Merge branch '1237-integrate-neuvector-with-bb-as-a-core-package' into 'master'

Resolve "Integrate Neuvector with BB as a core package"

Closes #1237

See merge request platform-one/big-bang/bigbang!2233

chart/templates/gatekeeper/values.yaml

@@ -43,7 +43,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         - registry1.dso.mil
         - registry.dso.mil
 
-  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic)}}
+  {{- if or .Values.monitoring.enabled .Values.fluentbit.enabled .Values.twistlock.enabled .Values.promtail.enabled .Values.neuvector.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic)}}
   allowedHostFilesystem:
     parameters:
       excludedResources:
@@ -55,6 +55,10 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       # Fluentbit pods need access to host to get log files
       - logging/logging-fluent-bit-.*
       {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      - neuvector/neuvector-enforcer-pod.*
+      - neuvector/neuvector-controller-pod.*
+      {{- end }}
       {{- if .Values.twistlock.enabled }}
       - twistlock/twistlock-defender-ds-.*
       {{- end }}
@@ -69,6 +73,13 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       {{- end }}
   {{- end }}
 
+  {{- if .Values.neuvector.enabled }}
+  bannedImageTags:
+    parameters:
+      excludedResources:
+        - neuvector/neuvector-scanner-pod.*
+  {{- end }}
+
   {{- if .Values.twistlock.enabled }}
   hostNetworking:
     parameters:
@@ -78,10 +89,18 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         # not be able to self monitor. If both Istio sidecar injection and TL monitoring are disabled, a security gap will
         # be created for network monitoring in Twistlock, so it is  important to make sure at least one is enabled.
         - twistlock/twistlock-defender-ds-.*
+  {{- end }}
+  
+  {{- if or .Values.twistlock.enabled .Values.neuvector.enabled }}
   noHostNamespace:
     parameters:
       excludedResources:
+        {{- if .Values.twistlock.enabled }}
         - twistlock/twistlock-defender-ds-.*
+        {{- end }}
+        {{- if .Values.neuvector.enabled }}
+        - neuvector/neuvector-enforcer-pod.*
+        {{- end }}
   {{- end }}
 
   imageDigest:
@@ -90,12 +109,16 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
   namespacesHaveIstio:
     enabled: {{ .Values.istio.enabled }}
 
-  {{- if .Values.fluentbit.enabled }}
+  {{- if or .Values.fluentbit.enabled .Values.neuvector.enabled }}
   noPrivilegedContainers:
     parameters:
       excludedResources:
         # Fluentbit needs privileged to read and store the buffer for tailing logs from the nodes
         - logging/fluent-bit
+        {{- if .Values.neuvector.enabled }}
+        - neuvector/neuvector-enforcer-pod.*
+        - neuvector/neuvector-controller-pod.*
+        {{- end }}
   {{- end }}
 
   podsHaveIstio:
@@ -137,7 +160,7 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
       {{- end }}
   {{- end }}
 
-  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic) }}
+  {{- if or .Values.fluentbit.enabled .Values.twistlock.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.neuvector.enabled (and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic) }}
   volumeTypes:
     parameters:
       excludedResources:
@@ -161,6 +184,12 @@ violations:  # Try to keep this in alpha order to make it easier to find keys
         # https://github.com/grafana/helm-charts/blob/main/charts/promtail/templates/daemonset.yaml#L120
         - logging/logging-promtail-.*
        {{- end }}
+       {{- if .Values.neuvector.enabled }}
+        # Neuvecotr requires hostpath volume types
+        # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
+        - neuvector/neuvector-enforcer-pod.*
+        - neuvector/neuvector-controller-pod.*
+       {{- end }}
        {{- if and .Values.addons.velero.enabled .Values.addons.velero.values.deployRestic }}
         # Restic requires hostpath volume mounts in order to facilitate backing up cluster PV/C resources
         - velero/restic-.*

chart/templates/kyverno/policies/values.yaml

@@ -14,7 +14,7 @@ waitforready:
 
 policies:
 
