05hbKSxWnJQ+L7hSbD6Iua1UqjRZ1JvGfj/yNvlPJC60w==", "license": "Apache-2.0", "dependencies": { "@types/ramda": "0.30.2", - "express": "4.21.0", + "express": "4.21.1", "fast-json-patch": "3.1.1", "json-pointer": "^0.6.2", - "kubernetes-fluent-client": "3.0.3", - "pino": "9.4.0", - "pino-pretty": "11.2.2", + "kubernetes-fluent-client": "3.1.2", + "pino": "9.5.0", + "pino-pretty": "11.3.0", "prom-client": "15.1.3", "ramda": "0.30.1" }, @@ -6223,6 +6266,7 @@ "node": ">=18.0.0" }, "peerDependencies": { + "@types/prompts": "2.4.9", "@typescript-eslint/eslint-plugin": "7.18.0", "@typescript-eslint/parser": "7.18.0", "commander": "12.1.0", @@ -6265,15 +6309,15 @@ } }, "node_modules/pino": { - "version": "9.4.0", - "resolved": "https://registry.npmjs.org/pino/-/pino-9.4.0.tgz", - "integrity": "sha512-nbkQb5+9YPhQRz/BeQmrWpEknAaqjpAqRK8NwJpmrX/JHu7JuZC5G1CeAwJDJfGes4h+YihC6in3Q2nGb+Y09w==", + "version": "9.5.0", + "resolved": "https://registry.npmjs.org/pino/-/pino-9.5.0.tgz", + "integrity": "sha512-xSEmD4pLnV54t0NOUN16yCl7RIB1c5UUOse5HSyEXtBp+FgFQyPeDutc+Q2ZO7/22vImV7VfEjH/1zV2QuqvYw==", "license": "MIT", "dependencies": { "atomic-sleep": "^1.0.0", "fast-redact": "^3.1.1", "on-exit-leak-free": "^2.1.0", - "pino-abstract-transport": "^1.2.0", + "pino-abstract-transport": "^2.0.0", "pino-std-serializers": "^7.0.0", "process-warning": "^4.0.0", "quick-format-unescaped": "^4.0.3", @@ -6287,18 +6331,19 @@ } }, "node_modules/pino-abstract-transport": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-1.2.0.tgz", - "integrity": "sha512-Guhh8EZfPCfH+PMXAb6rKOjGQEoy0xlAIn+irODG5kgfYV+BQ0rGYYWTIel3P5mmyXqkYkPmdIkywsn6QKUR1Q==", + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/pino-abstract-transport/-/pino-abstract-transport-2.0.0.tgz", + "integrity": "sha512-F63x5tizV6WCh4R6RHyi2Ml+M70DNRXt/+HANowMflpgGFMAym/VKm6G7ZOQRjqN7XbGxK1Lg9t6ZrtzOaivMw==", + "license": "MIT", "dependencies": { - "readable-stream": "^4.0.0", "split2": "^4.0.0" } }, "node_modules/pino-pretty": { - "version": "11.2.2", - "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.2.2.tgz", - "integrity": "sha512-2FnyGir8nAJAqD3srROdrF1J5BIcMT4nwj7hHSc60El6Uxlym00UbCCd8pYIterstVBFlMyF1yFV8XdGIPbj4A==", + "version": "11.3.0", + "resolved": "https://registry.npmjs.org/pino-pretty/-/pino-pretty-11.3.0.tgz", + "integrity": "sha512-oXwn7ICywaZPHmu3epHGU2oJX4nPmKvHvB/bwrJHlGcbEWaVcotkpyVHMKLKmiVryWYByNp0jpgAcXpFJDXJzA==", + "license": "MIT", "dependencies": { "colorette": "^2.0.7", "dateformat": "^4.6.3", @@ -6308,7 +6353,7 @@ "joycon": "^3.1.1", "minimist": "^1.2.6", "on-exit-leak-free": "^2.1.0", - "pino-abstract-transport": "^1.0.0", + "pino-abstract-transport": "^2.0.0", "pump": "^3.0.0", "readable-stream": "^4.0.0", "secure-json-parse": "^2.4.0", @@ -6556,7 +6601,8 @@ "node_modules/querystringify": { "version": "2.2.0", "resolved": "https://registry.npmjs.org/querystringify/-/querystringify-2.2.0.tgz", - "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==" + "integrity": "sha512-FIqgj2EUvTa7R50u0rGsyTftzjYmv/a3hO345bZNrqabNqjtgiDMgmo4mkUjd+nzU5oF3dClKqFIPUKybUyqoQ==", + "license": "MIT" }, "node_modules/queue-microtask": { "version": "1.2.3", @@ -6677,7 +6723,8 @@ "node_modules/requires-port": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/requires-port/-/requires-port-1.0.0.tgz", - "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==" + "integrity": "sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==", + "license": "MIT" }, "node_modules/resolve": { "version": "1.22.8", @@ -6791,7 +6838,8 @@ "node_modules/rfc4648": { "version": "1.5.3", "resolved": "https://registry.npmjs.org/rfc4648/-/rfc4648-1.5.3.tgz", - "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==" + "integrity": "sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==", + "license": "MIT" }, "node_modules/rfdc": { "version": "1.4.1", @@ -7088,6 +7136,7 @@ "version": "4.2.0", "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz", "integrity": "sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==", + "license": "ISC", "engines": { "node": ">= 10.x" } @@ -7132,6 +7181,7 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/stream-buffers/-/stream-buffers-3.0.3.tgz", "integrity": "sha512-pqMqwQCso0PBJt2PQmDO0cFj0lyqmiwOMiMSkVtRokl7e+ZTRYgDHKnuZNbqjiJXgsg4nuqtD/zxuo9KqTp0Yw==", + "license": "Unlicense", "engines": { "node": ">= 0.10.0" } @@ -7188,6 +7238,7 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -7200,12 +7251,14 @@ "node_modules/string-width-cjs/node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" }, "node_modules/string-width-cjs/node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "license": "MIT", "engines": { "node": ">=8" } @@ -7253,6 +7306,7 @@ "version": "6.0.1", "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "license": "MIT", "dependencies": { "ansi-regex": "^5.0.1" }, @@ -7316,6 +7370,7 @@ "version": "7.4.3", "resolved": "https://registry.npmjs.org/tar/-/tar-7.4.3.tgz", "integrity": "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==", + "license": "ISC", "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", @@ -7332,6 +7387,7 @@ "version": "7.1.2", "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz", "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==", + "license": "ISC", "engines": { "node": ">=16 || 14 >=14.17" } @@ -7340,6 +7396,7 @@ "version": "5.0.0", "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz", "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==", + "license": "BlueOak-1.0.0", "engines": { "node": ">=18" } @@ -7411,6 +7468,7 @@ "version": "0.2.3", "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.3.tgz", "integrity": "sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==", + "license": "MIT", "engines": { "node": ">=14.14" } @@ -7419,6 +7477,7 @@ "version": "3.0.3", "resolved": "https://registry.npmjs.org/tmp-promise/-/tmp-promise-3.0.3.tgz", "integrity": "sha512-RwM7MoPojPxsOBYnyd2hy0bxtIlVrihNs9pj5SUvY8Zz1sQcQG2tG1hSr8PDxfgEB8RNKDhqbIlroIarSNDNsQ==", + "license": "MIT", "dependencies": { "tmp": "^0.2.0" } @@ -7530,9 +7589,10 @@ "integrity": "sha512-nsZd8ZeNUzukXPlJmTBwUAuABDe/9qtVDelJeT/qW0ow3ZS3BsQJtNkan1802aM9Uf68/Y8ljw86Hu0h5IUW3w==" }, "node_modules/tslib": { - "version": "2.7.0", - "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.7.0.tgz", - "integrity": "sha512-gLXCKdN1/j47AiHiOkJN69hJmcbGTHI0ImLmbYLHykhgeN0jVGola9yVjFgzCUklsZQMW55o+dW7IXv3RCXDzA==" + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.0.tgz", + "integrity": "sha512-jWVzBLplnCmoaTr13V9dYbiQ99wvZRd0vNWaDRg+aVYRcjDF3nDksxFDE/+fkXnKhpnUUkmx5pK/v8mCtLVqZA==", + "license": "0BSD" }, "node_modules/type-check": { "version": "0.4.0", @@ -7601,11 +7661,6 @@ "node": ">=14.17" } }, - "node_modules/underscore": { - "version": "1.13.7", - "resolved": "https://registry.npmjs.org/underscore/-/underscore-1.13.7.tgz", - "integrity": "sha512-GMXzWtsc57XAtguZgaQViUOzs0KTkk8ojr3/xAxXLITqf/3EMwxC0inyETfDFjH/Krbhuep0HNbbjI9i/q3F3g==" - }, "node_modules/undici-types": { "version": "6.19.8", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", @@ -7691,6 +7746,7 @@ "version": "1.5.10", "resolved": "https://registry.npmjs.org/url-parse/-/url-parse-1.5.10.tgz", "integrity": "sha512-WypcfiRhfeUP9vvF0j6rw0J3hrWrw6iZv3+22h6iRMJ/8z1Tj6XfLP4DsUix5MhMPnXpiHDoKyoZ/bdCkwBCiQ==", + "license": "MIT", "dependencies": { "querystringify": "^2.1.1", "requires-port": "^1.0.0" @@ -7812,6 +7868,7 @@ "version": "7.0.0", "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz", "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==", + "license": "MIT", "dependencies": { "ansi-styles": "^4.0.0", "string-width": "^4.1.0", @@ -7827,12 +7884,14 @@ "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": { "version": "8.0.0", "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", - "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==" + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "license": "MIT" }, "node_modules/wrap-ansi-cjs/node_modules/is-fullwidth-code-point": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "license": "MIT", "engines": { "node": ">=8" } @@ -7841,6 +7900,7 @@ "version": "4.2.3", "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "license": "MIT", "dependencies": { "emoji-regex": "^8.0.0", "is-fullwidth-code-point": "^3.0.0", @@ -7911,6 +7971,7 @@ "version": "8.18.0", "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.0.tgz", "integrity": "sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==", + "license": "MIT", "engines": { "node": ">=10.0.0" }, diff --git a/package.json b/package.json index a0c4fc6f2..666231197 100644 --- a/package.json +++ b/package.json @@ -29,7 +29,7 @@ "k3d-setup": "k3d cluster delete pepr-dev && k3d cluster create pepr-dev --k3s-arg '--debug@server:0'" }, "dependencies": { - "pepr": "0.36.0" + "pepr": "0.38.1" }, "devDependencies": { "@jest/globals": "29.7.0", diff --git a/packages/backup-restore/README.md b/packages/backup-restore/README.md new file mode 100644 index 000000000..7f980a1f3 --- /dev/null +++ b/packages/backup-restore/README.md @@ -0,0 +1,7 @@ +# UDS Core Backup & Restore + +This layer of UDS Core provides backup and restore capabilities. Currently it includes the application(s): +- Velero + +To deploy this layer you must also deploy its dependent layer(s): +- Base \ No newline at end of file diff --git a/packages/backup-restore/tasks.yaml b/packages/backup-restore/tasks.yaml new file mode 100644 index 000000000..321585dca --- /dev/null +++ b/packages/backup-restore/tasks.yaml @@ -0,0 +1,10 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - velero: ../../src/velero/tasks.yaml + +tasks: + - name: validate + actions: + - task: velero:validate diff --git a/packages/backup-restore/zarf.yaml b/packages/backup-restore/zarf.yaml new file mode 100644 index 000000000..bfed659f8 --- /dev/null +++ b/packages/backup-restore/zarf.yaml @@ -0,0 +1,19 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-backup-restore + description: "UDS Core (Backup and Restore)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Velero + - name: velero + required: true + import: + path: ../../src/velero diff --git a/packages/base/README.md b/packages/base/README.md new file mode 100644 index 000000000..d2c54c234 --- /dev/null +++ b/packages/base/README.md @@ -0,0 +1,7 @@ +# UDS Core Base + +This is the base layer of UDS Core required if deploying any other layers. Currently it includes the application(s): +- Istio (and gateways) +- UDS Operator and Policies (Pepr) + +As this is the base layer it can be deployed standalone for minimal functionality. diff --git a/packages/base/tasks.yaml b/packages/base/tasks.yaml new file mode 100644 index 000000000..cd4defc93 --- /dev/null +++ b/packages/base/tasks.yaml @@ -0,0 +1,12 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - istio: ../../src/istio/tasks.yaml + - pepr: ../../src/pepr/tasks.yaml + +tasks: + - name: validate + actions: + - task: istio:validate + - task: pepr:validate diff --git a/packages/slim-dev/zarf.yaml b/packages/base/zarf.yaml similarity index 71% rename from packages/slim-dev/zarf.yaml rename to packages/base/zarf.yaml index 7a7de7a31..c0c2430ee 100644 --- a/packages/slim-dev/zarf.yaml +++ b/packages/base/zarf.yaml @@ -1,11 +1,19 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: - name: core-slim-dev - description: "UDS Core (Istio, UDS Operator and Keycloak)" + name: core-base + description: "UDS Core (Base)" authors: "Defense Unicorns - Product" # x-release-please-start-version +<<<<<<< HEAD:packages/base/zarf.yaml + version: "0.29.0" +======= version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)):packages/slim-dev/zarf.yaml # x-release-please-end + x-uds-dependencies: [] components: - name: uds-operator-config @@ -45,9 +53,3 @@ components: required: true import: path: ../../src/pepr - - # Keycloak - - name: keycloak - required: true - import: - path: ../../src/keycloak diff --git a/packages/identity-authorization/README.md b/packages/identity-authorization/README.md new file mode 100644 index 000000000..ccbeaca1a --- /dev/null +++ b/packages/identity-authorization/README.md @@ -0,0 +1,8 @@ +# UDS Core Identity & Authorization + +This layer of UDS Core provides identity management and authorization capabilities. Currently it includes the application(s): +- Keycloak (with custom plugin and realm) +- AuthService + +To deploy this layer you must also deploy its dependent layer(s): +- Base diff --git a/packages/identity-authorization/tasks.yaml b/packages/identity-authorization/tasks.yaml new file mode 100644 index 000000000..f06de22cf --- /dev/null +++ b/packages/identity-authorization/tasks.yaml @@ -0,0 +1,12 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - keycloak: ../../src/keycloak/tasks.yaml + - authservice: ../../src/authservice/tasks.yaml + +tasks: + - name: validate + actions: + - task: keycloak:validate + - task: authservice:validate diff --git a/packages/identity-authorization/zarf.yaml b/packages/identity-authorization/zarf.yaml new file mode 100644 index 000000000..2d985c0a3 --- /dev/null +++ b/packages/identity-authorization/zarf.yaml @@ -0,0 +1,25 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-identity-authorization + description: "UDS Core (Identity & Authorization)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Keycloak + - name: keycloak + required: true + import: + path: ../../src/keycloak + + # Authservice + - name: authservice + required: true + import: + path: ../../src/authservice diff --git a/packages/logging/README.md b/packages/logging/README.md new file mode 100644 index 000000000..e73912ab4 --- /dev/null +++ b/packages/logging/README.md @@ -0,0 +1,9 @@ +# UDS Core Logging + +This layer of UDS Core provides log collection and storage capabilities. Currently it includes the application(s): +- Vector: Log collection and shipping +- Loki: Log storage and querying + +To deploy this layer you must also deploy its dependent layer(s): +- Base +- Monitoring (optional to provide UI interaction with logs) diff --git a/packages/logging/tasks.yaml b/packages/logging/tasks.yaml new file mode 100644 index 000000000..e8d04ed1f --- /dev/null +++ b/packages/logging/tasks.yaml @@ -0,0 +1,12 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - loki: ../../src/loki/tasks.yaml + - vector: ../../src/vector/tasks.yaml + +tasks: + - name: validate + actions: + - task: loki:validate + - task: vector:validate diff --git a/packages/logging/zarf.yaml b/packages/logging/zarf.yaml new file mode 100644 index 000000000..416d18e05 --- /dev/null +++ b/packages/logging/zarf.yaml @@ -0,0 +1,25 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-logging + description: "UDS Core (Logging)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Loki + - name: loki + required: true + import: + path: ../../src/loki + + # Vector + - name: vector + required: true + import: + path: ../../src/vector diff --git a/packages/metrics-server/README.md b/packages/metrics-server/README.md new file mode 100644 index 000000000..c23248502 --- /dev/null +++ b/packages/metrics-server/README.md @@ -0,0 +1,7 @@ +# UDS Core Metrics Server + +This layer of UDS Core provides k8s metrics capabilities. Currently it includes the application(s): +- Metrics Server + +To deploy this layer you must also deploy its dependent layer(s): +- Base diff --git a/packages/metrics-server/tasks.yaml b/packages/metrics-server/tasks.yaml new file mode 100644 index 000000000..a13737dc2 --- /dev/null +++ b/packages/metrics-server/tasks.yaml @@ -0,0 +1,11 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - metrics-server: ../../src/metrics-server/tasks.yaml + +tasks: + - name: validate + actions: + - description: "Validate Metrics Server" + task: metrics-server:validate diff --git a/packages/metrics-server/zarf.yaml b/packages/metrics-server/zarf.yaml new file mode 100644 index 000000000..7658b4526 --- /dev/null +++ b/packages/metrics-server/zarf.yaml @@ -0,0 +1,19 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-metrics-server + description: "UDS Core (Metrics Server)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base"] + +components: + # Metrics Server + - name: metrics-server + required: true + import: + path: ../../src/metrics-server diff --git a/packages/monitoring/readme.md b/packages/monitoring/readme.md new file mode 100644 index 000000000..e08fe67f7 --- /dev/null +++ b/packages/monitoring/readme.md @@ -0,0 +1,9 @@ +# UDS Core Monitoring + +This layer of UDS Core provides monitoring capabilities. Currently it includes the application(s): +- grafana +- prometheus + +To deploy this layer you must also deploy its dependent layer(s): +- base +- identity-authorization \ No newline at end of file diff --git a/packages/monitoring/tasks.yaml b/packages/monitoring/tasks.yaml new file mode 100644 index 000000000..e7c9b3bee --- /dev/null +++ b/packages/monitoring/tasks.yaml @@ -0,0 +1,12 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - prometheus: ../../src/prometheus-stack/tasks.yaml + - grafana: ../../src/grafana/tasks.yaml + +tasks: + - name: validate + actions: + - task: prometheus:validate + - task: grafana:validate diff --git a/packages/monitoring/zarf.yaml b/packages/monitoring/zarf.yaml new file mode 100644 index 000000000..9cd7340ef --- /dev/null +++ b/packages/monitoring/zarf.yaml @@ -0,0 +1,24 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-monitoring + description: "UDS Core Monitoring (Prometheus and Grafana)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base", "identity-authorization"] + +components: + # Prometheus + - name: kube-prometheus-stack + required: true + import: + path: ../../src/prometheus-stack + # Grafana + - name: grafana + required: true + import: + path: ../../src/grafana diff --git a/packages/runtime-security/README.md b/packages/runtime-security/README.md new file mode 100644 index 000000000..824b92632 --- /dev/null +++ b/packages/runtime-security/README.md @@ -0,0 +1,8 @@ +# UDS Core Runtime Security + +This layer of UDS Core provides Runtime Security capabilities. Currently it includes the application(s): +- neuvector + +To deploy this layer you must also deploy its dependent layer(s): +- base +- identity-authorization \ No newline at end of file diff --git a/packages/runtime-security/tasks.yaml b/packages/runtime-security/tasks.yaml new file mode 100644 index 000000000..9cf0cec0a --- /dev/null +++ b/packages/runtime-security/tasks.yaml @@ -0,0 +1,10 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - neuvector: ../../src/neuvector/tasks.yaml + +tasks: + - name: validate + actions: + - task: neuvector:validate diff --git a/packages/runtime-security/zarf.yaml b/packages/runtime-security/zarf.yaml new file mode 100644 index 000000000..99ecd76ab --- /dev/null +++ b/packages/runtime-security/zarf.yaml @@ -0,0 +1,19 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-runtime-security + description: "UDS Core (Runtime Security)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base", "identity-authorization"] + +components: + # Neuvector + - name: neuvector + required: true + import: + path: ../../src/neuvector diff --git a/packages/slim-dev/README.md b/packages/slim-dev/README.md deleted file mode 100644 index 1e3b1dce6..000000000 --- a/packages/slim-dev/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# UDS Core Slim Dev - -This is a special modified version of UDS Core that only includes the components needed to run Istio, UDS Operator and Keycloak. diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml index ef5ff903b..e458b11a7 100644 --- a/packages/standard/zarf.yaml +++ b/packages/standard/zarf.yaml @@ -1,107 +1,118 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: core description: "UDS Core" authors: "Defense Unicorns - Product" # x-release-please-start-version +<<<<<<< HEAD + version: "0.29.0" +======= version: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end components: - name: uds-operator-config required: true import: - path: ../../src/pepr + path: ../base # CRDs - name: prometheus-operator-crds required: true import: - path: ../../src/prometheus-stack + path: ../base # Istio - name: istio-controlplane required: true import: - path: ../../src/istio + path: ../base - name: istio-admin-gateway required: true import: - path: ../../src/istio + path: ../base - name: istio-tenant-gateway required: true import: - path: ../../src/istio + path: ../base - name: istio-passthrough-gateway required: false import: - path: ../../src/istio + path: ../base # Pepr the world - name: pepr-uds-core required: true import: - path: ../../src/pepr + path: ../base # Metrics Server - name: metrics-server required: false import: - path: ../../src/metrics-server + path: ../metrics-server # Keycloak - name: keycloak required: true import: - path: ../../src/keycloak + path: ../identity-authorization # Neuvector - name: neuvector required: true import: - path: ../../src/neuvector + path: ../runtime-security # Loki - name: loki required: true import: - path: ../../src/loki + path: ../logging # Prometheus - name: kube-prometheus-stack required: true import: - path: ../../src/prometheus-stack + path: ../monitoring # Vector - name: vector required: true import: +<<<<<<< HEAD + path: ../logging +======= path: ../../src/vector +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) # Grafana - name: grafana required: true import: - path: ../../src/grafana + path: ../monitoring # Authservice - name: authservice required: true import: - path: ../../src/authservice + path: ../identity-authorization # UDS Runtime - name: uds-runtime required: false import: - path: ../../src/runtime + path: ../ui # Velero - name: velero required: true import: - path: ../../src/velero + path: ../backup-restore diff --git a/packages/ui/README.md b/packages/ui/README.md new file mode 100644 index 000000000..77acbd47d --- /dev/null +++ b/packages/ui/README.md @@ -0,0 +1,8 @@ +# UDS Core UI (Runtime) + +This layer of UDS Core provides UI capabilities. Currently it includes the application(s): +- runtime + +To deploy this layer you must also deploy its dependent layer(s): +- base +- identity-authorization [( unless disabled with runtime override )](https://github.com/defenseunicorns/uds-runtime/blob/v0.5.0/chart/values.yaml) \ No newline at end of file diff --git a/packages/ui/tasks.yaml b/packages/ui/tasks.yaml new file mode 100644 index 000000000..ef2d5405a --- /dev/null +++ b/packages/ui/tasks.yaml @@ -0,0 +1,10 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +includes: + - runtime: ../../src/runtime/tasks.yaml + +tasks: + - name: validate + actions: + - task: runtime:validate diff --git a/packages/ui/zarf.yaml b/packages/ui/zarf.yaml new file mode 100644 index 000000000..c69cd5493 --- /dev/null +++ b/packages/ui/zarf.yaml @@ -0,0 +1,19 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +kind: ZarfPackageConfig +metadata: + name: core-ui + description: "UDS Core (UI)" + authors: "Defense Unicorns - Product" + # x-release-please-start-version + version: "0.29.0" + # x-release-please-end + x-uds-dependencies: ["base", "identity-authorization"] + +components: + # Runtime + - name: uds-runtime + required: true + import: + path: ../../src/runtime diff --git a/pepr.ts b/pepr.ts index 885b09d3d..b0403818e 100644 --- a/pepr.ts +++ b/pepr.