Merge pull request #157 from abnamro/2472323-fix-datree-findings

2472323 fix datree findings

Author: amrityamrout

deployment/kubernetes/README.md

@@ -222,7 +222,7 @@ helm lint . --set-file global.secretScanRulePackConfig=./RESC-RULE.toml
 
 Render chart templates locally and display the output.
 ```bash
-helm template resc . -f ../resc-helm-wizard/custom-values.yaml --set-file global.secretScanRulePackConfig=./RESC-RULE.toml
+helm template resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./RESC-RULE.toml
 ```
 
 ## Deploying charts manually
@@ -242,7 +242,7 @@ Make sure you have completed the [pre-requisite](#prerequisites) steps.
 
 * Deploy the helm charts.
   ```bash
-  helm install --namespace resc resc . -f ../resc-helm-wizard/custom-values.yaml --set-file global.secretScanRulePackConfig=./RESC-RULE.toml
+  helm install --namespace resc resc . -f ./example-values.yaml --set-file global.secretScanRulePackConfig=./RESC-RULE.toml
   ```
 
 * Optionally, set the default namespace for all kubectl commands. Now you no longer need to specify the -n resc option for all the kubectl commands.

deployment/kubernetes/charts/resc-database/templates/database_service.yaml

@@ -7,6 +7,8 @@ metadata:
   labels:
     app: {{ .Values.global.appName }}
     tier: ms-database
+  annotations:
+    datree.skip/SERVICE_INCORRECT_TYPE_VALUE_NODEPORT: irrelevant as its only exposed for local environment and can be enabled/disabled from env specific values.yaml
 spec:
   {{ if .Values.database.exposeToHostPort }}
   type: NodePort

deployment/kubernetes/charts/resc-frontend/templates/frontend_deployment.yaml

@@ -3,6 +3,8 @@ kind: Deployment
 metadata:
   name: {{ .Values.global.appName }}-frontend
   namespace: {{ .Values.global.namespace }}
+  annotations:
+    datree.skip/CONTAINERS_INCORRECT_RUNASUSER_VALUE_LOWUID: irrelevant for nginx docker image, skipping.
 spec:
   replicas: {{ .Values.replicas}}
   selector:

deployment/kubernetes/charts/resc-frontend/templates/frontend_service.yaml

@@ -6,6 +6,8 @@ metadata:
   labels:
     app: {{ .Values.global.appName }}
     tier: frontend
+  annotations:
+    datree.skip/SERVICE_INCORRECT_TYPE_VALUE_NODEPORT: irrelevant as frontend needs to be exposed outside of the cluster
 spec:
   {{ if .Values.exposeToHostPort }}
   type: NodePort

deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_job.yaml

@@ -46,12 +46,15 @@ spec:
             - secretRef:
                 name: {{ .Values.global.appName }}-rabbitmq-admin-secret
             {{ end }}
+
+          {{- $additionalVolumeMounts := include "resc.mqInitAdditionalVolumeMounts" . }}
+          {{- if $additionalVolumeMounts }}
           volumeMounts:
-            {{ if eq .Values.useKubernetesSecret "false"}}
             {{- with include "resc.mqInitAdditionalVolumeMounts" .}}
               {{- nindent 12 .}}
             {{- end }}
-            {{ end }}
+          {{- end }}
+
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: false
@@ -63,12 +66,15 @@ spec:
               type: RuntimeDefault
             runAsNonRoot: true
             runAsUser: 10001
+
+      {{- $additionalVolumes := include "resc.mqInitAdditionalVolumes" . }}
+      {{- if $additionalVolumes }}
       volumes:
-        {{ if eq .Values.useKubernetesSecret "false"}}
         {{- with include "resc.mqInitAdditionalVolumes" .}}
           {{- nindent 8 .}}
         {{- end }}
-        {{ end }}
+      {{- end }}
+      
       restartPolicy: {{ .Values.mqInit.restartPolicy }}
       {{ if .Values.global.imagePullSecret }}
       imagePullSecrets:

deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_service.yaml

@@ -6,6 +6,8 @@ metadata:
   labels:
     app: {{ .Values.global.appName }}
     tier: rabbitmq
+  annotations:
+    datree.skip/SERVICE_INCORRECT_TYPE_VALUE_NODEPORT: irrelevant as its only exposed for local environment and can be enabled/disabled from env specific values.yaml
 spec:
   {{ if and (eq .Values.global.enableInClusterRabbitMqMgmt "true") (.Values.rabbitMQ.exposeAmqpToHostPort) (.Values.rabbitMQ.exposeToHostPort)}}
   type: NodePort

