url: https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda
# LetsEncrypt certificate authority
certificateAuthority:
cert: |
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
saml:
# Retrieve from {{ .Values.sso.url }}/protocol/saml/descriptor
metadata: <md:EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda"><md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4</ds:KeyName><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml/resolve" index="0"></md:ArtifactResolutionService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleLogoutService><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://keycloak.dev.bigbang.mil/auth/realms/baby-yoda/protocol/saml"></md:SingleSignOnService></md:IDPSSODescriptor></md:EntityDescriptor>
install:
remediation:
retries: 3
rollback:
cleanupOnFail: false
## Override cleanupOnFail on upgrade so resources from a failed upgrade are left in place and their artifacts can still be uploaded
upgrade:
cleanupOnFail: false
ingressGateways:
passthrough-ingressgateway:
type: "LoadBalancer"
gateways:
passthrough:
ingressGateway: "passthrough-ingressgateway"
hosts:
- "*.{{ .Values.domain }}"
tls:
mode: "PASSTHROUGH"
public:
tls:
key: "" # Gets added via chart/ingress-certs.yaml
cert: "" # Gets added via chart/ingress-certs.yaml
kiali:
dashboard:
auth:
strategy: "anonymous"
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_jaeger

hardened:
customAuthorizationPolicies:
- name: "allow-intranamespace-jaeger"
enabled: true
spec:
action: ALLOW
rules:
- from:
- source:
namespaces:
- jaeger
customServiceEntries:
- name: "cypress-service-entries-jaeger"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
- 'tracing.dev.bigbang.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
bbtests:
enabled: true
cypress:
envs:
cypress_url: "https://tracing.dev.bigbang.mil"
# Uncomment the following variables to run the Keycloak SSO test in Big Bang.
# NOTE(review): the password below is committed in plain text; treat it as a dev-realm test credential only and rotate it if this realm is ever reachable outside the dev cluster
# cypress_tnr_username: "cypress"
# cypress_tnr_password: "tnr_w!G33ZyAt@C8"
# cypress_keycloak_test_enable: "true"
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kiali
- name: "cypress-service-entries-kiali"
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
# The chart default strategy is "openid". To run the Keycloak SSO integration test, comment out this "anonymous" override or set strategy back to "openid".
bbtests:
enabled: true
cypress:
envs:
cypress_url: 'https://kiali.dev.bigbang.mil'
# Uncomment these next 3 lines if enabling the Keycloak SSO integration test.
# NOTE(review): the password below is committed in plain text; treat it as a dev-realm test credential only and rotate it if this realm is ever reachable outside the dev cluster
#cypress_keycloak_test_enable: "true"
#cypress_keycloak_username: "cypress"
#cypress_keycloak_password: "tnr_w!G33ZyAt@C8"
cpu: 3
memory: 4Gi
cpu: 3
memory: 4Gi
values:
resources:
requests:
cpu: 100m
limits: {}
bbtests:
enabled: true
cypress:
envs:
cypress_grafana_url: 'https://grafana.dev.bigbang.mil'
cypress_prometheus_url: 'https://prometheus.dev.bigbang.mil'
cypress_url: 'https://grafana.dev.bigbang.mil/d/YBgRZG6Mz/opa-violations?orgId=1'
istio:
hardened:
customServiceEntries:
- name: "cypress-service-entries-cluster-auditor"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
- 'grafana.dev.bigbang.mil'
- 'prometheus.dev.bigbang.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
controllerManager:
resources:
limits: {}
requests:
cpu: 100m
memory: 256Mi
allowedCapabilities:
parameters:
excludedResources:
# Allows k3d load balancer containers to not drop capabilities
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
parameters:
excludedResources:
# Allows k3d load balancer containers to pull from public repos
- istio-system/lb-port-.*
# Allow argocd to deploy a test app in its cypress test
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedHostFilesystem:
parameters:
excludedResources:
- cluster-auditor/cluster-auditor-cypress-test
- fortify/fortify-cypress-test
- fortify/fortify-ssc-cypress-test
- gitlab/gitlab-cypress-test
- gitlab/gitlab-runner-cypress-test
- gitlab-runner/gitlab-runner-cypress-test
- harbor/harbor-cypress-test
- keycloak/keycloak-cypress-test
- kyverno-reporter/kyverno-reporter-cypress-test
- logging/elasticsearch-kibana-cypress-test
- logging/loki-cypress-test
- mattermost/mattermost-cypress-test
- minio/minio-instance-cypress-test
- minio-operator/minio-operator-cypress-test
- monitoring/grafana-cypress-test
- monitoring/monitoring-cypress-test
- neuvector/neuvector-cypress-test
- nexus-repository-manager/nexus-repository-manager-cypress-test
- sonarqube/sonarqube-cypress-test
- tempo/tempo-cypress-test
- thanos/thanos-cypress-test
- twistlock/twistlock-cypress-test
- vault/vault-cypress-test
# Allow kyverno test vectors for Helm test
- default/restrict-host-path-mount-.?