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { PeprModule } from "pepr"; import cfg from "./package.json"; diff --git a/release-please-config.json b/release-please-config.json index 55d182d93..cb60d25d4 100644 --- a/release-please-config.json +++ b/release-please-config.json @@ -12,12 +12,20 @@ "bump-minor-pre-major": true, "versioning": "default", "extra-files": [ - ".github/bundles/uds-bundle.yaml", "README.md", - "packages/slim-dev/zarf.yaml", + "packages/base/zarf.yaml", + "packages/identity-authorization/zarf.yaml", + "packages/logging/zarf.yaml", + "packages/backup-restore/zarf.yaml", + "packages/runtime-security/zarf.yaml", + "packages/ui/zarf.yaml", + "packages/monitoring/zarf.yaml", + "packages/metrics-server/zarf.yaml", "packages/standard/zarf.yaml", "bundles/k3d-slim-dev/uds-bundle.yaml", "bundles/k3d-standard/uds-bundle.yaml", + ".github/bundles/rke2/uds-bundle.yaml", + ".github/bundles/eks/uds-bundle.yaml", "tasks/deploy.yaml", "tasks/publish.yaml" ] diff --git a/renovate.json b/renovate.json index f4428a606..387ef9641 100644 --- a/renovate.json +++ b/renovate.json @@ -78,36 +78,19 @@ "commitMessageTopic": "runtime" }, { - "matchPackageNames": ["zarf-dev/zarf", "ghcr.io/zarf-dev/packages/init"], - "groupName": "zarf", - "commitMessageTopic": "zarf" - }, - { - "matchPackageNames": ["defenseunicorns/uds-cli"], - "groupName": "uds", - "commitMessageTopic": "uds" - }, - { - "matchPackageNames": ["defenseunicorns/uds-k3d", "ghcr.io/defenseunicorns/packages/uds-k3d"], - "groupName": "uds-k3d", - "commitMessageTopic": "uds-k3d" - }, - { - "matchFileNames": [".github/workflows/**", ".github/actions/**"], - "matchPackageNames": ["*", "!zarf-dev/zarf", "!defenseunicorns/uds-cli", "!defenseunicorns/lula", "!k3d-io/k3d"], - "groupName": "githubactions", - "commitMessageTopic": "githubactions", - "pinDigests": true + "matchFileNames": ["package.json", "package-lock.json", "tasks/create.yaml"], + "groupName": "pepr", + "commitMessageTopic": "pepr" }, { - "matchFileNames": [".github/test-infra/**"], - "groupName": "test-infra", - "commitMessageTopic": "test-infra" + "matchFileNames": [".github/**", "bundles/**", "tasks/iac.yaml"], + "groupName": "support-deps", + "commitMessageTopic": "support dependencies" }, { - "matchFileNames": ["package.json", "package-lock.json", "tasks/create.yaml"], - "groupName": "pepr", - "commitMessageTopic": "pepr" + "matchPackageNames": ["defenseunicorns/uds-common"], + "groupName": "support-deps", + "commitMessageTopic": "support-deps" } ] } diff --git a/src/authservice/chart/Chart.yaml b/src/authservice/chart/Chart.yaml index 93ca95965..23497aa1f 100644 --- a/src/authservice/chart/Chart.yaml +++ b/src/authservice/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: authservice description: A Helm chart for Istio Authservice diff --git a/src/authservice/chart/templates/deployment.yaml b/src/authservice/chart/templates/deployment.yaml index 4dd4295f8..c75a602ec 100644 --- a/src/authservice/chart/templates/deployment.yaml +++ b/src/authservice/chart/templates/deployment.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: apps/v1 kind: Deployment metadata: diff --git a/src/authservice/chart/templates/hpa.yaml b/src/authservice/chart/templates/hpa.yaml index e5a4cb8ea..dc12bb186 100644 --- a/src/authservice/chart/templates/hpa.yaml +++ b/src/authservice/chart/templates/hpa.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/src/authservice/chart/templates/service.yaml b/src/authservice/chart/templates/service.yaml index 978a7b9ef..c95d81359 100644 --- a/src/authservice/chart/templates/service.yaml +++ b/src/authservice/chart/templates/service.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/authservice/chart/templates/uds-package.yaml b/src/authservice/chart/templates/uds-package.yaml index 0e4e583de..acf50b428 100644 --- a/src/authservice/chart/templates/uds-package.yaml +++ b/src/authservice/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/authservice/chart/values.yaml b/src/authservice/chart/values.yaml index 06a631c9c..ea4e9af41 100644 --- a/src/authservice/chart/values.yaml +++ b/src/authservice/chart/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # -- When setting this above 1, a redis configuration is required. replicaCount: 1 diff --git a/src/authservice/common/zarf.yaml b/src/authservice/common/zarf.yaml index 59914ddd9..82c57392e 100644 --- a/src/authservice/common/zarf.yaml +++ b/src/authservice/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-authservice-common diff --git a/src/authservice/tasks.yaml b/src/authservice/tasks.yaml index 479bc906f..06004f671 100644 --- a/src/authservice/tasks.yaml +++ b/src/authservice/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/authservice/values/registry1-values.yaml b/src/authservice/values/registry1-values.yaml index ad28c1a01..96812b76b 100644 --- a/src/authservice/values/registry1-values.yaml +++ b/src/authservice/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/istio-ecosystem/authservice tag: "1.0.2-ubi9" diff --git a/src/authservice/values/unicorn-values.yaml b/src/authservice/values/unicorn-values.yaml index 34bb6887d..8c48801c9 100644 --- a/src/authservice/values/unicorn-values.yaml +++ b/src/authservice/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/authservice-fips tag: "1.0.2" diff --git a/src/authservice/values/upstream-values.yaml b/src/authservice/values/upstream-values.yaml index f85681777..e8511c2b3 100644 --- a/src/authservice/values/upstream-values.yaml +++ b/src/authservice/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: ghcr.io/istio-ecosystem/authservice/authservice tag: "1.0.2" diff --git a/src/authservice/zarf.yaml b/src/authservice/zarf.yaml index e214a28fc..53a82124e 100644 --- a/src/authservice/zarf.yaml +++ b/src/authservice/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-authservice diff --git a/src/grafana/chart/Chart.yaml b/src/grafana/chart/Chart.yaml index 10eb31e6b..2b07d2451 100644 --- a/src/grafana/chart/Chart.yaml +++ b/src/grafana/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-grafana-config description: Grafana configuration for UDS diff --git a/src/grafana/chart/templates/_helpers.tpl b/src/grafana/chart/templates/_helpers.tpl index 17cd520f6..01c2b4623 100644 --- a/src/grafana/chart/templates/_helpers.tpl +++ b/src/grafana/chart/templates/_helpers.tpl @@ -60,3 +60,40 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} + +{{/* + This template validates the PostgreSQL configuration for Grafana. + It ensures either: + 1. An internal PostgreSQL is enabled with both `remoteSelector` and `remoteNamespace` provided as well as the full configuration required for external postgres (see below). + 2. An external PostgreSQL is properly configured with all required values (`host`, `database`, `user`, `password`, and `port`). + 3. No configuration is provided for a PostgresQL database (internal database will be used). + + If internal PostgreSQL is enabled but `remoteSelector` or `remoteNamespace` are missing, an error is thrown. + + In addition: + - If any postgresql settings are partially filled (excluding `port`, `internal`, and `ssl_mode`), an error is thrown. + - If no postgresql settings are provided, returns `"false"`. + - If all required postgresql settings are provided, returns `"true"`. + + Returns `"true"` if a valid configuration is detected, otherwise `"false"` if no configuration is set, or an error if the configuration is incomplete. +*/}} +{{- define "grafana.postgresql.config" -}} +{{- if .Values.postgresql.internal.enabled }} +{{- if or (empty .Values.postgresql.internal.remoteSelector) (empty .Values.postgresql.internal.remoteNamespace) -}} +{{- fail "Missing remoteSelector or remoteNamespace for internal PostgreSQL." -}} +{{- end }} +{{- end }} +{{- if (empty (compact (values (omit .Values.postgresql "port" "internal" "ssl_mode")))) -}} +{{- if .Values.postgresql.internal.enabled -}} +{{- fail "Missing configuration for internal postgres host, database, user, and password." -}} +{{- end }} +{{ default "false" "" }} +{{- else }} +{{- range $k := list "host" "database" "user" "password" "port" -}} +{{- if empty (get $.Values.postgresql $k) -}} +{{- fail (printf "Missing value for \"postgresql.%s\"." $k) -}} +{{- end }} +{{- end }} +{{- default "true" "" }} +{{- end }} +{{- end }} diff --git a/src/grafana/chart/templates/datasources.yaml b/src/grafana/chart/templates/datasources.yaml index c7f1bcff2..fecd5b634 100644 --- a/src/grafana/chart/templates/datasources.yaml +++ b/src/grafana/chart/templates/datasources.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: ConfigMap metadata: diff --git a/src/grafana/chart/templates/secret-postgres.yaml b/src/grafana/chart/templates/secret-postgres.yaml new file mode 100644 index 000000000..6aeb0ee58 --- /dev/null +++ b/src/grafana/chart/templates/secret-postgres.yaml @@ -0,0 +1,22 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "uds-grafana-config.fullname" . }}-postgresql + namespace: {{ .Release.Namespace }} + labels: + {{- include "uds-grafana-config.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- if eq (include "grafana.postgresql.config" .) "true" }} + GF_DATABASE_TYPE: "postgres" + GF_DATABASE_HOST: "{{ .Values.postgresql.host }}:{{ .Values.postgresql.port }}" + GF_DATABASE_NAME: "{{ .Values.postgresql.database }}" + GF_DATABASE_USER: "{{ .Values.postgresql.user }}" + GF_DATABASE_PASSWORD: "{{ .Values.postgresql.password }}" + GF_DATABASE_SSL_MODE: "{{ .Values.postgresql.ssl_mode }}" + {{- else }} + {} + {{- end }} diff --git a/src/grafana/chart/templates/uds-package.yaml b/src/grafana/chart/templates/uds-package.yaml index 0181bc8f1..be80115af 100644 --- a/src/grafana/chart/templates/uds-package.yaml +++ b/src/grafana/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: @@ -63,3 +66,30 @@ spec: app.kubernetes.io/name: grafana remoteGenerated: KubeAPI description: "Datasources Watcher" + + {{- if eq (include "grafana.postgresql.config" .) "true" }} + - description: "Postgresql access" + direction: Egress + selector: + app.kubernetes.io/name: grafana + port: {{ .Values.postgresql.port }} + {{- if .Values.postgresql.internal.enabled }} + remoteSelector: + {{- .Values.postgresql.internal.remoteSelector | toYaml | nindent 10 }} + remoteNamespace: {{ .Values.postgresql.internal.remoteNamespace }} + {{- else if .Values.postgresql.egressCidr }} + remoteCidr: {{ .Values.postgresql.egressCidr }} + {{- else }} + remoteGenerated: Anywhere + {{- end }} + {{- end }} + + # HA for Grafana + - direction: Ingress + remoteGenerated: IntraNamespace + ports: + - 3000 + - direction: Egress + remoteGenerated: IntraNamespace + ports: + - 3000 diff --git a/src/grafana/chart/values.yaml b/src/grafana/chart/values.yaml index 364a31438..94f893ec2 100644 --- a/src/grafana/chart/values.yaml +++ b/src/grafana/chart/values.yaml @@ -1 +1,26 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + domain: "###ZARF_VAR_DOMAIN###" + +# Stores Grafana's metadata, including dashboards, data sources, organizations, alerts, and other configurations. Required for HA mode. +postgresql: + # The hostname of the external postgresql server ( does not include the port ) + host: "" + # The name of the postgresql database Grafana will connect to. + database: "" + # The username used for authenticating to the external postgresql. + user: "" + # The password used for authenticating to the external postgresql. + password: "" + # SSL mode for the postgresql connection. Set to 'disable' if SSL is not required. + ssl_mode: require + # Port the postgresql is listening on + port: 5432 + # Egress CIDR for external Postgres + egressCidr: "" + # Configure internal postgresql deployment + internal: + enabled: false + remoteSelector: {} + remoteNamespace: "" diff --git a/src/grafana/common/zarf.yaml b/src/grafana/common/zarf.yaml index e707fc78f..561982e2a 100644 --- a/src/grafana/common/zarf.yaml +++ b/src/grafana/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-grafana-common @@ -14,7 +17,7 @@ components: localPath: ../chart - name: grafana url: https://grafana.github.io/helm-charts/ - version: 8.5.1 + version: 8.5.5 namespace: grafana valuesFiles: - ../values/values.yaml diff --git a/src/grafana/oscal-component.yaml b/src/grafana/oscal-component.yaml index 5966df926..87ba1e33d 100644 --- a/src/grafana/oscal-component.yaml +++ b/src/grafana/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 7d316238-f7c4-4d3b-ab33-6ecbf49de5a7 metadata: diff --git a/src/grafana/tasks.yaml b/src/grafana/tasks.yaml index 5547b227f..962abc8a7 100644 --- a/src/grafana/tasks.yaml +++ b/src/grafana/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/grafana/values/registry1-values.yaml b/src/grafana/values/registry1-values.yaml index faeb618aa..cfd61e80d 100644 --- a/src/grafana/values/registry1-values.yaml +++ b/src/grafana/values/registry1-values.yaml @@ -1,7 +1,10 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/grafana - tag: 11.2.0 + tag: 11.2.2 initChownData: image: @@ -18,4 +21,4 @@ sidecar: image: registry: registry1.dso.mil repository: ironbank/kiwigrid/k8s-sidecar - tag: 1.27.6 + tag: 1.28.0 diff --git a/src/grafana/values/unicorn-values.yaml b/src/grafana/values/unicorn-values.yaml index b03311547..79970420e 100644 --- a/src/grafana/values/unicorn-values.yaml +++ b/src/grafana/values/unicorn-values.yaml @@ -1,13 +1,16 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: registry: cgr.dev repository: du-uds-defenseunicorns/grafana-fips - tag: 11.2.0 + tag: 11.2.2 initChownData: image: registry: cgr.dev repository: du-uds-defenseunicorns/busybox-fips - tag: 1.36.1 + tag: 1.37.0 downloadDashboardsImage: registry: cgr.dev @@ -18,4 +21,4 @@ sidecar: image: registry: cgr.dev repository: du-uds-defenseunicorns/k8s-sidecar-fips - tag: 1.27.6 + tag: 1.28.0 diff --git a/src/grafana/values/upstream-values.yaml b/src/grafana/values/upstream-values.yaml index 7da312248..73f3ff340 100644 --- a/src/grafana/values/upstream-values.yaml +++ b/src/grafana/values/upstream-values.yaml @@ -1,20 +1,23 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + sidecar: image: # -- The Docker registry registry: ghcr.io repository: kiwigrid/k8s-sidecar - tag: 1.27.6 + tag: 1.28.0 image: registry: docker.io repository: grafana/grafana - tag: 11.2.0 + tag: 11.2.2 initChownData: image: registry: docker.io repository: library/busybox - tag: 1.36.1 + tag: 1.37.0 downloadDashboardsImage: registry: docker.io diff --git a/src/grafana/values/values.yaml b/src/grafana/values/values.yaml index 07c038ede..d7056b54a 100644 --- a/src/grafana/values/values.yaml +++ b/src/grafana/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + sidecar: dashboards: enabled: true @@ -48,5 +51,39 @@ grafana.ini: # Automatically redirect to the SSO login page auto_login: true +# Add environment variables for PostgresQL connection from uds-config chart +envFromSecret: "uds-grafana-config-postgresql" + service: appProtocol: "http" + +autoscaling: + # Enable HorizontalPodAutoscaler for Grafana + enabled: false + # Additional labels for the HorizontalPodAutoscaler + labels: {} + # Minimum and maximum number of replicas for the Grafana deployment + minReplicas: 2 + maxReplicas: 5 + # Metrics to use for scaling (CPU, memory, or custom metrics) + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 70 # Adjust based on expected load + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 75 # Optional, based on memory usage patterns + # Scaling behavior (optional): Controls how fast to scale up or down + behavior: + scaleDown: + stabilizationWindowSeconds: 300 # Prevent rapid scaling down + policies: + - type: Pods + value: 1 + periodSeconds: 300 # Scale down one pod every 5 minutes diff --git a/src/grafana/zarf.yaml b/src/grafana/zarf.yaml index a59ba5ecb..a0fdde8c4 100644 --- a/src/grafana/zarf.yaml +++ b/src/grafana/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-grafana @@ -21,10 +24,10 @@ components: valuesFiles: - values/upstream-values.yaml images: - - docker.io/grafana/grafana:11.2.0 + - docker.io/grafana/grafana:11.2.2 - docker.io/curlimages/curl:8.10.1 - - docker.io/library/busybox:1.36.1 - - ghcr.io/kiwigrid/k8s-sidecar:1.27.6 + - docker.io/library/busybox:1.37.0 + - ghcr.io/kiwigrid/k8s-sidecar:1.28.0 - name: grafana required: true @@ -37,9 +40,9 @@ components: valuesFiles: - values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.0 + - registry1.dso.mil/ironbank/opensource/grafana/grafana:11.2.2 - registry1.dso.mil/ironbank/redhat/ubi/ubi9-minimal:9.4 - - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.27.6 + - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar:1.28.0 - name: grafana required: true @@ -52,7 +55,7 @@ components: valuesFiles: - values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.0 - - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.36.1 + - cgr.dev/du-uds-defenseunicorns/grafana-fips:11.2.2 + - cgr.dev/du-uds-defenseunicorns/busybox-fips:1.37.0 - cgr.dev/du-uds-defenseunicorns/curl-fips:8.10.1 - - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.6 + - cgr.dev/du-uds-defenseunicorns/k8s-sidecar-fips:1.28.0 diff --git a/src/istio/chart/Chart.yaml b/src/istio/chart/Chart.yaml index bbbb78bc3..8b1186d97 100644 --- a/src/istio/chart/Chart.yaml +++ b/src/istio/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-istio-config description: Istio configuration for UDS diff --git a/src/istio/chart/templates/gateway.yaml b/src/istio/chart/templates/gateway.yaml index eb09e0564..c14e81a74 100644 --- a/src/istio/chart/templates/gateway.yaml +++ b/src/istio/chart/templates/gateway.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- $domain := .Values.domain }} {{- if .Values.tls }} apiVersion: networking.istio.io/v1beta1 diff --git a/src/istio/chart/templates/tls-cert.yaml b/src/istio/chart/templates/tls-cert.yaml index c094511b6..0fd4f0314 100644 --- a/src/istio/chart/templates/tls-cert.yaml +++ b/src/istio/chart/templates/tls-cert.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- $tls := .Values.tls }} {{ if $tls.cert }} apiVersion: v1 diff --git a/src/istio/chart/values.yaml b/src/istio/chart/values.yaml index 618b15015..a399181c4 100644 --- a/src/istio/chart/values.yaml +++ b/src/istio/chart/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # The gateway name prefix name: change-me diff --git a/src/istio/common/chart/.helmignore b/src/istio/common/chart/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/src/istio/common/chart/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/src/istio/common/chart/Chart.yaml b/src/istio/common/chart/Chart.yaml new file mode 100644 index 000000000..2936bb951 --- /dev/null +++ b/src/istio/common/chart/Chart.yaml @@ -0,0 +1,19 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial +apiVersion: v2 +name: uds-global-istio-config +description: Global Istio configuration for UDS + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 diff --git a/src/istio/common/manifests/envoy-filters.yaml b/src/istio/common/chart/templates/envoy-filters.yaml similarity index 95% rename from src/istio/common/manifests/envoy-filters.yaml rename to src/istio/common/chart/templates/envoy-filters.yaml index 3e4fb540f..455f364a8 100644 --- a/src/istio/common/manifests/envoy-filters.yaml +++ b/src/istio/common/chart/templates/envoy-filters.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + --- # Source: istio/templates/envoyfilter.yaml apiVersion: networking.istio.io/v1alpha3 diff --git a/src/istio/common/manifests/peer-authentication.yaml b/src/istio/common/chart/templates/peer-authentication.yaml similarity index 64% rename from src/istio/common/manifests/peer-authentication.yaml rename to src/istio/common/chart/templates/peer-authentication.yaml index 37ee318fc..827d11bde 100644 --- a/src/istio/common/manifests/peer-authentication.yaml +++ b/src/istio/common/chart/templates/peer-authentication.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + --- # Source: istio/templates/bigbang/peerAuthentication.yaml apiVersion: security.istio.io/v1beta1 diff --git a/src/istio/common/manifests/pepr-istio-config.yaml b/src/istio/common/chart/templates/pepr-istio-config.yaml similarity index 87% rename from src/istio/common/manifests/pepr-istio-config.yaml rename to src/istio/common/chart/templates/pepr-istio-config.yaml index 50eaf2ee1..cd6d0ae3d 100644 --- a/src/istio/common/manifests/pepr-istio-config.yaml +++ b/src/istio/common/chart/templates/pepr-istio-config.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Have to pre-create the namespace and also patch it with the istio-injection label later because # Helm is kind of dumb: https://github.com/helm/helm/issues/350 kind: Namespace diff --git a/src/istio/common/chart/values.yaml b/src/istio/common/chart/values.yaml new file mode 100644 index 000000000..c56503481 --- /dev/null +++ b/src/istio/common/chart/values.yaml @@ -0,0 +1 @@ +# SPDX-License-Identifier: AGPL-3.0-or-later OR Commercial diff --git a/src/istio/common/zarf.yaml b/src/istio/common/zarf.yaml index 69e10b0f7..9de933358 100644 --- a/src/istio/common/zarf.yaml +++ b/src/istio/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-istio-common @@ -18,15 +21,22 @@ components: namespace: istio-system valuesFiles: - "../values/values.yaml" - manifests: - name: uds-global-istio-config namespace: istio-system - files: - - "manifests/envoy-filters.yaml" - - "manifests/peer-authentication.yaml" - - "manifests/pepr-istio-config.yaml" + version: 0.1.0 + localPath: chart actions: onDeploy: + before: + - description: "Fix helm ownership if necessary for clean helm upgrade" + mute: true + cmd: | + ./zarf tools kubectl annotate EnvoyFilter misdirected-request -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate EnvoyFilter remove-server-header -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate PeerAuthentication default-istio-system -n istio-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true + ./zarf tools kubectl annotate PeerAuthentication permissive-pepr-webhook-watcher -n pepr-system meta.helm.sh/release-name=uds-global-istio-config --overwrite || true after: - description: "Ensure istio-injection is enabled for Pepr" + mute: true cmd: "./zarf tools kubectl label namespace pepr-system istio-injection=enabled --overwrite" diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml index 9a9a97f74..78f2e91ec 100644 --- a/src/istio/oscal-component.yaml +++ b/src/istio/oscal-component.yaml @@ -1,4 +1,9 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: +<<<<<<< HEAD +======= back-matter: resources: - rlinks: @@ -981,412 +986,329 @@ component-definition: type: opa title: ingress-traffic-encrypted uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) components: - control-implementations: - - description: Controls implemented by Istio and authservice that are inherited by applications + - description: Control Implementation Description implemented-requirements: - - control-id: ac-4 - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + - control-id: ac-14 + description: Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" - rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + - href: file:../../compliance/validations/istio/authorized-keycloak-access/validation.yaml rel: lula - text: Check ingress traffic is encrypted - remarks: "# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content." - uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - - control-id: ac-4.4 - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway + remarks: | + ASSESSMENT-OBJECTIVE: + AC-14a. [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified; + AC-14b. + AC-14b.