diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 4090e3baa36e926908ceec9c59003a71b2d697a1..59ab3cb80c686b7c49b10137e9d872578285aa97 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -14,3 +14,4 @@ resources:
 - k8up
 - postgres
 - kubenav
+ - starboard
diff --git a/infrastructure/starboard/README.md b/infrastructure/starboard/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..a634845759c957adae0bf8962a6b78a0e62a74a4
--- /dev/null
+++ b/infrastructure/starboard/README.md
@@ -0,0 +1,18 @@
+Starboard
+===
+
+Operator to create and manage automated container image scans for all containers deployed in the cluster, this helps to provide visibility for potential security issues and makes it easy to identify containers and deployments affected by CVEs.
+
+This particular installation utilises a trivy-server setup, that reduces the times to download the vulnerability database, making it API limit friendlier.
+
+Links
+---
+
+- [Starboard Docs](https://aquasecurity.github.io/starboard/v0.15.4/)
+- [Starboard Helm Chart](https://github.com/aquasecurity/starboard/tree/main/deploy/helm)
+- [Starboard Source Code](https://github.com/aquasecurity/starboard/)
+- [Starboard Help Forum](https://github.com/aquasecurity/starboard//discussions)
+- [Trivy Docs](https://aquasecurity.github.io/trivy/v0.25.4/)
+- [Trivy Helm Chart](https://github.com/aquasecurity/trivy/tree/main/helm/trivy)
+- [Trivy Source Code](https://github.com/aquasecurity/trivy/)
+- [Trivy Help Forum](https://github.com/aquasecurity/trivy/discussions)
diff --git a/infrastructure/starboard/kustomization.yaml b/infrastructure/starboard/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..56dc182cdbb44cdfb943ef4b671e0fe675f5a98c
--- /dev/null
+++ b/infrastructure/starboard/kustomization.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: longhorn-system
+resources:
+ - namespace.yaml
+ - repository.yaml
+ - release.yaml
+ - monitoring.yaml
+ - ../../shared/networkpolicies/allow-from-ingress.yaml
+ - ../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+ - networkpolicy.yaml
+configMapGenerator:
+ - name: longhorn-grafana-dashboards
+ files:
+ - ./dashboards/longhorn.json
+ options:
+ labels:
+ grafana_dashboard: longhorn-system
diff --git a/infrastructure/starboard/monitoring.yaml b/infrastructure/starboard/monitoring.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..2dbb497b6c7321459a04917e7ce54b811b602ed4
--- /dev/null
+++ b/infrastructure/starboard/monitoring.yaml
@@ -0,0 +1,25 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: giantswarm
+ namespace: starboard-system
+spec:
+ interval: 30m
+ url: https://giantswarm.github.io/giantswarm-catalog
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: starboard-exporter
+ namespace: starboard-system
+spec:
+ releaseName: starboard-exporter
+ chart:
+ spec:
+ chart: starboard-exporter
+ sourceRef:
+ kind: HelmRepository
+ name: giantswarm
+ namespace: starboard-system
+ version: 0.3.3
+ interval: 5m
diff --git a/infrastructure/starboard/namespace.yaml b/infrastructure/starboard/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b8e0b9013feddfe6abb3fa4fc643aaa333f3ddbe
--- /dev/null
+++ b/infrastructure/starboard/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: starboard-system
+ labels:
+ name: starboard-system
+ kyverno.shivering-isles.com/class: "system"
diff --git a/infrastructure/starboard/networkpolicy.yaml b/infrastructure/starboard/networkpolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a268d31e2e20b412375bade5ea59778290851e75
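Review bot: `namespace: longhorn-system` in infrastructure/starboard/kustomization.yaml looks like a leftover from the Longhorn overlay: namespace.yaml in this commit creates `starboard-system` and every HelmRelease in release.yaml and monitoring.yaml sets `namespace: starboard-system`, so the kustomize namespace transformer would rewrite those releases into longhorn-system and the operator would reconcile in a namespace other than the one this overlay creates. The `configMapGenerator` entry for `longhorn-grafana-dashboards` references `./dashboards/longhorn.json`, which this commit does not add, so `kustomize build` would presumably fail on a missing file unless that path exists elsewhere. Suggested change: `namespace: starboard-system`, and drop the whole `configMapGenerator` block until there are Starboard dashboards to ship (the `grafana_dashboard: longhorn-system` label would otherwise also be wrong for this namespace).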
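Review bot: The `giantswarm` HelmRepository is declared in monitoring.yaml next to the exporter release, while the overlay's other chart source lives in repository.yaml; keeping every HelmRepository in repository.yaml would make the set of external chart sources this namespace trusts reviewable in one place. If it stays here, a one-line comment above the first document such as `# chart source for starboard-exporter only; operator/trivy sources are in repository.yaml` would save the next reader a search.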
--- /dev/null
+++ b/infrastructure/starboard/networkpolicy.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-ingress
+spec:
+ podSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - starboard-exporter
diff --git a/infrastructure/starboard/release.yaml b/infrastructure/starboard/release.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7005502d31f4ab5d73b7ee4741f152136d9d8b01
--- /dev/null
+++ b/infrastructure/starboard/release.yaml
@@ -0,0 +1,46 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: starboard-operator
+ namespace: starboard-system
+spec:
+ releaseName: starboard-operator
+ chart:
+ spec:
+ chart: starboard-operator
+ sourceRef:
+ kind: HelmRepository
+ name: aqua
+ namespace: starboard-system
+ version: 0.10.4
+ interval: 5m
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ values:
+ operator:
+ vulnerabilityScannerScanOnlyCurrentRevisions: true
+ clusterComplianceEnabled: false
+ kubernetesBenchmarkEnabled: false
+ trivy:
+ mode: ClientServer
+ ignoreUnfixed: false
+ serverURL: "http://trivy:4954"
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: trivy
+ namespace: starboard-system
+spec:
+ releaseName: trivy
+ chart:
+ spec:
+ chart: trivy
+ sourceRef:
+ kind: HelmRepository
+ name: aqua
+ namespace: starboard-system
+ version: 0.4.13
+ interval: 5m
diff --git a/infrastructure/starboard/repository.yaml b/infrastructure/starboard/repository.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b27deccb231f77137cb9b6ce14bc0149f9c2f067
--- /dev/null
+++ b/infrastructure/starboard/repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: longhorn
+ namespace: longhorn-system
+spec:
+ interval: 30m
+ url: https://aquasecurity.github.io/helm-charts/
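Review bot: The patch in networkpolicy.yaml narrows the shared `allow-from-ingress` policy to pods labelled `app.kubernetes.io/name=starboard-exporter`, but the exporter is a metrics endpoint and `allow-from-monitoring`, the policy a scraper would need, is pulled into the resource list unpatched. I cannot see the shared bases; if their default podSelector matches every pod in the namespace, the operator and trivy server pods stay reachable from ingress while the exporter's scrape path depends on whatever the base selects, and if the base `podSelector` carries `matchLabels`, a strategic merge keeps those alongside the added `matchExpressions`. Consider patching `allow-from-monitoring` to select the exporter instead and, if nothing here serves ingress traffic, dropping `../../shared/networkpolicies/allow-from-ingress.yaml` from the kustomization. Minor style point: this file starts with a `---` document marker while the sibling manifests in this commit do not.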
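Review bot: Both HelmReleases in release.yaml point `sourceRef` at `name: aqua` in `namespace: starboard-system`, but the only HelmRepository carrying the `https://aquasecurity.github.io/helm-charts/` URL in this commit (repository.yaml) is named `longhorn` in `longhorn-system`, so Flux would presumably leave both releases unreconciled with a source-not-found condition unless an `aqua` repository already exists elsewhere. Suggested change in repository.yaml: `name: aqua` and `namespace: starboard-system`. Separately, the operator is pinned to `mode: ClientServer` with `serverURL: "http://trivy:4954"` while the `trivy` HelmRelease carries no values, so the coupling to the chart's default Service name and port is implicit; a comment above `serverURL` such as `# must match the Service name/port of the trivy HelmRelease below` would document it.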