- default/restrict-host-path-write-.?
- default/restrict-volume-types-.?
allowedIPs:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/restrict-external-ips-.?
allowedSecCompProfiles:
parameters:
excludedResources:
# Allows k3d load balancer containers to run with an undefined seccomp profile
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
allowedUsers:
parameters:
excludedResources:
# Allows k3d load balancer containers to run as any user/group
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
bannedImageTags:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
containerRatio:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined limits/requests
- istio-system/lb-port-.*
parameters:
excludedResources:
# Allows k3d load balancer containers to mount host ports
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noBigContainers:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined limits/requests
- istio-system/lb-port-.*
noHostNamespace:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/disallow-host-namespaces-.?
noPrivilegedContainers:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noPrivilegedEscalation:
parameters:
excludedResources:
# Allows k3d load balancer containers to have undefined security context
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
noSysctls:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/restrict-sysctls-.?
readOnlyRoot:
parameters:
excludedResources:
# Allows k3d load balancer containers to mount filesystems read/write
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
requiredLabels:
parameters:
excludedResources:
# Allows k3d load balancer pods to not have required labels
- istio-system/svclb-.*
# Allow kyverno test vectors for Helm test
- default/require-labels-.?
requiredProbes:
parameters:
excludedResources:
# Allows k3d load balancer containers to not have readiness/liveness probes
- istio-system/lb-port-.*
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
restrictedTaint:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/disallow-tolerations-.?
selinuxPolicy:
parameters:
excludedResources:
# Allow kyverno test vectors for Helm test
- default/c.?
- default/i.?
- default/disallow-selinux-options-.?
- default/restrict-selinux-type-.?
volumeTypes:
parameters:
excludedResources:
- cluster-auditor/cluster-auditor-cypress-test
- gitlab/gitlab-cypress-test
- gitlab/gitlab-runner-cypress-test
- gitlab-runner/gitlab-runner-cypress-test
- harbor/harbor-cypress-test
- keycloak/keycloak-cypress-test
- kyverno-reporter/kyverno-reporter-cypress-test
- logging/elasticsearch-kibana-cypress-test
- logging/loki-cypress-test
- mattermost/mattermost-cypress-test
- minio/minio-instance-cypress-test
- minio-operator/minio-operator-cypress-test
- monitoring/grafana-cypress-test
- monitoring/monitoring-cypress-test
- neuvector/neuvector-cypress-test
- nexus-repository-manager/nexus-repository-manager-cypress-test
- sonarqube/sonarqube-cypress-test
- tempo/tempo-cypress-test
- thanos/thanos-cypress-test
- twistlock/twistlock-cypress-test
- vault/vault-cypress-test
# Allow kyverno test vectors for Helm test
- default/restrict-host-path-mount-.?
- default/restrict-host-path-write-.?