[01] user actions not requiring identification or authentication are documented in the security plan for the system; + AC-14b.[02] a rationale for user actions not requiring identification or authentication is provided in the security plan for the system. + uuid: 41c51dc3-7db1-4717-b071-83e57897f478 + - control-id: ac-4 + description: Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + - href: file:../../compliance/validations/istio/ingress-traffic-encrypted/validation.yaml rel: lula text: Check ingress traffic is encrypted - remarks: "# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method." - uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 + remarks: |- + ASSESSMENT-OBJECTIVE: + approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. + uuid: 210f730b-7fed-42dd-99b4-42466951b080 - control-id: ac-4.21 - description: |- - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. + description: Istio is configured to use ingress and egress gateways to provide logical flow separation. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#0da39859-a91a-4ca6-bd8b-9b117689188f" + - href: file:../../compliance/validations/istio/all-namespaces-istio-injected/validation.yaml rel: lula text: Check namespaces are istio injected - - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" + - href: file:../../compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml rel: lula text: Check that Istio is configured with an admin gateway and admin services use it - - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" + - href: file:../../compliance/validations/istio/gateway-configuration-check/validation.yaml rel: lula text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]." - uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d - - control-id: ac-6.3 - description: |- - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - remarks: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system." - uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318 + remarks: | + ASSESSMENT-OBJECTIVE: + AC-04(21)[01] information flows are separated logically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations]; + AC-04(21)[02] information flows are separated physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations]. + uuid: ee9e5fae-1c95-46c7-9265-dc0035e2bb05 - control-id: ac-6.9 - description: |- - # Control Implementation - Istio produces logs for all traffic in the information system. + description: Istio produces logs for all traffic in the information system. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml rel: lula text: Check that Istio is logging all traffic which could contain privileged function calls - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - remarks: Log the execution of privileged functions. - uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 - - control-id: ac-14 - description: |- - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + remarks: |- + ASSESSMENT-OBJECTIVE: + the execution of privileged functions is logged. + uuid: c6d9abd2-0136-468a-908d-181d9bd51962 + - control-id: au-12 + description: Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" + - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml rel: lula - text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."' - uuid: c8c03abd-244d-4813-a966-3feece1bad6a + text: Check that Istio is logging all traffic which could contain audit events + remarks: | + ASSESSMENT-OBJECTIVE: + AU-12a. audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by [Assignment: organization-defined system components]; + AU-12b. [Assignment: organization-defined personnel or roles] is/are allowed to select the event types that are to be logged by specific components of the system; + AU-12c. audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated. + uuid: 87f99f34-6980-49e1-91cf-c0264fa3407c - control-id: au-2 - description: |- - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. + description: Istio logs all Istio event logs within the system's mesh network. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" + - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml rel: lula text: Check that Istio is logging all traffic which could contain audit events - remarks: "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]." - uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb + remarks: | + ASSESSMENT-OBJECTIVE: + AU-02a. [Assignment: organization-defined event types] that the system is capable of logging are identified in support of the audit logging function; + AU-02b. the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; + AU-02c. + AU-02c.[01] [Assignment: organization-defined event types (subset of AU-02_ODP[01])] are specified for logging within the system; + AU-02c.[02] the specified event types are logged within the system [Assignment: organization-defined frequency or situation]; + AU-02d. a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; + AU-02e. the event types selected for logging are reviewed and updated [Assignment: organization-defined frequency]. + uuid: b3ed3dba-3164-4785-98db-ef22c96c7c62 - control-id: au-3 - description: |- - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. + description: Istio logs all Istio event logs within the system's mesh network. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#f346b797-be35-40a8-a93a-585db6fd56ec" + - href: file:../../compliance/validations/istio/tracing-logging-support/validation.yaml rel: lula text: Check that Istio is configured to provide tracing data - remarks: "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event." - uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4 + remarks: | + ASSESSMENT-OBJECTIVE: + AU-03a. audit records contain information that establishes what type of event occurred; + AU-03b. audit records contain information that establishes when the event occurred; + AU-03c. audit records contain information that establishes where the event occurred; + AU-03d. audit records contain information that establishes the source of the event; + AU-03e. audit records contain information that establishes the outcome of the event; + AU-03f. audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. + uuid: 79dee0b0-5848-4b1e-826b-a2e4ec567b90 - control-id: au-3.1 - description: |- - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. + description: Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#70d99754-2918-400c-ac9a-319f874fff90" + - href: file:../../compliance/validations/istio/metrics-logging-configured/validation.yaml rel: lula text: Check that Istio is configured to provide metrics data - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - - href: "#f345c359-3208-46fb-9348-959bd628301e" + - href: file:../../compliance/validations/istio/prometheus-annotations-validation/validation.yaml rel: lula text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape - remarks: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]" - uuid: 16cc258e-d907-47bb-97d9-4e92677cf075 - - control-id: au-12 - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#90738c86-6315-450a-ac69-cc50eb4859cc" - rel: lula - text: Check that Istio is logging all traffic which could contain audit events - remarks: "a. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3." - uuid: 8f645835-6538-4327-a7aa-453b398f5ef4 + remarks: |- + ASSESSMENT-OBJECTIVE: + generated audit records contain the following [Assignment: organization-defined additional information]. + uuid: b855fff0-5f57-4ea0-b9a7-52973e81784d - control-id: cm-5 - description: |- - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + description: Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28" + - href: file:../../compliance/validations/istio/rbac-enforcement-check/validation.yaml rel: lula text: Check that Istio is enforcing RBAC - - href: "#9b361d7b-4e07-40db-8b86-3854ed499a4b" + - href: file:../../compliance/validations/istio/rbac-for-approved-personnel/validation.yaml rel: lula text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER] - remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. - uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be - - control-id: sc-3 - description: |- - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e" - rel: lula - text: Check that Istio is configured with an admin gateway and admin services use it - - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: Isolate security functions from nonsecurity functions. - uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 - - control-id: sc-4 - description: |- - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#7455f86d-b79c-4226-9ce3-f3fb7d9348c8" - rel: lula - text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER] - - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9" - rel: lula - text: Egress Gateway exists and is configured [PLACEHOLDER] - remarks: Prevent unauthorized and unintended information transfer via shared system resources. - uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c - - control-id: sc-7.4 - description: |- - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#570e2dc7-e6c2-4ad5-8ea3-f07974f59747" - rel: lula - text: Resources in namespaces can securely communicate with Istio control plane via network policies - - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" - rel: lula - text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44" - rel: lula - text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. - remarks: "(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks." - uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 - - control-id: sc-7.8 - description: |- - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + remarks: | + ASSESSMENT-OBJECTIVE: + CM-05[01] physical access restrictions associated with changes to the system are defined and documented; + CM-05[02] physical access restrictions associated with changes to the system are approved; + CM-05[03] physical access restrictions associated with changes to the system are enforced; + CM-05[04] logical access restrictions associated with changes to the system are defined and documented; + CM-05[05] logical access restrictions associated with changes to the system are approved; + CM-05[06] logical access restrictions associated with changes to the system are enforced. + uuid: 80a456cf-c642-4b02-a0fb-18b416e90481 + - control-id: sc-10 + description: Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9" + - href: file:../../compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml rel: lula - text: Egress Gateway exists and is configured [PLACEHOLDER] - - href: "#19faf69a-de74-4b78-a628-64a9f244ae13" - rel: lula - text: Check that external traffic is managed [PLACEHOLDER] - remarks: "Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces." - uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8 - - control-id: sc-7.20 - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components + text: Istio terminates communication sessions after inactivity [PLACEHOLDER] + remarks: |- + ASSESSMENT-OBJECTIVE: + the network connection associated with a communication session is terminated at the end of the session or after [Assignment: organization-defined time period] of inactivity. + uuid: ad919a09-d186-4edd-9234-ead04f959fff + - control-id: sc-13 + description: Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components." - uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02 - - control-id: sc-7.21 - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/ingress-traffic-encrypted/validation.yaml rel: lula - text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + text: Istio is encrypting ingress traffic + - href: file:../../compliance/validations/istio/tls-origination-at-egress/validation.yaml rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + text: Istio is providing TLS origination at egress [PLACEHOLDER] + - href: file:../../compliance/validations/istio/fips-evaluation/validation.yaml rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]." - uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987 - - control-id: sc-8 - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] + remarks: | + ASSESSMENT-OBJECTIVE: + SC-13a. [Assignment: organization-defined cryptographic uses] are identified; + SC-13b. [Assignment: organization-defined types of cryptography] for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented. + uuid: 675c0823-8e94-4910-9f61-5266d7e7b38c + - control-id: sc-23 + description: Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" - rel: lula - text: All pods are istio injected with proxyv2 sidecar - remarks: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information." - uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 - - control-id: sc-8.1 - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + remarks: |- + ASSESSMENT-OBJECTIVE: + the authenticity of communication sessions is protected. + uuid: dac01dde-3bdf-4e70-9d4d-4081c88de380 + - control-id: sc-39 + description: Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - remarks: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission." - uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C - - control-id: sc-8.2 - description: |- - # Control Implementation - Istio implements with global configuration. + remarks: |- + ASSESSMENT-OBJECTIVE: + a separate execution domain is maintained for each executing system process. + uuid: 0e72ca49-e9cb-4a74-8701-6f81091197b6 + - control-id: sc-7.4 + description: Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/secure-communication-with-istiod/validation.yaml rel: lula - text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" - rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1" + text: Resources in namespaces can securely communicate with Istio control plane via network policies + - href: file:../../compliance/validations/istio/authorized-keycloak-access/validation.yaml rel: lula text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway - remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." - uuid: c158b75a-cefc-4794-b124-f1e56ff5646d - - control-id: sc-10 - description: |- - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + - href: file:../../compliance/validations/istio/gateway-configuration-check/validation.yaml + rel: lula + text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway. + remarks: | + ASSESSMENT-OBJECTIVE: + SC-07(04)(a) a managed interface is implemented for each external telecommunication service; + SC-07(04)(b) a traffic flow policy is established for each managed interface; + SC-07(04)(c) + SC-07(04)(c)[01] the confidentiality of the information being transmitted across each interface is protected; + SC-07(04)(c)[02] the integrity of the information being transmitted across each interface is protected; + SC-07(04)(d) each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need; + SC-07(04)(e) + SC-07(04)(e)[01] exceptions to the traffic flow policy are reviewed [Assignment: organization-defined frequency]; + SC-07(04)(e)[02] exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed; + SC-07(04)(f) unauthorized exchanges of control plan traffic with external networks are prevented; + SC-07(04)(g) information is published to enable remote networks to detect unauthorized control plane traffic from internal networks; + SC-07(04)(h) unauthorized control plane traffic is filtered from external networks. + uuid: a5bac410-d674-431d-b5fc-2f904842c29c + - control-id: sc-7.8 + description: Istio is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#663f5e92-6db4-4042-8b5a-eba3ebe5a622" + - href: file:../../compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml rel: lula - text: Istio terminates communication sessions after inactivity [PLACEHOLDER] - remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception." - uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c - - control-id: sc-13 - description: |- - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. + text: Egress Gateway exists and is configured [PLACEHOLDER] + - href: file:../../compliance/validations/istio/external-traffic-managed/validation.yaml + rel: lula + text: Check that external traffic is managed [PLACEHOLDER] + remarks: |- + ASSESSMENT-OBJECTIVE: + [Assignment: organization-defined internal communications traffic] is routed to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces. + uuid: 3f409103-880e-4180-81e7-54f85a6143ae + - control-id: sc-8 + description: Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula - text: Istio is encrypting ingress traffic - - href: "#8be1601e-5870-4573-ab4f-c1c199944815" - rel: lula - text: Istio is providing TLS origination at egress [PLACEHOLDER] - - href: "#73434890-2751-4894-b7b2-7e583b4a8977" - rel: lula - text: System is using FIPS-compliant Istio distribution [PLACEHOLDER] - remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."' - uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 - - control-id: sc-23 - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + text: All pods are istio injected with proxyv2 sidecar + remarks: |- + ASSESSMENT-OBJECTIVE: + the [Selection: (one-or-more) organization-defined confidentiality; integrity] of transmitted information is/are protected. + uuid: e97a451e-44c7-4240-a7a7-adaadd26f01c + - control-id: sc-8.1 + description: Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - remarks: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13." - uuid: 625bfdc1-0b20-45f3-919b-91afbac77799 - - control-id: sc-39 - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. - links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" - rel: lula - text: Check that Istio is healthy - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - remarks: Maintain a separate execution domain for each executing system process. - uuid: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa - source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json - uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + remarks: |- + ASSESSMENT-OBJECTIVE: + cryptographic mechanisms are implemented to [Selection: (one-or-more) organization-defined prevent unauthorized disclosure of information; detect changes to information] during transmission. + uuid: f3b38f79-9bf7-4024-a1b2-00befd67fda7 props: + - name: generation + ns: https://docs.lula.dev/oscal/ns + value: lula generate component --catalog-source https://raw.githubusercontent.com/GSA/fedramp-automation/refs/tags/fedramp-2.0.0-oscal-1.0.4/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json --component 'Istio' --requirements ac-4,ac-4.21,ac-6.9,ac-14,au-2,au-3,au-3.1,au-12,cm-5,sc-7.4,sc-7.8,sc-8,sc-8.1,sc-10,sc-13,sc-23,sc-39 --remarks assessment-objective --framework il4 - name: framework ns: https://docs.lula.dev/oscal/ns value: il4 - description: | - Istio Service Mesh - purpose: Istio Service Mesh - responsible-roles: - - party-uuids: - - f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - role-id: provider - title: Istio Controlplane + source: https://raw.githubusercontent.com/GSA/fedramp-automation/refs/tags/fedramp-2.0.0-oscal-1.0.4/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json + uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c + description: Component Description + title: Istio type: software - uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690 + uuid: 3fad668e-7751-44e6-b1be-4fe773971370 metadata: - last-modified: 2024-07-16T02:47:14.949557671Z + last-modified: 2024-09-17T20:24:07.548382887Z oscal-version: 1.1.2 parties: - links: @@ -1394,7 +1316,9 @@ component-definition: rel: website name: Unicorn Delivery Service type: organization - uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3 - title: Istio Controlplane - version: "20240614" - uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1 + uuid: bf31d461-82af-529a-8bdf-09aa488e5b7e + published: 2024-09-03T21:02:56.440962532Z + remarks: Lula Generated Component Definition + title: Istio + version: 0.0.1 + uuid: b0395313-5d50-4c64-b0e7-43014a47ead9 diff --git a/src/istio/tasks.yaml b/src/istio/tasks.yaml index a41c5ec03..2ccadee58 100644 --- a/src/istio/tasks.yaml +++ b/src/istio/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/istio/values/config-admin.yaml b/src/istio/values/config-admin.yaml index 560cc4585..ceedf9cd1 100644 --- a/src/istio/values/config-admin.yaml +++ b/src/istio/values/config-admin.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: admin domain: "admin.###ZARF_VAR_DOMAIN###" tls: diff --git a/src/istio/values/config-passthrough.yaml b/src/istio/values/config-passthrough.yaml index 8d992d3ee..6c81bac5a 100644 --- a/src/istio/values/config-passthrough.yaml +++ b/src/istio/values/config-passthrough.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: passthrough tls: diff --git a/src/istio/values/config-tenant.yaml b/src/istio/values/config-tenant.yaml index 0d3c99741..8d6a4e96b 100644 --- a/src/istio/values/config-tenant.yaml +++ b/src/istio/values/config-tenant.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + name: tenant tls: servers: diff --git a/src/istio/values/registry1-values.yaml b/src/istio/values/registry1-values.yaml index 37921bf2c..17f229fea 100644 --- a/src/istio/values/registry1-values.yaml +++ b/src/istio/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pilot: image: registry1.dso.mil/ironbank/tetrate/istio/pilot:1.23.2-tetratefips-v0 global: diff --git a/src/istio/values/unicorn-values.yaml b/src/istio/values/unicorn-values.yaml index 28c091285..4d112b8c3 100644 --- a/src/istio/values/unicorn-values.yaml +++ b/src/istio/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pilot: image: "cgr.dev/du-uds-defenseunicorns/istio-pilot-fips:1.23.2" global: diff --git a/src/istio/values/upstream-values.yaml b/src/istio/values/upstream-values.yaml index 63b88c989..800d39f62 100644 --- a/src/istio/values/upstream-values.yaml +++ b/src/istio/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + pilot: image: "docker.io/istio/pilot:1.23.2-distroless" global: diff --git a/src/istio/values/values.yaml b/src/istio/values/values.yaml index 4b5412489..0e06a2f26 100644 --- a/src/istio/values/values.yaml +++ b/src/istio/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + meshConfig: accessLogFile: /dev/stdout pathNormalization: diff --git a/src/istio/zarf.yaml b/src/istio/zarf.yaml index 49fd2ad54..21bae304e 100644 --- a/src/istio/zarf.yaml +++ b/src/istio/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-istio diff --git a/src/keycloak/chart/Chart.yaml b/src/keycloak/chart/Chart.yaml index 255a95d04..040ddcd78 100644 --- a/src/keycloak/chart/Chart.yaml +++ b/src/keycloak/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: keycloak # renovate: datasource=docker depName=quay.io/keycloak/keycloak versioning=semver diff --git a/src/keycloak/chart/templates/destination-rule.yaml b/src/keycloak/chart/templates/destination-rule.yaml index 2cb14314a..10b57d2d0 100644 --- a/src/keycloak/chart/templates/destination-rule.yaml +++ b/src/keycloak/chart/templates/destination-rule.