diff --git a/.github/workflows/terrascan.yml b/.github/workflows/terrascan.yml
new file mode 100644
index 0000000..6a9821a
--- /dev/null
+++ b/.github/workflows/terrascan.yml
@@ -0,0 +1,31 @@
+name: Terrascan IaC scanner
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+permissions:
+ pull-requests: read
+ contents: read
+
+jobs:
+ Analysis:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set up Terrascan
+ uses: tenable/terrascan-action@v1.4.1
+ with:
+ iac_type: k8s
+ iac_version: v1
+ iac_dir: k8s
+ policy_type: k8s
+ verbose: true
+ skip_rules: AC_K8S_0080
+ only_warn: true
\ No newline at end of file
diff --git a/k8s/deployment.yml b/k8s/deployment.yml
index 04f4dfd..4d38fc8 100644
--- a/k8s/deployment.yml
+++ b/k8s/deployment.yml
@@ -13,15 +13,32 @@ spec:
 metadata:
 labels:
 app: hivebox
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/hivebox: runtime/default
 spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 - name: hivebox
- image: ghcr.io/gabrielpalmar/hivebox:latest
+ image: ghcr.io/gabrielpalmar/hivebox:0.4.0@sha256:31dccc066ffd02ef65850ed8125fc2dadf0bd65958fb49bee0517e40afab2e1c
 ports:
 - containerPort: 5000
 env:
 - name: FLASK_ENV
 value: "production"
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
 resources:
 limits:
 memory: "512Mi"
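Review bot: With `only_warn: true` as the last entry of the `with:` block, the Terrascan step reports violations but never fails the job, so this workflow cannot block a pull request on a policy finding; if that is intentional while the existing manifests are brought into compliance, a comment saying so belongs above the line, otherwise drop it or set it to `false`. `skip_rules: AC_K8S_0080` carries no rationale either; add a comment naming what the rule checks and why it is exempted here, e.g. `# AC_K8S_0080 skipped: <reason for exemption> — revisit when <condition>`. Both steps are pinned by tag only (`actions/checkout@v4`, `tenable/terrascan-action@v1.4.1`); pinning each `uses:` to a full commit SHA with the tag in a trailing comment ensures a moved tag cannot change what runs in CI. The `on:` key is read as a boolean by generic YAML 1.1 parsers; GitHub's loader handles it, so a `# yamllint disable-line rule:truthy` is enough if the repository lints its workflows.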
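Review bot: The AppArmor profile is set only via the `container.apparmor.security.beta.kubernetes.io/hivebox: runtime/default` annotation, which is the pre-1.30 form; Kubernetes 1.30 and later express the same setting as `appArmorProfile:` / `type: RuntimeDefault` in the pod `securityContext`, so adding that field next to `seccompProfile` (keeping the annotation for older clusters) records the intent in the schema rather than in metadata. `runAsNonRoot: true` and `runAsUser: 1000` appear at both pod and container scope; the container values take precedence, so the repetition is harmless but reads as accidental, and a comment such as `# repeated at container scope so scanners that only inspect containers see it` would mark it as deliberate. Whether UID 1000 is the user the image was built for is not visible in this hunk; worth confirming, since with `readOnlyRootFilesystem: true` a mismatch would surface only at runtime.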
@@ -29,3 +46,25 @@ spec:
 requests:
 memory: "256Mi"
 cpu: "250m"
+ livenessProbe:
+ httpGet:
+ path: /version
+ port: 5000
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /version
+ port: 5000
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 3
+ failureThreshold: 3
+ volumeMounts:
+ - name: tmp-volume
+ mountPath: /tmp
+ volumes:
+ - name: tmp-volume
+ emptyDir: {}
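Review bot: `emptyDir: {}` on the last line has no `sizeLimit`, and with `readOnlyRootFilesystem: true` `/tmp` is the container's only writable path, so writes there are bounded only by the node's ephemeral storage rather than by this pod; `emptyDir:` / `sizeLimit: 64Mi` (value to be sized for the application) caps it and lets the kubelet evict the pod instead of letting the node fill up. The liveness and readiness probes both call `/version` on port 5000; if that handler ever touches a downstream dependency, an outage of that dependency will restart the container via the liveness probe instead of merely marking it unready, so liveness is better pointed at a purely local check. If `/version` is already purely local, a comment above `livenessProbe:` saying so keeps a later change to the endpoint from silently breaking that assumption.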