- default/restrict-volume-types-.?
networkPolicies:
externalRegistries:
allowEgress: true
admissionController:
container:
extraArgs:
webhookTimeout: 30
resources:
limits:
cpu: 1
memory: 768Mi
requests:
cpu: 1
memory: 768Mi
cypress_grafana_url: https://grafana.dev.bigbang.mil
cypress_prometheus_url: https://prometheus.dev.bigbang.mil
resources:
requests:
cpu: 2
memory: 3Gi
limits:
cpu: 2
memory: 3Gi
istio:
hardened:
customServiceEntries:
- name: "cypress-service-entries-kyvernoreporter"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
location: MESH_EXTERNAL
exportTo:
- "."
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
values:
bbtests:
enabled: true
excludeContainers:
- not-me
- or-me
exclude:
any:
# Allows k3d load balancer to bypass policies.
- resources:
namespaces:
- istio-system
names:
- svclb-*
# Exclude gatekeeper test resources so Helm tests will work
- resources:
namespaces:
- default
names:
- bad-test*
- good-test*
# Parameters are copied from kyverno policies for test vectors
# Exclusions are for allowing other helm tests to function
policies:
clone-configs:
parameters:
clone:
- name: clone-configs-1
kind: ConfigMap
namespace: "{{ .Release.Namespace }}"
- name: clone-configs-2
kind: Secret
namespace: "{{ .Release.Namespace }}"
disallow-annotations:
parameters:
disallow:
- 'kyverno-policies-bbtest/test: disallowed'
- kyverno-policies-bbtest/disallowed
disallow-labels:
parameters:
disallow:
- 'kyverno-policies-bbtest/test: disallowed'
- kyverno-policies-bbtest/disallowed
disallow-tolerations:
parameters:
disallow:
- effect: NoSchedule
key: notallowed
value: 'false'
- effect: '*NoSchedule'
key: disa??owed
value: 'true'
require-annotations:
parameters:
require:
- 'kyverno-policies-bbtest/test: required'
- kyverno-policies-bbtest/required
require-image-signature:
# Set to Audit (report violations, do not block) for now -- having signature issues with registry1.dso.mil/ironbank/bitnami/redis:7.0.0-debian-10-r3.
# NOTE(review): while in Audit mode, images that fail signature verification are still admitted; revert to enforcing once the redis signature issue is resolved
validationFailureAction: Audit
parameters:
require:
- imageReferences:
- "ghcr.io/kyverno/test-verify-image:*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
-----END PUBLIC KEY-----
# Skip the Rekor transparency-log check; verification then rests solely on the static public key above
rekor:
ignoreTlog: true
url: ""
mutateDigest: false
- imageReferences:
- "registry1.dso.mil/ironbank/*"
attestors:
- count: 1
entries:
- keys:
publicKeys: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7CjMGH005DFFz6mffqTIGurBt6fL
UfTZxuEDFRBS8mFJx1xw8DEVvjMibLTtqmAoJxUmzmGFgzz+LV875syVEg==
-----END PUBLIC KEY-----
# Skip the Rekor transparency-log check; verification then rests solely on the static public key above
rekor:
ignoreTlog: true
url: ""
# Ironbank images are rebuilt nightly and tags are not immutable, so digests are neither written into the spec nor required;
# a verified tag can later resolve to a different image than the one checked at admission time
mutateDigest: false
verifyDigest: false
require-labels:
parameters:
require:
- 'kyverno-policies-bbtest/test: required'
- kyverno-policies-bbtest/required
restrict-external-ips:
parameters:
allow:
- 192.168.0.1
restrict-external-names:
parameters:
allow:
- allowed
restrict-host-path-mount:
exclude:
any:
- resources:
namespaces:
- mattermost
- nexus-repository-manager
- vault
- tempo
names:
- "*-cypress-test*"
parameters:
allow:
- /tmp/allowed
restrict-host-path-mount-pv:
parameters:
allow:
- /tmp/allowed
- /var/lib/rancher/k3s/storage/pvc-*
restrict-host-path-write:
exclude:
any:
- resources:
namespaces:
- mattermost
- nexus-repository-manager
