add security policy schema and resource
Signed-off-by: Ishan Gupta <gishan@vmware.com>
1 parent
2d1801e
commit e6c298b
Showing
40 changed files
with
4,960 additions
and
6 deletions.
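--- /dev/null
+++ b/examples/resources/security_policy/resource_cluster_baseline_security_policy.tf
@@ -0,0 +1,29 @@
+# Create Tanzu Mission Control security policy
+resource "tanzu-mission-control_security_policy" "create_cluster_baseline_security_policy" {
+  name = "tf-sp-test"
+
+  scope {
+    cluster {
+      management_cluster_name = "attached"
+      provisioner_name = "attached"
+      name = "tf-create-test"
+    }
+  }
+
+  spec {
+    input {
+      baseline {
+        audit = true
+        disable_native_psp = false
+      }
+    }
+
+    namespace_selector {
+      match_expressions {
+        key = "not-a-component"
+        operator = "DoesNotExist"
+        values = []
+      }
+    }
+  }
+}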
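Review bot: The example sets `audit = true` on the baseline input without saying what that changes for the cluster, and since these files are the starting point people copy, a one-line comment on that attribute would help, e.g. `# audit = true: presumably report-only, violations are logged rather than blocked — confirm against the TMC security policy docs`. The `match_expressions` block pairs `operator = "DoesNotExist"` with `values = []`; if the provider requires an explicit empty list there rather than omitting the attribute, a short comment saying so would save readers a trial-and-error round.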
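--- /dev/null
+++ b/examples/resources/security_policy/resource_cluster_custom_security_policy.tf
@@ -0,0 +1,136 @@
+# Create Tanzu Mission Control security policy
+resource "tanzu-mission-control_security_policy" "create_cluster_custom_security_policy" {
+  name = "tf-sp-test"
+
+  scope {
+    cluster {
+      management_cluster_name = "attached"
+      provisioner_name = "attached"
+      name = "tf-create-test"
+    }
+  }
+
+  spec {
+    input {
+      custom {
+        audit = true
+        disable_native_psp = false
+        allow_privileged_containers = true
+        allow_privilege_escalation = true
+        allow_host_namespace_sharing = true
+        allow_host_network = true
+        read_only_root_file_system = true
+
+        allowed_host_port_range {
+          min = 3000
+          max = 5000
+        }
+
+        allowed_volumes = [
+          "configMap",
+          "nfs",
+          "vsphereVolume"
+        ]
+
+        run_as_user {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        run_as_group {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        supplemental_groups {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        fs_group {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        linux_capabilities {
+          allowed_capabilities = [
+            "CHOWN",
+            "IPC_LOCK"
+          ]
+          required_drop_capabilities = [
+            "SYS_TIME"
+          ]
+        }
+
+        allowed_host_paths {
+          path_prefix = "p1"
+          read_only = true
+        }
+        allowed_host_paths {
+          path_prefix = "p2"
+          read_only = false
+        }
+        allowed_host_paths {
+          path_prefix = "p3"
+          read_only = true
+        }
+
+        allowed_se_linux_options {
+          level = "s0"
+          role = "sysadm_r"
+          type = "httpd_sys_content_t"
+          user = "root"
+        }
+
+        sysctls {
+          forbidden_sysctls = [
+            "kernel.msgmax",
+            "kernel.sem"
+          ]
+        }
+
+        seccomp {
+          allowed_profiles = [
+            "Localhost"
+          ]
+          allowed_localhost_files = [
+            "profiles/audit.json",
+            "profiles/violation.json"
+          ]
+        }
+      }
+    }
+  }
+}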
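Review bot: This custom-policy example turns on every permissive switch at once — `allow_privileged_containers`, `allow_privilege_escalation`, `allow_host_namespace_sharing` and `allow_host_network` are all `true`, `allowed_se_linux_options.user = "root"`, and all four `run_as_*`/`fs_group` rules are `RunAsAny` — so a reader who copies it as a template gets a "security policy" that constrains almost nothing. If the intent is only to exercise every schema attribute, say so in the header, e.g. `# Illustrative values that exercise every attribute of the custom input; a real policy should set the allow_* flags to false and use restrictive run_as rules`, otherwise flip the `allow_*` flags to `false` so the example is safe to copy. Note also that `ranges` blocks are given under `rule = "RunAsAny"`; under Kubernetes PodSecurityPolicy semantics ranges are only consulted for `MustRunAs`, so if the TMC schema follows that, the ranges here are inert — confirm and either switch the rule or drop the ranges. The identical content appears in resource_cluster_group_custom_security_policy.tf and the same comment applies there.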
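--- /dev/null
+++ b/examples/resources/security_policy/resource_cluster_group_baseline_security_policy.tf
@@ -0,0 +1,35 @@
+# Create Tanzu Mission Control securitypolicy entry
+resource "tanzu-mission-control_security_policy" "create_cluster_group_baseline_security_policy" {
+  name = "tf-sp-test"
+
+  scope {
+    cluster_group {
+      cluster_group = "tf-create-test"
+    }
+  }
+
+  spec {
+    input {
+      baseline {
+        audit = false
+        disable_native_psp = true
+      }
+    }
+
+    namespace_selector {
+      match_expressions {
+        key = "component"
+        operator = "In"
+        values = [
+          "api-server",
+          "agent-gateway"
+        ]
+      }
+      match_expressions {
+        key = "not-a-component"
+        operator = "DoesNotExist"
+        values = []
+      }
+    }
+  }
+}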
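Review bot: The header comment reads `# Create Tanzu Mission Control securitypolicy entry` while the cluster-scoped examples say `# Create Tanzu Mission Control security policy`; the wording should be the same across the set (the "securitypolicy entry" form is also in resource_cluster_group_custom_security_policy.tf and resource_cluster_group_strict_security_policy.tf). This example also sets `disable_native_psp = true` with no explanation of what is being switched off; a comment such as `# disable_native_psp = true: presumably stops TMC from applying its native PodSecurityPolicy alongside this policy — confirm` would tell the reader what they are opting out of before they copy it.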
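--- /dev/null
+++ b/examples/resources/security_policy/resource_cluster_group_custom_security_policy.tf
@@ -0,0 +1,150 @@
+# Create Tanzu Mission Control securitypolicy entry
+resource "tanzu-mission-control_security_policy" "create_cluster_group_custom_security_policy" {
+  name = "tf-sp-test"
+
+  scope {
+    cluster_group {
+      cluster_group = "tf-create-test"
+    }
+  }
+
+  spec {
+    input {
+      custom {
+        audit = true
+        disable_native_psp = false
+        allow_privileged_containers = true
+        allow_privilege_escalation = true
+        allow_host_namespace_sharing = true
+        allow_host_network = true
+        read_only_root_file_system = true
+
+        allowed_host_port_range {
+          min = 3000
+          max = 5000
+        }
+
+        allowed_volumes = [
+          "configMap",
+          "nfs",
+          "vsphereVolume"
+        ]
+
+        run_as_user {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        run_as_group {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        supplemental_groups {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        fs_group {
+          rule = "RunAsAny"
+
+          ranges {
+            min = 3
+            max = 5
+          }
+          ranges {
+            min = 7
+            max = 12
+          }
+        }
+
+        linux_capabilities {
+          allowed_capabilities = [
+            "CHOWN",
+            "IPC_LOCK"
+          ]
+          required_drop_capabilities = [
+            "SYS_TIME"
+          ]
+        }
+
+        allowed_host_paths {
+          path_prefix = "p1"
+          read_only = true
+        }
+        allowed_host_paths {
+          path_prefix = "p2"
+          read_only = false
+        }
+        allowed_host_paths {
+          path_prefix = "p3"
+          read_only = true
+        }
+
+        allowed_se_linux_options {
+          level = "s0"
+          role = "sysadm_r"
+          type = "httpd_sys_content_t"
+          user = "root"
+        }
+
+        sysctls {
+          forbidden_sysctls = [
+            "kernel.msgmax",
+            "kernel.sem"
+          ]
+        }
+
+        seccomp {
+          allowed_profiles = [
+            "Localhost"
+          ]
+          allowed_localhost_files = [
+            "profiles/audit.json",
+            "profiles/violation.json"
+          ]
+        }
+      }
+    }
+
+    namespace_selector {
+      match_expressions {
+        key = "component"
+        operator = "In"
+        values = [
+          "api-server",
+          "agent-gateway"
+        ]
+      }
+      match_expressions {
+        key = "not-a-component"
+        operator = "DoesNotExist"
+        values = []
+      }
+    }
+  }
+}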
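--- /dev/null
+++ b/examples/resources/security_policy/resource_cluster_group_strict_security_policy.tf
@@ -0,0 +1,19 @@
+# Create Tanzu Mission Control securitypolicy entry
+resource "tanzu-mission-control_security_policy" "create_cluster_group_strict_security_policy" {
+  name = "tf-sp-test"
+
+  scope {
+    cluster_group {
+      cluster_group = "tf-create-test"
+    }
+  }
+
+  spec {
+    input {
+      strict {
+        audit = false
+        disable_native_psp = true
+      }
+    }
+  }
+}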