deployment/kubernetes/charts/resc-rabbitmq/templates/rabbitmq_statefulset.yaml

@@ -78,11 +78,12 @@ spec:
             - mountPath: "/var/lib/rabbitmq/mnesia"
               subPath: "var/lib/rabbitmq/mnesia"
               name: {{ .Values.global.appName }}-mq-pv-storage
-            {{ if eq .Values.useKubernetesSecret "false"}}
+            {{- $additionalVolumeMounts := include "resc.mqAdditionalVolumeMounts" . }}
+            {{- if $additionalVolumeMounts }}
             {{- with include "resc.mqAdditionalVolumeMounts" .}}
               {{- nindent 12 .}}
             {{- end }}
-            {{ end }}
+            {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: false

deployment/kubernetes/charts/resc-redis/templates/redis_deployement.yaml

@@ -45,6 +45,9 @@ spec:
         ports:
         - containerPort: {{ .Values.redis.config.port}}
         resources:
+          requests:
+              cpu: {{ .Values.redis.resources.requests.cpu }}
+              memory: {{ .Values.redis.resources.requests.memory }}
           limits:
             cpu: {{ .Values.redis.resources.limits.cpu }}
             memory: {{ .Values.redis.resources.limits.memory }}
@@ -53,11 +56,12 @@ spec:
           name: data
         - mountPath: /redis-master
           name: config
-        {{ if eq .Values.useKubernetesSecret "false"}}
+        {{- $additionalVolumeMounts := include "resc.redisAdditionalVolumeMounts" . }}
+        {{- if $additionalVolumeMounts }}
         {{- with include "resc.redisAdditionalVolumeMounts" .}}
           {{- nindent 8 .}}
         {{- end }}
-        {{ end }}
+        {{- end }}
       volumes:
         - name: data
           emptyDir: {}
@@ -67,10 +71,11 @@ spec:
             items:
             - key: redis-config
               path: redis.conf
-        {{ if eq .Values.useKubernetesSecret "false"}}
+        {{- $additionalVolumes := include "resc.redisAdditionalVolumes" . }}
+        {{- if $additionalVolumes }}
         {{- with include "resc.redisAdditionalVolumes" .}}
           {{- nindent 8 .}}
         {{- end }}
-        {{ end }}
+        {{- end }}
 
 

deployment/kubernetes/charts/resc-redis/templates/redis_service.yaml

@@ -6,6 +6,8 @@ metadata:
   labels:
     app: {{ .Values.global.appName }}
     tier: redis
+  annotations:
+    datree.skip/SERVICE_INCORRECT_TYPE_VALUE_NODEPORT: irrelevant as its only exposed for local environment and can be enabled/disabled from env specific values.yaml
 spec:
   {{ if and (eq .Values.global.enableInClusterRedis "true") (.Values.redis.exposeToHostPort)}}
   type: NodePort

deployment/kubernetes/charts/resc-redis/values.yaml

@@ -1,16 +1,16 @@
 redis:
+  image:
+    repository:
+    name: redis
+    tag: 7.0.11-alpine
+    pullPolicy: IfNotPresent
   resources:
     requests:
       cpu: 250m
       memory: 256Mi
     limits:
       cpu: 250m
       memory: 256Mi
-  image:
-    repository:
-    name: redis
-    tag: 7.0.11-alpine
-    pullPolicy: IfNotPresent
   config:
     port: 6379
     password:

deployment/kubernetes/charts/resc-vcs-scanner-secrets/templates/vcs_scanner_secrets_deployment.yaml

@@ -57,11 +57,12 @@ spec:
             - name: config-volume
               mountPath: {{ .Values.config.vcs_instance_file_path }}
               subPath: vcs_instances_config.json
-          {{ if eq .Values.useKubernetesSecret "false"}}
+          {{- $additionalVolumeMounts := include "resc.vcsScannerSecretsAdditionalVolumeMounts" . }}
+          {{- if $additionalVolumeMounts }}
           {{- with include "resc.vcsScannerSecretsAdditionalVolumeMounts" .}}
             {{- nindent 12 .}}
           {{- end }}
-          {{ end }}
+          {{- end }}
         env:
           - name: GET_HOSTS_FROM
             value: dns
@@ -80,11 +81,12 @@ spec:
         - name: config-volume
           configMap:
             name: {{ .Values.global.appName }}-vcs-instances-config
-        {{ if eq .Values.useKubernetesSecret "false"}}
+        {{- $additionalVolumes := include "resc.vcsScannerSecretsAdditionalVolumes" . }}
+        {{- if $additionalVolumes }}
         {{- with include "resc.vcsScannerSecretsAdditionalVolumes" .}}
           {{- nindent 8 .}}
         {{- end }}
-        {{ end }}
+        {{- end }}
       restartPolicy: {{ .Values.restartPolicy }}
       {{ if .Values.global.imagePullSecret }}
       imagePullSecrets:

deployment/kubernetes/charts/resc-vcs-scraper-projects/templates/vcs_scraper_projects_cron_job.yaml