- vault
- tempo
names:
- "*-cypress-test*"
- resources:
namespaces:
- neuvector
names:
- "neuvector-enforcer-*"
- "neuvector-manager-*"
parameters:
allow:
- /tmp/allowed
restrict-host-ports:
parameters:
allow:
- '63999'
- '>= 64000 & < 65000'
- '> 65000'
restrict-volume-types:
exclude:
any:
- resources:
namespaces:
- mattermost
- nexus-repository-manager
- vault
- tempo
names:
- "*-cypress-test*"
update-image-registry:
parameters:
update:
- from: replace.image.registry
to: registry1.dso.mil
require-drop-all-capabilities:
exclude:
any:
# Twistlock Defenders run as root to perform real-time scanning on the nodes/cluster
- resources:
namespaces:
- twistlock
names:
- twistlock-defender-ds*
# Neuvector needs access to host to inspect network traffic
- resources:
namespaces:
- neuvector
names:
- neuvector-enforcer-pod*
- neuvector-controller-pod*
- neuvector-prometheus-exporter-pod*
- resources:
namespaces:
- argocd
names:
- guestbook-ui-*
require-non-root-group:
exclude:
any:
- resources:
namespaces:
- fortify
names:
- fortify-mysql-* # mysql breaks if you give it a different group
- resources:
namespaces:
- metallb-system
names:
- speaker-*
- controller-*
- resources:
namespaces:
- velero
names:
- resources:
namespaces:
- alloy
names:
- alloy-config-validator*
- alloy-config-analysis*
- alloy-test*
require-non-root-user:
exclude:
any:
- resources:
namespaces:
- metallb-system
names:
- speaker-*
- resources:
namespaces:
- argocd
names:
- resources:
namespaces:
- velero
names:
- resources:
namespaces:
- twistlock
names:
- volume-upgrade-job*
- resources:
namespaces:
- alloy
names:
- alloy-config-validator*
- alloy-config-analysis*
- alloy-test*
require-non-root-user:
disallow-namespaces:
parameters:
disallow:
- bigbang
eckOperator:
# -- Toggle deployment of ECK Operator.
enabled: false
values:
istio:
hardened:
customServiceEntries:
- name: "cypress-service-entries-eckoperator"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_kibana
- name: "cypress-service-entries-elasticsearchkibana"

- 'kibana.dev.bigbang.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
elasticsearch:
master:
count: 1
persistence:
size: 256Mi
resources:
requests:
cpu: .5
limits: {}
heap:
min: 1g
max: 1g
data:
count: 2
persistence:
size: 256Mi
resources:
requests:
cpu: .5
limits: {}
heap:
min: 1g
max: 1g
kibana:
count: 1
bbtests:
enabled: true
cypress:
envs:
cypress_kibana_url: "https://kibana.dev.bigbang.mil"
resources:
requests:
cpu: "2"
memory: "4Gi"
limits:
cpu: "2"
memory: "4Gi"
- name: "cypress-service-entries-fluentbit"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
securityContext:
privileged: true
bbtests:
enabled: true
- name: "cypress-service-entries-loki"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'
- 'cdn.cypress.io'
- 'repo1.dso.mil'

- 'grafana.dev.bigbang.mil'
- 'clientservices.googleapis.com'
- 'accounts.google.com'
- 'redirector.gvt1.com'
- 'content-autofill.googleapis.com'
- 'safebrowsing.googleapis.com'
location: MESH_EXTERNAL
ports:
- number: 443
protocol: TLS
name: https
resolution: DNS
minio:
enabled: true
write:
persistence:
size: 2Gi
resources:
limits:
persistence:
size: 2Gi
resources:
limits:
persistence:
size: 2Gi
resources:
limits:
bbtests:
enabled: true
cypress:
envs:
cypress_check_datasource: 'true'
cypress_grafana_url: 'https://grafana.dev.bigbang.mil'
scripts:
envs:
LOKI_URL: 'http://logging-loki-write.logging.svc:3100'
sso:
enabled: false
client_id: dev_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_tempo
values:
istio:
tempoQuery:
hosts:
- "tempo.{{ .Values.domain }}"

enabled: true
hardened:
customServiceEntries:
- name: "cypress-service-entries-tempo"
enabled: true
spec:
hosts:
- 'registry.npmjs.org'
- 'download.cypress.io'