-  {{- if .Values.twistlock.enabled }}
+  {{- if or .Values.twistlock.enabled .Values.neuvector.enabled }}
   disallow-host-namespaces:
     exclude:
       any:
@@ -28,7 +28,14 @@ policies:
           - twistlock
           names:
           - twistlock-defender-ds*
-        {{- end }}
+      {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod*
+      {{- end }}
   {{- end }}
 
   {{- $nodePortIngressGateways := list }}
@@ -62,7 +69,17 @@ policies:
     {{- end }}
 
   disallow-image-tags:
+    enabled: true
     validationFailureAction: enforce
+    {{- if .Values.neuvector.enabled }}
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-scanner-pod*
+    {{- end }}
 
   disallow-istio-injection-bypass:
     enabled: {{ .Values.istio.enabled }}
@@ -80,7 +97,7 @@ policies:
       - bigbang
       - default
 
-  {{- if .Values.fluentbit.enabled }}
+  {{- if or .Values.fluentbit.enabled .Values.neuvector.enabled}}
   disallow-privileged-containers:
     exclude:
       any:
@@ -93,6 +110,14 @@ policies:
           names:
           - logging-fluent-bit*
       {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod*
+          - neuvector-controller-pod*
+      {{- end }}
   {{- end }}
 
 {{- if or (.Values.addons.gitlab.enabled) (and (dig "console" "localVolumeUpgrade" false .Values.twistlock.values) (.Release.IsUpgrade)) }}
@@ -396,7 +421,7 @@ policies:
 
   restrict-host-path-mount:
     validationFailureAction: enforce
-    {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled $deployRestic }}
+    {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployRestic }}
     exclude:
       any:
       {{- if or .Values.fluentbit.enabled .Values.promtail.enabled }}
@@ -454,6 +479,14 @@ policies:
           names:
           - twistlock-defender-ds*
       {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      - resources:
+          namespaces:
+          - neuvector
+          names: 
+          - neuvector-enforcer-pod*
+          - neuvector-controller-pod*
+      {{- end }}
       {{- if $deployRestic }}
       # Velero.  The restic backup tool requires root user access to the host's runtime pod directory which is
       # mounted inside velero/restic pods.  Since the host's pod runtime directory may expose sensitive information, 
@@ -474,7 +507,7 @@ policies:
 
   restrict-host-path-write:
     validationFailureAction: enforce
-    {{- if .Values.twistlock.enabled }}
+    {{- if or .Values.neuvector.enabled .Values.twistlock.enabled }}
     exclude:
       any:
       # NEEDS FURTHER JUSTIFICATION
@@ -486,11 +519,20 @@ policies:
       # - `/var/log/audit`: Audit logs
       # Because the mounts are dynamically created for defenders at runtime, we cannot
       # anticipate all of the paths it may mount and must exclude it from the policy
+      {{- if .Values.twistlock.enabled }}
       - resources:
           namespaces:
           - twistlock
           names:
           - twistlock-defender-ds*
+      {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-controller-pod*
+      {{- end }}
     {{- end }}
     {{- if or .Values.fluentbit.enabled .Values.promtail.enabled }}
     parameters:
@@ -562,7 +604,7 @@ policies:
       {{- end }}
   {{- end }}
 
-  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled $deployRestic }}
+  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.promtail.enabled .Values.twistlock.enabled .Values.neuvector.enabled $deployRestic }}
   restrict-volume-types:
     exclude:
       any:
@@ -600,6 +642,16 @@ policies:
           names:
           - twistlock-defender-ds*
       {{- end }}
+      {{- if .Values.neuvector.enabled }}
+      # Neuvector requires HostPath volume types
+      # https://github.com/neuvector/neuvector-helm/blob/master/charts/core/templates/enforcer-daemonset.yaml#L108
+      - resources:
+          namespaces:
+          - neuvector
+          names:
+          - neuvector-enforcer-pod*
+          - neuvector-controller-pod*
+      {{- end }}
       {{- if $deployRestic }}
       # Velero.  The restic backup tool requires root user access to the host's runtime pod directory which is
       # mounted inside velero/restic pods.