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if not .Values.devMode }} apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule diff --git a/src/keycloak/chart/templates/hpa.yaml b/src/keycloak/chart/templates/hpa.yaml index 92fce4c7a..17a8b7c4a 100644 --- a/src/keycloak/chart/templates/hpa.yaml +++ b/src/keycloak/chart/templates/hpa.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/src/keycloak/chart/templates/istio-admin.yaml b/src/keycloak/chart/templates/istio-admin.yaml index 54f6ff114..612e53d68 100644 --- a/src/keycloak/chart/templates/istio-admin.yaml +++ b/src/keycloak/chart/templates/istio-admin.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy diff --git a/src/keycloak/chart/templates/istio-peer-auth.yaml b/src/keycloak/chart/templates/istio-peer-auth.yaml index 2e65c6b57..7d8602eb3 100644 --- a/src/keycloak/chart/templates/istio-peer-auth.yaml +++ b/src/keycloak/chart/templates/istio-peer-auth.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/src/keycloak/chart/templates/poddisruptionbudget.yaml b/src/keycloak/chart/templates/poddisruptionbudget.yaml index ac77e92c8..0d91b54d1 100644 --- a/src/keycloak/chart/templates/poddisruptionbudget.yaml +++ b/src/keycloak/chart/templates/poddisruptionbudget.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.podDisruptionBudget -}} apiVersion: policy/v1 kind: PodDisruptionBudget diff --git a/src/keycloak/chart/templates/prometheusrule.yaml b/src/keycloak/chart/templates/prometheusrule.yaml index 20ef047ac..26ef5bd9e 100644 --- a/src/keycloak/chart/templates/prometheusrule.yaml +++ b/src/keycloak/chart/templates/prometheusrule.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- with .Values.prometheusRule -}} {{- if .enabled }} apiVersion: monitoring.coreos.com/v1 diff --git a/src/keycloak/chart/templates/pvc.yaml b/src/keycloak/chart/templates/pvc.yaml index fea8dd0b9..bba13f93d 100644 --- a/src/keycloak/chart/templates/pvc.yaml +++ b/src/keycloak/chart/templates/pvc.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.persistence.providers.enabled }} kind: PersistentVolumeClaim apiVersion: v1 diff --git a/src/keycloak/chart/templates/secret-admin-password.yaml b/src/keycloak/chart/templates/secret-admin-password.yaml index 59307eb32..16ba00026 100644 --- a/src/keycloak/chart/templates/secret-admin-password.yaml +++ b/src/keycloak/chart/templates/secret-admin-password.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.insecureAdminPasswordGeneration.enabled }} {{- $kcPass := (randAlphaNum 32) | b64enc | quote }} {{- $kcUser := .Values.insecureAdminPasswordGeneration.username | b64enc | quote }} diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml index 28dcdbe94..a41db2617 100644 --- a/src/keycloak/chart/templates/secret-kc-realm.yaml +++ b/src/keycloak/chart/templates/secret-kc-realm.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Secret metadata: diff --git a/src/keycloak/chart/templates/secret-postgresql.yaml b/src/keycloak/chart/templates/secret-postgresql.yaml index aef32a4d9..6fc0905e0 100644 --- a/src/keycloak/chart/templates/secret-postgresql.yaml +++ b/src/keycloak/chart/templates/secret-postgresql.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if eq (include "keycloak.postgresql.config" .) "true" }} apiVersion: v1 kind: Secret diff --git a/src/keycloak/chart/templates/service-headless.yaml b/src/keycloak/chart/templates/service-headless.yaml index d5a67c2b5..c85e78914 100644 --- a/src/keycloak/chart/templates/service-headless.yaml +++ b/src/keycloak/chart/templates/service-headless.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/keycloak/chart/templates/service-http.yaml b/src/keycloak/chart/templates/service-http.yaml index d3be8dd2e..6dd7ab485 100644 --- a/src/keycloak/chart/templates/service-http.yaml +++ b/src/keycloak/chart/templates/service-http.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/keycloak/chart/templates/servicemonitor.yaml b/src/keycloak/chart/templates/servicemonitor.yaml index 3ea4cfdcc..835284e8d 100644 --- a/src/keycloak/chart/templates/servicemonitor.yaml +++ b/src/keycloak/chart/templates/servicemonitor.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- range $key, $serviceMonitor := dict "metrics" .Values.serviceMonitor "extra" .Values.extraServiceMonitor }} {{- with $serviceMonitor }} {{- if .enabled }} diff --git a/src/keycloak/chart/templates/statefulset.yaml b/src/keycloak/chart/templates/statefulset.yaml index 4e4521381..ed23facc4 100644 --- a/src/keycloak/chart/templates/statefulset.yaml +++ b/src/keycloak/chart/templates/statefulset.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: apps/v1 kind: StatefulSet metadata: diff --git a/src/keycloak/chart/templates/uds-package.yaml b/src/keycloak/chart/templates/uds-package.yaml index 2c1c52e47..42bb8a9f5 100644 --- a/src/keycloak/chart/templates/uds-package.yaml +++ b/src/keycloak/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: @@ -25,13 +28,12 @@ spec: app: pepr-uds-core-watcher port: 8080 - # Temp workaround for any cluster pod - # todo: remove this once cluster pods is a remote generated target - description: "Keycloak backchannel access" direction: Ingress selector: app.kubernetes.io/name: keycloak - remoteGenerated: Anywhere + # Allow access from anything in cluster using an empty namespace selector + remoteNamespace: "*" port: 8080 # Keycloak OCSP to check certs cannot guarantee a static IP diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml index 0e1605ba8..bd1020069 100644 --- a/src/keycloak/chart/values.yaml +++ b/src/keycloak/chart/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: # The Keycloak image repository repository: quay.io/keycloak/keycloak diff --git a/src/keycloak/common/zarf.yaml b/src/keycloak/common/zarf.yaml index 8838c6a40..ce63c125a 100644 --- a/src/keycloak/common/zarf.yaml +++ b/src/keycloak/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-keycloak-common diff --git a/src/keycloak/tasks.yaml b/src/keycloak/tasks.yaml index e8513a206..8937fa0a4 100644 --- a/src/keycloak/tasks.yaml +++ b/src/keycloak/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + includes: - config: https://raw.githubusercontent.com/defenseunicorns/uds-identity-config/v0.6.3/tasks.yaml diff --git a/src/keycloak/values/registry1-values.yaml b/src/keycloak/values/registry1-values.yaml index 49937ba3d..635584579 100644 --- a/src/keycloak/values/registry1-values.yaml +++ b/src/keycloak/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/keycloak/keycloak tag: "25.0.6" diff --git a/src/keycloak/values/unicorn-values.yaml b/src/keycloak/values/unicorn-values.yaml index 544734319..32a44252e 100644 --- a/src/keycloak/values/unicorn-values.yaml +++ b/src/keycloak/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + podSecurityContext: fsGroup: 65532 image: diff --git a/src/keycloak/values/upstream-values.yaml b/src/keycloak/values/upstream-values.yaml index 58d5ae6c5..c856c052f 100644 --- a/src/keycloak/values/upstream-values.yaml +++ b/src/keycloak/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + podSecurityContext: fsGroup: 1000 image: diff --git a/src/keycloak/zarf.yaml b/src/keycloak/zarf.yaml index acf43864b..037a18fa9 100644 --- a/src/keycloak/zarf.yaml +++ b/src/keycloak/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-keycloak diff --git a/src/kiali/tasks.yaml b/src/kiali/tasks.yaml index e3b314c9b..31f664e75 100644 --- a/src/kiali/tasks.yaml +++ b/src/kiali/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/kiali/zarf.yaml b/src/kiali/zarf.yaml index 6cd41c49a..a2b3b0d8b 100644 --- a/src/kiali/zarf.yaml +++ b/src/kiali/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-kiali diff --git a/src/loki/chart/Chart.yaml b/src/loki/chart/Chart.yaml index 4228b0d81..7bacb6262 100644 --- a/src/loki/chart/Chart.yaml +++ b/src/loki/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-loki-config description: Loki configuration for UDS diff --git a/src/loki/chart/templates/loki-dashboards.yaml b/src/loki/chart/templates/loki-dashboards.yaml index 04075a9bb..92cc07c13 100644 --- a/src/loki/chart/templates/loki-dashboards.yaml +++ b/src/loki/chart/templates/loki-dashboards.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: ConfigMap metadata: diff --git a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml index 90f748d95..12ac3e56b 100644 --- a/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml +++ b/src/loki/chart/templates/peerauthentication/loki-simple-scalable.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/loki/chart/templates/service-dns.yaml b/src/loki/chart/templates/service-dns.yaml index 57ec5740a..04c0a61e8 100644 --- a/src/loki/chart/templates/service-dns.yaml +++ b/src/loki/chart/templates/service-dns.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + --- apiVersion: v1 kind: Service diff --git a/src/loki/chart/templates/uds-package.yaml b/src/loki/chart/templates/uds-package.yaml index b7a39eb5d..80b87d8eb 100644 --- a/src/loki/chart/templates/uds-package.yaml +++ b/src/loki/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/loki/chart/values.yaml b/src/loki/chart/values.yaml index fbb557b5a..5ec83f081 100644 --- a/src/loki/chart/values.yaml +++ b/src/loki/chart/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + storage: internal: enabled: false diff --git a/src/loki/common/zarf.yaml b/src/loki/common/zarf.yaml index 28750e2d6..66c05553b 100644 --- a/src/loki/common/zarf.yaml +++ b/src/loki/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-loki-common @@ -13,7 +16,7 @@ components: localPath: ../chart - name: loki url: https://grafana.github.io/helm-charts/ - version: 6.12.0 + version: 6.16.0 namespace: loki valuesFiles: - ../values/values.yaml diff --git a/src/loki/oscal-component.yaml b/src/loki/oscal-component.yaml index 62245b436..303ade21f 100644 --- a/src/loki/oscal-component.yaml +++ b/src/loki/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: aaa97ff3-41f7-4f11-b74a-0cf0de527e6e metadata: diff --git a/src/loki/tasks.yaml b/src/loki/tasks.yaml index a319aa659..41b1eda6b 100644 --- a/src/loki/tasks.yaml +++ b/src/loki/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/loki/values/registry1-values.yaml b/src/loki/values/registry1-values.yaml index 900772e53..3618cadbd 100644 --- a/src/loki/values/registry1-values.yaml +++ b/src/loki/values/registry1-values.yaml @@ -1,8 +1,11 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + loki: image: registry: registry1.dso.mil repository: ironbank/opensource/grafana/loki - tag: 3.1.1 + tag: 3.2.0 podSecurityContext: fsGroup: 10001 runAsGroup: 10001 diff --git a/src/loki/values/unicorn-values.yaml b/src/loki/values/unicorn-values.yaml index 309753bee..177cbe1be 100644 --- a/src/loki/values/unicorn-values.yaml +++ b/src/loki/values/unicorn-values.yaml @@ -1,13 +1,16 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + loki: image: registry: cgr.dev repository: du-uds-defenseunicorns/loki - tag: 3.1.1 + tag: 3.2.0 gateway: image: registry: cgr.dev repository: du-uds-defenseunicorns/nginx-fips - tag: 1.27.1 + tag: 1.27.2 memcached: image: repository: cgr.dev/du-uds-defenseunicorns/memcached diff --git a/src/loki/values/upstream-values.yaml b/src/loki/values/upstream-values.yaml index a7ebd51df..5fbfbdd13 100644 --- a/src/loki/values/upstream-values.yaml +++ b/src/loki/values/upstream-values.yaml @@ -1,8 +1,11 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + loki: image: registry: docker.io repository: grafana/loki - tag: 3.1.1 + tag: 3.2.0 gateway: image: diff --git a/src/loki/values/values.yaml b/src/loki/values/values.yaml index 99717b712..243286566 100644 --- a/src/loki/values/values.yaml +++ b/src/loki/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Sets the global DNS service to the service created in this chart global: dnsService: "uds-loki-dns" diff --git a/src/loki/zarf.yaml b/src/loki/zarf.yaml index 46d102da2..25f938b86 100644 --- a/src/loki/zarf.yaml +++ b/src/loki/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-loki @@ -16,7 +19,7 @@ components: valuesFiles: - ./values/upstream-values.yaml images: - - docker.io/grafana/loki:3.1.1 + - docker.io/grafana/loki:3.2.0 - docker.io/nginxinc/nginx-unprivileged:1.27-alpine - docker.io/memcached:1.6.31-alpine @@ -32,7 +35,7 @@ components: valuesFiles: - ./values/registry1-values.yaml images: - - registry1.dso.mil/ironbank/opensource/grafana/loki:3.1.1 + - registry1.dso.mil/ironbank/opensource/grafana/loki:3.2.0 - registry1.dso.mil/ironbank/opensource/nginx/nginx-alpine:1.26.2 - registry1.dso.mil/ironbank/opensource/memcached/memcached:1.6.31 @@ -48,6 +51,6 @@ components: valuesFiles: - ./values/unicorn-values.yaml images: - - cgr.dev/du-uds-defenseunicorns/loki:3.1.1 - - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.1 + - cgr.dev/du-uds-defenseunicorns/loki:3.2.0 + - cgr.dev/du-uds-defenseunicorns/nginx-fips:1.27.2 - cgr.dev/du-uds-defenseunicorns/memcached:1.6.31 diff --git a/src/metrics-server/chart/Chart.yaml b/src/metrics-server/chart/Chart.yaml index 3f7f729de..81339062a 100644 --- a/src/metrics-server/chart/Chart.yaml +++ b/src/metrics-server/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-metrics-server-config description: Metrics Server configuration for UDS diff --git a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml index 18c5fdcbf..24e4ef61c 100644 --- a/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml +++ b/src/metrics-server/chart/templates/peerauthentication/metrics-api.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication diff --git a/src/metrics-server/chart/templates/service-monitor.yaml b/src/metrics-server/chart/templates/service-monitor.yaml index 390875164..e636bcf66 100644 --- a/src/metrics-server/chart/templates/service-monitor.yaml +++ b/src/metrics-server/chart/templates/service-monitor.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" }} # The serviceMonitor for metrics-server is unique due to permissive mTLS on its port, so it is created outside of the Package spec apiVersion: monitoring.coreos.com/v1 diff --git a/src/metrics-server/chart/templates/uds-package.yaml b/src/metrics-server/chart/templates/uds-package.yaml index b213992f3..dfe607dab 100644 --- a/src/metrics-server/chart/templates/uds-package.yaml +++ b/src/metrics-server/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/metrics-server/chart/values.yaml b/src/metrics-server/chart/values.yaml index e69de29bb..2067cc53d 100644 --- a/src/metrics-server/chart/values.yaml +++ b/src/metrics-server/chart/values.yaml @@ -0,0 +1,2 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial diff --git a/src/metrics-server/common/zarf.yaml b/src/metrics-server/common/zarf.yaml index 9bad06c8a..8eaeab1c2 100644 --- a/src/metrics-server/common/zarf.yaml +++ b/src/metrics-server/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-metrics-server-common @@ -15,7 +18,7 @@ components: - name: metrics-server namespace: metrics-server url: https://kubernetes-sigs.github.io/metrics-server - version: 3.12.1 + version: 3.12.2 valuesFiles: - "../values/values.yaml" actions: diff --git a/src/metrics-server/tasks.yaml b/src/metrics-server/tasks.yaml index 610223eaf..c6bd4ef0f 100644 --- a/src/metrics-server/tasks.yaml +++ b/src/metrics-server/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/metrics-server/values/registry1-values.yaml b/src/metrics-server/values/registry1-values.yaml index 6ef5bb83a..38f843e47 100644 --- a/src/metrics-server/values/registry1-values.yaml +++ b/src/metrics-server/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/kubernetes-sigs/metrics-server tag: "v0.7.2" diff --git a/src/metrics-server/values/unicorn-values.yaml b/src/metrics-server/values/unicorn-values.yaml index fd874866b..46a3e4be3 100644 --- a/src/metrics-server/values/unicorn-values.yaml +++ b/src/metrics-server/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/metrics-server-fips tag: "0.7.2" diff --git a/src/metrics-server/values/upstream-values.yaml b/src/metrics-server/values/upstream-values.yaml index 00f0dfcb6..874d66b9f 100644 --- a/src/metrics-server/values/upstream-values.yaml +++ b/src/metrics-server/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry.k8s.io/metrics-server/metrics-server tag: "v0.7.2" diff --git a/src/metrics-server/values/values.yaml b/src/metrics-server/values/values.yaml index 28c8b42d5..e7152fcac 100644 --- a/src/metrics-server/values/values.yaml +++ b/src/metrics-server/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + readinessProbe: httpGet: path: /readyz diff --git a/src/metrics-server/zarf.yaml b/src/metrics-server/zarf.yaml index 62c412083..d91819c6b 100644 --- a/src/metrics-server/zarf.yaml +++ b/src/metrics-server/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-metrics-server diff --git a/src/neuvector/README.md b/src/neuvector/README.md index 98c4b1870..879cd7586 100644 --- a/src/neuvector/README.md +++ b/src/neuvector/README.md @@ -1 +1 @@ -## Neuvector +## NeuVector diff --git a/src/neuvector/chart/Chart.yaml b/src/neuvector/chart/Chart.yaml index 31d565b22..34ce1f650 100644 --- a/src/neuvector/chart/Chart.yaml +++ b/src/neuvector/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-neuvector-config description: Neuvector configuration for UDS diff --git a/src/neuvector/chart/templates/internal-cert.yaml b/src/neuvector/chart/templates/internal-cert.yaml index d6e96a174..b00d4a5c0 100644 --- a/src/neuvector/chart/templates/internal-cert.yaml +++ b/src/neuvector/chart/templates/internal-cert.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.generateInternalCert -}} {{- $cn := "neuvector" }} {{- $ca := genCA "neuvector" 3650 -}} diff --git a/src/neuvector/chart/templates/istio/headless-controller-service.yaml b/src/neuvector/chart/templates/istio/headless-controller-service.yaml index 4e41a72d7..f4d5211df 100644 --- a/src/neuvector/chart/templates/istio/headless-controller-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-controller-service.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml index 66c3f4513..487f6c448 100644 --- a/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-enforcer-service.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service diff --git a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml index f0d9da3b8..26ad3043e 100644 --- a/src/neuvector/chart/templates/istio/headless-scanner-service.yaml +++ b/src/neuvector/chart/templates/istio/headless-scanner-service.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Service metadata: diff --git a/src/neuvector/chart/templates/neuvector-dashboard.yaml b/src/neuvector/chart/templates/neuvector-dashboard.yaml index d70e86c98..80f839248 100644 --- a/src/neuvector/chart/templates/neuvector-dashboard.yaml +++ b/src/neuvector/chart/templates/neuvector-dashboard.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Values.grafana.enabled -}} apiVersion: v1 kind: ConfigMap diff --git a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml index 6e881bf73..90d91096d 100644 --- a/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml +++ b/src/neuvector/chart/templates/peerauthentication/neuvector-controller-pa.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/neuvector/chart/templates/uds-exemption.yaml b/src/neuvector/chart/templates/uds-exemption.yaml index 09e61c13e..7be8143bf 100644 --- a/src/neuvector/chart/templates/uds-exemption.yaml +++ b/src/neuvector/chart/templates/uds-exemption.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/neuvector/chart/templates/uds-package.yaml b/src/neuvector/chart/templates/uds-package.yaml index 1cdee101d..0644dd4f9 100644 --- a/src/neuvector/chart/templates/uds-package.yaml +++ b/src/neuvector/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/neuvector/chart/values.yaml b/src/neuvector/chart/values.yaml index fac586fa5..9c16875a1 100644 --- a/src/neuvector/chart/values.yaml +++ b/src/neuvector/chart/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + domain: "###ZARF_VAR_DOMAIN###" grafana: diff --git a/src/neuvector/common/zarf.yaml b/src/neuvector/common/zarf.yaml index b56d75371..730e0310f 100644 --- a/src/neuvector/common/zarf.yaml +++ b/src/neuvector/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-neuvector-common diff --git a/src/neuvector/oscal-component.yaml b/src/neuvector/oscal-component.yaml index f15e9a6c4..9d9e271fc 100644 --- a/src/neuvector/oscal-component.yaml +++ b/src/neuvector/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 80bc0932-82d9-4144-8e7c-dec0f79e04fc metadata: diff --git a/src/neuvector/tasks.yaml b/src/neuvector/tasks.yaml index a9cd5a7dd..b5c1ad696 100644 --- a/src/neuvector/tasks.yaml +++ b/src/neuvector/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/neuvector/values/monitor-values.yaml b/src/neuvector/values/monitor-values.yaml index b30b4032f..7f2e21aad 100644 --- a/src/neuvector/values/monitor-values.yaml +++ b/src/neuvector/values/monitor-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + leastPrivilege: true exporter: diff --git a/src/neuvector/values/registry1-values.yaml b/src/neuvector/values/registry1-values.yaml index ba258fce7..436d488d7 100644 --- a/src/neuvector/values/registry1-values.yaml +++ b/src/neuvector/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + registry: registry1.dso.mil # renovate: datasource=docker depName=registry1.dso.mil/ironbank/neuvector/neuvector/controller versioning=docker tag: "5.3.4" diff --git a/src/neuvector/values/unicorn-config-values.yaml b/src/neuvector/values/unicorn-config-values.yaml index e07235598..284d3107c 100644 --- a/src/neuvector/values/unicorn-config-values.yaml +++ b/src/neuvector/values/unicorn-config-values.yaml @@ -1 +1,4 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + generateInternalCert: true diff --git a/src/neuvector/values/unicorn-values.yaml b/src/neuvector/values/unicorn-values.yaml index a0f05bd01..f34c5c87a 100644 --- a/src/neuvector/values/unicorn-values.yaml +++ b/src/neuvector/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Generate certs missing from unicorn images autoGenerateCert: true diff --git a/src/neuvector/values/upstream-values.yaml b/src/neuvector/values/upstream-values.yaml index 67bc9edee..0391ab7a2 100644 --- a/src/neuvector/values/upstream-values.yaml +++ b/src/neuvector/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + registry: docker.io # renovate: datasource=docker depName=docker.io/neuvector/controller versioning=docker tag: "5.3.4" diff --git a/src/neuvector/values/values.yaml b/src/neuvector/values/values.yaml index cafd56b35..a11c8d823 100644 --- a/src/neuvector/values/values.yaml +++ b/src/neuvector/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + leastPrivilege: true autoGenerateCert: false rbac: true diff --git a/src/neuvector/zarf.yaml b/src/neuvector/zarf.yaml index 5d76af2f8..2bb8ccc13 100644 --- a/src/neuvector/zarf.yaml +++ b/src/neuvector/zarf.yaml @@ -1,9 +1,17 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-neuvector description: "UDS Core Neuvector" url: https://open-docs.neuvector.com/ +variables: + - name: DOMAIN + description: "Cluster domain" + default: "uds.dev" + components: - name: neuvector description: "Deploy Neuvector" diff --git a/src/pepr/config.ts b/src/pepr/config.ts index 183f504d9..2b1198405 100644 --- a/src/pepr/config.ts +++ b/src/pepr/config.