@@ -7,6 +7,7 @@ spec:
   suspend: {{ .Values.suspend }}
   schedule: "{{ .Values.config.schedule }}"
   concurrencyPolicy: Forbid
+  startingDeadlineSeconds: {{ .Values.config.startingDeadlineSeconds }}
   successfulJobsHistoryLimit: {{ .Values.config.successfulJobsHistoryLimit }}
   failedJobsHistoryLimit: {{ .Values.config.failedJobsHistoryLimit }}
   jobTemplate:
@@ -57,11 +58,12 @@ spec:
               - name: config-volume
                 mountPath: {{ .Values.config.vcs_instance_file_path }}
                 subPath: vcs_instances_config.json
-              {{ if eq .Values.useKubernetesSecret "false"}}
+              {{- $additionalVolumeMounts := include "resc.vcsScraperProjectsAdditionalVolumeMounts" . }}
+              {{- if $additionalVolumeMounts }}
               {{- with include "resc.vcsScraperProjectsAdditionalVolumeMounts" .}}
                 {{- nindent 14 .}}
               {{- end }}
-              {{ end }}
+              {{- end }}
             env:
               - name: GET_HOSTS_FROM
                 value: dns
@@ -80,11 +82,12 @@ spec:
             - name: config-volume
               configMap:
                 name: {{ .Values.global.appName }}-vcs-instances-config
-            {{ if eq .Values.useKubernetesSecret "false"}}
+            {{- $additionalVolumes := include "resc.vcsScraperProjectsAdditionalVolumes" . }}
+            {{- if $additionalVolumes }}
             {{- with include "resc.vcsScraperProjectsAdditionalVolumes" .}}
               {{- nindent 12 .}}
             {{- end }}
-            {{ end }}
+            {{- end }}
           restartPolicy: {{ .Values.restartPolicy }}
           {{ if .Values.global.imagePullSecret }}
           imagePullSecrets:

deployment/kubernetes/charts/resc-vcs-scraper-projects/values.yaml

@@ -12,6 +12,7 @@ config:
   schedule:
   successfulJobsHistoryLimit: 0
   failedJobsHistoryLimit: 0
+  startingDeadlineSeconds: 100
 resources:
   requests:
     cpu: 300m

deployment/kubernetes/charts/resc-vcs-scraper-repositories/templates/vcs_scraper_repositories_deployment.yaml

@@ -59,11 +59,12 @@ spec:
           - name: config-volume
             mountPath: {{ .Values.config.vcs_instance_file_path }}
             subPath: vcs_instances_config.json
-          {{ if eq .Values.useKubernetesSecret "false"}}
+          {{- $additionalVolumeMounts := include "resc.vcsScraperRepositoriesAdditionalVolumeMounts" . }}
+          {{- if $additionalVolumeMounts }}
           {{- with include "resc.vcsScraperRepositoriesAdditionalVolumeMounts" .}}
             {{- nindent 10 .}}
           {{- end }}
-          {{ end }}
+          {{- end }}
         env:
           - name: GET_HOSTS_FROM
             value: dns
@@ -86,11 +87,12 @@ spec:
         - name: config-volume
           configMap:
             name: {{ .Values.global.appName }}-vcs-instances-config
-        {{ if eq .Values.useKubernetesSecret "false"}}
+        {{- $additionalVolumes := include "resc.vcsScraperRepositoriesAdditionalVolumes" . }}
+        {{- if $additionalVolumes }}
         {{- with include "resc.vcsScraperRepositoriesAdditionalVolumes" .}}
           {{- nindent 8 .}}
         {{- end }}
-        {{ end }}
+        {{- end }}
       restartPolicy: {{ .Values.restartPolicy }}
       {{ if .Values.global.imagePullSecret }}
       imagePullSecrets:

