Merge pull request #906 from bart0sh/PR136-terrascan-check

implement terrascan check
This commit is contained in:
Mikko Ylinen 2022-03-01 17:43:09 +02:00 committed by GitHub
commit 711fbbff07
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 85 additions and 7 deletions


@ -166,3 +166,17 @@ jobs:
- name: Test SGX & FPGA Admission Webhook, Deploy Operator
run: |
make test-with-kind
terrascan:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install terrascan
run: |
curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
install terrascan /usr/local/bin && rm terrascan
- name: Run Terrascan
run: make terrascan
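Review bot: The "Install terrascan" step resolves whichever release is `latest` at run time and installs that binary into the runner without any checksum or signature check, so the scan result rests on an unpinned, unverified download; the Jenkinsfile section below installs the tool the same way. Pin the release to a known version and verify the archive before the `install` line, e.g. `echo "<expected-sha256>  terrascan.tar.gz" | sha256sum -c -` (placeholder digest, taken from the release you pin to), and add `-f` to both curl calls so an API rate-limit or HTTP error body fails the step instead of yielding an empty URL for the second curl. `actions/checkout@v2` is likewise pinned only to a floating major tag; a full commit SHA is the usual hardening for a job whose purpose is a security check.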

Jenkinsfile vendored

@ -67,6 +67,15 @@ pipeline {
}
stage("make lint"){
parallel {
stage("make terrascan") {
steps {
dir(path: "$REPO_DIR") {
sh "curl -sL `curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E https://.+?_Linux_x86_64.tar.gz` | tar -zx terrascan"
sh "sudo mv terrascan /usr/local/bin/"
sh "make terrascan"
}
}
}
stage("make lint") {
steps {
dir(path: "$REPO_DIR") {
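Review bot: `sh "sudo mv terrascan /usr/local/bin/"` writes a freshly downloaded binary into the agent's system path as root, so it outlives the build and is picked up by any later job on that agent, whereas the step only needs it for the following `make terrascan`. Keeping it in the workspace and prefixing the path, e.g. `sh "PATH=\$PWD:\$PATH make terrascan"`, drops the `sudo` and the persistent system-wide install. The enclosing `pipeline` block starts and ends outside the hunk.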


@ -148,6 +148,15 @@ e2e-sgx:
e2e-gpu:
@$(GO) test -v ./test/e2e/... -ginkgo.v -ginkgo.progress -ginkgo.focus "GPU" -delete-namespace-on-failure=false
terrascan:
@ls deployments/*/kustomization.yaml | while read f ; \
do \
echo "\n==== $$(basename $$(dirname $$f)) ====" ; \
terrascan scan -v --show-passed -d $$(dirname $$f) -i kustomize --severity high \
--skip-rules 'AC_K8S_0051,AC_K8S_0076,AC_K8S_0087' \
|| exit $$? ; \
done
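Review bot: `--skip-rules 'AC_K8S_0051,AC_K8S_0076,AC_K8S_0087'` gives no reason for suppressing those three rules, so a later reader cannot tell whether each suppression is still justified; add a comment above the target, e.g. `# Skipped terrascan rules and why: AC_K8S_0051 - <reason>, AC_K8S_0076 - <reason>, AC_K8S_0087 - <reason>`. `--severity high` also means medium and low findings never show up in CI output, which is fine if intentional but belongs in the same comment. The loop can iterate the glob directly (`for f in deployments/*/kustomization.yaml`) rather than parsing `ls`, and `echo "\n==== ..."` only prints the newline under shells whose builtin echo interprets escapes, so `printf '\n==== %s ====\n' "$$(basename $$(dirname $$f))"` is the portable form.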
pre-pull:
ifeq ($(TAG),devel)
@$(BUILDER) pull golang:1.17-bullseye


@ -24,6 +24,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
terminationMessagePath: /tmp/termination-log
volumeMounts:
- name: devfs


@ -24,6 +24,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- name: devfs
mountPath: /dev/dsa


@ -0,0 +1,2 @@
bases:
- base


@ -24,6 +24,7 @@ spec:
runAsUser: 65532
runAsGroup: 65532
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
resources:
limits:
cpu: 100m


@ -20,6 +20,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /opt/intel/fpga-sw
name: intel-fpga-sw
@ -39,6 +40,7 @@ spec:
terminationMessagePath: /tmp/termination-log
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- name: devfs
mountPath: /dev


@ -0,0 +1,2 @@
resources:
- base


@ -19,6 +19,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /etc/kubernetes/node-feature-discovery/source.d/
name: nfd-source-hooks
@ -33,6 +34,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- name: devfs
mountPath: /dev/dri


@ -24,6 +24,7 @@ spec:
runAsUser: 1000
runAsGroup: 1000
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
- name: manager
args:
- "--metrics-addr=127.0.0.1:8080"


@ -0,0 +1,4 @@
bases:
- default
- manager
- webhook


@ -38,6 +38,7 @@ spec:
runAsUser: 65532
runAsGroup: 65532
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
env:
- name: DEVICEPLUGIN_NAMESPACE
valueFrom:


@ -27,6 +27,7 @@ spec:
hugepages-2Mi: "128Mi"
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
add:
["IPC_LOCK"]


@ -0,0 +1,2 @@
bases:
- base


@ -17,6 +17,7 @@ spec:
- name: intel-qat-kernel-plugin
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
privileged: true
image: intel/intel-qat-plugin:devel
imagePullPolicy: IfNotPresent
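Review bot: This container keeps `privileged: true` right after the newly added `allowPrivilegeEscalation: false`, and Kubernetes' SecurityContext validation rejects a container that sets privileged to true together with allowPrivilegeEscalation false, so the intel-qat-kernel-plugin manifest will fail to apply. A privileged container can escalate by definition, so the new line should be dropped for this container and the omission documented in place, e.g. `# allowPrivilegeEscalation cannot be false while privileged: true`; if terrascan then flags this container, the exception belongs in the Makefile's skip list with a reason rather than in the manifest. The rest of the container spec lies outside the hunk.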


@ -18,6 +18,7 @@ spec:
image: intel/intel-qat-plugin:devel
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
imagePullPolicy: IfNotPresent
volumeMounts:
- name: devdir


@ -0,0 +1,2 @@
bases:
- base


@ -24,6 +24,7 @@ spec:
runAsUser: 65532
runAsGroup: 65532
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
resources:
limits:
cpu: 100m


@ -21,6 +21,7 @@ spec:
image: intel/sgx-aesmd-demo:devel
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
resources:
limits:
sgx.intel.com/epc: "1Mi"


@ -20,6 +20,7 @@ spec:
command: ["/opt/intel/sgx-sample-app/sgx-sample-app"]
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
add: ["IPC_LOCK"]
resources:


@ -0,0 +1,2 @@
bases:
- base


@ -18,6 +18,7 @@ spec:
image: intel/intel-sgx-plugin:devel
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
imagePullPolicy: IfNotPresent
volumeMounts:
- name: kubeletsockets


@ -11,6 +11,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /etc/kubernetes/node-feature-discovery/source.d/
name: nfd-source-hooks


@ -11,6 +11,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- mountPath: /etc/kubernetes/node-feature-discovery/source.d/
name: nfd-source-hooks


@ -24,6 +24,7 @@ spec:
imagePullPolicy: IfNotPresent
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
volumeMounts:
- name: devion
mountPath: /dev/ion


@ -33,6 +33,7 @@ const appLabel = "intel-dlb-plugin"
func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet {
devicePlugin := rawObj.(*devicepluginv1.DlbDevicePlugin)
yes := true
no := false
daemonSet := apps.DaemonSet{
TypeMeta: metav1.TypeMeta{
@ -77,7 +78,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
Image: devicePlugin.Spec.Image,
ImagePullPolicy: "IfNotPresent",
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
VolumeMounts: []v1.VolumeMount{
{
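Review bot: `no := false` exists only so its address can be stored in AllowPrivilegeEscalation, and the same `yes`/`no` sentinel pair is now repeated in the five controller sections that follow (dsa, fpga, gpu, qat, sgx); a shared one-liner such as `func boolPtr(b bool) *bool { return &b }` in a common package would remove the locals everywhere, though this is a style point rather than a defect. More worth confirming: newDaemonSetExpected describes the desired DaemonSet, and if the reconcile path compares only selected fields before updating an existing DaemonSet, clusters already running these plugins may never receive the new AllowPrivilegeEscalation setting — that comparison is not in this diff. The body of newDaemonSetExpected continues outside the hunk in every section.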


@ -35,6 +35,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
devicePlugin := rawObj.(*devicepluginv1.DsaDevicePlugin)
yes := true
no := false
daemonSet := apps.DaemonSet{
TypeMeta: metav1.TypeMeta{
Kind: "DaemonSet",
@ -77,7 +78,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
Image: devicePlugin.Spec.Image,
ImagePullPolicy: "IfNotPresent",
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
VolumeMounts: []v1.VolumeMount{
{


@ -35,6 +35,7 @@ const appLabel = "intel-fpga-plugin"
func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet {
devicePlugin := rawObj.(*devicepluginv1.FpgaDevicePlugin)
yes := true
no := false
directoryOrCreate := v1.HostPathDirectoryOrCreate
return &apps.DaemonSet{
@ -79,7 +80,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
ImagePullPolicy: "IfNotPresent",
Name: appLabel,
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
TerminationMessagePath: "/tmp/termination-log",
VolumeMounts: []v1.VolumeMount{
@ -106,7 +108,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
ImagePullPolicy: "IfNotPresent",
Name: "intel-fpga-initcontainer",
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
VolumeMounts: []v1.VolumeMount{
{


@ -36,6 +36,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
devicePlugin := rawObj.(*devicepluginv1.GpuDevicePlugin)
yes := true
no := false
daemonSet := apps.DaemonSet{
TypeMeta: metav1.TypeMeta{
Kind: "DaemonSet",
@ -78,7 +79,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
Image: devicePlugin.Spec.Image,
ImagePullPolicy: "IfNotPresent",
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
VolumeMounts: []v1.VolumeMount{
{


@ -35,6 +35,7 @@ const appLabel = "intel-qat-plugin"
func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet {
devicePlugin := rawObj.(*devicepluginv1.QatDevicePlugin)
yes := true
no := false
pluginAnnotations := devicePlugin.ObjectMeta.DeepCopy().Annotations
return &apps.DaemonSet{
@ -71,7 +72,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
Image: devicePlugin.Spec.Image,
ImagePullPolicy: "IfNotPresent",
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
VolumeMounts: []v1.VolumeMount{
{


@ -36,6 +36,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
devicePlugin := rawObj.(*devicepluginv1.SgxDevicePlugin)
yes := true
no := false
charDevice := v1.HostPathCharDev
directoryOrCreate := v1.HostPathDirectoryOrCreate
daemonSet := apps.DaemonSet{
@ -70,7 +71,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
Image: devicePlugin.Spec.Image,
ImagePullPolicy: "IfNotPresent",
SecurityContext: &v1.SecurityContext{
ReadOnlyRootFilesystem: &yes,
ReadOnlyRootFilesystem: &yes,
AllowPrivilegeEscalation: &no,
},
VolumeMounts: []v1.VolumeMount{
{