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Component, setupLogger } from "./logger"; let domain = process.env.UDS_DOMAIN; @@ -20,21 +25,16 @@ export const UDSConfig = { domain, // Base64 Encoded Trusted CA cert for Istio certificates (i.e. for `sso.domain`) caCert, - // Track if we are running a single test mode - isSingleTest: process.env.UDS_SINGLE_TEST === "true", // Allow UDS policy exemptions to be used in any namespace allowAllNSExemptions: process.env.UDS_ALLOW_ALL_NS_EXEMPTIONS === "true", // Redis URI for Authservice authserviceRedisUri, + + // Track if UDS Core identity-authorization layer is deployed + isIdentityDeployed: false, }; // configure subproject logger const log = setupLogger(Component.CONFIG); log.info(UDSConfig, "Loaded UDS Config"); - -if (UDSConfig.isSingleTest) { - log.warn( - "Running in single test mode, this will change the behavior of the operator and should only be used for UDS Core development testing.", - ); -} diff --git a/src/pepr/istio/index.ts b/src/pepr/istio/index.ts index 01eb86278..bd39d6e9f 100644 --- a/src/pepr/istio/index.ts +++ b/src/pepr/istio/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Exec, KubeConfig } from "@kubernetes/client-node"; import { Capability, a } from "pepr"; import { Component, setupLogger } from "../logger"; @@ -47,8 +52,13 @@ When(a.Pod) const shouldTerminate = pod.status.containerStatuses // Ignore the istio-proxy container .filter(c => c.name != "istio-proxy") - // and if ALL are terminated then shouldTerminate is true - .every(c => c.state?.terminated); + // and if ALL are terminated AND restartPolicy is Never or is OnFailure with a 0 exit code then shouldTerminate is true + .every( + c => + c.state?.terminated && + (pod.spec?.restartPolicy == "Never" || + (pod.spec?.restartPolicy == "OnFailure" && c.state.terminated.exitCode == 0)), + ); if (shouldTerminate) { // Mark the pod as seen diff --git a/src/pepr/logger.ts b/src/pepr/logger.ts index 8f505faed..b79ca76a5 100644 --- a/src/pepr/logger.ts +++ b/src/pepr/logger.ts @@ -1,9 +1,15 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Log } from "pepr"; export enum Component { STARTUP = "startup", CONFIG = "config", ISTIO = "istio", + OPERATOR = "operator", OPERATOR_EXEMPTIONS = "operator.exemptions", OPERATOR_ISTIO = "operator.istio", OPERATOR_KEYCLOAK = "operator.keycloak", diff --git a/src/pepr/operator/README.md b/src/pepr/operator/README.md index 5b95cea2d..bc6079a8d 100644 --- a/src/pepr/operator/README.md +++ b/src/pepr/operator/README.md @@ -12,7 +12,7 @@ The UDS Operator manages the lifecycle of UDS Package CRs and their correspondin #### Exemption -- allowing exemption custom resources only in the `uds-policy-exemptions` namespace unless configured to allow in all namespaces (see [configuring policy exemptions](../../../docs/configuration/uds-configure-policy-exemptions.md)) +- allowing exemption custom resources only in the `uds-policy-exemptions` namespace unless configured to allow in all namespaces (see [configuring policy exemptions](../../../docs/reference/configuration/uds-configure-policy-exemptions.md)) - updating the policies Pepr store with registered exemptions ### Example UDS Package CR diff --git a/src/pepr/operator/common.ts b/src/pepr/operator/common.ts index 820e9d5f3..713363d0f 100644 --- a/src/pepr/operator/common.ts +++ b/src/pepr/operator/common.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Capability } from "pepr"; export const operator = new Capability({ diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts b/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts index 15e25d948..94ccb5db3 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, it } from "@jest/globals"; import { Matcher, MatcherKind, Policy } from "../../crd"; import { ExemptionStore } from "./exemption-store"; diff --git a/src/pepr/operator/controllers/exemptions/exemption-store.ts b/src/pepr/operator/controllers/exemptions/exemption-store.ts index 00b6d5e5d..f32dcefac 100644 --- a/src/pepr/operator/controllers/exemptions/exemption-store.ts +++ b/src/pepr/operator/controllers/exemptions/exemption-store.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Component, setupLogger } from "../../../logger"; import { StoredMatcher } from "../../../policies"; import { Matcher, Policy, UDSExemption } from "../../crd"; diff --git a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts index b1bab8da1..92556b78a 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.spec.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, it } from "@jest/globals"; import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { MatcherKind, Policy } from "../../crd"; diff --git a/src/pepr/operator/controllers/exemptions/exemptions.ts b/src/pepr/operator/controllers/exemptions/exemptions.ts index 1b3401154..88d2e9d2a 100644 --- a/src/pepr/operator/controllers/exemptions/exemptions.ts +++ b/src/pepr/operator/controllers/exemptions/exemptions.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { WatchPhase } from "kubernetes-fluent-client/dist/fluent/types"; import { UDSExemption } from "../../crd"; import { ExemptionStore } from "./exemption-store"; diff --git a/src/pepr/operator/controllers/istio/injection.ts b/src/pepr/operator/controllers/istio/injection.ts index 50193ea96..4ee2971ce 100644 --- a/src/pepr/operator/controllers/istio/injection.ts +++ b/src/pepr/operator/controllers/istio/injection.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/istio/istio-resources.ts b/src/pepr/operator/controllers/istio/istio-resources.ts index 297aec6b0..6cb7c4b2b 100644 --- a/src/pepr/operator/controllers/istio/istio-resources.ts +++ b/src/pepr/operator/controllers/istio/istio-resources.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/istio/service-entry.spec.ts b/src/pepr/operator/controllers/istio/service-entry.spec.ts index caeb1be1c..f9724a9de 100644 --- a/src/pepr/operator/controllers/istio/service-entry.spec.ts +++ b/src/pepr/operator/controllers/istio/service-entry.spec.ts @@ -1,7 +1,12 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; -import { generateServiceEntry } from "./service-entry"; import { Expose, Gateway, IstioLocation, IstioResolution } from "../../crd"; +import { generateServiceEntry } from "./service-entry"; describe("test generate service entry", () => { const ownerRefs = [ diff --git a/src/pepr/operator/controllers/istio/service-entry.ts b/src/pepr/operator/controllers/istio/service-entry.ts index b326a99d0..0e049913e 100644 --- a/src/pepr/operator/controllers/istio/service-entry.ts +++ b/src/pepr/operator/controllers/istio/service-entry.ts @@ -1,13 +1,18 @@ -import { UDSConfig } from "../../../config"; +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; +import { UDSConfig } from "../../../config"; import { Expose, Gateway, - IstioServiceEntry, + IstioEndpoint, IstioLocation, - IstioResolution, IstioPort, - IstioEndpoint, + IstioResolution, + IstioServiceEntry, } from "../../crd"; import { sanitizeResourceName } from "../utils"; diff --git a/src/pepr/operator/controllers/istio/virtual-service.spec.ts b/src/pepr/operator/controllers/istio/virtual-service.spec.ts index f07f6fe17..9d92a5f6f 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.spec.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { UDSConfig } from "../../../config"; import { Expose, Gateway } from "../../crd"; diff --git a/src/pepr/operator/controllers/istio/virtual-service.ts b/src/pepr/operator/controllers/istio/virtual-service.ts index 983624975..c5ecc28d1 100644 --- a/src/pepr/operator/controllers/istio/virtual-service.ts +++ b/src/pepr/operator/controllers/istio/virtual-service.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; import { UDSConfig } from "../../../config"; import { Expose, Gateway, IstioHTTP, IstioHTTPRoute, IstioVirtualService } from "../../crd"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts index 1c16fcbe4..f818482c4 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authorization-policy.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s } from "pepr"; import { UDSConfig } from "../../../../config"; import { diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts index 770174196..0ed1ca897 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, jest, test } from "@jest/globals"; import { UDSPackage } from "../../../crd"; import { Client } from "../types"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts index 675e931fa..69dc30628 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/authservice.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/authservice.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { R } from "pepr"; import { UDSConfig } from "../../../../config"; import { Component, setupLogger } from "../../../../logger"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/config.ts b/src/pepr/operator/controllers/keycloak/authservice/config.ts index 76de7630e..859885c5b 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/config.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/config.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { createHash } from "crypto"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/operator/controllers/keycloak/authservice/types.ts b/src/pepr/operator/controllers/keycloak/authservice/types.ts index 1d12fcbae..0b6eb3554 100644 --- a/src/pepr/operator/controllers/keycloak/authservice/types.ts +++ b/src/pepr/operator/controllers/keycloak/authservice/types.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Client } from "../types"; export enum Action { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts index 247ba7e70..1f4892f20 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.spec.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { Sso } from "../../crd"; import { diff --git a/src/pepr/operator/controllers/keycloak/client-sync.ts b/src/pepr/operator/controllers/keycloak/client-sync.ts index 3aa891554..3ecc9bd28 100644 --- a/src/pepr/operator/controllers/keycloak/client-sync.ts +++ b/src/pepr/operator/controllers/keycloak/client-sync.ts @@ -1,6 +1,10 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { fetch, K8s, kind } from "pepr"; -import { UDSConfig } from "../../../config"; import { Component, setupLogger } from "../../../logger"; import { Store } from "../../common"; import { Sso, UDSPackage } from "../../crd"; @@ -209,16 +213,6 @@ async function syncClient( } async function apiCall(client: Partial, method = "POST", authToken = "") { - // Handle single test mode - if (UDSConfig.isSingleTest) { - log.warn(`Generating fake client for '${client.clientId}' in single test mode`); - return { - ...client, - secret: client.secret || "fake-secret", - registrationAccessToken: "fake-registration-access-token", - } as Client; - } - const req = { body: JSON.stringify(client) as string | undefined, method, diff --git a/src/pepr/operator/controllers/keycloak/types.ts b/src/pepr/operator/controllers/keycloak/types.ts index bd20fe20d..e9d62d138 100644 --- a/src/pepr/operator/controllers/keycloak/types.ts +++ b/src/pepr/operator/controllers/keycloak/types.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { ProtocolMapper } from "../../crd/generated/package-v1alpha1"; export interface Client { diff --git a/src/pepr/operator/controllers/monitoring/common.ts b/src/pepr/operator/controllers/monitoring/common.ts index a8afa5d1f..be9655421 100644 --- a/src/pepr/operator/controllers/monitoring/common.ts +++ b/src/pepr/operator/controllers/monitoring/common.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Monitor } from "../../crd"; import { sanitizeResourceName } from "../utils"; diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts index acba54e26..9fc200af5 100644 --- a/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { Monitor } from "../../crd"; import { generatePodMonitor } from "./pod-monitor"; diff --git a/src/pepr/operator/controllers/monitoring/pod-monitor.ts b/src/pepr/operator/controllers/monitoring/pod-monitor.ts index d3f033898..50e5ab756 100644 --- a/src/pepr/operator/controllers/monitoring/pod-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/pod-monitor.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; import { K8s } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts index e99900409..76282a47f 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { Monitor } from "../../crd"; import { generateServiceMonitor } from "./service-monitor"; diff --git a/src/pepr/operator/controllers/monitoring/service-monitor.ts b/src/pepr/operator/controllers/monitoring/service-monitor.ts index 9f567c245..e582faefc 100644 --- a/src/pepr/operator/controllers/monitoring/service-monitor.ts +++ b/src/pepr/operator/controllers/monitoring/service-monitor.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s } from "pepr"; import { V1OwnerReference } from "@kubernetes/client-node"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts b/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts index a4fc5684e..b30c3c77b 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-egress-dns.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts b/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts index 775395aa4..17e7411aa 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-egress-istiod.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts b/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts index 6758a3c77..878c27e35 100644 --- a/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts +++ b/src/pepr/operator/controllers/network/defaults/allow-ingress-sidecar-monitoring.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Direction } from "../../../crd"; import { generate } from "../generate"; diff --git a/src/pepr/operator/controllers/network/defaults/default-deny-all.ts b/src/pepr/operator/controllers/network/defaults/default-deny-all.ts index 9382b5c69..84d54d310 100644 --- a/src/pepr/operator/controllers/network/defaults/default-deny-all.ts +++ b/src/pepr/operator/controllers/network/defaults/default-deny-all.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { kind } from "pepr"; export function defaultDenyAll(namespace: string): kind.NetworkPolicy { diff --git a/src/pepr/operator/controllers/network/generate.spec.ts b/src/pepr/operator/controllers/network/generate.spec.ts index 9abeb1647..495363aa7 100644 --- a/src/pepr/operator/controllers/network/generate.spec.ts +++ b/src/pepr/operator/controllers/network/generate.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { kind } from "pepr"; import { Direction } from "../../crd"; diff --git a/src/pepr/operator/controllers/network/generate.ts b/src/pepr/operator/controllers/network/generate.ts index ecba6d1cb..c46bc0b75 100644 --- a/src/pepr/operator/controllers/network/generate.ts +++ b/src/pepr/operator/controllers/network/generate.ts @@ -1,8 +1,13 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer, V1NetworkPolicyPort } from "@kubernetes/client-node"; import { kind } from "pepr"; import { Allow, RemoteGenerated } from "../../crd"; -import { anywhere } from "./generators/anywhere"; +import { anywhere, anywhereInCluster } from "./generators/anywhere"; import { cloudMetadata } from "./generators/cloudMetadata"; import { intraNamespace } from "./generators/intraNamespace"; import { kubeAPI } from "./generators/kubeAPI"; @@ -30,7 +35,7 @@ function getPeers(policy: Allow): V1NetworkPolicyPeer[] { break; case RemoteGenerated.Anywhere: - peers = [anywhere]; + peers = [anywhere, anywhereInCluster]; break; } } else if (policy.remoteNamespace !== undefined || policy.remoteSelector !== undefined) { diff --git a/src/pepr/operator/controllers/network/generators/anywhere.ts b/src/pepr/operator/controllers/network/generators/anywhere.ts index 58a982fc2..c9db22318 100644 --- a/src/pepr/operator/controllers/network/generators/anywhere.ts +++ b/src/pepr/operator/controllers/network/generators/anywhere.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { META_IP } from "./cloudMetadata"; @@ -8,3 +13,11 @@ export const anywhere: V1NetworkPolicyPeer = { except: [META_IP], }, }; + +/** Matches any endpoint in cluster + * This is primarily to support Cilium where IP based policies do not match/allow anything in-cluster + * Ref: https://github.com/defenseunicorns/uds-core/issues/871 and https://github.com/cilium/cilium/blob/v1.16.2/Documentation/network/kubernetes/policy.rst#networkpolicy + */ +export const anywhereInCluster: V1NetworkPolicyPeer = { + namespaceSelector: {}, +}; diff --git a/src/pepr/operator/controllers/network/generators/cloudMetadata.ts b/src/pepr/operator/controllers/network/generators/cloudMetadata.ts index 8d1f641e2..b3dc4e942 100644 --- a/src/pepr/operator/controllers/network/generators/cloudMetadata.ts +++ b/src/pepr/operator/controllers/network/generators/cloudMetadata.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; export const META_IP = "169.254.169.254/32"; diff --git a/src/pepr/operator/controllers/network/generators/intraNamespace.ts b/src/pepr/operator/controllers/network/generators/intraNamespace.ts index 3fb7f17f0..9ff89a0da 100644 --- a/src/pepr/operator/controllers/network/generators/intraNamespace.ts +++ b/src/pepr/operator/controllers/network/generators/intraNamespace.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; /** Matches any pod in the namespace */ diff --git a/src/pepr/operator/controllers/network/generators/kubeAPI.ts b/src/pepr/operator/controllers/network/generators/kubeAPI.ts index 550d90f92..30f704780 100644 --- a/src/pepr/operator/controllers/network/generators/kubeAPI.ts +++ b/src/pepr/operator/controllers/network/generators/kubeAPI.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { K8s, kind, R } from "pepr"; diff --git a/src/pepr/operator/controllers/network/generators/remoteCidr.ts b/src/pepr/operator/controllers/network/generators/remoteCidr.ts index 031e43f16..0b62bf878 100644 --- a/src/pepr/operator/controllers/network/generators/remoteCidr.ts +++ b/src/pepr/operator/controllers/network/generators/remoteCidr.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1NetworkPolicyPeer } from "@kubernetes/client-node"; import { META_IP } from "./cloudMetadata"; diff --git a/src/pepr/operator/controllers/network/policies.ts b/src/pepr/operator/controllers/network/policies.ts index 8534f028f..24a53cc88 100644 --- a/src/pepr/operator/controllers/network/policies.ts +++ b/src/pepr/operator/controllers/network/policies.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../../logger"; diff --git a/src/pepr/operator/controllers/utils.ts b/src/pepr/operator/controllers/utils.ts index 7bfd9e4cf..9b8adf647 100644 --- a/src/pepr/operator/controllers/utils.ts +++ b/src/pepr/operator/controllers/utils.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1OwnerReference } from "@kubernetes/client-node"; import { GenericClass, GenericKind } from "kubernetes-fluent-client"; import { K8s } from "pepr"; diff --git a/src/pepr/operator/crd/generated/exemption-v1alpha1.ts b/src/pepr/operator/crd/generated/exemption-v1alpha1.ts index 487c4961f..7c22b5a1a 100644 --- a/src/pepr/operator/crd/generated/exemption-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/exemption-v1alpha1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts index f05d62b50..568feae88 100644 --- a/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/authorizationpolicy-v1beta1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts index ecf85a878..4382de250 100644 --- a/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts +++ b/src/pepr/operator/crd/generated/istio/requestauthentication-v1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts b/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts index 3ab93402f..364daee2a 100644 --- a/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/serviceentry-v1beta1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts index c528769d3..dd575a7ec 100644 --- a/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/generated/istio/virtualservice-v1beta1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/package-v1alpha1.ts b/src/pepr/operator/crd/generated/package-v1alpha1.ts index 20d896d92..1696c9f8d 100644 --- a/src/pepr/operator/crd/generated/package-v1alpha1.ts +++ b/src/pepr/operator/crd/generated/package-v1alpha1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; @@ -634,6 +639,10 @@ export interface Sso { * Enables the standard OpenID Connect redirect based authentication with authorization code. */ standardFlowEnabled?: boolean; + /** + * Enables the client credentials grant based authentication via OpenID Connect protocol. + */ + serviceAccountsEnabled?: boolean; /** * Allowed CORS origins. To permit all origins of Valid Redirect URIs, add '+'. This does * not include the '*' wildcard though. To permit all origins, explicitly add '*'. diff --git a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts index 77bd51537..654172626 100644 --- a/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/podmonitor-v1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts index 94ea5b299..3acf678e8 100644 --- a/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts +++ b/src/pepr/operator/crd/generated/prometheus/servicemonitor-v1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // This file is auto-generated by kubernetes-fluent-client, do not edit manually import { GenericKind, RegisterKind } from "kubernetes-fluent-client"; diff --git a/src/pepr/operator/crd/index.ts b/src/pepr/operator/crd/index.ts index ac3bba71b..ee4603e00 100644 --- a/src/pepr/operator/crd/index.ts +++ b/src/pepr/operator/crd/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + export { Allow, Direction, diff --git a/src/pepr/operator/crd/migrate.ts b/src/pepr/operator/crd/migrate.ts index 5b05f8034..bb8e8bb23 100644 --- a/src/pepr/operator/crd/migrate.ts +++ b/src/pepr/operator/crd/migrate.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { UDSPackage } from "."; /** diff --git a/src/pepr/operator/crd/register.ts b/src/pepr/operator/crd/register.ts index 9c2812930..7be968e71 100644 --- a/src/pepr/operator/crd/register.ts +++ b/src/pepr/operator/crd/register.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/operator/crd/sources/exemption/v1alpha1.ts b/src/pepr/operator/crd/sources/exemption/v1alpha1.ts index 71ff236f2..f9ab19404 100644 --- a/src/pepr/operator/crd/sources/exemption/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/exemption/v1alpha1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernetes/client-node"; export const v1alpha1: V1CustomResourceDefinitionVersion = { diff --git a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts index 5a30ff039..d32c97b35 100644 --- a/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts +++ b/src/pepr/operator/crd/sources/istio/virtualservice-v1beta1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1JSONSchemaProps } from "@kubernetes/client-node"; const matchRequired = [{ required: ["exact"] }, { required: ["prefix"] }, { required: ["regex"] }]; diff --git a/src/pepr/operator/crd/sources/package/v1alpha1.ts b/src/pepr/operator/crd/sources/package/v1alpha1.ts index 8af0ed32a..3b36df0a6 100644 --- a/src/pepr/operator/crd/sources/package/v1alpha1.ts +++ b/src/pepr/operator/crd/sources/package/v1alpha1.