chart/templates/neuvector/gitrepository.yaml

+{{- if and (not .Values.offline) .Values.neuvector.enabled }}
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+  name: neuvector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: neuvector
+    app.kubernetes.io/component: "core"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  interval: {{ .Values.flux.interval }}
+  url: {{ .Values.neuvector.git.repo }}
+  ref:
+    {{- include "validRef" .Values.neuvector.git | nindent 4 }}
+  {{ include "gitIgnore" . }}
+  {{- include "gitCreds" . | nindent 2 }}
+{{- end }}
\ No newline at end of file

chart/templates/neuvector/helmrelease.yaml

+{{- $fluxSettingsNeuvector := merge .Values.neuvector.flux .Values.flux -}}
+{{- if .Values.neuvector.enabled }}
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: neuvector
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: neuvector
+    app.kubernetes.io/component: "sandbox"
+    {{- include "commonLabels" . | nindent 4}}
+spec:
+  targetNamespace: neuvector
+  chart:
+    spec:
+      chart: {{ .Values.neuvector.git.path }}
+      interval: 5m
+      sourceRef:
+        kind: GitRepository
+        name: neuvector
+        namespace: {{ .Release.Namespace }}
+
+  {{- toYaml $fluxSettingsNeuvector | nindent 2 }}
+
+  {{- if .Values.neuvector.postRenderers }}
+  postRenderers:
+  {{ toYaml .Values.neuvector.postRenderers | nindent 4 }}
+  {{- end }}
+  valuesFrom:
+    - name: {{ .Release.Name }}-neuvector-values
+      kind: Secret
+      valuesKey: "common"
+    - name: {{ .Release.Name }}-neuvector-values
+      kind: Secret
+      valuesKey: "defaults"
+    - name: {{ .Release.Name }}-neuvector-values
+      kind: Secret
+      valuesKey: "overlays"
+
+  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernopolicies.enabled .Values.monitoring.enabled }}
+  dependsOn:
+    {{- if .Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.kyvernopolicies.enabled }}
+    - name: kyvernopolicies
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+  {{- end }}
+{{- end }}

chart/templates/neuvector/imagepullsecret.yaml

+{{- if .Values.neuvector.enabled }}
+{{- if ( include "imagePullSecret" . ) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-registry
+  namespace: neuvector
+  labels:
+    app.kubernetes.io/name: neuvector
+    app.kubernetes.io/component: "sandbox"
+    {{- include "commonLabels" . | nindent 4}}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" . }}
+{{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/neuvector/namespace.yaml

+{{- if .Values.neuvector.enabled }}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: neuvector
+  labels:
+    app.kubernetes.io/name: neuvector
+    app.kubernetes.io/component: "sandbox"
+    {{- include "commonLabels" . | nindent 4}}
+    {{- if .Values.istio.enabled }}
+    istio-injection: "disabled"
+    {{- end }}
+{{- end }}
\ No newline at end of file

chart/templates/neuvector/values.yaml

+{{- define "bigbang.defaults.neuvector" -}}
+# hostname is deprecated and replaced with domain. But if hostname exists then use it.
+domain: {{ default .Values.domain .Values.hostname }}
+istio:
+  enabled: {{ .Values.istio.enabled }}
+  neuvector:
+    gateways:
+    - istio-system/{{ default "public" .Values.neuvector.ingress.gateway }}
+monitoring:
+  enabled: {{ .Values.monitoring.enabled }}
+manager:
+  env:
+    ssl: false
+{{- end }}
+
+{{- /* Create secret */ -}}
+{{- if .Values.neuvector.enabled }}
+{{- include "values-secret" (dict "root" $ "package" .Values.neuvector "name" "neuvector" "defaults" (include "bigbang.defaults.neuvector" .)) }}
+{{- end }}

chart/values.yaml

@@ -568,6 +568,31 @@ loki:
 
