Merge pull request #906 from bart0sh/PR136-terrascan-check

implement terrascan check
2025-06-03 03:59:37 +00:00 · 2022-03-01 17:43:09 +02:00 · 2022-03-01 17:43:09 +02:00 · 711fbbff07
commit 711fbbff07
parent b7d0e7e168 13780a8cdc
32 changed files with 85 additions and 7 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -166,3 +166,17 @@ jobs:
      - name: Test SGX & FPGA Admission Webhook, Deploy Operator
        run: |
          make test-with-kind
  terrascan:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Install terrascan
      run: |
        curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
        tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
        install terrascan /usr/local/bin && rm terrascan
    - name: Run Terrascan
      run: make terrascan
--- a/9
+++ b/9
@ -67,6 +67,15 @@ pipeline {
        }
        stage("make lint"){
          parallel {
            stage("make terrascan") {
              steps {
                dir(path: "$REPO_DIR") {
                  sh "curl -sL `curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E https://.+?_Linux_x86_64.tar.gz` | tar -zx terrascan"
                  sh "sudo mv terrascan /usr/local/bin/"
                  sh "make terrascan"
                }
              }
            }
            stage("make lint") {
              steps {
                dir(path: "$REPO_DIR") {
--- a/9
+++ b/9
@ -148,6 +148,15 @@ e2e-sgx:
 e2e-gpu:
 	@$(GO) test -v ./test/e2e/... -ginkgo.v -ginkgo.progress -ginkgo.focus "GPU" -delete-namespace-on-failure=false
 terrascan:
 	@ls deployments/*/kustomization.yaml | while read f ; \
 	do \
 		echo "\n==== $$(basename $$(dirname $$f)) ====" ; \
 		terrascan scan -v --show-passed -d $$(dirname $$f) -i kustomize --severity high \
 		--skip-rules 'AC_K8S_0051,AC_K8S_0076,AC_K8S_0087' \
 		|| exit $$? ; \
 	done
 pre-pull:
 ifeq ($(TAG),devel)
 	@$(BUILDER) pull golang:1.17-bullseye
--- a/deployments/dlb_plugin/base/intel-dlb-plugin.yaml
+++ b/deployments/dlb_plugin/base/intel-dlb-plugin.yaml
@ -24,6 +24,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        terminationMessagePath: /tmp/termination-log          
        volumeMounts:
        - name: devfs
--- a/deployments/dsa_plugin/base/intel-dsa-plugin.yaml
+++ b/deployments/dsa_plugin/base/intel-dsa-plugin.yaml
@ -24,6 +24,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: devfs
          mountPath: /dev/dsa
--- a/deployments/fpga_admissionwebhook/kustomization.yaml
+++ b/deployments/fpga_admissionwebhook/kustomization.yaml
@ -0,0 +1,2 @@
 bases:
  - base
--- a/deployments/fpga_admissionwebhook/manager/manager.yaml
+++ b/deployments/fpga_admissionwebhook/manager/manager.yaml
@ -24,6 +24,7 @@ spec:
          runAsUser: 65532
          runAsGroup: 65532
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        resources:
          limits:
            cpu: 100m
--- a/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
+++ b/deployments/fpga_plugin/base/intel-fpga-plugin-daemonset.yaml
@ -20,6 +20,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /opt/intel/fpga-sw
          name: intel-fpga-sw
@ -39,6 +40,7 @@ spec:
        terminationMessagePath: /tmp/termination-log
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: devfs
          mountPath: /dev
--- a/deployments/fpga_plugin/kustomization.yaml
+++ b/deployments/fpga_plugin/kustomization.yaml
@ -0,0 +1,2 @@
 resources:
  - base
--- a/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
+++ b/deployments/gpu_plugin/base/intel-gpu-plugin.yaml
@ -19,6 +19,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /etc/kubernetes/node-feature-discovery/source.d/
          name: nfd-source-hooks
@ -33,6 +34,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: devfs
          mountPath: /dev/dri
--- a/deployments/operator/default/manager_auth_proxy_patch.yaml
+++ b/deployments/operator/default/manager_auth_proxy_patch.yaml