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { V1CustomResourceDefinitionVersion, V1JSONSchemaProps } from "@kubernetes/client-node"; import { advancedHTTP } from "../istio/virtualservice-v1beta1"; @@ -381,6 +386,12 @@ const sso = { type: "boolean", default: true, }, + serviceAccountsEnabled: { + description: + "Enables the client credentials grant based authentication via OpenID Connect protocol.", + type: "boolean", + default: false, + }, publicClient: { description: "Defines whether the client requires a client secret for authentication", type: "boolean", diff --git a/src/pepr/operator/crd/validators/exempt-validator.spec.ts b/src/pepr/operator/crd/validators/exempt-validator.spec.ts index 1ce8d1cbf..166d4f627 100644 --- a/src/pepr/operator/crd/validators/exempt-validator.spec.ts +++ b/src/pepr/operator/crd/validators/exempt-validator.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { afterEach, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest } from "pepr"; import { MatcherKind, UDSExemption } from ".."; diff --git a/src/pepr/operator/crd/validators/exempt-validator.ts b/src/pepr/operator/crd/validators/exempt-validator.ts index 06c9fbc68..f725c16ef 100644 --- a/src/pepr/operator/crd/validators/exempt-validator.ts +++ b/src/pepr/operator/crd/validators/exempt-validator.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { PeprValidateRequest } from "pepr"; import { MatcherKind, Policy, UDSExemption } from ".."; import { UDSConfig } from "../../../config"; diff --git a/src/pepr/operator/crd/validators/package-validator.spec.ts b/src/pepr/operator/crd/validators/package-validator.spec.ts index 9c5e5ec0d..379e16e74 100644 --- a/src/pepr/operator/crd/validators/package-validator.spec.ts +++ b/src/pepr/operator/crd/validators/package-validator.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { afterEach, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest } from "pepr"; import { Allow, Direction, Expose, Gateway, Protocol, RemoteGenerated, Sso, UDSPackage } from ".."; @@ -273,6 +278,38 @@ describe("Test validation of Exemption CRs", () => { expect(mockReq.Deny).toHaveBeenCalledTimes(1); }); + it("denies public clients using the service accounts roles", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + publicClient: true, + serviceAccountsEnabled: true, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + + it("denies using standard flow with service accounts roles", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + standardFlowEnabled: true, + serviceAccountsEnabled: true, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Deny).toHaveBeenCalledTimes(1); + }); + it("denies public device flow clients using a secret", async () => { const mockReq = makeMockReq( {}, @@ -396,6 +433,22 @@ describe("Test validation of Exemption CRs", () => { expect(mockReq.Approve).toHaveBeenCalledTimes(1); }); + it("allows service account clients with standard flow disabled ", async () => { + const mockReq = makeMockReq( + {}, + [], + [], + [ + { + serviceAccountsEnabled: true, + standardFlowEnabled: false, + }, + ], + ); + await validator(mockReq); + expect(mockReq.Approve).toHaveBeenCalledTimes(1); + }); + it("denies authservice clients with : in client ID", async () => { const mockReq = makeMockReq( {}, diff --git a/src/pepr/operator/crd/validators/package-validator.ts b/src/pepr/operator/crd/validators/package-validator.ts index 2a88662c7..bc04e810a 100644 --- a/src/pepr/operator/crd/validators/package-validator.ts +++ b/src/pepr/operator/crd/validators/package-validator.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { PeprValidateRequest } from "pepr"; import { Gateway, Protocol, UDSPackage } from ".."; @@ -139,10 +144,17 @@ export async function validator(req: PeprValidateRequest) { `The client ID "${client.clientId}" must specify redirectUris if standardFlowEnabled is turned on (it is enabled by default)`, ); } + // If serviceAccountsEnabled is true, do not allow standard flow + if (client.serviceAccountsEnabled && client.standardFlowEnabled) { + return req.Deny( + `The client ID "${client.clientId}" serviceAccountsEnabled is disallowed with standardFlowEnabled`, + ); + } // If this is a public client ensure that it only sets itself up as an OAuth Device Flow client if ( client.publicClient && - (client.standardFlowEnabled !== false || + (client.standardFlowEnabled !== false /* default true */ || + client.serviceAccountsEnabled /* default false */ || client.secret !== undefined || client.secretName !== undefined || client.secretTemplate !== undefined || @@ -151,7 +163,7 @@ export async function validator(req: PeprValidateRequest) { client.attributes?.["oauth2.device.authorization.grant.enabled"] !== "true") ) { return req.Deny( - `The client ID "${client.clientId}" must _only_ configure the OAuth Device Flow as a public client`, + `The client ID "${client.clientId}" sets options incompatible with publicClient`, ); } // Check if client.attributes contain any disallowed attributes diff --git a/src/pepr/operator/index.ts b/src/pepr/operator/index.ts index 5c11232a2..9fc520f59 100644 --- a/src/pepr/operator/index.ts +++ b/src/pepr/operator/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // Common imports import { a } from "pepr"; import { When } from "./common"; @@ -16,13 +21,20 @@ import { UDSExemption, UDSPackage } from "./crd"; import { validator } from "./crd/validators/package-validator"; // Reconciler imports +import { UDSConfig } from "../config"; +import { Component, setupLogger } from "../logger"; import { purgeAuthserviceClients } from "./controllers/keycloak/authservice/authservice"; import { exemptValidator } from "./crd/validators/exempt-validator"; import { packageReconciler } from "./reconcilers/package-reconciler"; +// Mutator imports +import { copySecret, labelCopySecret } from "./secrets"; + // Export the operator capability for registration in the root pepr.ts export { operator } from "./common"; +const log = setupLogger(Component.OPERATOR); + // Pre-populate the API server CIDR since we are not persisting the EndpointSlice // Note ignore any errors since the watch will still be running hereafter void initAPIServerCIDR(); @@ -63,3 +75,34 @@ When(UDSPackage) // Watch for Exemptions and validate When(UDSExemption).IsCreatedOrUpdated().Validate(exemptValidator); + +// Watch for secrets w/ the UDS secret label and copy as necessary +When(a.Secret) + .IsCreatedOrUpdated() + .WithLabel(labelCopySecret) + .Mutate(request => copySecret(request)); + +// Watch for Functional Layers and update config +When(UDSPackage) + .IsCreatedOrUpdated() + .InNamespace("keycloak") + .WithName("keycloak") + .Watch(() => { + // todo: wait for keycloak and authservice to be running? + log.info("Identity and Authorization layer deployed, operator configured to handle SSO."); + UDSConfig.isIdentityDeployed = true; + }); +When(UDSPackage) + .IsDeleted() + .InNamespace("keycloak") + .WithName("keycloak") + .Watch(() => { + log.info("Identity and Authorization layer removed, operator will NOT handle SSO."); + UDSConfig.isIdentityDeployed = false; + }); + +// Watch for secrets w/ the UDS secret label and copy as necessary +When(a.Secret) + .IsCreatedOrUpdated() + .WithLabel(labelCopySecret) + .Mutate(request => copySecret(request)); diff --git a/src/pepr/operator/reconcilers/index.spec.ts b/src/pepr/operator/reconcilers/index.spec.ts index 8f7c22aa8..054d99782 100644 --- a/src/pepr/operator/reconcilers/index.spec.ts +++ b/src/pepr/operator/reconcilers/index.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, it, jest } from "@jest/globals"; import { GenericKind } from "kubernetes-fluent-client"; import { K8s, Log, kind } from "pepr"; diff --git a/src/pepr/operator/reconcilers/index.ts b/src/pepr/operator/reconcilers/index.ts index c9a173fb2..6466c84d7 100644 --- a/src/pepr/operator/reconcilers/index.ts +++ b/src/pepr/operator/reconcilers/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { K8s, kind } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/operator/reconcilers/package-reconciler.spec.ts b/src/pepr/operator/reconcilers/package-reconciler.spec.ts index 69c336f25..bb8a8c843 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.spec.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeEach, describe, expect, jest, test } from "@jest/globals"; import { K8s, Log } from "pepr"; diff --git a/src/pepr/operator/reconcilers/package-reconciler.ts b/src/pepr/operator/reconcilers/package-reconciler.ts index 568f71afa..e60e39150 100644 --- a/src/pepr/operator/reconcilers/package-reconciler.ts +++ b/src/pepr/operator/reconcilers/package-reconciler.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { handleFailure, shouldSkip, updateStatus, writeEvent } from "."; import { UDSConfig } from "../../config"; import { Component, setupLogger } from "../../logger"; @@ -5,6 +10,7 @@ import { enableInjection } from "../controllers/istio/injection"; import { istioResources } from "../controllers/istio/istio-resources"; import { authservice } from "../controllers/keycloak/authservice/authservice"; import { keycloak } from "../controllers/keycloak/client-sync"; +import { Client } from "../controllers/keycloak/types"; import { podMonitor } from "../controllers/monitoring/pod-monitor"; import { serviceMonitor } from "../controllers/monitoring/service-monitor"; import { networkPolicies } from "../controllers/network/policies"; @@ -65,21 +71,27 @@ export async function packageReconciler(pkg: UDSPackage) { // Update the namespace to ensure the istio-injection label is set await enableInjection(pkg); - // Configure SSO - const ssoClients = await keycloak(pkg); - const authserviceClients = await authservice(pkg, ssoClients); + let ssoClients = new Map(); + let authserviceClients: string[] = []; + + if (UDSConfig.isIdentityDeployed) { + // Configure SSO + ssoClients = await keycloak(pkg); + authserviceClients = await authservice(pkg, ssoClients); + } else if (pkg.spec?.sso) { + log.error("Identity & Authorization is not deployed, but the package has SSO configuration"); + throw new Error( + "Identity & Authorization is not deployed, but the package has SSO configuration", + ); + } // Create the VirtualService and ServiceEntry for each exposed service endpoints = await istioResources(pkg, namespace!); // Only configure the ServiceMonitors if not running in single test mode const monitors: string[] = []; - if (!UDSConfig.isSingleTest) { - monitors.push(...(await podMonitor(pkg, namespace!))); - monitors.push(...(await serviceMonitor(pkg, namespace!))); - } else { - log.warn(`Running in single test mode, skipping ${name} Monitors.`); - } + monitors.push(...(await podMonitor(pkg, namespace!))); + monitors.push(...(await serviceMonitor(pkg, namespace!))); await updateStatus(pkg, { phase: Phase.Ready, diff --git a/src/pepr/operator/secrets.ts b/src/pepr/operator/secrets.ts new file mode 100644 index 000000000..4056cd564 --- /dev/null +++ b/src/pepr/operator/secrets.ts @@ -0,0 +1,248 @@ +import { a, K8s, kind, Log, PeprMutateRequest } from "pepr"; + +<<<<<<< HEAD +export const labelCopySecret = "secrets.uds.dev/copy"; + +const annotationFromNS = "secrets.uds.dev/fromNamespace"; +const annotationFromName = "secrets.uds.dev/fromName"; +const annotationOnFailure = "secrets.uds.dev/onMissingSource"; + +/** + * Enum for handling what to do when the source secret is missing + * +======= +export const labelCopySecret = "uds.dev/secrets/copy"; + +const annotationFromNS = "uds.dev/secrets/fromNamespace"; +const annotationFromName = "uds.dev/secrets/fromName"; +const annotationOnFailure = "uds.dev/secrets/onMissingSource"; + +/** + * Enum for handling what to do when the source secret is missing + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) + * This can be one of the following: + * - Ignore: Do nothing + * - Error: Log an error and return + * - LeaveEmpty: Create the destination secret with no data + */ +enum OnFailure { +<<<<<<< HEAD + IGNORE, + ERROR, + LEAVEEMPTY, +} + +/** + * Filter unwanted labels based on a list of keys to strip out. + * + * @returns Record - The filtered labels + */ +function filterLabels(labels: Record, keysToRemove: string[]) { + const filteredLabels: Record = {}; + + for (const key in labels) { + if (!keysToRemove.includes(key)) { + filteredLabels[key] = labels[key]; + } + } + + return filteredLabels; +======= + IGNORE, + ERROR, + LEAVEEMPTY, +>>>>>>> 2f808c1 (Started on secret watch/mutator) +} + +/** + * Copy a secret from one namespace to another +<<<<<<< HEAD + * +======= + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) + * @remarks + * This function is a PeprMutateRequest handler that copies a secret from one + * namespace to another. It looks for a set of annotations on this _destination_ + * secret, with the source namespace and name from which to copy the secret + * data. +<<<<<<< HEAD + * +======= + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) + * If the source secret does not exist, the behavior is determined by the + * `uds.dev/secrets/onMissingSource` annotation. If this annotation is not + * present, the default behavior is "Error", which will log an error and return + * without creating a destination secret. Other options are "Ignore" which will + * silently do nothing, and "LeaveEmpty" which will create the destination + * secret with desired name in the desired namespace, but with no data. +<<<<<<< HEAD + * +======= + * +>>>>>>> 2f808c1 (Started on secret watch/mutator) + * @param request The PeprMutateRequest on a Secret. This should have been + * triggered by a secret with the appropriate label. + * @returns void + * + **/ +export async function copySecret(request: PeprMutateRequest) { +<<<<<<< HEAD + const annotations = request.Raw.metadata?.annotations; + + if (!annotations) { + Log.error("No annotations present for secret copy %s", request.Raw.metadata?.name); + return; + } + + const fromNS = annotations[annotationFromNS]; + const fromName = annotations[annotationFromName]; + const toNS = request.Raw.metadata?.namespace; + const toName = request.Raw.metadata?.name; + + let failBehavior: OnFailure; + + switch (annotations[annotationOnFailure]) { + case "Ignore": + failBehavior = OnFailure.IGNORE; + break; + case "LeaveEmpty": + failBehavior = OnFailure.LEAVEEMPTY; + break; + case "Error": + default: + failBehavior = OnFailure.ERROR; + break; + } + + if (!fromNS || !fromName || !toNS || !toName) { + Log.error("Missing required annotations for secret copy %s", request.Raw.metadata?.name); + } + + Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); + + // filter out the original copy label, then add a "copied" label + let filteredLabels = filterLabels(request.Raw.metadata?.labels || {}, [labelCopySecret]); + filteredLabels = { ...filteredLabels, "secrets.uds.dev/copied": "true" }; + + try { + const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); + + if (!sourceSecret) { + // if the source secret does not exist, handle according to the failure behavior + switch (failBehavior) { + case OnFailure.IGNORE: + return; + case OnFailure.LEAVEEMPTY: + // Create an empty secret in the destination namespace + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + name: toName, + namespace: toNS, + labels: filteredLabels, + annotations: request.Raw.metadata?.annotations, + }, + }); + return; + case OnFailure.ERROR: + Log.error("Source secret %s not found in namespace %s", fromName, fromNS); + return; + } + } else { + // fill in destination secret with source data + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + name: toName, + namespace: toNS, + labels: filteredLabels, + annotations: request.Raw.metadata?.annotations, + }, + data: sourceSecret.data, + }); + } + } catch (error) { + Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); + } +} +======= + const annotations = request.Raw.metadata?.annotations; + + if (!annotations) { + Log.error("No annotations present for secret copy %s", request.Raw.metadata?.name); + return; + } + + const fromNS = annotations[annotationFromNS]; + const fromName = annotations[annotationFromName]; + const toNS = request.Raw.metadata?.namespace; + const toName = request.Raw.metadata?.name; + + let failBehavior: OnFailure; + + switch(annotations[annotationOnFailure]) { + case "Ignore": + failBehavior = OnFailure.IGNORE; + break; + case "LeaveEmpty": + failBehavior = OnFailure.LEAVEEMPTY; + break; + case "Error": + default: + failBehavior = OnFailure.ERROR; + break; + } + + if (!fromNS || !fromName || !toNS || !toName) { + Log.error("Missing required annotations for secret copy %s", request.Raw.metadata?.name); + } + + Log.info("Attempting to copy secret %s from namespace %s to %s", fromName, fromNS, toNS); + + try { + const sourceSecret = await K8s(kind.Secret).InNamespace(fromNS).Get(fromName); + + if (!sourceSecret) { + // if the source secret does not exist, handle according to the failure behavior + switch(failBehavior) { + case OnFailure.IGNORE: + return; + case OnFailure.LEAVEEMPTY: + // Create an empty secret in the destination namespace + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + }); + return; + case OnFailure.ERROR: + Log.error("Source secret %s not found in namespace %s", fromName, fromNS); + return; + } + } else { + // fill in destination secret with source data + await K8s(kind.Secret).Apply({ + apiVersion: "v1", + kind: "Secret", + metadata: { + namespace: toNS, + name: toName, + }, + data: sourceSecret.data, + }); + } + + } catch (error) { + Log.error("Error copying secret %s from %s to %s: %s", fromName, fromNS, toNS, error); + } +}; + +>>>>>>> 2f808c1 (Started on secret watch/mutator) diff --git a/src/pepr/policies/README.md b/src/pepr/policies/README.md index 8906a12bc..175d18eac 100644 --- a/src/pepr/policies/README.md +++ b/src/pepr/policies/README.md @@ -1,2 +1,2 @@ ### Pepr Policies -See [pepr-policies.md](../../../docs/configuration/pepr-policies.md) for current Pepr Policies +See [pepr-policies.md](../../../docs/reference/configuration/pepr-policies.md) for current Pepr Policies diff --git a/src/pepr/policies/common.ts b/src/pepr/policies/common.ts index 0a953faa4..7945ef2aa 100644 --- a/src/pepr/policies/common.ts +++ b/src/pepr/policies/common.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { KubernetesObject, V1Container, V1SecurityContext } from "@kubernetes/client-node"; import { Capability, PeprMutateRequest, PeprValidateRequest, a } from "pepr"; import { Policy } from "../operator/crd"; @@ -107,6 +112,9 @@ export function annotateMutation( const annotations = request.Raw.metadata?.annotations ?? {}; const valStr = annotations[key]; const arr = JSON.parse(valStr || "[]"); - arr.push(transform(policy)); + const safePolicyName = transform(policy); + if (!arr.includes(safePolicyName)) { + arr.push(safePolicyName); + } request.SetAnnotation(key, JSON.stringify(arr)); } diff --git a/src/pepr/policies/exemptions/index.spec.ts b/src/pepr/policies/exemptions/index.spec.ts index 3f8faa429..e81850ed5 100644 --- a/src/pepr/policies/exemptions/index.spec.ts +++ b/src/pepr/policies/exemptions/index.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { beforeAll, describe, expect, it, jest } from "@jest/globals"; import { PeprValidateRequest, kind } from "pepr"; import { isExempt } from "."; diff --git a/src/pepr/policies/exemptions/index.ts b/src/pepr/policies/exemptions/index.ts index db2e11c68..08a89fb74 100644 --- a/src/pepr/policies/exemptions/index.ts +++ b/src/pepr/policies/exemptions/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { KubernetesObject } from "kubernetes-fluent-client"; import { PeprMutateRequest, PeprValidateRequest } from "pepr"; import { Component, setupLogger } from "../../logger"; diff --git a/src/pepr/policies/index.ts b/src/pepr/policies/index.ts index 8ba25dc26..31422950c 100644 --- a/src/pepr/policies/index.ts +++ b/src/pepr/policies/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + // Various validation actions for Kubernetes resources from Big Bang import { WatchCfg } from "kubernetes-fluent-client"; import { K8s } from "pepr"; @@ -35,6 +40,7 @@ export async function startExemptionWatch() { relistIntervalSec: process.env.PEPR_RELIST_INTERVAL_SECONDS ? parseInt(process.env.PEPR_RELIST_INTERVAL_SECONDS, 10) : 1800, + useHTTP2: process.env.PEPR_HTTP2_WATCH === "true", }; const watcher = K8s(UDSExemption).Watch(async (exemption, phase) => { log.debug(`Processing exemption ${exemption.metadata?.name}, watch phase: ${phase}`); diff --git a/src/pepr/policies/network.spec.ts b/src/pepr/policies/network.spec.ts index 7f0779dee..6b5479d51 100644 --- a/src/pepr/policies/network.spec.ts +++ b/src/pepr/policies/network.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/networking.ts b/src/pepr/policies/networking.ts index 02165233a..fcf02297a 100644 --- a/src/pepr/policies/networking.ts +++ b/src/pepr/policies/networking.ts @@ -1,7 +1,12 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { a } from "pepr"; -import { When, containers } from "./common"; import { Policy } from "../operator/crd"; +import { When, containers } from "./common"; import { isExempt, markExemption } from "./exemptions"; /** diff --git a/src/pepr/policies/security.spec.ts b/src/pepr/policies/security.spec.ts index c047e6976..a48e162dd 100644 --- a/src/pepr/policies/security.spec.ts +++ b/src/pepr/policies/security.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/security.ts b/src/pepr/policies/security.ts index 6d614b58c..75d52908d 100644 --- a/src/pepr/policies/security.ts +++ b/src/pepr/policies/security.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { a } from "pepr"; import { V1SecurityContext } from "@kubernetes/client-node"; diff --git a/src/pepr/policies/storage.spec.ts b/src/pepr/policies/storage.spec.ts index b7b53eafb..231951b87 100644 --- a/src/pepr/policies/storage.spec.ts +++ b/src/pepr/policies/storage.spec.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { describe, expect, it } from "@jest/globals"; import { K8s, kind } from "pepr"; diff --git a/src/pepr/policies/storage.ts b/src/pepr/policies/storage.ts index a7559666d..f04efd483 100644 --- a/src/pepr/policies/storage.ts +++ b/src/pepr/policies/storage.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { a } from "pepr"; import { Policy } from "../operator/crd"; diff --git a/src/pepr/prometheus/index.ts b/src/pepr/prometheus/index.ts index ef4c1e34e..cb06542b4 100644 --- a/src/pepr/prometheus/index.ts +++ b/src/pepr/prometheus/index.ts @@ -1,3 +1,8 @@ +/** + * Copyright 2024 Defense Unicorns + * SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + */ + import { Capability, K8s, kind } from "pepr"; import { Component, setupLogger } from "../logger"; import { diff --git a/src/pepr/tasks.yaml b/src/pepr/tasks.yaml index 4033b25f9..15f3e123f 100644 --- a/src/pepr/tasks.yaml +++ b/src/pepr/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/pepr/uds-operator-config/Chart.yaml b/src/pepr/uds-operator-config/Chart.yaml index fd20c4ad3..787490c85 100644 --- a/src/pepr/uds-operator-config/Chart.yaml +++ b/src/pepr/uds-operator-config/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-operator-config description: UDS Core configuration for UDS Operator diff --git a/src/pepr/uds-operator-config/templates/secret.yaml b/src/pepr/uds-operator-config/templates/secret.yaml index 503a4b2e0..6bb2c0c30 100644 --- a/src/pepr/uds-operator-config/templates/secret.yaml +++ b/src/pepr/uds-operator-config/templates/secret.