 # ----------------------------------------------------------------------------------------------------------------------
 
+neuvector:
+   # -- Toggle deployment of Tempo.
+  enabled: false
+  git:
+    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
+    path: "./chart"
+    tag: "2.2.2-bb.1"
+
+  # -- Redirect the package ingress to a specific Istio Gateway (listed in `istio.gateways`).  The default is "public".
+  ingress:
+    gateway: ""
+
+  # -- Flux reconciliation overrides specifically for the Neuvector Package
+  flux: {}
+
+  # -- Values to passthrough to the Neuvector chart: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/neuvector.git
+  values: {}
+
+  # -- Post Renderers.  See docs/postrenders.md
+  postRenderers: []
+
+# ----------------------------------------------------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------------------------------------------------
+
 tempo:
   # -- Toggle deployment of Tempo.
   enabled: false

docs/understanding-bigbang/package-architecture/neuvector.md

+# Neuvector
+
+## Overview
+
+[NeuVector](https://neuvector.com/) is an open-source, full lifecycle container security platform. This includes vulnerability scanning (both in pipelines and in live production clusters), network visibility, compliance tracking and much more. [NeuVector core helm chart](https://github.com/neuvector/neuvector-helm/tree/master/charts/core)
+
+[NeuVector Architecture](https://open-docs.neuvector.com/basics/overview#architecture)
+
+## Big Bang Touchpoints
+
+### UI
+
+The Neuvector UI runs on the manager, a simple pod that providesis the primary way of accessing and managing Neuvector. The UI is accessible via a web application on the cluster at the DNS name "neuvector" (e.g. neuvector.bigbang.dev/). UI access is exposed through the Istio Virtual Service. For more information, see [Using the Neuvector UI](https://open-docs.neuvector.com/navigation/navigation).
+
+### Dependency Packages
+
+When deploying BigBang, neuvector depends on monitoring, gatekeeper/kyverno, and istio being installed prior.
+
+```yaml
+  {{- if or .Values.gatekeeper.enabled .Values.istio.enabled .Values.kyvernopolicies.enabled .Values.monitoring.enabled }}
+  dependsOn:
+    {{- if .Values.gatekeeper.enabled }}
+    - name: gatekeeper
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.istio.enabled }}
+    - name: istio
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.kyvernopolicies.enabled }}
+    - name: kyvernopolicies
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+    {{- if .Values.monitoring.enabled }}
+    - name: monitoring
+      namespace: {{ .Release.Namespace }}
+    {{- end }}
+  {{- end }}
+```
+
+

tests/test-values.yaml

@@ -173,6 +173,7 @@ gatekeeper:
           - tempo/tempo-cypress-test
           - argocd/argo-cd-cypress-test
           - minio/minio-instance-cypress-test
+          - neuvector/neuvector-cypress-test
           # Allow kyverno test vectors for Helm test
           - default/restrict-host-path-mount-.?
           - default/restrict-host-path-write-.?
@@ -275,6 +276,7 @@ gatekeeper:
           - tempo/tempo-cypress-test
           - argocd/argo-cd-cypress-test
           - minio/minio-instance-cypress-test
+          - neuvector/neuvector-cypress-test
           # Allow kyverno test vectors for Helm test
           - default/restrict-host-path-mount-.?
           - default/restrict-host-path-write-.?
@@ -401,6 +403,7 @@ kyvernopolicies:
               - tempo
               - argocd
               - minio
+              - neuvector
               names:
               - "*-cypress-test*"
         parameters:
@@ -432,6 +435,7 @@ kyvernopolicies:
               - tempo
               - argocd
               - minio
+              - neuvector
               names:
               - "*-cypress-test*"
         parameters:
@@ -473,6 +477,7 @@ kyvernopolicies:
               - tempo
               - argocd
               - minio
+              - neuvector
               names:
               - "*-cypress-test*"
       update-image-pull-policy:
@@ -723,6 +728,18 @@ monitoring:
           cypress_alertmanager_url: 'https://alertmanager.bigbang.dev'
           cypress_check_istio_dashboards: 'true'
 
+neuvector:
+  enabled: false
+  values:
+    k3s:
+      enabled: true
+    bbtests:
+      enabled: true
+      cypress:
+        artifacts: true
+        envs:
+          cypress_url: https://neuvector.bigbang.dev
+
 twistlock:
   enabled: true
   sso: