MagTape

MagTape is a Policy-as-Code tool for Kubernetes that allows for evaluating Kubernetes resources against a set of defined policies to inform and enforce best practice configurations. MagTape includes variable policy enforcement, notifications, and targeted metrics.

MagTape builds on the Kubernetes Admission Webhook concept and uses Open Policy Agent (OPA) for its generic policy language and engine.

Our goal with MagTape is to show an example of wrapping additional business logic and features around OPA's core, not to be a competitor. While MagTape is not primarily meant to be a security tool, it can easily enforce security policy.

Overview

MagTape examines Kubernetes objects against a set of defined policies (best practice configurations/security concepts) and can deny/alert on objects that fail policy checks. The webhook is written in Python using the Flask framework.

Prereqs

A modern version of Kubernetes with the admissionregistration.k8s.io API enabled. Verify this with the following command:

$ kubectl api-versions | grep admissionregistration.k8s.io

The result should be:

admissionregistration.k8s.io/v1beta1

In addition, the MutatingAdmissionWebhook and ValidatingAdmissionWebhook admission controllers should be added and listed in the correct order in the admission-control flag of kube-apiserver.

NOTE: MagTape has been tested and is known to work for Kubernetes versions 1.13+ on various Distros/Cloud Providers (DOKS, GKE, EKS, AKS, PKS, and KinD)

Permissions

MagTape requires cluster-admin permissions to deploy to Kubernetes, since it needs access to create/read/update/delete cluster-scoped resources (ValidatingWebhookConfigurations, Events, etc.).

MagTape's default RBAC permissions include get, list, and watch access to Secret resources across all namespaces in the cluster. This allows lookup of user-defined Slack Incoming Webhook URLs. If this feature is not needed, the magtape-read ClusterRole can be adjusted to remove these permissions.

Quickstart

You can use the following command to install MagTape and the example policies from this repo with sane defaults. This won't have all features turned on, as they require more configuration up front. Please see the Advanced Install section for more details.

NOTE: The quickstart installation is not meant for production use. Please read through the Advanced Install and Cautions sections, and as always, use your best judgement when configuring MagTape for production scenarios.

NOTE: The master branch of this repository is considered a working branch and may not always be in a functioning state. It's best to select a specific tag for a stable version of MagTape.

$ kubectl apply -f https://raw.githubusercontent.com/tmobile/magtape/v2.3.3/deploy/install.yaml

This will do the following:

  • Create the magtape-system namespace
  • Create cluster and namespace scoped roles/rolebindings
  • Deploy the MagTape workload and related configs
  • Deploy the example policies from this repo

Once this is complete you can do the following to test:

Create and label a test namespace

$ kubectl create ns test1
$ kubectl label ns test1 k8s.t-mobile.com/magtape=enabled

Deploy some test workloads

# These examples assume you're in the root directory of this repo
# Example with no failures

$ kubectl apply -f ./testing/deployments/test-deploy01.yaml -n test1

# Example with deny
# You should get immediate feedback that this request was denied.

$ kubectl apply -f ./testing/deployments/test-deploy02.yaml -n test1

# Example with failures, but no deny
# While this request won't be denied, a K8s Event will be generated
# and can be viewed with "kubectl get events -n test1"

$ kubectl apply -f ./testing/deployments/test-deploy03.yaml -n test1

Beyond the Basics

Now that you've seen the basics of MagTape, try out some of the other features.

Cleanup

Remove all MagTape deployed resources

# Assumes you're in the root directory of this repo
$ kubectl delete -f deploy/install.yaml
$ kubectl delete validatingwebhookconfiguration magtape-webhook

Policies

The policy examples below are available within this repo. They can be ignored, or custom policies can be added. Policies use OPA's Rego language with a specific format to define policy metadata and the output message. This special formatting is required, as it enables the additional functionality of MagTape.

  • Liveness Probe (Check ID: MT1001)
  • Readiness Probe (Check ID: MT1002)
  • Resource Limits (Check ID: MT1003)
  • Resource Requests (Check ID: MT1004)
  • Pod Disruption Budget (Check ID: MT1005)
  • Istio Port Name/Number Mismatch (Check ID: MT1006)
  • Singleton Pods (Check ID: MT1007)
  • Host Port (Check ID: MT1008)
  • emptyDir Volume (Check ID: MT1009)
  • Host Path (Check ID: MT1010)
  • Privileged Pod Security Context (Check ID: MT2001)
  • Node Port Range (Check ID: MT2002)

More detailed info about these policies can be found here.

The policy metadata is defined within each policy similar to this:

policy_metadata = {
    # Set MagTape Policy Info
    "name": "policy-resource-requests",
    "severity": "LOW",
    "errcode": "MT1004",
    "targets": {"Deployment", "StatefulSet", "DaemonSet", "Pod"},
}

  • name - Defines the name of the specific policy. This should be unique per policy.
  • severity - Defines the severity level of a specific policy. This correlates with the DENY_LEVEL to determine if a policy should result in a deny or not.
  • errcode - A unique code that can be used, typically in reference to an FAQ, to look up additional information about the policy, what produces a failure, and how to resolve failures.
  • targets - This controls which Kubernetes resources the policy targets. Each target should be the singular of the Kubernetes resource as found in the Kind field. Special care should be taken to make sure all target resources maintain similar JSON data paths within the policy logic, or that differences are handled appropriately.
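The "targets" caveat above is easy to get wrong in practice: a Pod carries its containers at spec.containers, while Deployment, StatefulSet and DaemonSet wrap the same pod spec under spec.template.spec. The following is an added example, not MagTape's own code or one of its Rego policies: it mirrors the intent of the MT1004 (resource requests) check in plain Python so the data-path handling is explicit. POLICY_METADATA is the metadata from the README; TEMPLATED_KINDS, pod_spec, check_resource_requests and the sample objects are constructed for this example.

```python
# Added example (not MagTape's own code): one policy applied across several
# target kinds whose JSON data paths differ. Metadata is the README's MT1004
# entry; everything else is constructed for illustration.

POLICY_METADATA = {
    "name": "policy-resource-requests",
    "severity": "LOW",
    "errcode": "MT1004",
    "targets": {"Deployment", "StatefulSet", "DaemonSet", "Pod"},
}

# Kinds whose pod spec lives under spec.template.spec rather than spec
# (hypothetical helper table for this example).
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}


def pod_spec(obj):
    """Return the pod spec for a targeted kind, or None when the policy does
    not target this kind at all (the policy must then stay silent)."""
    kind = obj.get("kind")
    if kind not in POLICY_METADATA["targets"]:
        return None
    if kind in TEMPLATED_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return obj.get("spec", {})


def check_resource_requests(obj):
    """Return failure messages in MagTape's '[FAIL] SEVERITY - text (CODE)'
    style, one per container missing a CPU or memory request."""
    spec = pod_spec(obj)
    if spec is None:
        return []
    failures = []
    for container in spec.get("containers", []):
        requests = container.get("resources", {}).get("requests", {})
        if "cpu" not in requests or "memory" not in requests:
            failures.append(
                f'[FAIL] {POLICY_METADATA["severity"]} - Resource requests missing '
                f'(CPU/MEM) for container "{container.get("name")}" ({POLICY_METADATA["errcode"]})'
            )
    return failures


# Constructed sample objects (trimmed to the fields the check reads).
DEPLOYMENT_MISSING = {
    "kind": "Deployment",
    "metadata": {"name": "test-deploy02"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "test-deploy02", "image": "nginx"},
    ]}}},
}
POD_OK = {
    "kind": "Pod",
    "metadata": {"name": "ok"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx",
         "resources": {"requests": {"cpu": "100m", "memory": "64Mi"}}},
    ]},
}
SERVICE = {"kind": "Service", "spec": {"ports": [{"port": 80}]}}  # not targeted

if __name__ == "__main__":
    for obj in (DEPLOYMENT_MISSING, POD_OK, SERVICE):
        print(obj["kind"], check_resource_requests(obj))
```

The same separation (resolve the pod spec per kind first, then run one check over it) is what keeps a Rego policy correct when its targets set mixes Pod with the workload controllers.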

Policies follow normal OPA operations for policy discovery. MagTape provides configuration to OPA to filter which configmaps it targets for discovery. If you're adding your own policies make sure to apply the following labels to the configmap:

app=opa
openpolicyagent.org/policy=rego

Example creating a policy configmap with appropriate labels from an existing Rego file

# Create a policy from a Rego file
# (--dry-run=client is the form current kubectl releases accept; older releases used a bare --dry-run)
$ kubectl create cm my-special-policy -n magtape-system --from-file=my-special-policy.rego --dry-run=client -o yaml | \
kubectl label --local app=opa openpolicyagent.org/policy=rego -f - --dry-run=client -o yaml > my-special-policy-cm.yaml

OPA will add/update the openpolicyagent.org/policy-status annotation on the policy configmaps to show they've been loaded successfully or if there are any syntax/validation issues.

Writing policies that reference resources outside of the request object

As part of the integration MagTape has with OPA, the kube-mgmt service is also deployed within the MagTape pod. In short, kube-mgmt replicates resources from the Kubernetes cluster into OPA to allow for additional context with policies. kube-mgmt requires permissions to build the resource cache and those permissions should be updated accordingly when policies are developed that expand the scope of resources needed.

Please reference the kube-mgmt documentation on caching for additional information on how to configure kube-mgmt to watch new resource types and adjust the permissions in the magtape-read clusterrole accordingly.

Deny Level

Each policy is assigned a Severity level of "LOW", "MED", or "HIGH". This is used to determine which policy checks result in an actual deny and which are passive (alerting only).

The Deny Level is set within the deployment via an environment variable (MAGTAPE_DENY_VOLUME) and can be set to "OFF", "LOW", "MED", or "HIGH". The Deny Level has an inverse relationship to the Severity of the defined checks, which works as follows:

Deny Level | Severities Blocked
-----------|-------------------
OFF        | None
LOW        | HIGH
MED        | HIGH, MED
HIGH       | HIGH, MED, LOW

This configuration provides flexibility around controlling which checks should result in a "deny" and allows for a progressive approach as the platform and its users mature.
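The inverse mapping above, carried through to the decision an admission webhook actually returns, as an added example (not MagTape's own code): a list of policy failures plus the configured Deny Level yields an AdmissionReview v1 response that is either denied, with every failure in the message, or allowed while still carrying the failure text for passive alerting. The environment variable name is the one the README gives; SEVERITIES_BLOCKED, evaluate, admission_response and the sample failures are constructed for this example.

```python
# Added example (not MagTape's own code): Deny Level -> deny/passive decision.
# The table is the README's; function names and samples are constructed.
import os

# Which failure severities cause a deny at each Deny Level.
SEVERITIES_BLOCKED = {
    "OFF": set(),
    "LOW": {"HIGH"},
    "MED": {"HIGH", "MED"},
    "HIGH": {"HIGH", "MED", "LOW"},
}


def deny_level_from_env(environ=None):
    """Read the Deny Level (variable name as given in the README), default OFF.
    An unrecognised value raises rather than silently picking a level, so a
    typo is caught at startup instead of changing enforcement unnoticed."""
    environ = os.environ if environ is None else environ
    level = environ.get("MAGTAPE_DENY_VOLUME", "OFF").upper()
    if level not in SEVERITIES_BLOCKED:
        raise ValueError(f"unsupported deny level: {level!r}")
    return level


def evaluate(failures, deny_level):
    """failures: list of (severity, text, errcode) tuples from policy checks.
    Returns (allowed, message). The message always lists every failure, so a
    passive check still produces the text for events/alerts; only failures
    whose severity is blocked at this Deny Level flip allowed to False."""
    blocked = SEVERITIES_BLOCKED[deny_level]
    denying = [f for f in failures if f[0] in blocked]
    message = ", ".join(f"[FAIL] {sev} - {text} ({code})" for sev, text, code in failures)
    return (len(denying) == 0, message)


def admission_response(uid, failures, deny_level):
    """Build the AdmissionReview v1 response object the API server expects."""
    allowed, message = evaluate(failures, deny_level)
    response = {"uid": uid, "allowed": allowed}
    if message:
        response["status"] = {"message": message}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": response,
    }


# Constructed sample: two of the failures the README's test-deploy02 produces.
SAMPLE_FAILURES = [
    ("HIGH", 'Found privileged Security Context for container "test-deploy02"', "MT2001"),
    ("LOW", 'Liveness Probe missing for container "test-deploy02"', "MT1001"),
]

if __name__ == "__main__":
    for level in SEVERITIES_BLOCKED:
        allowed, message = evaluate(SAMPLE_FAILURES, level)
        print(f"{level:4} allowed={allowed} {message}")
```

At Deny Level LOW the HIGH privileged-context failure denies the request while the LOW probe failure merely rides along in the message; at OFF the same two failures are reported but the request is allowed.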

Health Check

MagTape has a rudimentary health check endpoint at /healthz. The endpoint returns JSON output including the name of the pod running the webhook, the datetime of the request, and the overall health. This is nothing fancy: if the Flask app is running at all, the health will report ok.

Image

MagTape uses a few images for operation. Please reference the image repos for more information on the image structure and contents.

K8s Events

K8s Events can be generated for policy failures via the MAGTAPE_K8S_EVENTS_ENABLED environment variable.

Setting this variable to TRUE will cause a Kubernetes event to be created in the target namespace of the request object when a policy failure occurs. This will provide a more native method to passively inform users on policy failures (regardless of whether or not the request is denied).

Slack Alerts

Slack alerts can be enabled and controlled via environment variables (noted above):

  • MAGTAPE_SLACK_ENABLED
  • MAGTAPE_SLACK_PASSIVE
  • MAGTAPE_SLACK_WEBHOOK_URL_BASE
  • MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT
  • MAGTAPE_SLACK_USER
  • MAGTAPE_SLACK_ICON

Override base domain for Slack Incoming Webhook URL

Some air-gapped environments may need to use a forwarder/proxy service to assist in sending alerts to the Slack API. The MAGTAPE_SLACK_WEBHOOK_URL_BASE environment variable allows you to override the base domain of the Slack Incoming Webhook URL so that it targets the forwarding/proxy service. This assumes that the forwarding/proxy service accepts a Slack-compliant payload and that its endpoint differs from the default Slack Incoming Webhook URL in domain only (i.e. the protocol and trailing path remain the same).

EXAMPLE:

MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT="https://hooks.slack.com/services/XXXXXXXX/XXXXXXXXXXXX"
MAGTAPE_SLACK_WEBHOOK_URL_BASE="slack-proxy.example.com"

This configuration will override hooks.slack.com to be slack-proxy.example.com and the outcome will be:

https://slack-proxy.example.com/services/XXXXXXXX/XXXXXXXXXXXX

NOTE: The MAGTAPE_SLACK_WEBHOOK_URL_BASE environment variable is optional; if it is not specified, the URL remains unchanged from what is set in MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT.
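The domain-only override described above, as an added example (not MagTape's own code): the host of the default URL is swapped for the configured base while the scheme, path and any query string are preserved, and an unset or empty base leaves the URL untouched. Because the rewritten URL decides where the webhook secret in the path is sent, the example also rejects a base that is anything other than a bare host name. The function names and the is_valid_url_base check are constructed for this example; the variable names are the README's.

```python
# Added example (not MagTape's own code): MAGTAPE_SLACK_WEBHOOK_URL_BASE
# override of the Slack Incoming Webhook URL's domain, nothing else.
import os
from urllib.parse import urlsplit, urlunsplit


def is_valid_url_base(url_base):
    """A base must be a bare host name (optionally host:port): no scheme,
    no path, no whitespace. Anything else could redirect the webhook
    secret in the URL path somewhere unintended."""
    if not url_base or url_base != url_base.strip():
        return False
    return "/" not in url_base and ":" not in url_base.rsplit(":", 1)[0] and "@" not in url_base


def slack_webhook_url(default_url, url_base=None):
    """Return default_url with its host replaced by url_base. Scheme, path,
    query and fragment are kept as-is; an unset/empty base means no change."""
    if not url_base:
        return default_url
    if not is_valid_url_base(url_base):
        raise ValueError(f"MAGTAPE_SLACK_WEBHOOK_URL_BASE must be a bare host name, got {url_base!r}")
    parts = urlsplit(default_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Slack Incoming Webhook URL must be an absolute https URL")
    return urlunsplit((parts.scheme, url_base, parts.path, parts.query, parts.fragment))


def slack_webhook_url_from_env(environ=None):
    """Resolve the effective webhook URL from the README's two variables."""
    environ = os.environ if environ is None else environ
    return slack_webhook_url(
        environ["MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT"],
        environ.get("MAGTAPE_SLACK_WEBHOOK_URL_BASE"),
    )


# Constructed sample matching the README's EXAMPLE block.
SAMPLE_ENV = {
    "MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT": "https://hooks.slack.com/services/XXXXXXXX/XXXXXXXXXXXX",
    "MAGTAPE_SLACK_WEBHOOK_URL_BASE": "slack-proxy.example.com",
}

if __name__ == "__main__":
    print(slack_webhook_url_from_env(SAMPLE_ENV))
```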

Default Alert Target

When alerts are enabled they will be sent to the Slack Incoming Webhook URL defined in the MAGTAPE_SLACK_WEBHOOK_URL_DEFAULT environment variable. This is meant to be a channel controlled by the MagTape Webhook administrators.

User-defined Alert Target

When alerts are enabled they can be sent to a user-defined Slack Incoming Webhook URL in addition to the default mentioned above. This can be configured via a Kubernetes Secret resource in a target namespace. The secret should be named magtape-slack, and the Slack Incoming Webhook URL should be set as the value (base64-encoded, as is usual for Secret data) of the webhook-url key. This allows end-users to receive alerts in their desired Slack channel for request objects targeting their own namespace.

EXAMPLE:

$ kubectl create secret generic magtape-slack -n my-cool-namespace --from-literal=webhook-url="https://hooks.slack.com/services/XXXXXXXX/XXXXXXXXXXXX"

Alert Format

Slack alert examples:

Slack Alert Deny Screenshot

Slack Alert Fail Screenshot

NOTE: For Slack Alerts to work, you will need to configure a Slack Incoming Webhook and set the environment variable for the webhook deployment as noted above.

Metrics

Prometheus formatted metrics are exposed on the /metrics endpoint. Metrics track counters for requests by:

  • CPU, Memory, and HTTP error rate
  • Number of requests passed, failed, and total
  • Breakdown by namespace
  • Breakdown by policy

Grafana dashboards showing Cluster, Namespace, and Policy scoped metrics are available in the metrics directory. An example Prometheus ServiceMonitor resource is located here.

These dashboards are simple, but serve a few purposes:

  • How busy the MagTape app itself is (i.e. should the resources or replica count be increased/decreased)
  • What Namespaces seem to produce the most policy failures (Could indicate the team is struggling with certain concepts, there's something malicious going on, etc.)
  • What policies seem to be the most problematic (Maybe an opportunity to target education/training for specific topics based on the policy scope)

We've found that thinking about operations from a metrics perspective can sometimes lead you to develop a policy that is more about tracking how frequently some action occurs than about whether it should be allowed or denied. Your mileage may vary!

Testing

  • Create namespace for testing and label it appropriately

    $ kubectl create ns test1
    $ kubectl label ns test1 k8s.t-mobile.com/magtape=enabled
  • Deploy test deployment to Kubernetes cluster

    $ kubectl apply -f test-deploy02.yaml -n test1

    NOTE: MagTape should deny this workload and should provide feedback similar to this:

    $ kubectl apply -f test-deploy02.yaml -n test1
    
    Error from server: error when creating "test-deploy02.yaml": admission webhook "magtape.webhook.k8s.t-mobile.com" denied the request: [FAIL] HIGH - Found privileged Security Context for container "test-deploy02" (MT2001), [FAIL] LOW - Liveness Probe missing for container "test-deploy02" (MT1001), [FAIL] LOW - Readiness Probe missing for container "test-deploy02" (MT1002), [FAIL] LOW - Resource limits missing (CPU/MEM) for container "test-deploy02" (MT1003), [FAIL] LOW - Resource requests missing (CPU/MEM) for container "test-deploy02" (MT1004)

Test Samples Available

Info on testing resources can be found in the testing directory.

NOTE: These manifests are meant to test deploy-time validation; some pods related to these test manifests may fail to come up properly. A failing pod doesn't represent an issue with MagTape.

Cautions

Production Considerations

  • By default the MagTape Validating Webhook Configuration is set to fail "closed", meaning that if the webhook is unreachable or doesn't return an expected response, requests to the Kubernetes API will be blocked. Please adjust the configuration if this does not fit your environment.
  • MagTape supports operation with multiple replicas that can increase availability and performance for critical clusters.

Break Glass Scenarios

MagTape can be enabled and disabled on a per namespace basis by utilizing the k8s.t-mobile.com/magtape label on namespace resources. In emergency situations the label can be removed from a namespace to disable policy assessment for workloads in that namespace.

If there are cluster-wide issues you can disable MagTape completely by removing the magtape-webhook Validating Webhook Configuration and deleting the MagTape deployment.

Troubleshooting

Certificate Trust

The ValidatingWebhookConfiguration needs to have a CA Bundle that includes the CA that signed the TLS cert used to secure the MagTape webhook. If this is not done, the required trust between the K8s API and the webhook will not exist and the webhook won't function correctly. More info is available here.

Access MagTape API from local machine

$ kubectl get pods # to get the name of the running pod
$ kubectl port-forward <pod_name> -n <namespace> 5000:5000

Use Curl to perform HTTP POST to MagTape

$ curl -vX POST https://localhost:5000/ -d @test.json -H "Content-Type: application/json"

Follow logs of the webhook pod

$ kubectl get pods # to get the name of the running pod
$ kubectl logs <pod_name> -n <namespace> -f

Comments
  • Extend testing options for functional-test automation

    Extend testing options for functional-test automation

    What would you like to be added:

    Currently there's not a good way to perform per test setup/breakdown for things outside of k8s artifacts.

    Why is this needed:

    Some tests may require setting up specific scenarios before/after a given functional test. Example:

    NodePort test should add an annotation to the target namespace and then remove it when done.

    Ideally this is done in a generic way where each resource type can have a setup/breakdown related hook.

    enhancement help wanted ci 
    opened by phenixblue 6
  • update byoc doc

    update byoc doc

    What type of PR is this?

    Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

    /kind bug /kind cleanup /kind deprecation /kind design

    /kind documentation

    /kind feature /kind release

    What this PR does / why we need it: update byoc doc Which issue(s) this PR fixes:

    Fixes https://github.com/tmobile/magtape/issues/102

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    

    Additional documentation e.g., usage docs, etc.:

    
    
    documentation 
    opened by xytian315 5
  • Add Shellcheck CI checks

    Add Shellcheck CI checks

    What would you like to be added:

    Need to add Shellcheck CI Checks for all bash scripts in the repo.

    Why is this needed:

    To ensure adherence to a standard for BASH scripts for consistency and best practices. This should help to maintain trusted tooling within the repo.

    enhancement good first issue help wanted gh-actions ci bash 
    opened by phenixblue 5
  • Bump version of docker-build-push Action

    Bump version of docker-build-push Action

    What would you like to be added:

    Move to using v2 of docker-build-push Action

    Why is this needed:

    v1 of the docker-build-push action has been deprecated, need to move to v2

    Original deprecation shown in this CI output: https://github.com/tmobile/magtape/runs/1121343080?check_suite_focus=true#step:6:1

    enhancement good first issue help wanted ci important soon 
    opened by phenixblue 5
  • Support K8s v1.21+

    Support K8s v1.21+

    What type of PR is this?

    Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

    /kind bug /kind cleanup /kind deprecation /kind design /kind documentation

    /kind feature

    /kind release

    What this PR does / why we need it:

    This PR updates the Kubernetes libraries and a handful of other pieces of the code base to ensure MagTape works on Kubernetes v1.21+. This is required for new API deprecations and changes to the CSR flow used in the magtape-init application to generate/manage the Admission Controller Webhook certificate.

    This PR also bumps the versions of several dependencies (libraries, utilities in CI, resource API versions, as well as OPA/kube-mgmt.

    With the bump for OPA/kube-mgmt, this should enable full support for MagTape on arm64 architectures.

    Which issue(s) this PR fixes:

    Fixes #120 Fixes #109

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    WARNING: Kubernetes versions prior to v1.19.0 will no longer be supported with these changes due to the deprecations in the Kubernetes API/Client libraries.
    

    Additional documentation e.g., usage docs, etc.:

    
    
    opened by phenixblue 3
  • Add documentation for Signed Commits Requirement to Contributing Docs

    Add documentation for Signed Commits Requirement to Contributing Docs

    What would you like to be added:

    Need to add verbiage to specify the requirement for signed commits for all contributions to the Contributing Docs

    Why is this needed:

    More clarity for prerequisites for new contributors.

    documentation enhancement good first issue help wanted contrib 
    opened by phenixblue 3
  • Need to update README for Testing

    Need to update README for Testing

    What would you like to be added:

    The testing README located here needs to be updated for the most recent changes to the functional testing framework.

    Reference #45 for more context

    Why is this needed:

    The existing info is slightly outdated even the changes to functional-tests.yaml

    documentation enhancement good first issue help wanted important soon 
    opened by phenixblue 2
  • Add logic to handle Github Action Workflow dependencies on releases

    Add logic to handle Github Action Workflow dependencies on releases

    What would you like to be added:

    Add logic to handle Github Action Workflow dependencies on releases

    Why is this needed:

    Currently the release flow executes e2e tests prior to the new container image build because the same flow is used for PR/push to master. Need to make sure image build happens before e2e tests for release prep (push to master). This may require pre-release image builds or refactoring the Github Action workflows overall.

    enhancement gh-actions ci 
    opened by phenixblue 2
  • Updated CONTRIBUTING.md

    Updated CONTRIBUTING.md

    What type of PR is this?

    Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

    /kind bug /kind cleanup /kind deprecation /kind design

    /kind documentation

    /kind feature /kind release

    What this PR does / why we need it: Added documentation on requiring signed commits in CONTRIBUTING.md

    Which issue(s) this PR fixes:

    Fixes #

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    

    Additional documentation e.g., usage docs, etc.:

    
    
    opened by pramod74 1
  • Support arm64 Architecture

    Support arm64 Architecture

    What would you like to be added:

    We need to have MagTape support deployment to arm64 based cluster environments.

    We have multi-arch builds of the magtape-init and magtape container images, but we need supported images for opa and kube-mgmt as well.

    Related to https://github.com/open-policy-agent/opa/issues/2233 for arm64 support with OPA.

    Why is this needed:

    Further deployment flexibility

    enhancement important longterm opa image 
    opened by phenixblue 1
  • Prepare v2.3.2 release

    Prepare v2.3.2 release

    Signed-off-by: Joe Searcy [email protected]

    What type of PR is this?

    Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

    /kind bug /kind cleanup /kind deprecation /kind design /kind documentation /kind feature

    /kind release

    What this PR does / why we need it:

    This preps for the v2.3.2 release which included the security fix from #99

    Which issue(s) this PR fixes:

    NA

    Special notes for your reviewer:

    Does this PR introduce a user-facing change?:

    NONE
    

    Additional documentation e.g., usage docs, etc.:

    
    
    release 
    opened by phenixblue 1
  • Bump setuptools from 65.3.0 to 65.5.1 in /app/magtape-init

    Bump setuptools from 65.3.0 to 65.5.1 in /app/magtape-init

    Bumps setuptools from 65.3.0 to 65.5.1.

    Changelog

    Sourced from setuptools's changelog.

    v65.5.1

    Misc

    • #3638: Drop a test dependency on the mock package, always use :external+python:py:mod:unittest.mock -- by :user:hroncok
    • #3659: Fixed REDoS vector in package_index.

    v65.5.0

    Changes

    • #3624: Fixed editable install for multi-module/no-package src-layout projects.
    • #3626: Minor refactorings to support distutils using stdlib logging module.

    Documentation changes

    • #3419: Updated the example version numbers to be compliant with PEP-440 on the "Specifying Your Project's Version" page of the user guide.

    Misc

    • #3569: Improved information about conflicting entries in the current working directory and editable install (in documentation and as an informational warning).
    • #3576: Updated version of validate_pyproject.

    v65.4.1

    Misc

    • #3613: Fixed encoding errors in expand.StaticModule when system default encoding doesn't match expectations for source files.
    • #3617: Merge with pypa/distutils@6852b20 including fix for pypa/distutils#181.

    v65.4.0

    Changes

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Bump setuptools from 65.3.0 to 65.5.1 in /app/magtape

    Bump setuptools from 65.3.0 to 65.5.1 in /app/magtape

    Bumps setuptools from 65.3.0 to 65.5.1.

    Commits

    dependencies 
    opened by dependabot[bot] 0
  • Bump certifi from 2022.9.14 to 2022.12.7 in /app/magtape

    Bump certifi from 2022.9.14 to 2022.12.7 in /app/magtape

    Bumps certifi from 2022.9.14 to 2022.12.7.

    Commits

    dependencies 
    opened by dependabot[bot] 0
  • Bump certifi from 2022.9.14 to 2022.12.7 in /app/magtape-init

    Bump certifi from 2022.9.14 to 2022.12.7 in /app/magtape-init

    Bumps certifi from 2022.9.14 to 2022.12.7.


    dependencies 
    opened by dependabot[bot] 0
  • Add linux/ppc64le Arch back for magtape-init images

    Add linux/ppc64le Arch back for magtape-init images

    What would you like to be added:

    Add support for building linux/ppc64le architecture container images for the magtape-init container.

    Why is this needed:

    Support for the linux/ppc64le arch was removed during the v2.4.0 release cycle for MagTape due to an issue encountered in release CI that blocked the release. This seems to be related to the cryptography library specifically.

    Logs from CI run:

    #27 489.6 Failed to install some dependency or packages.  The following have failed installation and attempted retry: [Requirement(_name='cryptography', vcs=None, req=NamedRequirement(name='cryptography', version='==37.0.2', req=Requirement.parse('cryptography==37.0.2'), extras=[], editable=False, _parsed_line=<Line (editable=False, name=cryptography, path=None, uri=None, extras=(), markers=None, vcs=None, specifier===37.0.2, pyproject=None, pyproject_requires=None, pyproject_backend=None, ireq=cryptography==37.0.2)>), markers=None, _specifiers='==37.0.2', index='pypi', editable=False, hashes=frozenset({'sha256:ef15c2df7656763b4ff20a9bc4381d8352e6640cfeb95c2972c38ef508e75181', 'sha256:aeaba7b5e756ea52c8861c133c596afe93dd716cbcacae23b80bc238202dc023', 'sha256:31fe38d14d2e5f787e0aecef831457da6cec68e0bb09a35835b0b44ae8b988fe', 'sha256:3c81599befb4d4f3d7648ed3217e00d21a9341a9a688ecdd615ff72ffbed7336', 'sha256:59b281eab51e1b6b6afa525af2bd93c16d49358404f814fe2c2410058623928c', 'sha256:0cc20f655157d4cfc7bada909dc5cc228211b075ba8407c46467f63597c78178', 'sha256:a7d5137e556cc0ea418dca6186deabe9129cee318618eb1ffecbd35bee55ddc1', 'sha256:46f4c544f6557a2fefa7ac8ac7d1b17bf9b647bd20b16decc8fbcab7117fbc15', 'sha256:471e0d70201c069f74c837983189949aa0d24bb2d751b57e26e3761f2f782b8d', 'sha256:1f3bfbd611db5cb58ca82f3deb35e83af34bb8cf06043fa61500157d50a70982', 'sha256:a68254dd88021f24a68b613d8c51d5c5e74d735878b9e32cc0adf19d1f10aaf9', 'sha256:3b8398b3d0efc420e777c40c16764d6870bcef2eb383df9c6dbb9ffe12c64452', 'sha256:95e590dd70642eb2079d280420a888190aa040ad20f19ec8c6e097e38aa29e06', 'sha256:093cb351031656d3ee2f4fa1be579a8c69c754cf874206be1d4cf3b542042804', 'sha256:731c8abd27693323b348518ed0e0705713a36d79fdbd969ad968fbef0979a7e0', 'sha256:2bd1096476aaac820426239ab534b636c77d71af66c547b9ddcd76eb9c79e004', 'sha256:f8ec91983e638a9bcd75b39f1396e5c0dc2330cbd9ce4accefe68717e6779e0a', 'sha256:dc26bb134452081859aa21d4990474ddb7e863aa39e60d1592800a8865a702de', 
'sha256:1b9362d34363f2c71b7853f6251219298124aa4cc2075ae2932e64c91a3e2717', 'sha256:f224ad253cc9cea7568f49077007d2263efa57396a2f2f78114066fd54b5c68e', 'sha256:e53258e69874a306fcecb88b7534d61820db8a98655662a3dd2ec7f1afd9132f', 'sha256:419c57d7b63f5ec38b1199a9521d77d7d1754eb97827bbb773162073ccd8c8d4'}), extras=(), abstract_dep=None, _line_instance=<Line (editable=False, name=cryptography, path=None, uri=None, extras=(), markers=None, vcs=None, specifier===37.0.2, pyproject=None, pyproject_requires=None, pyproject_backend=None, ireq=cryptography==37.0.2)>, _ireq=None)]
    
    bug enhancement help wanted needs-triage release 
    opened by phenixblue 0
  • enhance documentation on writing policy

    enhance documentation on writing policy

    What would you like to be added:

    Please add information, tips and recommendations about writing policy.

    Why is this needed:

    Worked with a magtape user today who had an issue with their new policy. The problem they had was pretty easy to make, easy to overlook and difficult to understand based on the errors shown in the logs. Enhanced documentation on writing policy would probably help with this.

    documentation enhancement 
    opened by ilrudie 4
Releases(v2.4.0)
  • v2.4.0(Jun 13, 2022)

    Overview

    This release is primarily focused on adding support for newer Kubernetes versions (v1.19+), but does introduce breaking changes for prior Kubernetes versions.

    MagTape v2.3.3 should be used for Kubernetes versions below v1.19.0

    MagTape v2.4.0 is using a newer release of the Kubernetes Python Client library which removed some previously deprecated API's and changed the way the CertificateSigningRequest resource is handled for the webhook Cert Bundle.

    NOTE: The linux/ppc64le architecture was dropped for this release due to an issue with the underlying Python cryptography package. We will try and track this down to resolve in a future release.

    Enhancements

    • Bump Kubernetes Python Client to v23.3.0 to support new K8s versions (#120)
    • Bump OPA version to v0.37.2, and move to using the "static" image for arm64 support (#109)
    • Bump kube-mgmt to v4.1.1
    • Bump KinD node images/matrix to test against k8s v1.19, v1.20, v1.21, and v1.22 for CI
    • Bump KinD Github Action to v0.12.0 for CI
    • Bump "black" Python linter to v22.3.0 for CI/local tooling
    • Bump kubectl to v1.22.5 for CI
    • Set "black" Python linter line length to 120 characters
    • Move to admission.k8s.io/v1 for AdmissionReview
    • Move to events.k8s.io/v1 for Events
    • Move to admissionregistration.k8s.io/v1 for VWC
    • Add sign verb for MagTape cluster RBAC
    • Move to support v4.x of yq utility syntax for Makefile/CI

    Other Changes

    • Bump urllib3 from 1.26.4 to 1.26.5 in /app/magtape-init by @dependabot in https://github.com/tmobile/magtape/pull/110
    • Bump urllib3 from 1.26.4 to 1.26.5 in /app/magtape by @dependabot in https://github.com/tmobile/magtape/pull/111
    • policies.md by @kamleshjoshi8102 in https://github.com/tmobile/magtape/pull/104
    • fix: issue 113 GHA workflows using KinD are failing by @ilrudie in https://github.com/tmobile/magtape/pull/114
    • update byoc doc by @xytian315 in https://github.com/tmobile/magtape/pull/116
    • Updated CONTRIBUTING.md by @pramod74 in https://github.com/tmobile/magtape/pull/119
    • Support K8s v1.21+ by @phenixblue in https://github.com/tmobile/magtape/pull/122

    New Contributors

    • @kamleshjoshi8102 made their first contribution in https://github.com/tmobile/magtape/pull/104
    • @xytian315 made their first contribution in https://github.com/tmobile/magtape/pull/116
    • @pramod74 made their first contribution in https://github.com/tmobile/magtape/pull/119

    Full Changelog: https://github.com/tmobile/magtape/compare/v2.3.3...v2.4.0

    Source code(tar.gz)
    Source code(zip)
  • v2.3.3(May 26, 2021)

    Overview

    This release contains a bug fix and some CI enhancements

    Enhancements

    • Add multi-arch image builds for release workflow, amd64, arm64, and ppc64le to start (#107 authored by @phenixblue)
    • Fix typos in Makefile (#105 authored by @Freakin)
    • Bump urllib3 to 1.26.4 (#101 authored by dependabot)

    Bumps urllib3 from 1.26.3 to 1.26.4 in /app/magtape-init

    Source code(tar.gz)
    Source code(zip)
  • v2.3.2(Mar 28, 2021)

    Overview

    This release includes a security fix

    Security Fix

    • Bumps jinja2 from 2.11.2 to 2.11.3. in /app/magtape (ref #99)

    This contains a fix for a speed issue with the urlize filter. urlize is likely to be called on untrusted user input. For certain inputs some of the regular expressions used to parse the text could take a very long time due to backtracking. As part of the fix, the email matching became slightly stricter. The various speedups apply to urlize in general, not just the specific input cases.

    PyPI: https://pypi.org/project/Jinja2/2.11.3/ Changes: https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-3

    Source code(tar.gz)
    Source code(zip)
  • v2.3.1(Feb 12, 2021)

  • v2.3.0(Jan 30, 2021)

    Overview

    This release has a breaking change, changes to RBAC, some new features, CI enhancements, changes to test mocking, and some updates to documentation.

    Breaking Changes

    • The MAGTAPE_SLACK_ANNOTATION environment variable has been removed and is no longer used for enabling user-defined Slack alerts.

    user-defined slack alerts

    For better security the user-defined Slack Incoming Webhook URL is now defined via creation of a magtape-slack secret that includes the webhook-url key and a value set to the Slack Incoming Webhook URL (typical base64 encoding applies).

    The README has an example of how you can create a properly formatted secret.

    Enhancements

    • Enable shellcheck linting for bash (#57 authored by @ilrudie)
    • Cleanup Rego testing/mocking (#60)
    • Update docker/build-push-action to v2 (#62 authored by @ilrudie)
    • Update functional testing documentation (#65 authored by @ilrudie)
    • Enable server-side warnings on policy failures (#66)
    • Bump cryptography Python package from 2.9.2 to 3.2 (#68 authored by dependabot)
    • Add logic to handle in-cluster and out-of-cluster kubernetes client configs for API calls (#77)
    • Add RBAC rules to read secrets for user defined Slack Incoming Webhook URL's (#77)
    • Add logic to handle custom Slack Webhook even if Default is unset (#77)
    • Bump the engineerd/setup-kind Action to v0.5.0 to support the deprecations noted here (#77)
    • Change add-path commands in rego-checks CI jobs (#77)
    • Add ci-bootstrap Make target to pin versions for specific utilities (ie. kubectl) for more consistent CI (#77)
    • Enables descriptive names for functional tests (#86)
    • OPA version bumped to 0.25.2 (#88)

    server-side warnings on policy failures

    Server-side warnings were added in Kubernetes v1.19. This enhancement allows for messages to be surfaced to the end-users via kubectl and client-go. This gives MagTape yet another mechanism to display feedback on policy failures to the end-user. This change is transparent for Kubernetes releases prior to v1.19.
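
The following is an added example of how a validating webhook carries policy results back to the API server in the admission.k8s.io/v1 AdmissionReview response, both as a deny message and as the server-side warnings described above. It is illustrative code, not MagTape's own implementation: the policy evaluation is a constructed stand-in for the OPA call (MagTape's real checks are Rego), and while the check ids MT1008 (Host Port) and MT1010 (Host Path) come from the v2.1.5 release notes, the severities assigned to them here are assumptions. The sample request and its uid are constructed so the code runs offline.

```python
"""Build an admission.k8s.io/v1 AdmissionReview response with server-side warnings.

Added example, not MagTape's own code. A validating webhook must answer with
an AdmissionReview whose response echoes the request uid; on Kubernetes
v1.19+ the `warnings` list in that response is printed by kubectl. The policy
evaluation below is a constructed stand-in for the OPA call; the check ids
MT1008 and MT1010 come from the release notes, their severities are assumed.
"""
from typing import Any, Dict, List

# The API server may truncate individual warning strings longer than this.
MAX_WARNING_LEN = 256


def evaluate_pod(pod: Dict[str, Any]) -> List[Dict[str, str]]:
    """Constructed stand-in for the policy engine: one result per finding."""
    results: List[Dict[str, str]] = []
    spec = pod.get("spec", {})
    for container in spec.get("containers", []):
        for port in container.get("ports", []):
            if "hostPort" in port:
                results.append({"id": "MT1008", "severity": "warn",
                                "message": f'container "{container["name"]}" uses hostPort {port["hostPort"]}'})
    for volume in spec.get("volumes", []):
        if "hostPath" in volume:
            results.append({"id": "MT1010", "severity": "deny",
                            "message": f'volume "{volume["name"]}" mounts hostPath {volume["hostPath"].get("path")}'})
    return results


def build_admission_response(review: Dict[str, Any], results: List[Dict[str, str]]) -> Dict[str, Any]:
    """Turn policy results into the AdmissionReview the API server expects back."""
    if review.get("apiVersion") != "admission.k8s.io/v1" or review.get("kind") != "AdmissionReview":
        raise ValueError("expected an admission.k8s.io/v1 AdmissionReview")
    uid = review["request"]["uid"]  # the response uid must match or the API server rejects the reply
    denials = [r for r in results if r["severity"] == "deny"]
    # Every finding is surfaced as a warning so the user sees the full picture,
    # even when a single deny is what actually blocks the request.
    warnings = [f"[{r['id']}] {r['message']}"[:MAX_WARNING_LEN] for r in results]
    response: Dict[str, Any] = {"uid": uid, "allowed": not denials}
    if denials:
        response["status"] = {
            "code": 403,
            "message": "; ".join(f"[{r['id']}] {r['message']}" for r in denials),
        }
    if warnings:
        response["warnings"] = warnings
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample request: a Pod that both publishes a hostPort and mounts a hostPath.
SAMPLE_REVIEW: Dict[str, Any] = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",
        "namespace": "team-a",
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo", "namespace": "team-a"},
            "spec": {
                "containers": [{"name": "web", "image": "nginx",
                                "ports": [{"containerPort": 8080, "hostPort": 8080}]}],
                "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
            },
        },
    },
}

if __name__ == "__main__":
    import json
    findings = evaluate_pod(SAMPLE_REVIEW["request"]["object"])
    print(json.dumps(build_admission_response(SAMPLE_REVIEW, findings), indent=2))
```

Two details matter in practice: the response must echo the request uid and the v1 apiVersion/kind, otherwise the API server treats the reply as malformed and applies the webhook's failurePolicy; and warnings are returned even when the request is denied, so a user gets every finding in one round trip instead of fixing one violation at a time.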

    Version 2 for docker/build-push-action

    Adopting version 2 of this action allows us to start consuming Docker buildx. This is transparent at the moment, but should allow us to more easily build images for e2e checks and releases across multiple architectures (amd64, ARM, ppc64le, etc.).

    RBAC rule changes

    Due to the change in how user-defined Slack Incoming Webhooks are applied, there's a need for the magtape-sa service account to read Secrets across all namespaces. This includes get, list, and watch actions.
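
Added example covering the user-defined Slack alert mechanism and the RBAC change above; it is illustrative code, not MagTape's own. It models the behaviour the notes describe: a magtape-slack Secret with a webhook-url key in the workload's namespace overrides the cluster default, and a namespace-specific webhook still fires when no default is configured. The Secret objects are constructed inline in the shape kubectl returns, so the example runs offline; in the webhook they would come from the Kubernetes client, which is why magtape-sa needs get/list/watch on Secrets. The URL prefix check is an added hardening step that the release notes do not describe: because magtape-sa can read Secrets in every namespace and then POSTs to whatever URL it finds, any user who can create Secrets in a namespace could otherwise point the webhook at an internal endpoint.

```python
"""Resolve the Slack Incoming Webhook URL for a policy alert.

Added example, not MagTape's own code. A `magtape-slack` Secret with a
`webhook-url` key in the workload's namespace overrides the cluster-wide
default, and a namespace-specific webhook is still used when no default is
configured. Secrets are constructed inline so this runs offline. The
allowed-prefix check is an added hardening step, not project behaviour.
"""
import base64
import binascii
from typing import Any, Dict, List, Optional

SLACK_SECRET_NAME = "magtape-slack"
SLACK_SECRET_KEY = "webhook-url"
# Only post to Slack: the webhook reads Secrets cluster-wide, so without this
# a namespace user could turn the alert into a POST to an internal service.
ALLOWED_WEBHOOK_PREFIX = "https://hooks.slack.com/services/"


def _b64(value: str) -> str:
    """Encode a string the way Secret.data stores it."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


# Constructed sample Secrets: team-a overrides the default, team-c holds a
# URL outside Slack (a metadata endpoint), and no Secret exists for team-b.
SAMPLE_SECRETS: List[Dict[str, Any]] = [
    {"metadata": {"name": SLACK_SECRET_NAME, "namespace": "team-a"},
     "data": {SLACK_SECRET_KEY: _b64("https://hooks.slack.com/services/T000/B000/team-a")}},
    {"metadata": {"name": SLACK_SECRET_NAME, "namespace": "team-c"},
     "data": {SLACK_SECRET_KEY: _b64("http://169.254.169.254/latest/meta-data/")}},
    {"metadata": {"name": "unrelated", "namespace": "team-a"},
     "data": {"token": _b64("not-a-webhook")}},
]


def secret_value(secret: Dict[str, Any], key: str) -> Optional[str]:
    """Decode one key from Secret.data; None if absent or not valid base64/UTF-8."""
    encoded = (secret.get("data") or {}).get(key)
    if encoded is None:
        return None
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_slack_webhook(namespace: str, secrets: List[Dict[str, Any]],
                          default_webhook: Optional[str]) -> Optional[str]:
    """Return the webhook to alert on, or None when no alert should be sent."""
    for secret in secrets:
        meta = secret.get("metadata", {})
        if meta.get("name") != SLACK_SECRET_NAME or meta.get("namespace") != namespace:
            continue
        url = secret_value(secret, SLACK_SECRET_KEY)
        if url and url.startswith(ALLOWED_WEBHOOK_PREFIX):
            return url
        # Malformed or disallowed user-defined webhook: fall back rather than POST to it.
        break
    return default_webhook


if __name__ == "__main__":
    for ns in ("team-a", "team-b", "team-c"):
        print(ns, "->", resolve_slack_webhook(ns, SAMPLE_SECRETS, None))
```

If the cluster-wide read on Secrets is more than a deployment is willing to grant, the same lookup can be scoped with a RoleBinding per namespace that opts in, at the cost of the magtape-read ClusterRole no longer being the single place the permission is declared.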

    Source code(tar.gz)
    Source code(zip)
  • v2.2.1(Oct 28, 2020)

    Overview

    This release includes a security fix and some small supporting changes.

    Security Fix

    • Bump cryptography from 2.9.2 to 3.2 in /app/magtape-init (ref #68)
    * **SECURITY ISSUE:** Attempted to make RSA PKCS#1v1.5 decryption more constant
      time, to protect against Bleichenbacher vulnerabilities. Due to limitations
      imposed by our API, we cannot completely mitigate this vulnerability and a
      future release will contain a new API which is designed to be resilient to
      these for contexts where it is required. Credit to **Hubert Kario** for
      reporting the issue. *CVE-2020-25659*
    * Support for OpenSSL 1.0.2 has been removed. Users on older version of OpenSSL
      will need to upgrade.
    * Added basic support for PKCS7 signing (including SMIME) via
      cryptography.hazmat.primitives.serialization.pkcs7.PKCS7SignatureBuilder.

    Enhancements

    • Backported some CI changes related to Image Builds (ref #62)
    Source code(tar.gz)
    Source code(zip)
  • v2.2.0(Oct 6, 2020)

    Overview

    This release focuses on some security, scalability, and CI enhancements.

    Enhancements

    • Add securityContext and non-root user for pod/containers (#47)
    • Hardcode Gunicorn workers/threads to fix #48 (#49)
    • Add HPA resource for horizontal scaling (#50)
    • Add new framework for executing setup/teardown code between functional tests (#45) authored by @ilrudie
    • Bump OPA to v0.23.2

    Misc Notes

    • Changes the OPA container listening port from 443 to 8443, since a non-root user can't bind to ports below 1024 without the CAP_NET_BIND_SERVICE capability. The OPA container isn't exposed outside of localhost, so this shouldn't present any issues
    Source code(tar.gz)
    Source code(zip)
  • v2.1.5(Sep 24, 2020)

    Overview

    This release adds new policies and enhances several CI workflow components.

    New Policies

    Authored by @jsteichen12

    • Singleton Pods (Check ID: MT1007)
    • Host Port (Check ID: MT1008)
    • emptyDir Volume (Check ID: MT1009)
    • Host Path (Check ID: MT1010)
    • Node Port Range (Check ID: MT2002)

    New CI Features

    • Kubernetes Matrix for end-to-end testing. All commits/PR's are now tested against Kubernetes 1.16, 1.17, 1.18, and 1.19
    • Rego linting and unit tests
    • Code quality analysis and static code scanning for Security/Best Practices

    Misc Enhancements

    • Enhancements for Advanced install workflow with Kustomize
    Source code(tar.gz)
    Source code(zip)
  • v2.1.4(Aug 8, 2020)

    Overview

    This release adds the approve verb to the RBAC config to account for newer changes to the Kubernetes certificates/CSR API as noted here. These changes were tested against K8s 1.14, 1.15, 1.16, 1.17, and 1.18.

    Source code(tar.gz)
    Source code(zip)
  • v2.1.3(Jul 24, 2020)

    Overview

    This release migrates to using the Gunicorn WSGI HTTP Server instead of the default Flask server. This change reduces average latency by about 75% in our normal benchmarking tests. This change also means the standard 3 replica deployment can handle almost 3 times the request rate as before.

    Source code(tar.gz)
    Source code(zip)
  • v2.1.2(May 7, 2020)

    2.1.2

    This release contains several package updates geared towards fixing security related issues with CVE-2017-18342.

    The updated pyyaml package required updates to the Kubernetes Python client library, moving primary support to Kubernetes 1.15+. Backwards compatibility to Kubernetes 1.13 should exist, but isn't tested/guaranteed.

    Source code(tar.gz)
    Source code(zip)
  • v2.1.1(May 1, 2020)

  • v2.1.0(May 1, 2020)

Owner
T-Mobile