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Secret metadata: diff --git a/src/pepr/uds-operator-config/values.yaml b/src/pepr/uds-operator-config/values.yaml index 876c335e9..90a1f4636 100644 --- a/src/pepr/uds-operator-config/values.yaml +++ b/src/pepr/uds-operator-config/values.yaml @@ -1,11 +1,18 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + operator: UDS_DOMAIN: "###ZARF_VAR_DOMAIN###" UDS_CA_CERT: "###ZARF_VAR_CA_CERT###" UDS_ALLOW_ALL_NS_EXEMPTIONS: "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" - UDS_SINGLE_TEST: "###ZARF_VAR_UDS_SINGLE_TEST###" UDS_LOG_LEVEL: "###ZARF_VAR_UDS_LOG_LEVEL###" AUTHSERVICE_REDIS_URI: "###ZARF_VAR_AUTHSERVICE_REDIS_URI###" # Allow Pepr watch to be configurable to react to dropped connections faster PEPR_LAST_SEEN_LIMIT_SECONDS: "60" # Allow Pepr to re-list resources more frequently to avoid missing resources PEPR_RELIST_INTERVAL_SECONDS: "60" +<<<<<<< HEAD + # Use HTTP2 for Pepr watches and exemption watch + PEPR_HTTP2_WATCH: false +======= +>>>>>>> 29e4d5e (chore: updated pepr watch limit to 60s (#840)) diff --git a/src/pepr/values.yaml b/src/pepr/values.yaml index 55ee5664a..d6630a25b 100644 --- a/src/pepr/values.yaml +++ b/src/pepr/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + watcher: serviceMonitor: enabled: ###ZARF_VAR_PEPR_SERVICE_MONITORS### diff --git a/src/pepr/zarf.yaml b/src/pepr/zarf.yaml index 904045a19..235ce27fe 100644 --- a/src/pepr/zarf.yaml +++ b/src/pepr/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: pepr-uds-core @@ -21,10 +24,6 @@ variables: description: "UDS Authservice Redis URI" default: "" - - name: UDS_SINGLE_TEST - description: "UDS Single package test" - default: "" - - name: PEPR_SERVICE_MONITORS description: "Enables Service Monitors for Pepr services (watcher, admission)" default: "true" @@ -49,6 +48,8 @@ components: - name: module valuesFiles: - values.yaml +<<<<<<< HEAD +======= actions: onDeploy: before: @@ -69,3 +70,4 @@ components: ./zarf tools kubectl annotate deployment -n pepr-system pepr-uds-core-watcher meta.helm.sh/release-name=module --overwrite || true ./zarf tools kubectl annotate mutatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true ./zarf tools kubectl annotate validatingwebhookconfiguration -n pepr-system pepr-uds-core meta.helm.sh/release-name=module --overwrite || true +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) diff --git a/src/prometheus-stack/chart/Chart.yaml b/src/prometheus-stack/chart/Chart.yaml index 032e81126..9a6487cab 100644 --- a/src/prometheus-stack/chart/Chart.yaml +++ b/src/prometheus-stack/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-prometheus-config description: Prometheus stack configuration for UDS diff --git a/src/prometheus-stack/chart/templates/istio-monitor.yaml b/src/prometheus-stack/chart/templates/istio-monitor.yaml index f2871b10b..674346d35 100644 --- a/src/prometheus-stack/chart/templates/istio-monitor.yaml +++ b/src/prometheus-stack/chart/templates/istio-monitor.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # This podmonitor will pick up envoy stats for all Istio sidecars across the cluster apiVersion: monitoring.coreos.com/v1 kind: PodMonitor diff --git a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml index eb1c14d0e..45b36d696 100644 --- a/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml +++ b/src/prometheus-stack/chart/templates/peerauthentication/prometheus-operator-pa.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + {{- if .Capabilities.APIVersions.Has "security.istio.io/v1beta1" }} apiVersion: "security.istio.io/v1beta1" kind: PeerAuthentication diff --git a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml index 06bcd9e5c..e9ea8bb10 100644 --- a/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml +++ b/src/prometheus-stack/chart/templates/prometheus-pod-monitor.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # This pod monitor is used instead of a service monitor to handle mTLS with self-monitoring apiVersion: monitoring.coreos.com/v1 kind: PodMonitor diff --git a/src/prometheus-stack/chart/templates/uds-exemption.yaml b/src/prometheus-stack/chart/templates/uds-exemption.yaml index 9d9b7e317..ffb1df745 100644 --- a/src/prometheus-stack/chart/templates/uds-exemption.yaml +++ b/src/prometheus-stack/chart/templates/uds-exemption.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/prometheus-stack/chart/templates/uds-package.yaml b/src/prometheus-stack/chart/templates/uds-package.yaml index 2dfda03fb..fd049e994 100644 --- a/src/prometheus-stack/chart/templates/uds-package.yaml +++ b/src/prometheus-stack/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/prometheus-stack/chart/values.yaml b/src/prometheus-stack/chart/values.yaml index e69de29bb..2067cc53d 100644 --- a/src/prometheus-stack/chart/values.yaml +++ b/src/prometheus-stack/chart/values.yaml @@ -0,0 +1,2 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial diff --git a/src/prometheus-stack/common/zarf.yaml b/src/prometheus-stack/common/zarf.yaml index 142bbd63f..9bdf279cb 100644 --- a/src/prometheus-stack/common/zarf.yaml +++ b/src/prometheus-stack/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-prometheus-stack-common @@ -15,7 +18,7 @@ components: - name: kube-prometheus-stack namespace: monitoring url: https://prometheus-community.github.io/helm-charts - version: 62.7.0 + version: 65.2.0 valuesFiles: - "../values/values.yaml" actions: diff --git a/src/prometheus-stack/oscal-component.yaml b/src/prometheus-stack/oscal-component.yaml index 2dab3e066..0bf34cbf4 100644 --- a/src/prometheus-stack/oscal-component.yaml +++ b/src/prometheus-stack/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: 017dbd45-5122-4c11-b5ce-d4b31116c581 metadata: diff --git a/src/prometheus-stack/tasks.yaml b/src/prometheus-stack/tasks.yaml index eacf43448..f71e3624e 100644 --- a/src/prometheus-stack/tasks.yaml +++ b/src/prometheus-stack/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: @@ -33,8 +36,8 @@ tasks: # - name: gen-crds # actions: # - description: Generate servicemonitor types - # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml src/pepr/operator/crd/generated/prometheus" + # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml src/pepr/operator/crd/generated/prometheus" # - description: Generate podmonitor types - # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml src/pepr/operator/crd/generated/prometheus" + # cmd: "npx kubernetes-fluent-client crd https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.77.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml src/pepr/operator/crd/generated/prometheus" # - description: Pepr Format # cmd: "npx pepr format" diff --git a/src/prometheus-stack/values/crd-values.yaml b/src/prometheus-stack/values/crd-values.yaml index b5d80740e..bb4bd672d 100644 --- a/src/prometheus-stack/values/crd-values.yaml +++ b/src/prometheus-stack/values/crd-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + ## Annotations for CRDs crds: annotations: {} diff --git a/src/prometheus-stack/values/registry1-values.yaml b/src/prometheus-stack/values/registry1-values.yaml index b0d19a0a9..c5f39b658 100644 --- a/src/prometheus-stack/values/registry1-values.yaml +++ b/src/prometheus-stack/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + alertmanager: alertmanagerSpec: image: @@ -37,7 +40,7 @@ prometheusOperator: image: registry: registry1.dso.mil repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen - tag: v1.4.3 + tag: v1.4.4 registry: registry1.dso.mil repository: ironbank/opensource/ingress-nginx/kube-webhook-certgen tag: v1.3.0 @@ -48,9 +51,9 @@ prometheusOperator: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus-operator/prometheus-operator - tag: v0.77.0 + tag: v0.77.1 prometheusConfigReloader: image: registry: registry1.dso.mil repository: ironbank/opensource/prometheus-operator/prometheus-config-reloader - tag: v0.77.0 + tag: v0.77.1 diff --git a/src/prometheus-stack/values/unicorn-values.yaml b/src/prometheus-stack/values/unicorn-values.yaml index f9f1f9f91..df2b75f14 100644 --- a/src/prometheus-stack/values/unicorn-values.yaml +++ b/src/prometheus-stack/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + alertmanager: alertmanagerSpec: image: @@ -37,7 +40,7 @@ prometheusOperator: image: registry: cgr.dev repository: du-uds-defenseunicorns/kube-webhook-certgen-fips - tag: 1.11.2 + tag: 1.11.3 registry: cgr.dev repository: du-uds-defenseunicorns/kube-webhook-certgen-fips tag: 1.10.1 @@ -48,9 +51,9 @@ prometheusOperator: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-operator-fips - tag: 0.77.0 + tag: 0.77.1 prometheusConfigReloader: image: registry: cgr.dev repository: du-uds-defenseunicorns/prometheus-config-reloader-fips - tag: 0.77.0 + tag: 0.77.1 diff --git a/src/prometheus-stack/values/upstream-values.yaml b/src/prometheus-stack/values/upstream-values.yaml index 8f2c4c34a..e539454dd 100644 --- a/src/prometheus-stack/values/upstream-values.yaml +++ b/src/prometheus-stack/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + alertmanager: alertmanagerSpec: image: @@ -32,7 +35,7 @@ prometheusOperator: image: registry: registry.k8s.io repository: ingress-nginx/kube-webhook-certgen - tag: v1.4.3 + tag: v1.4.4 securityContext: runAsGroup: 2000 runAsNonRoot: true @@ -40,9 +43,9 @@ prometheusOperator: image: registry: quay.io repository: prometheus-operator/prometheus-operator - tag: v0.77.0 + tag: v0.77.1 prometheusConfigReloader: image: registry: quay.io repository: prometheus-operator/prometheus-config-reloader - tag: v0.77.0 + tag: v0.77.1 diff --git a/src/prometheus-stack/values/values.yaml b/src/prometheus-stack/values/values.yaml index 1419a08a0..216b6c78c 100644 --- a/src/prometheus-stack/values/values.yaml +++ b/src/prometheus-stack/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + crds: enabled: false grafana: diff --git a/src/prometheus-stack/zarf.yaml b/src/prometheus-stack/zarf.yaml index b1c30e46a..6b0d667a0 100644 --- a/src/prometheus-stack/zarf.yaml +++ b/src/prometheus-stack/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-prometheus-stack @@ -10,7 +13,7 @@ components: charts: - name: prometheus-operator-crds url: https://prometheus-community.github.io/helm-charts - version: 14.0.0 + version: 15.0.0 namespace: uds-crds valuesFiles: - "values/crd-values.yaml" @@ -28,12 +31,12 @@ components: - "values/upstream-values.yaml" images: - "quay.io/prometheus/node-exporter:v1.8.2" - - "quay.io/prometheus-operator/prometheus-operator:v0.77.0" + - "quay.io/prometheus-operator/prometheus-operator:v0.77.1" - "registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.13.0" - "quay.io/prometheus/alertmanager:v0.27.0" - - "quay.io/prometheus-operator/prometheus-config-reloader:v0.77.0" + - "quay.io/prometheus-operator/prometheus-config-reloader:v0.77.1" - "quay.io/prometheus/prometheus:v2.54.1" - - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.3" + - "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4" - name: kube-prometheus-stack required: true @@ -48,12 +51,12 @@ components: - "values/registry1-values.yaml" images: - "registry1.dso.mil/ironbank/opensource/prometheus/node-exporter:v1.8.2" - - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.77.0" + - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator:v0.77.1" - "registry1.dso.mil/ironbank/opensource/kubernetes/kube-state-metrics:v2.13.0" - "registry1.dso.mil/ironbank/opensource/prometheus/alertmanager:v0.27.0" - - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.77.0" + - "registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader:v0.77.1" - "registry1.dso.mil/ironbank/opensource/prometheus/prometheus:v2.54.1" - - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.4.3" + - "registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen:v1.4.4" - name: kube-prometheus-stack required: true @@ -68,9 +71,9 @@ components: - "values/unicorn-values.yaml" images: - "cgr.dev/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.2" - - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.77.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-operator-fips:0.77.1" - "cgr.dev/du-uds-defenseunicorns/kube-state-metrics-fips:2.13.0" - "cgr.dev/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0" - - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.77.0" + - "cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.77.1" - "cgr.dev/du-uds-defenseunicorns/prometheus-fips:2.54.1" - - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.11.2" + - "cgr.dev/du-uds-defenseunicorns/kube-webhook-certgen-fips:1.11.3" diff --git a/src/runtime/tasks.yaml b/src/runtime/tasks.yaml index 75208bc81..c07ea9314 100644 --- a/src/runtime/tasks.yaml +++ b/src/runtime/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/runtime/zarf.yaml b/src/runtime/zarf.yaml index 42df7a706..3b72a0fca 100644 --- a/src/runtime/zarf.yaml +++ b/src/runtime/zarf.yaml @@ -1,18 +1,34 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-runtime description: "UDS Core Runtime" url: "https://github.com/defenseunicorns/uds-runtime" +variables: + - name: DOMAIN + description: "Cluster domain" + default: "uds.dev" + components: - name: uds-runtime required: false images: +<<<<<<< HEAD + - ghcr.io/defenseunicorns/uds-runtime:0.6.1 + charts: + - name: uds-runtime + namespace: uds-runtime + version: "v0.6.1" +======= - ghcr.io/defenseunicorns/uds-runtime:0.5.0 charts: - name: uds-runtime namespace: uds-runtime version: "v0.5.0" +>>>>>>> e80e6fc (chore(deps): update runtime to v0.5.0 (#834)) url: https://github.com/defenseunicorns/uds-runtime.git gitPath: chart actions: diff --git a/src/tempo/tasks.yaml b/src/tempo/tasks.yaml index e3b314c9b..31f664e75 100644 --- a/src/tempo/tasks.yaml +++ b/src/tempo/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/tempo/zarf.yaml b/src/tempo/zarf.yaml index 55413629d..cf41f93c3 100644 --- a/src/tempo/zarf.yaml +++ b/src/tempo/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-tempo diff --git a/src/test/app-admin.yaml b/src/test/app-admin.yaml index 785438ea6..81bfecb2a 100644 --- a/src/test/app-admin.yaml +++ b/src/test/app-admin.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/app-authservice-tenant.yaml b/src/test/app-authservice-tenant.yaml index 04093682b..dcca00954 100644 --- a/src/test/app-authservice-tenant.yaml +++ b/src/test/app-authservice-tenant.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/app-tenant.yaml b/src/test/app-tenant.yaml index 3eb203b99..e377cd25e 100644 --- a/src/test/app-tenant.yaml +++ b/src/test/app-tenant.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v1 kind: Namespace metadata: diff --git a/src/test/chart/Chart.yaml b/src/test/chart/Chart.yaml index 288986028..f7eefefca 100644 --- a/src/test/chart/Chart.yaml +++ b/src/test/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-podinfo-config description: A Helm chart for testing an exempted-app diff --git a/src/test/chart/templates/exemption1.yaml b/src/test/chart/templates/exemption1.yaml index b170dc955..25ae7d346 100644 --- a/src/test/chart/templates/exemption1.yaml +++ b/src/test/chart/templates/exemption1.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption2.yaml b/src/test/chart/templates/exemption2.yaml index 6e03d00c0..b3dd9d30c 100644 --- a/src/test/chart/templates/exemption2.yaml +++ b/src/test/chart/templates/exemption2.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption3.yaml b/src/test/chart/templates/exemption3.yaml index 6e470070e..a3a01ca18 100644 --- a/src/test/chart/templates/exemption3.yaml +++ b/src/test/chart/templates/exemption3.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption4.yaml b/src/test/chart/templates/exemption4.yaml index 7c71840c5..29797a723 100644 --- a/src/test/chart/templates/exemption4.yaml +++ b/src/test/chart/templates/exemption4.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/exemption5.yaml b/src/test/chart/templates/exemption5.yaml index 856688656..25d080889 100644 --- a/src/test/chart/templates/exemption5.yaml +++ b/src/test/chart/templates/exemption5.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/test/chart/templates/package.yaml b/src/test/chart/templates/package.yaml index 1bb8d8e76..c9fa7b778 100644 --- a/src/test/chart/templates/package.yaml +++ b/src/test/chart/templates/package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/test/chart/values.yaml b/src/test/chart/values.yaml index e69de29bb..2067cc53d 100644 --- a/src/test/chart/values.yaml +++ b/src/test/chart/values.yaml @@ -0,0 +1,2 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial diff --git a/src/test/podinfo-values.yaml b/src/test/podinfo-values.yaml index 7be05fd31..1dc56093d 100644 --- a/src/test/podinfo-values.yaml +++ b/src/test/podinfo-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Values set to intentionally violate pepr policies securityContext: runAsUser: 0 diff --git a/src/test/tasks.yaml b/src/test/tasks.yaml index 905791c46..080ccdc2e 100644 --- a/src/test/tasks.yaml +++ b/src/test/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate description: Test app used for UDS Core validation diff --git a/src/test/zarf.yaml b/src/test/zarf.yaml index f350e036e..90195beae 100644 --- a/src/test/zarf.yaml +++ b/src/test/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-test-apps diff --git a/src/vector/chart/Chart.yaml b/src/vector/chart/Chart.yaml index 6b5ca4898..c620cf6fa 100644 --- a/src/vector/chart/Chart.yaml +++ b/src/vector/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-vector-config description: Vector configuration for UDS diff --git a/src/vector/chart/templates/uds-exemption.yaml b/src/vector/chart/templates/uds-exemption.yaml index 0c6032102..7ec004775 100644 --- a/src/vector/chart/templates/uds-exemption.yaml +++ b/src/vector/chart/templates/uds-exemption.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) apiVersion: uds.dev/v1alpha1 kind: Exemption metadata: diff --git a/src/vector/chart/templates/uds-package.yaml b/src/vector/chart/templates/uds-package.yaml index b6bf5bbc1..329effcf3 100644 --- a/src/vector/chart/templates/uds-package.yaml +++ b/src/vector/chart/templates/uds-package.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/vector/chart/values.yaml b/src/vector/chart/values.yaml index f2d4d867f..5ef1e885e 100644 --- a/src/vector/chart/values.yaml +++ b/src/vector/chart/values.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) additionalNetworkAllow: [] # Examples: # - direction: Egress diff --git a/src/vector/common/zarf.yaml b/src/vector/common/zarf.yaml index b020db0e8..89f933638 100644 --- a/src/vector/common/zarf.yaml +++ b/src/vector/common/zarf.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) kind: ZarfPackageConfig metadata: name: uds-core-vector-common diff --git a/src/vector/oscal-component.yaml b/src/vector/oscal-component.yaml index fef87cc00..6a3eb7bc3 100644 --- a/src/vector/oscal-component.yaml +++ b/src/vector/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: ff959bdb-7be9-49b3-9dc2-c41b34e7017d metadata: diff --git a/src/vector/tasks.yaml b/src/vector/tasks.yaml index 69dfbf4ff..afc4a5ea7 100644 --- a/src/vector/tasks.yaml +++ b/src/vector/tasks.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) tasks: - name: validate actions: diff --git a/src/vector/values/registry1-values.yaml b/src/vector/values/registry1-values.yaml index 85509e7b4..961e5a5ce 100644 --- a/src/vector/values/registry1-values.yaml +++ b/src/vector/values/registry1-values.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) image: repository: registry1.dso.mil/ironbank/opensource/timberio/vector tag: 0.41.1 diff --git a/src/vector/values/unicorn-values.yaml b/src/vector/values/unicorn-values.yaml index d90700602..68e19e7d7 100644 --- a/src/vector/values/unicorn-values.yaml +++ b/src/vector/values/unicorn-values.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) image: repository: cgr.dev/du-uds-defenseunicorns/vector tag: 0.41.1 diff --git a/src/vector/values/upstream-values.yaml b/src/vector/values/upstream-values.yaml index 5180f3c7c..9cc0bce8d 100644 --- a/src/vector/values/upstream-values.yaml +++ b/src/vector/values/upstream-values.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) image: repository: timberio/vector tag: 0.41.1-distroless-static diff --git a/src/vector/values/values.yaml b/src/vector/values/values.yaml index 7bbe3ee60..7946cfa6f 100644 --- a/src/vector/values/values.yaml +++ b/src/vector/values/values.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) # Run as an agent daemonset role: "Agent" diff --git a/src/vector/zarf.yaml b/src/vector/zarf.yaml index 738476d7d..ec1a31437 100644 --- a/src/vector/zarf.yaml +++ b/src/vector/zarf.yaml @@ -1,3 +1,9 @@ +<<<<<<< HEAD +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + +======= +>>>>>>> 2f6ed02 (feat!: switch from promtail to vector (#724)) kind: ZarfPackageConfig metadata: name: uds-core-vector diff --git a/src/velero/README.md b/src/velero/README.md index 534761d6a..5d9c08e19 100644 --- a/src/velero/README.md +++ b/src/velero/README.md @@ -75,28 +75,14 @@ This package currently assumes the availability of S3 API compatible object stor ## Deploy -### Build and Deploy Everything locally via UDS tasks +### Build Deploy, and Test locally via UDS tasks -```bash -# build the bundle for testing -UDS_PKG=velero uds run create-single-package - -# setup a k3d test env -uds run setup-test-cluster - -# deploy the bundle -UDS_PKG=velero uds run deploy-single-package -``` - -### Test the package via UDS tasks -Running the following will check that the velero deployment exists in the cluster and attempt to execute a backup: +Velero is included in the backup-restore functional layer (WIP). This layer can be created, deployed, and tested with a single UDS run command: ```bash -uds run -f src/velero/tasks.yaml validate +uds run test-single-layer --set LAYER=backup-restore ``` -> Alternatively, you can combine package creation, cluster setup, package deploy and the test command with a simple `UDS_PKG=velero uds run test-single-package` - ## Manually trigger the default backup for testing purposes ```bash diff --git a/src/velero/chart/Chart.yaml b/src/velero/chart/Chart.yaml index 751f5e64a..291b632a8 100644 --- a/src/velero/chart/Chart.yaml +++ b/src/velero/chart/Chart.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: v2 name: uds-velero-config description: Velero configuration for UDS diff --git a/src/velero/chart/templates/uds-package.yaml b/src/velero/chart/templates/uds-package.yaml index 0326a863e..c096f7222 100644 --- a/src/velero/chart/templates/uds-package.yaml +++ b/src/velero/chart/templates/uds-package.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + apiVersion: uds.dev/v1alpha1 kind: Package metadata: diff --git a/src/velero/chart/values.yaml b/src/velero/chart/values.yaml index fbb557b5a..5ec83f081 100644 --- a/src/velero/chart/values.yaml +++ b/src/velero/chart/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + storage: internal: enabled: false diff --git a/src/velero/common/zarf.yaml b/src/velero/common/zarf.yaml index 398d902cc..ca0d88458 100644 --- a/src/velero/common/zarf.yaml +++ b/src/velero/common/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-velero-common diff --git a/src/velero/oscal-component.yaml b/src/velero/oscal-component.yaml index b98db8364..4d149c77b 100644 --- a/src/velero/oscal-component.yaml +++ b/src/velero/oscal-component.