@ -24,6 +24,7 @@ spec:
          runAsUser: 1000
          runAsGroup: 1000
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
      - name: manager
        args:
        - "--metrics-addr=127.0.0.1:8080"
--- a/deployments/operator/kustomization.yaml
+++ b/deployments/operator/kustomization.yaml
@ -0,0 +1,4 @@
 bases:
  - default
  - manager
  - webhook
--- a/deployments/operator/manager/manager.yaml
+++ b/deployments/operator/manager/manager.yaml
@ -38,6 +38,7 @@ spec:
          runAsUser: 65532
          runAsGroup: 65532
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        env:
          - name: DEVICEPLUGIN_NAMESPACE
            valueFrom:
--- a/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
+++ b/deployments/qat_dpdk_app/base/crypto-perf-dpdk-pod-requesting-qat.yaml
@ -27,6 +27,7 @@ spec:
        hugepages-2Mi: "128Mi"
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        add:
          ["IPC_LOCK"]
--- a/deployments/qat_dpdk_app/kustomization.yaml
+++ b/deployments/qat_dpdk_app/kustomization.yaml
@ -0,0 +1,2 @@
 bases:
  - base
--- a/deployments/qat_plugin/base/intel-qat-kernel-plugin.yaml
+++ b/deployments/qat_plugin/base/intel-qat-kernel-plugin.yaml
@ -17,6 +17,7 @@ spec:
      - name: intel-qat-kernel-plugin
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          privileged: true
        image: intel/intel-qat-plugin:devel
        imagePullPolicy: IfNotPresent
--- a/deployments/qat_plugin/base/intel-qat-plugin.yaml
+++ b/deployments/qat_plugin/base/intel-qat-plugin.yaml
@ -18,6 +18,7 @@ spec:
        image: intel/intel-qat-plugin:devel
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: devdir
--- a/deployments/sgx_admissionwebhook/kustomization.yaml
+++ b/deployments/sgx_admissionwebhook/kustomization.yaml
@ -0,0 +1,2 @@
 bases:
  - base
--- a/deployments/sgx_admissionwebhook/manager/manager.yaml
+++ b/deployments/sgx_admissionwebhook/manager/manager.yaml
@ -24,6 +24,7 @@ spec:
          runAsUser: 65532
          runAsGroup: 65532
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        resources:
          limits:
            cpu: 100m
--- a/deployments/sgx_aesmd/base/intel-sgx-aesmd.yaml
+++ b/deployments/sgx_aesmd/base/intel-sgx-aesmd.yaml
@ -21,6 +21,7 @@ spec:
        image: intel/sgx-aesmd-demo:devel
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        resources:
          limits:
            sgx.intel.com/epc: "1Mi"
--- a/deployments/sgx_enclave_apps/base/intelsgx-job.yaml
+++ b/deployments/sgx_enclave_apps/base/intelsgx-job.yaml
@ -20,6 +20,7 @@ spec:
          command: ["/opt/intel/sgx-sample-app/sgx-sample-app"]
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              add: ["IPC_LOCK"]
          resources:
--- a/deployments/sgx_enclave_apps/kustomization.yaml
+++ b/deployments/sgx_enclave_apps/kustomization.yaml
@ -0,0 +1,2 @@
 bases:
  - base
--- a/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
+++ b/deployments/sgx_plugin/base/intel-sgx-plugin.yaml
@ -18,6 +18,7 @@ spec:
        image: intel/intel-sgx-plugin:devel
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - name: kubeletsockets
--- a/deployments/sgx_plugin/overlays/epc-hook-initcontainer/add-epc-nfd-initcontainer.yaml
+++ b/deployments/sgx_plugin/overlays/epc-hook-initcontainer/add-epc-nfd-initcontainer.yaml
@ -11,6 +11,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /etc/kubernetes/node-feature-discovery/source.d/
          name: nfd-source-hooks
--- a/deployments/sgx_plugin/overlays/epc-nfd/add-epc-nfd-initcontainer.yaml
+++ b/deployments/sgx_plugin/overlays/epc-nfd/add-epc-nfd-initcontainer.yaml
@ -11,6 +11,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - mountPath: /etc/kubernetes/node-feature-discovery/source.d/
          name: nfd-source-hooks
--- a/deployments/vpu_plugin/base/intel-vpu-plugin.yaml
+++ b/deployments/vpu_plugin/base/intel-vpu-plugin.yaml