deployment/kubernetes/datree-policies.yaml

@@ -6,9 +6,9 @@ policies:
       - identifier: INGRESS_INCORRECT_HOST_VALUE_PERMISSIVE
         messageOnFailure: Incorrect value for key `host` - specify host instead of using a wildcard character ("*")
       #- identifier: CONTAINERS_MISSING_IMAGE_VALUE_VERSION # Not applicable to RESC
-      #  messageOnFailure: Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future
-      - identifier: DEPLOYMENT_MISSING_LABEL_ENV_VALUE
-        messageOnFailure: 'Missing label object `env` - add a proper environment description (e.g. "prod", "testing", etc.) to the Deployment config'
+        # messageOnFailure: Incorrect value for key `image` - specify an image version to avoid unpleasant "version surprises" in the future
+      # - identifier: DEPLOYMENT_MISSING_LABEL_ENV_VALUE # Not applicable to RESC
+        # messageOnFailure: 'Missing label object `env` - add a proper environment description (e.g. "prod", "testing", etc.) to the Deployment config'
       - identifier: CONTAINERS_MISSING_CPU_REQUEST_KEY
         messageOnFailure: Missing property object `requests.cpu` - value should be within the accepted boundaries recommended by the organization
       - identifier: CRONJOB_INVALID_SCHEDULE_VALUE
@@ -25,12 +25,12 @@ policies:
         messageOnFailure: Incorrect value for key `hostPID` - running on the host’s PID namespace enables access to sensitive information from processes running outside the container
       - identifier: K8S_DEPRECATED_APIVERSION_1.16
         messageOnFailure: Incorrect value for key `apiVersion` - the version you are trying to use is not supported by the Kubernetes cluster version (>=1.16)
-      - identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST
-        messageOnFailure: 'Incorrect value for key `image` - add a digest tag (starts with `@sha256:`) to represent an immutable version of the image'
+      # - identifier: CONTAINERS_MISSING_IMAGE_VALUE_DIGEST # Not applicable to RESC, version tag is better and we don't want to update our Kubernetes manifests with image digest tag on everytime we public a image
+        # messageOnFailure: 'Incorrect value for key `image` - add a digest tag (starts with `@sha256:`) to represent an immutable version of the image'
       - identifier: CONTAINERS_INCORRECT_HOSTIPC_VALUE_TRUE
         messageOnFailure: Incorrect value for key `hostIPC` - running on the host’s IPC namespace can be (maliciously) used to interact with other processes running outside the container
     #  - identifier: DEPLOYMENT_INCORRECT_REPLICAS_VALUE # Not applicable to RESC
-    #   messageOnFailure: Incorrect value for key `replicas` - don't relay on a single pod to do all of the work. Running 2 or more replicas will increase the availability of the service
+        # messageOnFailure: Incorrect value for key `replicas` - don't relay on a single pod to do all of the work. Running 2 or more replicas will increase the availability of the service
       - identifier: HPA_MISSING_MAXREPLICAS_KEY
         messageOnFailure: Missing property object `maxReplicas` - the value should be within the accepted boundaries recommended by the organization
       - identifier: CONTAINERS_MISSING_READINESSPROBE_KEY

deployment/kubernetes/example-values.yaml

@@ -122,10 +122,6 @@ resc-redis:
     config:
       port: 6379
       password: "Y0urStr0ngPassword" # <enter Redis password here for caching, default to Y0urStr0ngPassword>
-    resources:
-      limits:
-        cpu: 250m
-        memory: 256Mi
 
 resc-vcs-instances:
   vcsInstances:

deployment/kubernetes/templates/web_service_deployment.tpl

@@ -59,11 +59,12 @@ spec:
             - name: config-volume
               mountPath: /tmp/odbc.ini
               subPath: odbc.ini
-            {{ if eq .Values.useKubernetesSecret "false"}}
+            {{- $additionalVolumeMounts := include "resc.rescWebserviceAdditionalVolumeMounts" . }}
+            {{- if $additionalVolumeMounts }}
             {{- with include "resc.rescWebserviceAdditionalVolumeMounts" .}}
                 {{- nindent 12 .}}
             {{- end }}
-            {{ end }}
+            {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: false
@@ -87,11 +88,12 @@ spec:
         - name: config-volume
           configMap:
             name: {{ .Values.global.appName }}-web-service-config{{ .Values.nameSuffix }}
-        {{ if eq .Values.useKubernetesSecret "false"}}
+        {{- $additionalVolumes := include "resc.rescWebserviceAdditionalVolumes" . }}
+        {{- if $additionalVolumes }}
         {{- with include "resc.rescWebserviceAdditionalVolumes" .}}
           {{- nindent 8 .}}
         {{- end }}
-        {{ end }}
+        {{- end }}
       {{ if .Values.global.imagePullSecret }}
       imagePullSecrets:
       - name: {{ .Values.global.imagePullSecret }}

deployment/kubernetes/templates/web_service_service.tpl

@@ -7,6 +7,8 @@ metadata:
   labels:
     app: {{ .Values.global.appName }}
     tier: api{{ .Values.nameSuffix }}
+  annotations:
+    datree.skip/SERVICE_INCORRECT_TYPE_VALUE_NODEPORT: irrelevant as its only exposed for local environment and can be enabled/disabled from env specific values.yaml
 spec:
   {{ if .Values.exposeToHostPort }}
   type: NodePort

deployment/resc-helm-wizard/src/resc_helm_wizard/config/example-values.yaml

@@ -122,10 +122,6 @@ resc-redis:
     config:
       port: 6379
       password: "Y0urStr0ngPassword" # <enter Redis password here for caching, default to Y0urStr0ngPassword>
-    resources:
-      limits:
-        cpu: 250m
-        memory: 256Mi
 
 resc-vcs-instances:
   vcsInstances: