

add security policy schema and resource
Signed-off-by: Ishan Gupta <gishan@vmware.com>
ishangupta-ds committed Aug 8, 2022
1 parent 2d1801e commit e6c298b
Showing 40 changed files with 4,960 additions and 6 deletions.
@@ -0,0 +1,29 @@
# Create Tanzu Mission Control security policy
resource "tanzu-mission-control_security_policy" "create_cluster_baseline_security_policy" {
name = "tf-sp-test"

scope {
cluster {
management_cluster_name = "attached"
provisioner_name = "attached"
name = "tf-create-test"
}
}

spec {
input {
baseline {
audit = true
disable_native_psp = false
}
}

namespace_selector {
match_expressions {
key = "not-a-component"
operator = "DoesNotExist"
values = []
}
}
}
}
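Review bot: The baseline example sets `audit = true` without saying what that mode does, so a reader who copies it onto a real cluster may not realize the policy is only reporting violations rather than blocking them (if `audit` is the dry-run mode its name suggests — confirm against the schema). A one-line comment above it such as `# audit = true reports violations without enforcing them; set false to enforce` would make the example self-explanatory. The empty `values = []` under the `DoesNotExist` operator also deserves a short comment that the list is intentionally empty, since that operator takes no values, so nobody "fixes" it by adding one.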
@@ -0,0 +1,136 @@
# Create Tanzu Mission Control security policy
resource "tanzu-mission-control_security_policy" "create_cluster_custom_security_policy" {
name = "tf-sp-test"

scope {
cluster {
management_cluster_name = "attached"
provisioner_name = "attached"
name = "tf-create-test"
}
}

spec {
input {
custom {
audit = true
disable_native_psp = false
allow_privileged_containers = true
allow_privilege_escalation = true
allow_host_namespace_sharing = true
allow_host_network = true
read_only_root_file_system = true

allowed_host_port_range {
min = 3000
max = 5000
}

allowed_volumes = [
"configMap",
"nfs",
"vsphereVolume"
]

run_as_user {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

run_as_group {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

supplemental_groups {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

fs_group {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

linux_capabilities {
allowed_capabilities = [
"CHOWN",
"IPC_LOCK"
]
required_drop_capabilities = [
"SYS_TIME"
]
}

allowed_host_paths {
path_prefix = "p1"
read_only = true
}
allowed_host_paths {
path_prefix = "p2"
read_only = false
}
allowed_host_paths {
path_prefix = "p3"
read_only = true
}

allowed_se_linux_options {
level = "s0"
role = "sysadm_r"
type = "httpd_sys_content_t"
user = "root"
}

sysctls {
forbidden_sysctls = [
"kernel.msgmax",
"kernel.sem"
]
}

seccomp {
allowed_profiles = [
"Localhost"
]
allowed_localhost_files = [
"profiles/audit.json",
"profiles/violation.json"
]
}
}
}
}
}
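Review bot: Every hardening switch in this custom example is set to its most permissive value — `allow_privileged_containers`, `allow_privilege_escalation`, `allow_host_namespace_sharing` and `allow_host_network` are all `true`, every `rule` is `"RunAsAny"`, and `allowed_se_linux_options` permits `user = "root"` — so anyone who copies it gets a policy that restricts almost nothing despite being presented as a security policy. Because this is documentation, a comment at the top of the `custom` block stating that the values were chosen to exercise every field and that a production policy should start from `false` and a non-`RunAsAny` rule would prevent that. The `ranges` blocks under a `"RunAsAny"` rule also appear to have no effect (in PodSecurityPolicy semantics ranges are only consulted for `MustRunAs`), so either the rule should be `"MustRunAs"` to demonstrate them or the ranges should be dropped — worth confirming against the provider schema. The `path_prefix` values `"p1"`, `"p2"` and `"p3"` are not absolute paths, which is what a host-path prefix would normally be; an absolute example path would read as realistic. The same remarks apply to the cluster-group custom example later in this commit.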
@@ -0,0 +1,35 @@
# Create Tanzu Mission Control securitypolicy entry
resource "tanzu-mission-control_security_policy" "create_cluster_group_baseline_security_policy" {
name = "tf-sp-test"

scope {
cluster_group {
cluster_group = "tf-create-test"
}
}

spec {
input {
baseline {
audit = false
disable_native_psp = true
}
}

namespace_selector {
match_expressions {
key = "component"
operator = "In"
values = [
"api-server",
"agent-gateway"
]
}
match_expressions {
key = "not-a-component"
operator = "DoesNotExist"
values = []
}
}
}
}
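Review bot: `disable_native_psp = true` is the one setting in this baseline example that changes cluster behaviour beyond the policy itself — it appears to switch off the cluster's native PodSecurityPolicy admission — yet the example gives no hint of that, and the cluster-scoped baseline example earlier in this commit sets it to `false`, so the two read as contradicting each other. A comment such as `# disable_native_psp = true turns off native PSP admission; keep false unless TMC policy fully replaces it` (wording to be confirmed against the provider docs) would help, ideally in both examples. Separately, the header comment `# Create Tanzu Mission Control securitypolicy entry` here and in the two examples that follow should match the `# Create Tanzu Mission Control security policy` wording used by the first two examples.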
@@ -0,0 +1,150 @@
# Create Tanzu Mission Control securitypolicy entry
resource "tanzu-mission-control_security_policy" "create_cluster_group_custom_security_policy" {
name = "tf-sp-test"

scope {
cluster_group {
cluster_group = "tf-create-test"
}
}

spec {
input {
custom {
audit = true
disable_native_psp = false
allow_privileged_containers = true
allow_privilege_escalation = true
allow_host_namespace_sharing = true
allow_host_network = true
read_only_root_file_system = true

allowed_host_port_range {
min = 3000
max = 5000
}

allowed_volumes = [
"configMap",
"nfs",
"vsphereVolume"
]

run_as_user {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

run_as_group {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

supplemental_groups {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

fs_group {
rule = "RunAsAny"

ranges {
min = 3
max = 5
}
ranges {
min = 7
max = 12
}
}

linux_capabilities {
allowed_capabilities = [
"CHOWN",
"IPC_LOCK"
]
required_drop_capabilities = [
"SYS_TIME"
]
}

allowed_host_paths {
path_prefix = "p1"
read_only = true
}
allowed_host_paths {
path_prefix = "p2"
read_only = false
}
allowed_host_paths {
path_prefix = "p3"
read_only = true
}

allowed_se_linux_options {
level = "s0"
role = "sysadm_r"
type = "httpd_sys_content_t"
user = "root"
}

sysctls {
forbidden_sysctls = [
"kernel.msgmax",
"kernel.sem"
]
}

seccomp {
allowed_profiles = [
"Localhost"
]
allowed_localhost_files = [
"profiles/audit.json",
"profiles/violation.json"
]
}
}
}

namespace_selector {
match_expressions {
key = "component"
operator = "In"
values = [
"api-server",
"agent-gateway"
]
}
match_expressions {
key = "not-a-component"
operator = "DoesNotExist"
values = []
}
}
}
}
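Review bot: This cluster-group custom example carries a `namespace_selector` block while the cluster-scoped custom example earlier in this commit has none, even though both baseline examples include one; unless the omission is deliberate, the cluster custom example should carry the same selector so the two pairs stay parallel and readers can diff them meaningfully. The permissive `custom` settings here are identical to that earlier example and are covered by the note there.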
@@ -0,0 +1,19 @@
# Create Tanzu Mission Control securitypolicy entry
resource "tanzu-mission-control_security_policy" "create_cluster_group_strict_security_policy" {
name = "tf-sp-test"

scope {
cluster_group {
cluster_group = "tf-create-test"
}
}

spec {
input {
strict {
audit = false
disable_native_psp = true
}
}
}
}
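Review bot: The strict example has no `namespace_selector`, unlike the neighbouring cluster-group baseline example, so if the field defaults to "all namespaces" the most restrictive preset would be applied to system namespaces as well — exactly where strict pod security settings tend to break platform workloads. Either add a selector like the one in the baseline example or add a comment such as `# no namespace_selector: intentionally applies to every namespace in the cluster group` so the scope is an explicit choice rather than an accident.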

