From f6898b2acc932245ae6706a545c089ab6d7b56cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franti=C5=A1ek=20Dvo=C5=99=C3=A1k?= <valtri@civ.zcu.cz>
Date: Mon, 24 Jun 2024 18:05:55 +0200
Subject: [PATCH] Kubernetes examples

---
 .mega-linter.yml        | 18 +++++++++--
 examples/debugging.yaml | 50 ++++++++++++++++++++++++++++++
 examples/mount.yaml     | 68 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+), 2 deletions(-)
 create mode 100644 examples/debugging.yaml
 create mode 100644 examples/mount.yaml

diff --git a/.mega-linter.yml b/.mega-linter.yml
index 69fc435..b1a57f0 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -15,6 +15,20 @@ FILTER_REGEX_EXCLUDE: ^(TODO|.*\.swp)$
 # DL3008: Pin versions in apt get install: do not want
 DOCKERFILE_HADOLINT_ARGUMENTS: --ignore DL3008
 
-# CKV_DOCKER_2: Ensure that HEALTHCHECK instructions have been added to container images: not a service
+# CKV_DOCKER_2 Ensure that HEALTHCHECK instructions have been added to container images: not a service
 # CKV_DOCKER_3 Ensure that a user for the container has been created: debugging easier with root
-REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_DOCKER_2,CKV_DOCKER_3
+# CKV_K8S_8 Liveness Probe Should be Configured: not a service
+# CKV_K8S_9 Readiness Probe Should be Configured: not a service
+# CKV_K8S_14 Image Tag should be fixed - not latest or blank: do want
+# CKV_K8S_16 Container should not be privileged: necessary for mounting
+# CKV_K8S_20 Containers should not run with allowPrivilegeEscalation: necessary for mounting
+# CKV_K8S_22 Use read-only filesystem for containers where possible: debugging easier with write
+# CKV_K8S_23 Minimize the admission of root containers: debugging easier with root
+# CKV_K8S_25 Minimize the admission of containers with added capability: necessary for mounting
+# CKV_K8S_29 Apply security context to your pods and containers: bug in checkov
+# CKV_K8S_37 Minimize the admission of containers with capabilities assigned: ALL is needed for OIDC agent socket
+# CKV_K8S_39 Do not use the CAP_SYS_ADMIN linux capability: necessary for mounting
+# CKV_K8S_40 Containers should run as a high UID to avoid host conflict: debugging easier with root
+# CKV_K8S_43 Image should use digest: do want
+# CKV2_K8S_6 Minimize the admission of pods which lack an associated NetworkPolicy: complicates cleanups
+REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_DOCKER_2,CKV_DOCKER_3,CKV_K8S_8,CKV_K8S_9,CKV_K8S_14,CKV_K8S_16,CKV_K8S_20,CKV_K8S_22,CKV_K8S_23,CKV_K8S_25,CKV_K8S_29,CKV_K8S_37,CKV_K8S_39,CKV_K8S_40,CKV_K8S_43,CKV2_K8S_6
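Review bot: The enlarged `--skip-check` list on the last line turns off fourteen Kubernetes checks for every manifest in the repository, while the justifications written above it ("necessary for mounting", "debugging easier with root") only hold for the two example pods this patch adds. Checkov accepts per-resource suppressions as inline comments in the manifest, e.g. `# checkov:skip=CKV_K8S_16: privileged needed for the FUSE mount` next to the container's securityContext, which keeps the repository-wide policy intact for any future manifest. The CKV_K8S_29 entry is explained as "bug in checkov", but both new pod files carry a bare `securityContext:` key with no value (parsed as null, not an empty mapping), which is plausibly what that check is reacting to; worth confirming before recording it as a tool bug. The wording "do want" on CKV_K8S_14 and CKV_K8S_43 does not say what is wanted; something like `# CKV_K8S_14 ...: an unpinned tag is intended for the debugging image` would make the exemption reviewable. Minor: the colon after CKV_DOCKER_2 was dropped on the rewritten comment line, so the comment style is now consistent with the new K8s lines but differs from the original.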
diff --git a/examples/debugging.yaml b/examples/debugging.yaml
new file mode 100644
index 0000000..4c395dd
--- /dev/null
+++ b/examples/debugging.yaml
@@ -0,0 +1,50 @@
+---
+# ssh -R /tmp/oidc-forward-host:$OIDC_SOCK ubuntu@k8s-node.example.com
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: eosc-owncloud-debugging
+  name: eosc-owncloud-debugging
+  namespace: example
+spec:
+  automountServiceAccountToken: false
+  containers:
+    - command:
+        - sh
+        - -c
+        - "rclone ls owncloud-test:/; while true; do sleep 3600; done"
+      image: valtri/eosc-owncloud-debugging
+      imagePullPolicy: Always
+      name: rclone
+      env:
+        - name: OIDC_SOCK
+          value: /tmp-host/oidc-forward-host
+      resources:
+        limits:
+          cpu: 0.5
+          memory: 512Mi
+      securityContext:
+        capabilities:
+          drop:
+            - NET_RAW
+        seccompProfile:
+          type: RuntimeDefault
+      volumeMounts:
+        - name: tmp
+          mountPath: /tmp-host
+  securityContext:
+  volumes:
+    - name: tmp
+      hostPath:
+        path: /tmp
+        type: Directory
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                  - k8s-node.example.com
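Review bot: The pod-level `securityContext:` in this hunk has no value, so YAML yields null rather than an empty mapping; either give it content (the container's `seccompProfile` could live here instead) or remove the key, and the same bare key appears in examples/mount.yaml. Separately, the `tmp` volume mounts the node's entire `/tmp` into the container although the comment at the top shows only the forwarded OIDC agent socket is needed; narrowing the hostPath to `path: /tmp/oidc-forward-host` with `type: Socket`, mounted at `/tmp-host/oidc-forward-host`, exposes nothing else from the node (the pod then refuses to start until the ssh forward exists, which is arguably the right signal for an example). examples/mount.yaml has the identical volume and would benefit from the same change. The empty `drop: [NET_RAW]` plus `RuntimeDefault` seccomp here is a reasonable baseline for the non-privileged variant; note that `cpu: 0.5` is a float scalar and could be written as `"500m"` to match the usual Kubernetes quantity notation, though the API accepts both.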
diff --git a/examples/mount.yaml b/examples/mount.yaml
new file mode 100644
index 0000000..9167474
--- /dev/null
+++ b/examples/mount.yaml
@@ -0,0 +1,68 @@
+---
+# ssh -R /tmp/oidc-forward-host:$OIDC_SOCK ubuntu@k8s-node.example.com
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    app: eosc-owncloud-mount
+  name: eosc-owncloud-mount
+  namespace: example
+spec:
+  automountServiceAccountToken: false
+  containers:
+    - command:
+        - rclone
+        - mount
+        - owncloud-test:/
+        - /owncloud
+        - --allow-non-empty
+        - --allow-other
+        - --uid=1001
+        - --gid=1001
+        - --vfs-cache-mode=full
+        # - sh
+        # - -c
+        # - "while true; do sleep 3600; done"
+      image: valtri/eosc-owncloud-debugging
+      imagePullPolicy: Always
+      name: rclone
+      env:
+        - name: OIDC_SOCK
+          value: /tmp-host/oidc-forward-host
+      resources:
+        limits:
+          cpu: 0.5
+          memory: 512Mi
+      securityContext:
+        capabilities:
+          add:
+            - SYS_ADMIN
+          drop:
+            - NET_RAW
+        privileged: true
+        seccompProfile:
+          type: RuntimeDefault
+      volumeMounts:
+        - name: tmp
+          mountPath: /tmp-host
+        - name: owncloud
+          mountPath: /owncloud:shared
+  securityContext:
+  volumes:
+    - name: tmp
+      hostPath:
+        path: /tmp
+        type: Directory
+    - name: owncloud
+      hostPath:
+        path: /mnt/owncloud
+        type: Directory
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: In
+                values:
+                  - k8s-node.example.com
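Review bot: `mountPath: /owncloud:shared` uses the Docker CLI bind-mount suffix, which is not a Kubernetes field; the API will treat the whole string as the mount path (or reject it), so the rclone mount at `/owncloud` will not be visible under the host's `/mnt/owncloud`. Kubernetes expresses this as a separate field on the volumeMount: `mountPath: /owncloud` followed by `mountPropagation: Bidirectional`, which is exactly the case that requires `privileged: true` and so matches the securityContext already declared. With `privileged: true` set, the `add: SYS_ADMIN` entry is redundant (privileged grants all capabilities) and the `drop: NET_RAW` and `seccompProfile: RuntimeDefault` lines are likely no-ops on common runtimes, which run privileged containers unconfined; if the intent is least privilege for a FUSE mount, the alternative to evaluate is dropping `privileged` and keeping `SYS_ADMIN` plus the FUSE device, though whether that suffices for the propagation back to the host would need to be confirmed. Either way a one-line comment above `privileged: true` stating why it is required (`# Bidirectional mount propagation to /mnt/owncloud on the node requires privileged`) would make the exemption in .mega-linter.yml traceable.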
-- 
GitLab