@ -24,6 +24,7 @@ spec:
        imagePullPolicy: IfNotPresent
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
        volumeMounts:
        - name: devion
          mountPath: /dev/ion
--- a/pkg/controllers/dlb/controller_test.go
+++ b/pkg/controllers/dlb/controller_test.go
@ -33,6 +33,7 @@ const appLabel = "intel-dlb-plugin"
 func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet {
 	devicePlugin := rawObj.(*devicepluginv1.DlbDevicePlugin)
 	yes := true
 	no := false
 	daemonSet := apps.DaemonSet{
 		TypeMeta: metav1.TypeMeta{
@ -77,7 +78,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:                  devicePlugin.Spec.Image,
 							ImagePullPolicy:        "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{
--- a/pkg/controllers/dsa/controller_test.go
+++ b/pkg/controllers/dsa/controller_test.go
@ -35,6 +35,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 	devicePlugin := rawObj.(*devicepluginv1.DsaDevicePlugin)
 	yes := true
 	no := false
 	daemonSet := apps.DaemonSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "DaemonSet",
@ -77,7 +78,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:           devicePlugin.Spec.Image,
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{
--- a/pkg/controllers/fpga/controller_test.go
+++ b/pkg/controllers/fpga/controller_test.go
@ -35,6 +35,7 @@ const appLabel = "intel-fpga-plugin"
 func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet {
 	devicePlugin := rawObj.(*devicepluginv1.FpgaDevicePlugin)
 	yes := true
 	no := false
 	directoryOrCreate := v1.HostPathDirectoryOrCreate
 	return &apps.DaemonSet{
@ -79,7 +80,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							ImagePullPolicy: "IfNotPresent",
 							Name:            appLabel,
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							TerminationMessagePath: "/tmp/termination-log",
 							VolumeMounts: []v1.VolumeMount{
@ -106,7 +108,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							ImagePullPolicy: "IfNotPresent",
 							Name:            "intel-fpga-initcontainer",
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{
--- a/pkg/controllers/gpu/controller_test.go
+++ b/pkg/controllers/gpu/controller_test.go
@ -36,6 +36,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 	devicePlugin := rawObj.(*devicepluginv1.GpuDevicePlugin)
 	yes := true
 	no := false
 	daemonSet := apps.DaemonSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "DaemonSet",
@ -78,7 +79,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:           devicePlugin.Spec.Image,
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{
--- a/pkg/controllers/qat/controller_test.go
+++ b/pkg/controllers/qat/controller_test.go
@ -35,6 +35,7 @@ const appLabel = "intel-qat-plugin"
 func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet {
 	devicePlugin := rawObj.(*devicepluginv1.QatDevicePlugin)
 	yes := true
 	no := false
 	pluginAnnotations := devicePlugin.ObjectMeta.DeepCopy().Annotations
 	return &apps.DaemonSet{
@ -71,7 +72,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:           devicePlugin.Spec.Image,
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{
--- a/pkg/controllers/sgx/controller_test.go
+++ b/pkg/controllers/sgx/controller_test.go
@ -36,6 +36,7 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 	devicePlugin := rawObj.(*devicepluginv1.SgxDevicePlugin)
 	yes := true
 	no := false
 	charDevice := v1.HostPathCharDev
 	directoryOrCreate := v1.HostPathDirectoryOrCreate
 	daemonSet := apps.DaemonSet{
@ -70,7 +71,8 @@ func (c *controller) newDaemonSetExpected(rawObj client.Object) *apps.DaemonSet
 							Image:           devicePlugin.Spec.Image,
 							ImagePullPolicy: "IfNotPresent",
 							SecurityContext: &v1.SecurityContext{
-								ReadOnlyRootFilesystem: &yes,
+								ReadOnlyRootFilesystem:   &yes,
 								AllowPrivilegeEscalation: &no,
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{