diff --git a/.github/bundles/exemption/uds-config.yaml b/.github/bundles/exemption/uds-config.yaml
new file mode 100644
index 000000000..087ea08f8
--- /dev/null
+++ b/.github/bundles/exemption/uds-config.yaml
@@ -0,0 +1,19 @@
+variables:
+ core:
+ PRE_CORE_EXEMPTIONS_ENABLED: true
+ PRE_CORE_EXEMPTIONS: |
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ - DropAllCapabilities
+ title: "podinfo1"
+ matcher:
+ namespace: podinfo
+ name: "^podinfo.*"
+ - policies:
+ - DisallowNodePortServices
+ title: "podinfo2"
+ matcher:
+ namespace: podinfo
+ name: "^.*-local.*"
+ kind: service
diff --git a/.github/bundles/uds-bundle.yaml b/.github/bundles/infra-bundle/uds-bundle.yaml
similarity index 98%
rename from .github/bundles/uds-bundle.yaml
rename to .github/bundles/infra-bundle/uds-bundle.yaml
index 8f4c53a0f..35efb7b8b 100644
--- a/.github/bundles/uds-bundle.yaml
+++ b/.github/bundles/infra-bundle/uds-bundle.yaml
@@ -13,7 +13,7 @@ packages:
 ref: v0.33.2
 - name: core
- path: ../../build/
+ path: ../../../build/
 # x-release-please-start-version
 ref: 0.21.1
 # x-release-please-end
diff --git a/.github/bundles/uds-config.yaml b/.github/bundles/infra-bundle/uds-config.yaml
similarity index 100%
rename from .github/bundles/uds-config.yaml
rename to .github/bundles/infra-bundle/uds-config.yaml
diff --git a/.github/workflows/nightly-testing.yaml b/.github/workflows/nightly-testing.yaml
index 77afeb45b..8797662bc 100644
--- a/.github/workflows/nightly-testing.yaml
+++ b/.github/workflows/nightly-testing.yaml
@@ -7,7 +7,7 @@ on:
 paths:
 - tasks/iac.yaml
 - .github/workflows/test-eks.yaml
- - .github/bundles/*
+ - .github/bundles/infra-bundle/*
 - .github/test-infra/buckets-iac/*
 jobs:
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 59813acc2..5b268d7b6 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -76,6 +76,11 @@ jobs:
 uds run deploy-standard-bundle --no-progress
 uds run -f tasks/test.yaml validate-packages --no-progress
+ # Cluster must be up for generating the CRD
+ - name: Create Exemption CRD Package
+ if: ${{ matrix.flavor == 'upstream' }}
+ run: uds run -f tasks/create.yaml exemption-crd-package
+
 - name: Debug Output
 if: ${{ always() && !inputs.snapshot }}
 uses: ./.github/actions/debug-output
@@ -88,6 +93,10 @@ jobs:
 if: ${{ !inputs.snapshot && matrix.flavor != 'registry1' }}
 run: uds run -f tasks/publish.yaml bundles --no-progress
+ - name: Publish Exemption CRD Package
+ if: ${{ matrix.flavor == 'upstream' }}
+ run: uds run -f tasks/publish.yaml exemption-crd-package
+
 - name: (Snapshot) Publish Standard Package
 if: ${{ inputs.snapshot }}
 run: uds run -f tasks/publish.yaml standard-package --set FLAVOR=${{ matrix.flavor }} --set TARGET_REPO="ghcr.io/defenseunicorns/packages/uds/snapshots" --set VERSION="${SNAPSHOT_VERSION}" --no-progress
diff --git a/.github/workflows/test-eks.yaml b/.github/workflows/test-eks.yaml
index 666d03a9e..1a988b3f2 100644
--- a/.github/workflows/test-eks.yaml
+++ b/.github/workflows/test-eks.yaml
@@ -52,7 +52,7 @@ jobs:
 run: ZARF_ARCHITECTURE=amd64 uds run -f tasks/create.yaml standard-package --no-progress
 - name: Create Core Bundle
- run: uds create .github/bundles --confirm
+ run: uds create .github/bundles/infra-bundle --confirm
 - name: Create Cluster
 run: uds run -f tasks/iac.yaml create-cluster --no-progress
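Review bot: The new step runs `uds run -f tasks/create.yaml exemption-crd-package`, but tasks/create.yaml in this same change defines the task as `uds-crds-package`, so the upstream-flavor job will fail at this step before anything is published. The two names need to agree, e.g. `run: uds run -f tasks/create.yaml uds-crds-package`, or the task in tasks/create.yaml should be renamed. The `Publish Exemption CRD Package` step in the second hunk does match a task in tasks/publish.yaml, but it depends on this step having produced the package. The enclosing job continues outside both hunks.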
@@ -64,13 +64,13 @@ jobs:
 - name: Deploy Core Bundle
 env:
- UDS_CONFIG: .github/bundles/uds-config.yaml
- run: uds deploy .github/bundles/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm
+ UDS_CONFIG: .github/bundles/infra-bundle/uds-config.yaml
+ run: uds deploy .github/bundles/infra-bundle/uds-bundle-uds-core-eks-nightly-*.tar.zst --confirm
 timeout-minutes: 20
 - name: Remove UDS Core
 if: always()
- run: uds remove .github/bundles/uds-bundle-uds-core-eks-*.tar.zst --confirm
+ run: uds remove .github/bundles/infra-bundle/uds-bundle-uds-core-eks-*.tar.zst --confirm
 timeout-minutes: 10
 continue-on-error: true
diff --git a/bundles/k3d-slim-dev/uds-bundle.yaml b/bundles/k3d-slim-dev/uds-bundle.yaml
index 592dd0a76..59962acb5 100644
--- a/bundles/k3d-slim-dev/uds-bundle.yaml
+++ b/bundles/k3d-slim-dev/uds-bundle.yaml
@@ -63,3 +63,10 @@ packages:
 - name: INSECURE_ADMIN_PASSWORD_GENERATION
 description: "Generate an insecure admin password for dev/test"
 path: insecureAdminPasswordGeneration.enabled
+ pre-core-exemptions:
+ pre-core-exemptions:
+ variables:
+ - name: PRE_CORE_EXEMPTIONS_ENABLED
+ path: enabled
+ - name: PRE_CORE_EXEMPTIONS
+ path: exemptions
diff --git a/bundles/k3d-standard/uds-bundle.yaml b/bundles/k3d-standard/uds-bundle.yaml
index aafa37e54..2efea9d50 100644
--- a/bundles/k3d-standard/uds-bundle.yaml
+++ b/bundles/k3d-standard/uds-bundle.yaml
@@ -99,3 +99,10 @@ packages:
 - name: INSECURE_ADMIN_PASSWORD_GENERATION
 description: "Generate an insecure admin password for dev/test"
 path: insecureAdminPasswordGeneration.enabled
+ pre-core-exemptions:
+ pre-core-exemptions:
+ variables:
+ - name: PRE_CORE_EXEMPTIONS_ENABLED
+ path: enabled
+ - name: PRE_CORE_EXEMPTIONS
+ path: exemptions
diff --git a/docs/configuration/uds-configure-policy-exemptions.md b/docs/configuration/uds-configure-policy-exemptions.md
index 8b062beb8..e12cabd20 100644
--- a/docs/configuration/uds-configure-policy-exemptions.md
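Review bot: Neither bundle override exposes the chart's `namespace` value, even though src/pre-core-exemptions/zarf.yaml in this change declares `PRE_CORE_EXEMPTIONS_NAMESPACE` for it, so a bundle user can enable exemptions and supply the list from uds-config.yaml but cannot relocate the Exemption CR without editing the bundle. If that is deliberate, a one-line comment above `variables:` saying the namespace is fixed for these bundles would stop the next reader from adding it; otherwise add `- name: PRE_CORE_EXEMPTIONS_NAMESPACE` / `path: namespace` alongside the two existing entries. The same applies to the bundles/k3d-standard/uds-bundle.yaml hunk. The `packages:` list both hunks extend starts outside the hunk.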
+++ b/docs/configuration/uds-configure-policy-exemptions.md
@@ -27,5 +27,38 @@ shared:
 variables:
 # package specific variables here
+```
-```
\ No newline at end of file
+## Handling Pre Core Exemptions
+
+If you find that you are deploying a resource before uds-core that requires an exemption CR once uds-core is deployed there are two options:
+
+1) Pass exemptions to the core `pre-core-exemptions` package as helm values overrides. See [Pre Core Exemptions Docs](../src/pre-core-exemptions/README.md)
+
+2) Deploy the exemption CRD as a package in your bundle before your pre-core resource.
+ (e.g.)
+ ```yaml
+ kind: UDSBundle
+ metadata:
+ name: example CRD
+
+ packages:
+ - name: exemption-crd
+ repository: ghcr.io/defenseunicorns/packages/uds/exemption-crd
+ ref:
+
+ # Where the exemption CR lives
+ - name: custom-init
+ repository: ghcr.io/custom-init
+ ref: v0.1.0
+
+ - name: core
+ path: ghcr.io/defenseunicorns/packages/uds/core
+ ref: 0.20.0-upstream
+ ```
+
+> Warning
+>
+> Though both options have been tested, there is no guarantee
+> that upgrades, specifically to the CRD package and your CR,
+> will not break your deployment.
\ No newline at end of file
diff --git a/packages/slim-dev/zarf.yaml b/packages/slim-dev/zarf.yaml
index 24d498579..7945b5104 100644
--- a/packages/slim-dev/zarf.yaml
+++ b/packages/slim-dev/zarf.yaml
@@ -42,6 +42,11 @@ components:
 path: ../../dist
 name: module
+ - name: pre-core-exemptions
+ required: true
+ import:
+ path: ../standard
+
 # Keycloak
 - name: keycloak
 required: true
diff --git a/packages/standard/zarf.yaml b/packages/standard/zarf.yaml
index 580c7c1e1..2edf564da 100644
--- a/packages/standard/zarf.yaml
+++ b/packages/standard/zarf.yaml
@@ -42,6 +42,11 @@ components:
 path: ../../dist
 name: module
+ - name: pre-core-exemptions
+ required: true
+ import:
+ path: ../../src/pre-core-exemptions
+
 # Metrics Server
 - name: metrics-server
 required: true
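Review bot: The new `pre-core-exemptions` component is placed directly after the Pepr module component with no comment on why it sits there, although the position is load-bearing: the chart it imports renders an `Exemption` CR (src/pre-core-exemptions/chart/templates/uds-exemption.yaml in this change), which can only be applied once the `exemptions.uds.dev` CRD exists. Add a placement comment such as `# Must deploy after the Pepr module so the Exemption CRD exists, and before other components so their workloads are admitted under these exemptions`. If the CRD is registered by the operator at runtime rather than by a manifest in the module component, a `wait` on the CRD in the preceding component would make the ordering explicit; I cannot confirm which from this diff. The same comment belongs in the packages/standard/zarf.yaml hunk, which slim-dev reaches through `path: ../standard`.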
diff --git a/packages/uds-crds/zarf.yaml b/packages/uds-crds/zarf.yaml
new file mode 100644
index 000000000..3dabc43fd
--- /dev/null
+++ b/packages/uds-crds/zarf.yaml
@@ -0,0 +1,17 @@
+kind: ZarfPackageConfig
+metadata:
+ name: uds-crds
+ yolo: true
+ # x-release-please-start-version
+ version: 0.21.0
+ # x-release-please-end
+
+components:
+ - name: crds
+ required: true
+ manifests:
+ - name: crds
+ files:
+ # generated in CI
+ - ./exemption-crd.yaml
+ - ./package-crd.yaml
diff --git a/release-please-config.json b/release-please-config.json
index ab5696504..63cb72b55 100644
--- a/release-please-config.json
+++ b/release-please-config.json
@@ -11,7 +11,7 @@
 ],
 "versioning": "default",
 "extra-files": [
- ".github/bundles/uds-bundle.yaml",
+ ".github/bundles/infra-bundle/uds-bundle.yaml",
 "README.md",
 "packages/slim-dev/zarf.yaml",
 "packages/standard/zarf.yaml",
diff --git a/src/pepr/tasks.yaml b/src/pepr/tasks.yaml
index 08b657648..ba0576dea 100644
--- a/src/pepr/tasks.yaml
+++ b/src/pepr/tasks.yaml
@@ -10,6 +10,10 @@ tasks:
 env:
 - "PEPR_WATCH_MODE=true"
+ - cmd: "kubectl get crd packages.uds.dev -o yaml > packages/uds-crds/package-crd.yaml"
+
+ - cmd: "kubectl get crd exemptions.uds.dev -o yaml > packages/uds-crds/exemption-crd.yaml"
+
+ - cmd: "npx kubernetes-fluent-client crd packages.uds.dev src/pepr/operator/crd/generated"
 - cmd: "npx kubernetes-fluent-client crd exemptions.uds.dev src/pepr/operator/crd/generated"
diff --git a/src/pre-core-exemptions/README.md b/src/pre-core-exemptions/README.md
new file mode 100644
index 000000000..10be9a3d4
--- /dev/null
+++ b/src/pre-core-exemptions/README.md
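Review bot: `version: 0.21.0` sits between `x-release-please-start-version` markers, but the `extra-files` hunk of release-please-config.json in this same change lists only the renamed infra bundle and the pre-existing package manifests (the list continues past the hunk, so the new file may be registered further down). If `packages/uds-crds/zarf.yaml` is not in `extra-files`, this version will never be bumped and will drift from core, which the infra bundle in this change already pins at `0.21.1`. `yolo: true` also deserves a why-comment, e.g. `# yolo: CRD manifests only, so the package deploys without the Zarf init package`, since it changes how the package is deployed and is not used by the other package manifests here.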
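Review bot: The two new `kubectl get crd` commands shell out to a bare `kubectl`, while the rest of this change uses the bundled client (`uds zarf tools kubectl` in src/pre-core-exemptions/tasks.yaml), so these steps depend on whichever kubectl and kubeconfig happen to be on the runner's PATH. Prefer `- cmd: "uds zarf tools kubectl get crd packages.uds.dev -o yaml > packages/uds-crds/package-crd.yaml"` and the same for the exemptions CRD. The dumped objects still carry live-cluster metadata (`uid`, `resourceVersion`, `status`) that tasks/create.yaml strips afterwards; a comment here pointing at that cleanup would keep the two halves from drifting. The enclosing task begins before this hunk, so its name is not visible here.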
@@ -0,0 +1,111 @@
+# Pre Core Exemptions
+
+This package serves as a way for users deploying uds-core to create exemption resources for things that are deployed before core.
+
+For instance, when a team is deploying a bundle that includes a custom init package with rook-ceph. During install, everything goes smoothly because Pepr's validation is not present. However, during an upgrade after the core deployment, Pepr policies will deny new rook-ceph pods.
+
+## How to Use
+
+Option 1: Set as values in bundle overrides
+```yaml
+kind: UDSBundle
+metadata:
+ name: example helm overrides
+
+packages:
+ - name: core
+ path: ghcr.io/defenseunicorns/packages/uds/core
+ ref: 0.20.0-upstream
+ overrides:
+ pre-core-exemptions:
+ pre-core-exemptions:
+ values:
+ - path: enabled
+ value: true
+ - path: exemptions
+ value: |
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ - DropAllCapabilities
+ title: "podinfo1"
+ matcher:
+ namespace: podinfo
+ name: "^podinfo.*"
+ test: 1
+ - policies:
+ - DisallowNodePortServices
+ title: "podinfo2"
+ matcher:
+ namespace: podinfo
+ name: "^.*-local.*"
+ kind: service
+ test: 2
+```
+
+Option 2: Set as variables in bundle overrides and use `uds-config.yaml`
+```yaml
+kind: UDSBundle
+metadata:
+ name: example helm overrides
+
+packages:
+ - name: core
+ path: ../../build/
+ overrides:
+ pre-core-exemptions:
+ pre-core-exemptions:
+ variables:
+ - name: PRE_CORE_EXEMPTIONS_ENABLED
+ path: enabled
+ - name: PRE_CORE_EXEMPTIONS
+ path: exemptions
+```
+
+```yaml
+variables:
+ core:
+ PRE_CORE_EXEMPTIONS_ENABLED: true
+ PRE_CORE_EXEMPTIONS: |
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ - DropAllCapabilities
+ title: "podinfo1"
+ matcher:
+ namespace: podinfo
+ name: "^podinfo.*"
+ - policies:
+ - DisallowNodePortServices
+ title: "podinfo2"
+ matcher:
+ namespace: podinfo
+ name: "^.*-local.*"
+ kind: service
+```
+
+Option 3: If deploying the standard package not as part of a bundle, you can use a
`zarf-config.yaml`
+
+```yaml
+package:
+ deploy:
+ set:
+ pre_core_exemptions_enabled: true
+ pre_core_exemptions: |
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ - DropAllCapabilities
+ title: "podinfo1"
+ matcher:
+ namespace: podinfo
+ name: "^podinfo.*"
+ - policies:
+ - DisallowNodePortServices
+ title: "podinfo2"
+ matcher:
+ namespace: podinfo
+ name: "^.*-local.*"
+ kind: service
+```
+
diff --git a/src/pre-core-exemptions/chart/.helmignore b/src/pre-core-exemptions/chart/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/src/pre-core-exemptions/chart/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/src/pre-core-exemptions/chart/Chart.yaml b/src/pre-core-exemptions/chart/Chart.yaml
new file mode 100644
index 000000000..426382df7
--- /dev/null
+++ b/src/pre-core-exemptions/chart/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: pre-core-exemptions
+description: Helm chart for exemptions that are required before core but couldn't be applied before core
+type: application
+version: 0.1.0
diff --git a/src/pre-core-exemptions/chart/templates/uds-exemption.yaml b/src/pre-core-exemptions/chart/templates/uds-exemption.yaml
new file mode 100644
index 000000000..f14584828
--- /dev/null
+++ b/src/pre-core-exemptions/chart/templates/uds-exemption.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.enabled }}
+apiVersion: uds.dev/v1alpha1
+kind: Exemption
+metadata:
+ name: pre-core-exemptions
+ namespace: {{ .Values.namespace }}
+spec:
+ exemptions: {{ .Values.exemptions | nindent 4 }}
+{{- end }}
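Review bot: `exemptions: {{ .Values.exemptions | nindent 4 }}` pastes the value in as raw text, but the default in the chart values.yaml hunk that follows is `exemptions: {}`, a map; with `enabled: true` and no exemptions supplied, Helm prints the map's Go string form under `spec.exemptions` and the Exemption CR is rejected on apply, after core is already up. Either default the value to an empty string and guard the template, `{{- if and .Values.enabled .Values.exemptions }}`, or keep a map/list default and render it with `toYaml` so the output is always well-formed YAML. A `required` call on the value would also turn a missing list into a clear render-time message instead of an apply failure. Because the string is inlined verbatim, nothing checks that it is a list of exemption entries before it reaches the cluster; a comment on this line saying the caller is responsible for its shape is the minimum.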
diff --git a/src/pre-core-exemptions/chart/values.yaml b/src/pre-core-exemptions/chart/values.yaml
new file mode 100644
index 000000000..0c57bf9aa
--- /dev/null
+++ b/src/pre-core-exemptions/chart/values.yaml
@@ -0,0 +1,3 @@
+enabled: false
+namespace: uds-policy-exemptions
+exemptions: {}
diff --git a/src/pre-core-exemptions/tasks.yaml b/src/pre-core-exemptions/tasks.yaml
new file mode 100644
index 000000000..f6bb1d453
--- /dev/null
+++ b/src/pre-core-exemptions/tasks.yaml
@@ -0,0 +1,27 @@
+# works in conjunction with .github/bundles/exemption/uds-bundle.yaml
+variables:
+ - name: PODINFO_NAME
+
+tasks:
+ - name: validate
+ actions:
+ - description: Validate exemptions are applied
+ wait:
+ cluster:
+ kind: exemption
+ name: pre-core-exemptions
+ namespace: uds-policy-exemptions
+ condition: exists
+ - description: Create Podinfo Zarf Pkg
+ cmd: uds zarf package create src/pre-core-exemptions/test --confirm --no-progress
+ - description: Deploy Podinfo Zarf Pkg
+ cmd: uds zarf package deploy build/zarf-package-podinfo-*.tar.zst --confirm --no-progress
+ - cmd: uds zarf tools kubectl get pods -n podinfo -o=jsonpath='{.items[0].metadata.name}'
+ setVariables:
+ - name: PODINFO_NAME
+ - description: Check for podinfo to come back up
+ wait:
+ cluster:
+ kind: Pod
+ name: ${PODINFO_NAME}
+ namespace: podinfo
diff --git a/src/pre-core-exemptions/test/values.yaml b/src/pre-core-exemptions/test/values.yaml
new file mode 100644
index 000000000..c2d830e76
--- /dev/null
+++ b/src/pre-core-exemptions/test/values.yaml
@@ -0,0 +1,3 @@
+securityContext:
+ runAsUser: 0
+ runAsGroup: 0
diff --git a/src/pre-core-exemptions/test/zarf.yaml b/src/pre-core-exemptions/test/zarf.yaml
new file mode 100644
index 000000000..5d7768d0f
--- /dev/null
+++ b/src/pre-core-exemptions/test/zarf.yaml
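Review bot: The header comment says the task `works in conjunction with .github/bundles/exemption/uds-bundle.yaml`, but the file this change adds is `.github/bundles/exemption/uds-config.yaml`, which tasks/test.yaml passes through the deploy task's `config` input; fix it to `# works in conjunction with .github/bundles/exemption/uds-config.yaml`. The last action is described as `Check for podinfo to come back up`, yet nothing in the task deletes or restarts the pod, so the wait only confirms that the freshly deployed root-running podinfo (test/values.yaml) was admitted under the exemption; the description should say that. That wait also has no `condition:`, unlike the first one, so what it actually waits for depends on the runner's default; state it explicitly if a specific condition is intended.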
@@ -0,0 +1,18 @@
+kind: ZarfPackageConfig
+metadata:
+ name: podinfo
+ version: 0.0.1
+
+components:
+ - name: podinfo
+ required: true
+ charts:
+ - name: podinfo
+ version: 6.4.0
+ namespace: podinfo
+ url: https://github.com/stefanprodan/podinfo.git
+ gitPath: charts/podinfo
+ valuesFiles:
+ - ./values.yaml
+ images:
+ - ghcr.io/stefanprodan/podinfo:6.4.0
diff --git a/src/pre-core-exemptions/zarf.yaml b/src/pre-core-exemptions/zarf.yaml
new file mode 100644
index 000000000..5014d4f3c
--- /dev/null
+++ b/src/pre-core-exemptions/zarf.yaml
@@ -0,0 +1,22 @@
+kind: ZarfPackageConfig
+metadata:
+ name: uds-core-pre-core-exemptions
+
+components:
+ - name: pre-core-exemptions
+ required: true
+ charts:
+ - name: pre-core-exemptions
+ namespace: uds-policy-exemptions
+ version: 0.1.0
+ localPath: ./chart
+ variables:
+ - name: PRE_CORE_EXEMPTIONS_ENABLED
+ description: "Toggle to disable or enable pre-core-exemptions"
+ path: enabled
+ - name: PRE_CORE_EXEMPTIONS_NAMESPACE
+ description: "The namespace to deploy pre-core-exemptions to (default uds-policy-exemptions). See docs/CONFIGURE_POLICY_EXEMPTIONS.md in order to change this."
+ path: namespace
+ - name: PRE_CORE_EXEMPTIONS
+ description: "The list of exemptions to be applied"
+ path: exemptions
diff --git a/tasks/create.yaml b/tasks/create.yaml
index dabbca799..5780ce1b2 100644
--- a/tasks/create.yaml
+++ b/tasks/create.yaml
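Review bot: The `PRE_CORE_EXEMPTIONS_NAMESPACE` description points readers to `docs/CONFIGURE_POLICY_EXEMPTIONS.md`, but the document touched in this change is `docs/configuration/uds-configure-policy-exemptions.md`. The variable only moves the Exemption CR's `metadata.namespace`; the chart release itself stays in `namespace: uds-policy-exemptions`, and the validate task in src/pre-core-exemptions/tasks.yaml waits in that fixed namespace, so an override would deploy but fail the test. If the value must match the namespace uds-core watches for Exemption CRs, as the doc reference suggests, say so in the description, e.g. `description: "Namespace for the Exemption CR; must match the exemption namespace configured for uds-core (default uds-policy-exemptions)"`.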
@@ -55,6 +55,14 @@ tasks:
 uds zarf package create src/istio --confirm --no-progress --flavor ${FLAVOR}
 fi
+ - name: uds-crds-package
+ description: "Generate the latest UDS Package and Exemption CRDs and create the Zarf package for publishing"
+ actions:
+ - cmd: uds run -f src/pepr/tasks.yaml gen-crds
+ - cmd: yq -ei 'del(.metadata.creationTimestamp, .metadata.generation, .metadata.resourceVersion, .metadata.uid, .status)' packages/uds-crds/exemption-crd.yaml
+ - cmd: yq -ei 'del(.metadata.creationTimestamp, .metadata.generation, .metadata.resourceVersion, .metadata.uid, .status)' packages/uds-crds/package-crd.yaml
+ - cmd: uds zarf package create packages/uds-crds --confirm --no-progress
+
 - name: pepr-build
 description: "Build the UDS Core Pepr Module"
 actions:
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
index 9f296492e..d458e6083 100644
--- a/tasks/deploy.yaml
+++ b/tasks/deploy.yaml
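Review bot: The `uds-crds-package` description does not say that the task needs a live cluster with uds-core deployed, although `gen-crds` in src/pepr/tasks.yaml reads the CRDs with `kubectl get crd`; the .github/workflows/publish.yaml hunk in this change had to add a `# Cluster must be up for generating the CRD` comment at the call site to compensate. Put the requirement in the task itself, e.g. `description: "Generate the latest UDS Package and Exemption CRDs from a running uds-core cluster and create the Zarf package for publishing"`. The two `yq -ei 'del(...)'` lines repeat the same field list; a `for f in exemption-crd package-crd` loop in one `cmd: |` would keep the stripped-field list in a single place. The enclosing `tasks:` list starts outside the hunk.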
@@ -9,14 +9,22 @@ variables:
 tasks:
 - name: k3d-standard-bundle
+ inputs:
+ config:
+ default: ""
+ description: "path to uds-config to use"
 actions:
 - description: "Deploy the UDS Core Standard Bundle"
- cmd: uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea
+ cmd: UDS_CONFIG=$INPUT_CONFIG uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea
 - name: k3d-slim-dev-bundle
+ inputs:
+ config:
+ default: ""
+ description: "path to uds-config to use"
 actions:
 - description: "Deploy the UDS Core Slim Dev Only Bundle"
- cmd: uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea
+ cmd: UDS_CONFIG=$INPUT_CONFIG uds deploy bundles/k3d-slim-dev/uds-bundle-k3d-core-slim-dev-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea
 - name: single-package
 actions:
diff --git a/tasks/iac.yaml b/tasks/iac.yaml
index c29f8a068..bcd049b1c 100644
--- a/tasks/iac.yaml
+++ b/tasks/iac.yaml
@@ -132,7 +132,7 @@ tasks:
 - name: create-uds-config
 actions:
 - cmd: |
- cat < .github/bundles/uds-config.yaml
+ cat < .github/bundles/infra-bundle/uds-config.yaml
 options:
 architecture: amd6
 variables:
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
index 4c92386c5..b79978b86 100644
--- a/tasks/publish.yaml
+++ b/tasks/publish.yaml
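Review bot: `cmd: UDS_CONFIG=$INPUT_CONFIG uds deploy ...` exports `UDS_CONFIG` as an empty string whenever the new `config` input is left at its default `""`; whether uds treats an empty path as unset or tries to open it is not visible here, and the unquoted `$INPUT_CONFIG` would also word-split on a path containing spaces. Setting the variable only when a value was given removes both questions: `cmd: |` / `if [ -n "${INPUT_CONFIG}" ]; then export UDS_CONFIG="${INPUT_CONFIG}"; fi` / `uds deploy bundles/k3d-standard/uds-bundle-k3d-core-demo-${UDS_ARCH}-${VERSION}.tar.zst --set=uds-k3d-dev.K3D_IMAGE=${K3D_IMAGE} --confirm --no-progress --no-tea`, with the same shape in `k3d-slim-dev-bundle`. The input's `description` should also say the path is relative to the repository root, since tasks/test.yaml passes `.github/bundles/exemption/uds-config.yaml` that way.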
@@ -48,3 +48,8 @@ tasks:
 uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest
 pkgPath="${TARGET_REPO}/bundles/k3d-core-slim-dev"
 uds zarf tools registry copy ${pkgPath}:${VERSION} ${pkgPath}:latest
+
+ - name: exemption-crd-package
+ description: "Publish the UDS Exemption CRD Package"
+ actions:
+ - cmd: uds publish build/zarf-package-uds-core-exemption-crd-*.tar.zst oci://${TARGET_REPO} --no-progress
diff --git a/tasks/test.yaml b/tasks/test.yaml
index bffdbd5bb..1a9ff4519 100644
--- a/tasks/test.yaml
+++ b/tasks/test.yaml
@@ -20,7 +20,7 @@ tasks:
 actions:
 - cmd: |
 for package in src/*; do
- uds run -f ${package}/tasks.yaml validate --no-progress
+ uds run -f "${package}/tasks.yaml" validate --no-progress
 done
 set +e
@@ -30,6 +30,8 @@ tasks:
 - task: create:standard-package
 - task: create:k3d-standard-bundle
 - task: deploy:k3d-standard-bundle
+ with:
+ config: .github/bundles/exemption/uds-config.yaml
 - cmd: uds zarf tools clear-cache
 - task: validate-packages
diff --git a/zarf-config.yaml b/zarf-config.yaml
index 8ee66a63c..13a3fb6b2 100644
--- a/zarf-config.yaml
+++ b/zarf-config.yaml
@@ -4,3 +4,23 @@ no_progress: true
 package:
 create:
 output: build
+
+ deploy:
+ set:
+ pre_core_exemptions_enabled: true
+ pre_core_exemptions: |
+ - policies:
+ - DisallowPrivileged
+ - RequireNonRootUser
+ - DropAllCapabilities
+ title: "podinfo1"
+ matcher:
+ namespace: podinfo
+ name: "^podinfo.*"
+ - policies:
+ - DisallowNodePortServices
+ title: "podinfo2"
+ matcher:
+ namespace: podinfo
+ name: "^.*-local.*"
+ kind: service
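Review bot: The publish glob `build/zarf-package-uds-core-exemption-crd-*.tar.zst` will not match the package that tasks/create.yaml builds, because the manifest in packages/uds-crds/zarf.yaml names it `uds-crds`, so Zarf emits `build/zarf-package-uds-crds-*.tar.zst` (the same convention the podinfo fixture relies on with `build/zarf-package-podinfo-*.tar.zst`) and this step publishes nothing. Use one name everywhere, e.g. `- cmd: uds publish build/zarf-package-uds-crds-*.tar.zst oci://${TARGET_REPO} --no-progress`. The docs example in this change points consumers at `packages/uds/exemption-crd`, so whichever package name is chosen has to be reflected there as well.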
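Review bot: The repo-root zarf-config.yaml now sets `pre_core_exemptions_enabled: true` with exemptions from `DisallowPrivileged`, `RequireNonRootUser` and `DropAllCapabilities`, and because this file is the default config for any `zarf package deploy` run from the repository root, every local deploy of the standard package will carry these exemptions, not only the validate test that needs them. A comment at the top of the `deploy:` stanza should state the intent and scope, e.g. `# dev/test only: exempts the podinfo fixture in src/pre-core-exemptions/test so the validate task can admit it as root`. The same exemption block is duplicated in .github/bundles/exemption/uds-config.yaml and the package README; naming the one authoritative copy in that comment makes it easier to keep the three in sync.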