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + component-definition: uuid: D73CF4E6-D893-4BDE-A195-C4DE782DF63B metadata: diff --git a/src/velero/tasks.yaml b/src/velero/tasks.yaml index 1c129338b..9a27a47e9 100644 --- a/src/velero/tasks.yaml +++ b/src/velero/tasks.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + tasks: - name: validate actions: diff --git a/src/velero/values/registry1-values.yaml b/src/velero/values/registry1-values.yaml index a77d3af58..07357ca8d 100644 --- a/src/velero/values/registry1-values.yaml +++ b/src/velero/values/registry1-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: registry1.dso.mil/ironbank/opensource/velero/velero tag: v1.14.1 diff --git a/src/velero/values/unicorn-values.yaml b/src/velero/values/unicorn-values.yaml index 9f78c90db..68c72a20e 100644 --- a/src/velero/values/unicorn-values.yaml +++ b/src/velero/values/unicorn-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: cgr.dev/du-uds-defenseunicorns/velero-fips tag: 1.14.1-dev diff --git a/src/velero/values/upstream-values.yaml b/src/velero/values/upstream-values.yaml index 765de705c..8b7cd9fe6 100644 --- a/src/velero/values/upstream-values.yaml +++ b/src/velero/values/upstream-values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + image: repository: velero/velero tag: v1.14.1 diff --git a/src/velero/values/values.yaml b/src/velero/values/values.yaml index c77c7334c..1cbe8d9a3 100644 --- a/src/velero/values/values.yaml +++ b/src/velero/values/values.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + credentials: useSecret: true name: "velero-bucket-credentials" diff --git a/src/velero/zarf.yaml b/src/velero/zarf.yaml index e3a809c83..4814bc8dc 100644 --- a/src/velero/zarf.yaml +++ b/src/velero/zarf.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + kind: ZarfPackageConfig metadata: name: uds-core-velero diff --git a/tasks.yaml b/tasks.yaml index 0ee6c3e46..9ac39253d 100644 --- a/tasks.yaml +++ b/tasks.yaml @@ -1,8 +1,11 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: - name: FLAVOR default: upstream - - name: PKG + - name: LAYER includes: - create: ./tasks/create.yaml @@ -12,7 +15,6 @@ includes: - lint: ./tasks/lint.yaml tasks: - - name: default actions: - description: "Build, deploy and test UDS Core" @@ -24,8 +26,31 @@ tasks: - description: "Create the dev cluster" task: setup:create-k3d-cluster + # Workaround for https://github.com/zarf-dev/zarf/issues/2713 + - description: "Modify Istio values w/ upstream registry" + cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" + +<<<<<<< HEAD + # Workaround for https://github.com/zarf-dev/zarf/issues/2713 + - description: "Modify Istio values w/ upstream registry" + cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\") | .global.proxy.image |= sub(\"###ZARF_REGISTRY###\", \"docker.io\")' src/istio/values/upstream-values.yaml" + +======= + # Note: This currently is broken until https://github.com/zarf-dev/zarf/issues/2713 is resolved + # As a workaround you can edit the `src/istio/values/upstream-values.yaml` file to change ###ZARF_REGISTRY### to docker.io before running +>>>>>>> b3f532a (feat: add base and identity layers (#853)) - description: "Deploy the Istio source package with Zarf Dev" - cmd: "uds zarf dev deploy src/istio --flavor ${FLAVOR} --no-progress" + cmd: "uds zarf dev deploy src/istio --flavor upstream --no-progress" + + - description: "Restore Istio registry values" + cmd: "uds zarf tools yq -i '.global.proxy_init.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\") | .global.proxy.image |= sub(\"docker.io\", \"###ZARF_REGISTRY###\")' src/istio/values/upstream-values.yaml" +<<<<<<< HEAD +<<<<<<< HEAD +======= + #cmd: "sed -i '4,$s/docker.io/###ZARF_REGISTRY###/g' src/istio/values/upstream-values.yaml" +>>>>>>> 550aac5 (Added image workaround for dev-setup, getting started notes) +======= +>>>>>>> de87646 (get rid of sed experiment) # Note, this abuses the --flavor flag to only install the CRDs from this package - the "crds-only" flavor is not an explicit flavor of the package - description: "Deploy the Prometheus-Stack source package with Zarf Dev to only install the CRDs" @@ -40,9 +65,6 @@ tasks: - name: slim-dev actions: - - description: "Create slim dev package" - task: create:slim-dev-package - - description: "Build slim dev bundle" task: create:k3d-slim-dev-bundle @@ -57,46 +79,34 @@ tasks: - description: "Deploy Pepr" cmd: "npx pepr deploy --confirm" - - description: "Deploy Keycloak" - cmd: "uds run dev-deploy --set PKG=keycloak" - - - description: "Deploy Authservice" - cmd: "uds run dev-deploy --set PKG=authservice" + - description: "Deploy Keycloak + Authservice" + cmd: "uds run dev-deploy --set LAYER=identity-authorization --no-progress" - name: dev-deploy - description: "Deploy the given source package with Zarf Dev" + description: "Deploy the given core layer with Zarf Dev" actions: - - cmd: "uds zarf dev deploy src/${PKG} --flavor ${FLAVOR}" + - cmd: "uds zarf dev deploy packages/${LAYER} --flavor ${FLAVOR} --no-progress" - name: setup-cluster description: "Create a k3d Cluster and Initialize with Zarf" actions: - task: setup:k3d-test-cluster - - name: create-single-package - description: "Create a single Zarf Package, must set UDS_PKG environment variable" - actions: - - task: create:single-package - - name: create-standard-package description: "Create UDS Core Zarf Package, `upstream` flavor default, use --set FLAVOR={flavor} to change" actions: - task: create:standard-package - - name: deploy-single-package - description: "Deploy Pepr Module and a Zarf Package using UDS_PKG environment variable" + - name: test-single-layer + description: "Deploys k3d cluster, layer dependencies and the provided layer (based on LAYER variable)" actions: - - task: deploy:single-package + - task: test:layer-dependencies + - task: test:single-layer - name: deploy-standard-bundle actions: - task: deploy:k3d-standard-bundle - - name: test-single-package - description: "Build and test a single package, must set UDS_PKG environment variable" - actions: - - task: test:single-package - - name: test-uds-core description: "Build and test UDS Core" actions: @@ -105,9 +115,10 @@ tasks: - name: test-uds-core-ha description: "Build and test UDS Core" actions: - - cmd: docker stop my-postgres && docker rm my-postgres || true + - cmd: docker stop postgres && docker rm postgres || true - cmd: docker network create k3d-uds || true - - cmd: docker run -p 5432:5432 --network=k3d-uds --name my-postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=keycloak -e POSTGRES_PASSWORD=password -d postgres + - cmd: docker run -p 5432:5432 --network=k3d-uds --name postgres -e POSTGRES_DB=keycloak -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=password -d postgres + - cmd: sleep 3 && docker exec postgres psql -U postgres -c "CREATE DATABASE grafana;" - task: test:uds-core-ha - name: test-uds-core-upgrade diff --git a/tasks/create.yaml b/tasks/create.yaml index 9480a8944..b1e8416c3 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -1,5 +1,9 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + includes: - - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/create.yaml + - common: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/create.yaml variables: - name: FLAVOR @@ -7,7 +11,9 @@ variables: - name: REGISTRY1_PEPR_IMAGE # renovate: datasource=docker depName=registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller versioning=semver - default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.36.0 + default: registry1.dso.mil/ironbank/opensource/defenseunicorns/pepr/controller:v0.38.0 + + - name: LAYER tasks: - name: standard-package @@ -24,36 +30,38 @@ tasks: - description: "Create the UDS Core Standard Bundle" cmd: "uds create bundles/k3d-standard --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" - - name: slim-dev-package - description: "Create the UDS Core (Istio Only) Zarf Package" + - name: k3d-slim-dev-bundle + description: "Create the slim dev bundle (Base and Identity)" actions: - - task: pepr-build + - description: "Create base package" + task: single-layer + with: + layer: base - - description: "Create the UDS Core Istio Zarf Package" - cmd: "uds zarf package create packages/slim-dev --confirm --no-progress --flavor ${FLAVOR}" + - description: "Create identity-authorization package" + task: single-layer + with: + layer: identity-authorization - - name: k3d-slim-dev-bundle - description: "Create the K3d-UDS Core (Istio and Keycloak Only) Bundle" - actions: - - description: "Create the UDS Core Istio and Keycloak Only Bundle" + - description: "Create the slim dev bundle (Base and Identity)" cmd: "uds create bundles/k3d-slim-dev --confirm --no-progress --architecture=${ZARF_ARCHITECTURE}" - - name: single-package - description: "Create a single Zarf Package, must set UDS_PKG environment variable" + # This task is a wrapper to support --set LAYER=identity-authorization + - name: single-layer-callable actions: - - task: pepr-build - - - description: "Create the Pepr Zarf Package, if it exists" - cmd: "uds zarf package create src/pepr --confirm --no-progress" + - task: single-layer + with: + layer: $LAYER - - description: "Create the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: "uds zarf package create src/${UDS_PKG} --confirm --no-progress --flavor ${FLAVOR}" - - - description: "Create the Istio Zarf Package, if UDS_PKG != istio" - cmd: | - if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package create src/istio --confirm --no-progress --flavor ${FLAVOR} - fi + - name: single-layer + inputs: + layer: + default: base + description: The UDS Core layer to build + actions: + - task: pepr-build + if: ${{ eq .inputs.layer "base"}} + - cmd: uds zarf package create packages/${{ index .inputs "layer" }} --confirm --no-progress --flavor ${FLAVOR} - name: pepr-build description: "Build the UDS Core Pepr Module" diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index 0d1ff8a88..6afb448d1 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -1,3 +1,7 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + includes: - utils: utils.yaml @@ -5,7 +9,11 @@ variables: - name: VERSION description: "The version of the packages to deploy" # x-release-please-start-version +<<<<<<< HEAD + default: "0.29.0" +======= default: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end - name: FLAVOR default: upstream @@ -28,18 +36,22 @@ tasks: - description: "Deploy the UDS Core Slim Dev Only Bundle" cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress - - name: single-package + # This task is a wrapper to support --set LAYER=identity-authorization + - name: single-layer-callable + actions: + - task: single-layer + with: + layer: $LAYER + + - name: single-layer + description: "Deploy a single UDS Core layer, must set UDS_LAYER environment variable" + inputs: + layer: + default: base + description: The UDS Core layer to deploy actions: - - description: "Deploy the Istio package, if UDS_PKG != istio" - cmd: | - if [ "${UDS_PKG}" != "istio" ]; then - uds zarf package deploy build/zarf-package-uds-core-istio-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' - fi - - description: "Deploy the Pepr Module" - cmd: | - uds zarf package deploy build/zarf-package-pepr-uds-core-${UDS_ARCH}.tar.zst --confirm --no-progress --set UDS_SINGLE_TEST=true --set PEPR_SERVICE_MONITORS=false - - description: "Deploy the requested Zarf Package (must set UDS_PKG environment variable)" - cmd: uds zarf package deploy build/zarf-package-uds-core-${UDS_PKG}-${UDS_ARCH}.tar.zst --confirm --no-progress --components '*' + - description: "Deploy a single UDS Core Layer (must set UDS_LAYER environment variable)" + cmd: uds zarf package deploy build/zarf-package-core-${{ index .inputs "layer" }}-${UDS_ARCH}-${VERSION}.tar.zst --confirm --no-progress --components '*' - name: latest-package-release actions: diff --git a/tasks/iac.yaml b/tasks/iac.yaml index f13e2d4e4..0c178bab9 100644 --- a/tasks/iac.yaml +++ b/tasks/iac.yaml @@ -1,5 +1,10 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + variables: - name: CLUSTER_NAME + - name: K8S_DISTRO - name: REGION - name: PERMISSIONS_BOUNDARY_NAME - name: PERMISSIONS_BOUNDARY_ARN @@ -13,7 +18,7 @@ tasks: - name: install-eksctl actions: - cmd: | - curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.190.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp + curl --silent --location "https://github.com/weaveworks/eksctl/releases/download/v0.192.0/eksctl_Linux_amd64.tar.gz" | tar xz -C /tmp sudo mv /tmp/eksctl /usr/local/bin - name: create-cluster @@ -75,6 +80,50 @@ tasks: - cmd: eksctl create cluster -f cluster-config.yaml - cmd: eksctl utils write-kubeconfig -c ${CLUSTER_NAME} + - name: rke2-get-kubeconfig + actions: + - cmd: chmod +x ./scripts/get-kubeconfig.sh && ./scripts/get-kubeconfig.sh + dir: .github/test-infra/aws/rke2/ + + - name: rke2-nodes-ready + actions: + - cmd: sleep 30 + - wait: + cluster: + kind: nodes + condition: Ready + name: kubernetes.io/os=linux + maxTotalSeconds: 900 + + - name: rke2-cluster-ready + actions: + - task: rke2-nodes-ready + - cmd: | + export KUBECONFIG=./rke2-config + # wait for at least 3 nodes + while true; do + if [ $(uds zarf tools kubectl get nodes -o jsonpath='{range .items[*]}{.status.conditions[-1].type}={.status.conditions[-1].status}{"\n"}{end}' | egrep -i '^ready.*true' | wc -l) -lt 3 ]; then + echo "Waiting for at least 3 nodes to be ready..."; + sleep 5; + else + break + fi + done + + # wait for cluster components + while true; do + if [ $(uds zarf tools kubectl get po -A --no-headers=true | egrep -v 'Running|Completed' | wc -l) -gt 0 ]; then + echo "Waiting for cluster components to be ready..."; + sleep 5; + else + echo "Cluster is ready" + break + fi + done + uds zarf tools kubectl apply -f ./metallb.yaml + dir: .github/test-infra/aws/rke2/ + maxTotalSeconds: 600 + - name: destroy-cluster actions: - cmd: eksctl delete cluster -f cluster-config.yaml --disable-nodegroup-eviction --wait @@ -88,56 +137,89 @@ tasks: - name: destroy-iac actions: - cmd: tofu destroy -auto-approve - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - name: apply-tofu actions: - - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets1.tfstate/g' + - cmd: echo ${STATE_KEY} | sed 's/\.tfstate/-buckets.tfstate/g' setVariables: - name: BUCKETS_STATE_KEY - dir: .github/test-infra/buckets-iac - - cmd: echo ${BUCKETS_STATE_KEY} + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: | tofu init -force-copy \ - -backend-config="bucket=${STATE_BUCKET_NAME}" \ - -backend-config="key=${BUCKETS_STATE_KEY}" \ - -backend-config="region=${REGION}" \ - -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" - dir: .github/test-infra/buckets-iac + -backend-config="bucket=${STATE_BUCKET_NAME}" \ + -backend-config="key=${BUCKETS_STATE_KEY}" \ + -backend-config="region=${REGION}" \ + -backend-config="dynamodb_table=${STATE_DYNAMODB_TABLE_NAME}" + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: tofu apply -auto-approve - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - name: tofu-outputs actions: - cmd: tofu output -raw loki_s3_bucket setVariables: - name: "LOKI_S3_BUCKET" - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true - cmd: tofu output -raw aws_region setVariables: - name: LOKI_S3_AWS_REGION - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: tofu output -raw loki_irsa_role_arn setVariables: - name: LOKI_S3_ROLE_ARN - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true - cmd: tofu output -raw velero_s3_bucket setVariables: - name: VELERO_S3_BUCKET - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true - cmd: tofu output -raw aws_region setVariables: - name: VELERO_S3_AWS_REGION - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} - cmd: tofu output -raw velero_irsa_role_arn setVariables: - name: VELERO_S3_ROLE_ARN - dir: .github/test-infra/buckets-iac + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_host 2>/dev/null || echo '""' + setVariables: + - name: GRAFANA_PG_HOST + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_port 2>/dev/null || echo '""' + setVariables: + - name: GRAFANA_PG_PORT + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_database 2>/dev/null || echo '""' + setVariables: + - name: GRAFANA_PG_DATABASE + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_user 2>/dev/null || echo '""' + setVariables: + - name: GRAFANA_PG_USER + dir: .github/test-infra/aws/${K8S_DISTRO} + mute: true + - cmd: tofu output -raw grafana_pg_password 2>/dev/null || echo '""' + setVariables: + - name: GRAFANA_PG_PASSWORD + mute: true # Muted to hide sensitive password + dir: .github/test-infra/aws/${K8S_DISTRO} + - cmd: tofu output -raw grafana_ha + setVariables: + - name: GRAFANA_HA + dir: .github/test-infra/aws/${K8S_DISTRO} - name: create-uds-config actions: + - task: tofu-outputs - cmd: | - cat < .github/bundles/uds-config.yaml + cat < .github/bundles/${K8S_DISTRO}/uds-config.yaml options: architecture: amd64 variables: @@ -146,12 +228,18 @@ tasks: loki_ruler_bucket: ${LOKI_S3_BUCKET} loki_admin_bucket: ${LOKI_S3_BUCKET} loki_s3_region: ${LOKI_S3_AWS_REGION} - loki_irsa_annotation: "${LOKI_S3_ROLE_ARN}" + loki_irsa_role_arn: ${LOKI_S3_ROLE_ARN} velero_use_secret: false - velero_irsa_annotation: "${VELERO_S3_ROLE_ARN}" + velero_irsa_role_arn: ${VELERO_S3_ROLE_ARN} velero_bucket: ${VELERO_S3_BUCKET} velero_bucket_region: ${VELERO_S3_AWS_REGION} velero_bucket_provider_url: "" velero_bucket_credential_name: "" velero_bucket_credential_key: "" + grafana_ha: ${GRAFANA_HA} + grafana_pg_host: ${GRAFANA_PG_HOST} + grafana_pg_port: ${GRAFANA_PG_PORT} + grafana_pg_database: ${GRAFANA_PG_DATABASE} + grafana_pg_password: ${GRAFANA_PG_PASSWORD} + grafana_pg_user: ${GRAFANA_PG_USER} EOF diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 471072261..ecce5fe3c 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,5 +1,9 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + includes: - - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/lint.yaml + - remote: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/lint.yaml tasks: - name: fix @@ -27,8 +31,23 @@ tasks: cmd: yamllint . -c .yamllint --no-warnings - description: codespell lint cmd: codespell + - description: Install addlicense dep + # renovate: datasource=github-tags depName=google/addlicense versioning=semver + cmd: GOPATH="$HOME/go" go install github.com/google/addlicense@v1.1.1 + - description: license lint + task: license - name: oscal actions: - description: Lula Lint OSCAL task: remote:oscal + + - name: license + actions: + - description: Lint for the SPDX license identifier being in source files + task: remote:license + + - name: fix-license + actions: + - description: Add the SPDX license identifier to source files + task: remote:fix-license diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 30e70f557..d80afd36e 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -1,5 +1,11 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + includes: - utils: utils.yaml + - test: test.yaml + - setup: setup.yaml variables: - name: FLAVOR @@ -8,9 +14,15 @@ variables: - name: VERSION description: "The version of the packages to build" # x-release-please-start-version +<<<<<<< HEAD + default: "0.29.0" +======= default: "0.28.0" +>>>>>>> 62baad3 (chore(main): release 0.28.0 (#795)) # x-release-please-end + - name: LAYER + tasks: - name: standard-package description: "Publish the UDS package" @@ -52,3 +64,12 @@ tasks: uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest pkgPath="${TARGET_REPO}/bundles/k3d-core-slim-dev" uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest + + - name: single-layer + description: "Test and Publish UDS Core layer" + actions: + - task: test:layer-dependencies + - task: test:single-layer + - task: utils:determine-repo + - description: "Publish build of layer" + cmd: uds zarf package publish build/zarf-package-core-${LAYER}-${UDS_ARCH}-${VERSION}.tar.zst oci://${TARGET_REPO} diff --git a/tasks/setup.yaml b/tasks/setup.yaml index 756d3e354..6bed84f72 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -1,3 +1,7 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + tasks: - name: create-k3d-cluster actions: @@ -11,4 +15,4 @@ tasks: - description: "Initialize the cluster with Zarf" # renovate: datasource=github-tags depName=zarf-dev/zarf versioning=semver - cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.40.1 --confirm --no-progress" + cmd: "uds zarf package deploy oci://ghcr.io/zarf-dev/packages/init:v0.41.0 --confirm --no-progress" diff --git a/tasks/test.yaml b/tasks/test.yaml index 185408e5a..449fddbf2 100644 --- a/tasks/test.yaml +++ b/tasks/test.yaml @@ -1,19 +1,46 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + + includes: - create: ./create.yaml - setup: ./setup.yaml - deploy: ./deploy.yaml - - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.13.1/tasks/compliance.yaml + - compliance: https://raw.githubusercontent.com/defenseunicorns/uds-common/v1.1.0/tasks/compliance.yaml + - base-layer: ../packages/base/tasks.yaml tasks: - - name: single-package - description: "Build and test a single package, must set UDS_PKG environment variable" + - name: base + description: "Build and test the base layer" actions: - - task: create:single-package + - task: create:pepr-build - task: setup:k3d-test-cluster - - task: deploy:single-package + - cmd: uds run -f tasks/test.yaml single-layer --set FLAVOR=${FLAVOR} --set=layer=base + - name: single-layer + description: "Build and test a single layer, must set UDS_LAYER environment variable" + actions: + - task: create:single-layer + with: + layer: ${LAYER} + - task: deploy:single-layer + with: + layer: ${LAYER} - description: "Validate the package" - cmd: uds run -f src/${UDS_PKG}/tasks.yaml validate --no-progress + cmd: uds run -f packages/${LAYER}/tasks.yaml validate --no-progress + + - name: layer-dependencies + description: "Sets up a k3d cluster and deploys dependencies for the given layer" + actions: + - task: setup:k3d-test-cluster + - cmd: uds zarf tools yq '.metadata.x-uds-dependencies.[]' packages/${LAYER}/zarf.yaml 2>/dev/null + mute: true + setVariables: + - name: LAYER_DEPS + - cmd: | + for dep in $LAYER_DEPS; do + uds run -f tasks/test.yaml single-layer --set LAYER=$dep --set FLAVOR=${FLAVOR} --no-progress + done - name: validate-packages description: "Validated all packages" diff --git a/tasks/utils.yaml b/tasks/utils.yaml index 6afa8c9d6..298551e72 100644 --- a/tasks/utils.yaml +++ b/tasks/utils.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + variables: - name: BASE_REPO default: "ghcr.io/defenseunicorns/packages" diff --git a/zarf-config.yaml b/zarf-config.yaml index 8ee66a63c..1e942db6a 100644 --- a/zarf-config.yaml +++ b/zarf-config.yaml @@ -1,3 +1,6 @@ +# Copyright 2024 Defense Unicorns +# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial + # Disable until UDS CLI isn't super noisy no_progress: true