Skip to content

Instantly share code, notes, and snippets.

@burdzwastaken

burdzwastaken/daemonset.yaml

Last active December 10, 2018 13:40
Show Gist options
  • Save burdzwastaken/b4be7ed1e62f29a5d1ae86479e33b373 to your computer and use it in GitHub Desktop.
Save burdzwastaken/b4be7ed1e62f29a5d1ae86479e33b373 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
daemonset.yaml
{{- $name := include "base.name" . -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ $name }}
labels: {{ include "base.labels.mulesoft" . | nindent 4 }}
spec:
selector:
matchLabels:
app: {{ $name }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
minReadySeconds: 3
template:
metadata:
labels: {{ include "base.labels.mulesoft" . | nindent 8 }}
name: {{ $name }}
spec:
serviceAccountName: {{ $name }}
hostNetwork: true
hostPID: true
{{ include "base.image.pull-secret-name" . | indent 6 | trim }}
{{- if ge .Capabilities.KubeVersion.Minor "6" }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 | trim }}
{{- end }}
containers:
- name: {{ $name }}-agent
image: {{ template "base.image.name" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{ include "base.resources.limits" . | indent 10 | trim }}
env:
- name: THREATSTACK_CONFIG_PATH
value: /tmp/ts-config/ts-config.json
securityContext:
capabilities:
add: ["AUDIT_CONTROL", "AUDIT_READ", "NET_ADMIN", "SYS_ADMIN"]
volumeMounts:
- name: {{ $name }}
mountPath: /threatstackfs/tmp/ts-config
- name: dockersocket
mountPath: /var/run/docker.sock
- name: hostfs
mountPath: /threatstackfs
volumes:
- name: {{ $name }}
secret:
secretName: {{ $name }}
items:
- key: ts-config.json
path: ts-config.json
- name: dockersocket
hostPath:
path: /var/run/docker.sock
- name: hostfs
hostPath:
path: /
Raw
psp.yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
name: infosec-monitoring
spec:
fsGroup:
rule: RunAsAny
hostNetwork: true
hostPID: true
hostPorts:
- max: 65535
min: 1024
allowedCapabilities:
- AUDIT_CONTROL
- AUDIT_READ
- NET_ADMIN
- SYS_ADMIN
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: infosec-monitoring
rules:
- apiGroups:
- extensions
resourceNames:
- infosec-monitoring
resources:
- podsecuritypolicies
verbs:
- use
Raw
rbac.yaml
{{- $name := include "base.name" . -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $name }}
namespace: {{ .Release.Namespace }}
---
kind: ClusterRoleBinding
{{/* Support 1.8+ */}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
apiVersion: rbac.authorization.k8s.io/v1
{{ else }}
apiVersion: rbac.authorization.k8s.io/v1beta1
{{- end }}
metadata:
name: {{ $name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: infosec-monitoring
subjects:
- kind: ServiceAccount
name: {{ $name }}
namespace: {{ .Release.Namespace }}
Raw
secrets.yaml
{{- $name := include "base.name" . -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ $name }}
labels: {{ include "base.labels.standard" . | nindent 4 }}
type: Opaque
data:
ts-config.json: {{ toJson .Values.threatstack | b64enc | trim -}}
Raw
values.yaml
threatstack:
deploy-key: ""
agent_type: "i"
ruleset: "Base Rule Set, Docker Rule Set, Kubernetes Rule Set, CIS Docker Rule Set"
configuration:
enable_containers: 1
enable_kubes: 1
log_level: "info"
# deploy key gets injected at our deploy phase in our pipeline
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment