feat!: add netpols and monitoring (#81)

## Description ... ## Related Issue Fixes #76 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [ ] Test, docs, adr added or updated as needed - [ ] [Contributor Guide Steps](https://github.com/defenseunicorns/uds-package-gitlab-runner/blob/main/CONTRIBUTING.md#developer-workflow) followed --------- Co-authored-by: Wayne Starr <Racer159@users.noreply.github.com> Release-As: v16.11.0-uds.1
defenseunicorns · May 16, 2024 · 71c40fb · 71c40fb
1 parent 8dbb0ea
commit 71c40fb
Show file tree

Hide file tree

Showing 10 changed files with 106 additions and 29 deletions.
diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml
@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
 rules:
   - apiGroups: [""]
     resources: ["configmaps", "pods", "pods/attach", "secrets", "services"]

diff --git a/chart/templates/namespace.yaml b/chart/templates/namespace.yaml
@@ -1,6 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Values.runnerNamespace }}
-  labels:
-    istio-injection: enabled
+  name: {{ .Values.sandboxNamespace }}
diff --git a/chart/templates/rolebinding.yaml b/chart/templates/rolebinding.yaml
@@ -1,13 +1,13 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: {{ .Values.runnerNamespace }}
-  namespace: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
+  namespace: {{ .Values.sandboxNamespace }}
 subjects:
   - kind: ServiceAccount
-    name: default
+    name: {{ .Values.serviceAccountName }}
     namespace: gitlab-runner
 roleRef:
   apiGroup: ""
   kind: ClusterRole
-  name: {{ .Values.runnerNamespace }}
+  name: {{ .Values.sandboxNamespace }}
diff --git a/chart/templates/uds-package-sandbox.yaml b/chart/templates/uds-package-sandbox.yaml
@@ -0,0 +1,37 @@
+apiVersion: uds.dev/v1alpha1
+kind: Package
+metadata:
+  name: gitlab-runner-sandbox
+  namespace: {{ .Values.sandboxNamespace }}
+spec:
+  network:
+    allow:
+      - direction: Egress
+        selector:
+          uds/network-access-gitlab: "true"
+        remoteNamespace: gitlab
+        remoteSelector:
+          app: webservice
+        port: 8181
+
+      - direction: Ingress
+        selector: 
+          uds/network-access-gitlab: "true"
+        remoteNamespace: gitlab-runner
+        remoteSelector:
+          app: gitlab-runner
+
+    {{- range .Values.customSandbox }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+    {{- end }}
diff --git a/chart/templates/uds-package.yaml b/chart/templates/uds-package.yaml
@@ -4,28 +4,47 @@ metadata:
   name: gitlab-runner
   namespace: {{ .Release.Namespace }}
 spec:
+  monitor:
+    - selector:
+        app: gitlab-runner 
+      targetPort: 9252
+      portName: metrics
+      description: Metrics
+
   network:
     allow:
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-runner
         remoteNamespace: gitlab
-        remotePodLabels:
+        remoteSelector:
           app: webservice
         port: 8181
 
-      - direction: Ingress
-        remoteGenerated: IntraNamespace
-
-      - direction: Egress
-        remoteGenerated: IntraNamespace
-
       - direction: Egress
         podLabels:
           app: gitlab-runner
-        remoteNamespace: {{ .Values.runnerNamespace }}
+        remoteGenerated: KubeAPI
 
       - direction: Egress
-        podLabels:
+        selector:
           app: gitlab-runner
-        remoteGenerated: KubeAPI
+        remoteNamespace: {{ .Values.sandboxNamespace }}
+        remoteSelector:
+          uds/network-access-gitlab: "true"
+
+      # Custom rules for unanticipated scenarios
+    {{- range .Values.custom }}
+      - direction: {{ .direction }}
+        selector:
+          {{ .selector | toYaml | nindent 10 }}
+        {{- if not .remoteGenerated }}
+        remoteNamespace: {{ .remoteNamespace }}
+        remoteSelector:
+          {{ .remoteSelector | toYaml | nindent 10 }}
+        port: {{ .port }}
+        {{- else }}
+        remoteGenerated: {{ .remoteGenerated }}
+        {{- end }}
+        description: {{ .description }}
+    {{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1 +1,10 @@
-runnerNamespace: "gitlab-runner-sandbox"
+sandboxNamespace: "gitlab-runner-sandbox"
+serviceAccountName: "gitlab-runner"
+custom: []
+  # - direction: Egress
+  #   remoteGenerated: Anywhere
+  #   description: "Egress from to external GitLab"
+customSandbox: []
+  # - direction: Egress
+  #   remoteGenerated: Anywhere
+  #   description: "Egress from to external GitLab"
diff --git a/tasks.yaml b/tasks.yaml
@@ -1,11 +1,11 @@
 includes:
   - dependencies: ./tasks/dependencies.yaml
   - test: ./tasks/test.yaml
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/lint.yaml
-  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/pull.yaml
-  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/deploy.yaml
-  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/setup.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - lint: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/lint.yaml
+  - pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/pull.yaml
+  - deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/deploy.yaml
+  - setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/setup.yaml
 
 tasks:
   - name: default

diff --git a/tasks/publish.yaml b/tasks/publish.yaml
@@ -1,6 +1,6 @@
 includes:
-  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/create.yaml
-  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.0/tasks/publish.yaml
+  - create: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/create.yaml
+  - publish: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.4.2/tasks/publish.yaml
 
 tasks:
   - name: package

diff --git a/values/common-values.yaml b/values/common-values.yaml
@@ -1,7 +1,14 @@
 unregisterRunners: true
 
+
+# Create a non-default service account with the name gitlab-runner with minimal permissions
 rbac:
-  create: false
+  create: true
+  generatedServiceAccountName: gitlab-runner
+  rules:
+    - apiGroups: [""]
+      resources: [""]
+      verbs: [""]
 
 runners:
   secret: gitlab-gitlab-runner-secret
@@ -25,6 +32,7 @@ runners:
         "pipeline_id" = "${CI_PIPELINE_ID}"
         "uds/user" = "${UDS_RUN_AS_USER}"
         "uds/group" = "${UDS_RUN_AS_GROUP}"
+        "uds/network-access-gitlab" = "true"
       [runners.kubernetes.helper_container_security_context]
         run_as_non_root = true
         run_as_user = 1001
@@ -43,6 +51,11 @@ securityContext:
   capabilities:
     drop: ["ALL"]
 
+service:
+  enabled: true
+metrics:
+  enabled: true
+
 
 resources:
   limits:

diff --git a/values/config-values.yaml b/values/config-values.yaml
@@ -1 +1,2 @@
-runnerNamespace: "###ZARF_VAR_JOB_RUNNER_NAMESPACE###"
+sandboxNamespace: "###ZARF_VAR_JOB_RUNNER_NAMESPACE###"
+serviceAccountName: "gitlab-runner"