UNCLASSIFIED

Commit 7a81ef6a authored by Andy Maksymowicz

Merge branch 'development' into 'master'

Development

See merge request !19
parents 5864302d 3a4ec132
Pipeline #465615 passed with stages in 10 minutes and 17 seconds
......@@ -17,6 +17,13 @@ If you need to contact the Container Hardening team, please identify your assign
If you have no assignee, feel free to tag Container Hardening leadership in your issue by commenting on this issue with your questions/concerns and then add `/cc @ironbank-notifications/leadership`. Gitlab will automatically notify all Container Hardening leadership to look at this issue and respond.
## Get Unstuck/AMA:
Iron Bank Get Unstuck/AMA Working Sessions every Wednesday from 1630-1730EST.
Need some help with your containers getting through Iron Bank? Have questions on where things are at? Are you feeling stuck and want to figure out the next steps? This is the meeting for you! Come meet with the Iron Bank leadership and engineers to get answers to your questions.
Register in advance for this meeting: https://www.zoomgov.com/meeting/register/vJIsf-ytpz8qHSN_JW8Hl9Qf0AZZXSCSmfo
After registering, you will receive a confirmation email containing information about joining the meeting.
If you have any questions, please come to our Get Unstuck/AMA sessions. There we will have the right combination of business folks and engineers to get your questions answered.
## Responsibilities
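Review bot: In the new "Get Unstuck/AMA" section, the closing sentence ("If you have any questions, please come to our Get Unstuck/AMA sessions.") repeats the invitation already made in the paragraph that begins "Need some help with your containers", so one of the two can be dropped. The time is written `1630-1730EST` with no space and a fixed EST label, which is ambiguous while daylight saving time is in effect; `1630-1730 ET` would avoid that. The heading also ends in a colon (`## Get Unstuck/AMA:`), while `## Responsibilities` directly below does not.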
......@@ -25,28 +32,140 @@ If this application is owned by a Contributor or Vendor (identifed as `Owner::Co
## Definition of Done
Hardening:
- [ ] Hardening manifest is created and adheres to the schema (https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json)
- [ ] Container builds successfully through the Gitlab CI pipeline
- [ ] Branch has been merged into `development`
- [ ] Project is configured for automatic renovate updates (if possible)
Justifications:
- [ ] All findings have been justified per the above documentation
This checklist is meant to provide a high level overview of the process and steps for getting your container(s) onto Iron Bank.
- [ ] Create a Repo1 account (https://repo1.dso.mil/users/sign_in) to get access to the public repository of containers. You can register by clicking on the 'Sign in with Iron Bank SSO' button in the sign-in page, followed by the Register button
- [ ] Fill out the onboarding form: https://p1.dso.mil/#/products/iron-bank/getting-started
- [ ] Attend our once weekly onboarding session where you can ask questions. [Register here](https://www.zoomgov.com/meeting/register/vJIsce6rpzkqGq9hHHRscNfGENYqvRL1s10%E2%81%A9).
- [ ] Your Onboarding form will be processed by the Iron Bank team, who will then assign it a priority level and create your repository. You will receive an email that your Gitlab issue has been created and is ready for you to complete the hardening process
- [ ] Ensure that all POCs are assigned to the issue to ensure proper tracking and notifications
## Hardening Process
### Repository Requirements
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/structure_requirements.md)
- [ ] A Dockerfile has been created in the root of the repository
- [ ] Hardening_manifest.yaml has been created in the root of the repository
- [ ] The project has a LICENSE or a copy of the EULA
- [ ] The project has a README in the root of the repository with sufficient instructions on using the Iron Bank version of the image
- [ ] If your container is an enterprise/commercial container, the opensource version is ready
- [ ] Scripts used in the Dockerfile are placed into a `scripts` directory
- [ ] Configuration files are placed into a `config` directory
- [ ] Project is [configured for automatic renovate updates](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Renovate.md) (if possible)
- [ ] Renovate.json is present in root of repository
- [ ] Reviewers have been specified for notifications on new merge requests
### Dockerfile Requirements
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md)
- [ ] There is one Dockerfile named Dockerfile
- [ ] The Dockerfile has the BASE_REGISTRY, BASE_IMAGE, and BASE_TAG arguments (used for local builds; the values in hardening_manifest.yaml are what will be used in the Container Hardening Pipeline)
- [ ] The Dockerfile is [based on a hardened Iron Bank image](https://repo1.dso.mil/dsop/dccscr/-/blob/master/Hardening/Dockerfile_Requirements.md#requirements)
- [ ] The Dockerfile includes a HEALTHCHECK (required if it is an application container)
- [ ] The Dockerfile starts the container as a non-root USER. Otherwise, if you must run as root, you must have proper justification.
- [ ] If your ENTRYPOINT entails using a script, the script is copied from a scripts directory on the project root
- [ ] No ADD instructions are used in the Dockerfile
## Hardening Manifest
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/hardening%20manifest)
- [ ] Begin with this example and update with relevant information: https://repo1.dso.mil/dsop/dccscr/-/blob/master/hardening%20manifest/hardening_manifest.yaml
- [ ] Hardening manifest adheres to the following schema: https://repo1.dsop.io/ironbank-tools/ironbank-pipeline/-/blob/master/schema/hardening_manifest.schema.json
- [ ] The BASE_IMAGE and BASE_TAG arguments refer to a hardened/approved Iron Bank image (BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline)
- [ ] Relevant image metadata has been entered for the corresponding labels
- [ ] Any downloaded resources include a checksum for verification (letters must be lowercase)
- [ ] For resource URLs that require authentication, credentials have been provided to an Iron Bank team member
- [ ] The maintainers' contact information has been provided in the `maintainers` section
## Gitlab CI Pipeline
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pipeline)
- [ ] Validate your container builds successfully through the Gitlab CI pipeline. When viewing the repository in repo1.dso.mil, go to `CI/CD > Pipelines` on the left. From there, you can see the status of your pipelines.
- [ ] Review scan output from `csv output` stage of the pipeline. For instructions on downloading the findings spreadsheet, click [here](https://repo1.dso.mil/dsop/dccscr/-/blob/master/pre-approval/spreadsheet.md)
- [ ] Fix vulnerabilities that were found and run the pipeline again before requesting a merge to the development branch
## Pre-Approval:
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/pre-approval)
- [ ] Submit a Merge Request to the development branch
- [ ] Feature branch has been merged into development
- [ ] All findings from the development branch pipeline have been justified per the above documentation
- [ ] Justifications have been attached to this issue
- [ ] Apply the label `Approval` to indicate this container is ready for the approval phase
Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over.
- [ ] Apply the `Approval` label and remove the `Doing` label to indicate this container is ready for the approval phase
_Note: The justifications must be provided in a timely fashion. Failure to do so could result in new findings being identified which may start this process over._
## Approval Process (Container Hardening Team processes):
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/approval)
Approval Process (Container Hardening Team processes):
- [ ] Peer review from Container Hardening Team
- [ ] Findings Approver has reviewed and approved all justifications
- [ ] Approval request has been sent to Authorizing Official
- [ ] Approval request has been processed by Authorizing Official
Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label.
One of the following statuses is assigned:
- [ ] Conditional approval has been granted by the Authorizing Official for this container (`Approval::Expiring` label is applied)
- [ ] This container has been approved by the Authorizing Official (`Approved` label is applied)
_Note: If the above approval process is kicked back for any reason, the `Approval` label will be removed and the issue will be sent back to `Open`. Any comments will be listed in this issue for you to address. Once they have been addressed, you may re-add the `Approval` label._
## Post-Approval
[Full documentation](https://repo1.dso.mil/dsop/dccscr/-/tree/master/post%20approval)
- [ ] Your issue has been closed
- [ ] Your project has been merged into master
- [ ] Master branch pipeline has completed successfully (at this point, the image is made available on `ironbank.dso.mil` and `registry1.dso.mil` )
_Note: Now that your application has been approved, your container(s) will be subjected to continuous monitoring. If new CVEs are discovered or bugs are identified, you will need to address the issues and return to step 5 (Gitlab CI Pipeline). As you make changes, please make sure you are adhering to all of the requirements of the hardening process._
## Post Approval
### Continuous Monitoring
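Review bot: The registration link on the weekly onboarding session item ends in `%E2%81%A9`, a percent-encoded U+2069 directional formatting character that appears to have been pasted in with the URL; it should be removed so the link carries only the meeting ID. The two hardening manifest schema links point at `repo1.dsop.io`, while every other repository link in this hunk uses `repo1.dso.mil`; please settle on one host so readers are not sent to a stale domain. The post-approval note tells the reader to "return to step 5 (Gitlab CI Pipeline)", but the sections are not numbered, so the reference should name the section only. `Hardening_manifest.yaml` and `Renovate.json` in the repository requirements are also capitalized differently from the `hardening_manifest.yaml` spelling used under Dockerfile Requirements.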
......
# These three ARGs must point to an Iron Bank image - the BASE_REGISTRY should always be what is written below; please use \
# '--build-arg' when building locally to replace these values
# If your container is not based on either the ubi7/ubi8 Iron Bank images, then it should be based on a different Iron Bank image
# Note that you will not be able to pull containers from nexus-docker-secure.levelup-dev.io into your local dev machine
ARG BASE_REGISTRY=registry1.dsop.io
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8-minimal
ARG BASE_TAG=8.4
# FROM statement must reference the base image using the three ARGs established
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
ENV REQIRED_PACKAGES="shadow-utils libsemanage"
RUN microdnf update -y --setopt=install_weak_deps=0 --nodocs \
&& microdnf --setopt=tsflags=nodocs install $REQIRED_PACKAGES \
&& useradd sysdig -u 1000 \
&& microdnf remove $REQIRED_PACKAGES \
&& microdnf clean all \
&& rm -rf /var/cache/yum
ARG BINARY="webhook-v3.2.0"
COPY ${BINARY} /bin/webhook
EXPOSE 5000
HEALTHCHECK --start-period=30s CMD curl -f 127.0.0.1:5000 || exit 1
USER 1000
ENTRYPOINT ["/bin/webhook"]
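Review bot: `ARG BASE_REGISTRY=registry1.dsop.io` does not match the README checklist in this same commit, which states that BASE_REGISTRY defaults to `registry1.dso.mil/ironbank` in the pipeline, and the comment block above it still refers to `nexus-docker-secure.levelup-dev.io`. Since the comment says the value "should always be what is written below", the default and the comment should both name the current registry. `REQIRED_PACKAGES` is misspelled (consistently, so the build works) and is set with ENV, which leaves the variable in the final image environment even though the packages are removed in the same RUN step; a shell variable inside that RUN step or an ARG would avoid that. `webhook-v3.2.0` is copied from the build context, so please confirm it is declared as a resource with a checksum in the hardening manifest, as the checklist requires for downloaded resources.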
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
LICENSE SUBSCRIPTION AGREEMENT
(On-Premise)
This License Subscription Agreement, including all exhibits, schedules, Statements of Work and Order Forms (as defined below) (collectively,
the “Agreement”) are the terms under which Sysdig, Inc. (“Sysdig”) agrees to grant the customer (“Customer”) use of the Software and access
to the Support Services and Services (as defined below). By indicating Customer’s acceptance of this Agreement, executing an Order Form
that references this Agreement, or using the Software, Support Services and/or Services, Customer agrees to be bound by this Agreement. If
you are entering into this Agreement on behalf of an entity, such as the company you work for, then you represent to Sysdig that you have the
legal authority to bind the Customer to this Agreement. Sysdig and Customer are each a “Party” and collectively, the “Parties”, hereunder.
1. DEFINITIONS
"Affiliate" means with respect to a Party, any person or entity that
controls, is controlled by, or is under common control with such
Party, where "control" means ownership of fifty percent (50%) or
more of the outstanding voting securities.
“B2B Relationship Data” means any administrative, transactional
or account related data or communications provided by or on behalf
of Customer to Sysdig in connection with the creation, purchase,
maintenance, or support of Customer’s account with Sysdig.
"Contractor(s)" means any third-party provider, agents,
outsourcers or contractors performing services on Customer's
behalf.
"Customer Data" means any data or other information which is
provided by (or on behalf of) Customer directly or indirectly in
connection with the Software, Services or Beta Releases, and shall
not include Customer Personal Data or Service Analytics as defined
hereunder.
"Customer Personal Data" means any Customer Data which (i)
qualifies as “Personal Data” “Personal Information” “Personally
Identifiable Information” or any substantially similar term under
applicable privacy laws and (ii) is processed by Sysdig on behalf of
Customer in connection with the Agreement. For the avoidance of
doubt, Customer Personal Data shall not include B2B Relationship
Data or Service Analytics as defined hereunder.
"Documentation" means the online help materials, including
technical specifications, describing functionality of the Software
provided by Sysdig on a publicly available website and updated
from time to time.
"Intellectual Property Rights" means all current and future
worldwide intellectual property rights, including without limitation,
all patents, copyrights, trademarks, service marks, trade names,
domain name rights know-how and other trade secret rights, and all
other intellectual property rights and similar forms of protection, and
all applications and registrations for any of the foregoing.
"License Entitlement" means the quantity of the license metrics
pursuant to which the Software is licensed by Sysdig, as set forth in
Order Form, which may include servers, agents, containers or hosts.
"License Keys" means an alphanumeric code that enables use of
the Software.
“Open Source Software” means a program in which source code
is made publicly and freely available for use and modification
pursuant to certain license terms.
"Order Form" means a document executed by and between Sysdig
and Customer or electronically accepted by Customer that
references this Agreement, purchase confirmation or any other
document which details the Software and Services to be provided by
Sysdig, the fees associated therewith, and any other transaction-
specific terms and conditions.
“Statement of Work” or “SOW” means a statement of work or
other such executed document that references this Agreement,
whereby Customer engages Sysdig to perform certain training,
consulting, technical account management, professional, or similar
services related thereto.
"Services" means any of the training services, technical account
management services, and/or consulting or other professional
services, pursuant to one or more Order Forms and SOW(s), if
applicable.
"Software" means any current and future Sysdig branded software
that is licensed for use on Customer’s premises or in Customer’s
cloud, during the Subscription Term, including all Updates thereto.
"Subscription Term" means the subscription period(s) specified in
an Order Form during which Customer is licensed to use and deploy
the Software, subject to the terms of this Agreement.
"Support Services" means the maintenance and support services
provided by Sysdig to Customer for the Software.
"Support Services Subscription" means the level of Support
Services purchased by Customer, as set forth in the Order Form.
Sysdig's commitments for each Support Services Subscription are
more fully described in the Support Services Policy, a current copy
of which is set forth in Exhibit A.
“Update” is a Software release that Sysdig makes generally
available to all Sysdig customers, along with any corresponding
changes to Documentation. An Update may be an error correction
or bug fix; or it may be enhancement, new feature, or new
functionality.
LICENSE
2.1. License Scope. Subject to the terms of this Agreement,
Sysdig grants to Customer a limited, revocable, non-exclusive, non-
transferable and non-sublicensable right and license to install and
use, in object code form, solely for internal business purposes, the
Software in accordance with the purchased License Entitlements as
set forth in the Order Form. Customer may permit its Contractors
and Affiliates to use and deploy the Software and Documentation
solely on behalf of and for the benefit of Customer, provided that
the Customer shall be liable for the compliance of all Contractors
and Affiliates with this Agreement, Documentation, and the Order
Form(s).
2.2. Delivery and Acceptance. Promptly following
execution of an Order Form and receipt of Customer's purchase
order, if applicable, Sysdig shall make the Software available for
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
download or deliver License Keys, which enable the Customer to
download the Software. The Software will be deemed to have been
delivered to Customer upon provision of the License Key or making
the Software available for download.
2.3. Restrictions. Customer acknowledges that the Software
and its structure, organization and source code constitute valuable
trade secrets of Sysdig. Accordingly, except as otherwise expressly
set forth in this Agreement, Customer may not and shall not permit
any third party to: (a) translate, disclose, modify or create any
derivative works based on the Software; (b) market, sell, license,
sublicense, distribute, publish, display, reproduce, rent, lease, loan,
assign or otherwise transfer to a third party the Software or
Documentation or any copy thereof, in whole or in part; (c) except
to the extent permitted by law, decompile, disassemble, reverse
engineer, or otherwise attempt to derive source code from the
Software, in whole or in part; (d) operate the Software on behalf of
or for the benefit of any third party, including the operation of any
service that is accessed by a third party, for third-party training,
commercial time-sharing or service bureau use; (e) remove any
product identification, proprietary copyright or other notices
contained in the Software; (f) access or use the Software for the
purpose of building a product or service in competition with the
Software; and (g) circumvent or attempt to circumvent contractual
usage restrictions.
2.4. Open Source Software and Third-Party Software.
Customer acknowledges and agrees that certain Open Source
Software libraries, components and utilities, and other third-party
software not owned or developed by Sysdig are embedded in the
Software. The publicly available open source license terms
governing the Open Source Software shall take precedence over this
Agreement to the extent that the Agreement imposes greater
restrictions on Customer. Customer hereby acknowledges that
Sysdig disclaims and makes no representation or warranty with
respect to the Open Source Software, or any portion thereof, and
assumes no liability for any claim that may arise with respect to such
Open Source Software or Customer's use or inability to use the
same.
2.5. License Entitlement Review. Customer shall monitor
and ensure that use and deployment of the Software under this
Agreement is consistent with the applicable License Entitlement, as
set forth in the relevant Order Form. Sysdig, may, upon reasonable
notice, review Customer’s records of Software usage to verify that
Customer has: (a) used the Software solely in the manner authorized
herein; (b) paid all applicable license fees; and (c) otherwise
complied with the terms of this Agreement and Order Form(s). In
general, Sysdig does not require physical access to Customer's
premises, computing devices or systems in connection with any such
review. If, as a result of the review, it is determined that Customer
is utilizing more licenses than it is entitled under the License
Entitlement as set forth in the Order Form, Customer will promptly
pay directly to Sysdig all underpayments revealed by such review.
2.6 Use of Services Deliverables. Subject to Customer’s
payment of all fees due hereunder, Sysdig grants Customer a
limited, non-exclusive, royalty-free, non-sublicensable, non-
transferable license (except as specifically permitted in this
Agreement), to use those elements of the Sysdig Technology (as
defined below) embodied in the Services deliverables, if any, in
Customer’s ordinary course of business, solely as so embodied.
Sysdig reserves all other rights in and to the Sysdig Technology.
2.7 Affiliates. The Parties agree that their respective Affiliates
may also conduct business under this Agreement by entering into
Order Forms, subject to this Agreement. Accordingly, where
Affiliates of the Parties conduct business hereunder, references to
Customer herein shall include any applicable Affiliate of Customer.
SUPPORT SERVICES
3.1. Sysdig will provide Customer with Support Services in
accordance with the purchased Support Services Subscription, as set
forth in the Order Form.
3.2. Support Services will be delivered to Customer as set
forth in this Agreement, provided that the Customer: notifies Sysdig
of issues in accordance with the Support Services Policy; engages
with Sysdig in good faith to resolve any issues with the Software by
making necessary resources and information available to Sysdig;
makes reasonable efforts to apply the solution recommended by
Sysdig; and has deployed all of the major and minor releases of the
Software issued by Sysdig that are no more than two releases back
or six (6) months old from the date of their release. Customer shall
be entitled to Updates to the extent Sysdig incorporates such
Updates into the Software subject to the applicable Order Form
during the Subscription Term.
SOFTWARE PURCHASED THROUGH
RESELLERS. The Parties agree that Customer may purchase
through Resellers Software, Support Services and Services that are
governed by this Agreement. Where Customer purchases through a
Reseller, the Reseller will enter into an Order Form with Sysdig that
shows Customer as the "ship to" party and Reseller as the "bill to"
party, and Reseller and Customer will enter into a separate
agreement setting forth the fees to be paid by Customer to Reseller,
as well as any other terms or conditions that apply between them.
Sysdig hereby agrees that, subject to receiving payment from the
Reseller, Sysdig shall be responsible to Customer, pursuant to the
terms and conditions of this Agreement, for providing the Software
under any such Order Form. Customer hereby acknowledges that
Sysdig will not be responsible for the obligations of any Reseller to
Customer under such separate agreement, for the acts or omissions
of Reseller, or for any third-party products or services furnished to
Customer by any Reseller. For the avoidance of doubt, the Sections
herein entitled “Payment” and “Taxes” will be of no effect where
Customer purchases through a Reseller, as payment and taxes will
be addressed in the agreement between Reseller and Customer.
OWNERSHIP. The Software, Support Services,
Services and Documentation, all copies and portions thereof, and all
Intellectual Property Rights therein, including, but not limited to
derivative works therefrom (“Sysdig Technology”), are and shall
remain the sole and exclusive property of Sysdig notwithstanding
any other provision in this Agreement. Customer is not authorized
to use (and shall not permit any third party to use) the Sysdig
Technology or any portion thereof except as expressly authorized
by this Agreement.
5.1. Service Analytics. Sysdig may process Service Analytics for
internal business purposes in order to deliver, enhance, secure and
support Sysdig products and services, including Software and
Services. Customer may have the ability to configure the Software
to limit the Service Analytics that are collected. Customer may
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
refer to the Documentation and/or Customer’s account
representative for more information. “Service Analytics” means all
information and data that the Software generates or otherwise
obtain from Customer’s use of the foregoing, including but not
limited to usage statistics, telemetry and analytics and similar
information, collected by cookies, web beacons, and other similar
applications. Sysdig may disclose the results of its analysis of the
Service Analytics publicly or to third parties in connection with our
marketing and promotion efforts, including but not limited to
presentations, technical reports and whitepapers, provided that such
results do not contain any personally identifiable information, or
enable a third Party to determine the source of such information.
PAYMENT; TAXES
6.1. Fees and Payment. All fees are as set forth in the
applicable Order Form and shall be paid by Customer within thirty
(30) days from the date of the invoice, unless otherwise specified in
the applicable Order Form. Except as expressly set forth in an Order
Form: (a) payment obligations are non-cancelable and fees are non-
refundable, unless specifically provided herein; and (b) Customer
may not decrease the purchased number of subscription rights
during the applicable Subscription Term. Where Customer
designates use of a third-party payment processor network,
Customer shall be responsible for payment of all fees and charges
associated with use of such network (including registration,
participation, and payment processing fees) and Sysdig may invoice
for such fees together with the subscription fees or on separate
invoice.
6.2. Travel and Expenses. Customer will pay any
reasonable and actual out-of-pocket expenses incurred in
connection with the Services according to Sysdig’s Travel Policy,
including, without limitation, transportation, lodging, and any
incidentals associated with the Services provided to Customer such
as airfare, hotel, and meals. Sysdig shall provide Customer invoices
and receipts for such costs.
6.3. Rescheduling Policy Applicable to Services. Sysdig
and Customer will commence Services on a start date to be mutually
agreed to between the Parties. Customer may reschedule Services
by notifying Sysdig in writing (which can include by email) with
fifteen (15) business days’ prior notice and Sysdig will make
commercially reasonable efforts to reschedule. If performance of
the Services is delayed due to Customer’s failure to provide
required access, personnel availability or is otherwise canceled with
less than fifteen (15) business days’ notice once ordered by
Customer, Sysdig may charge Customer the then prevailing daily
charge, plus reimbursement of all travel-related expenses (if
applicable), for each day (up to a maximum of 15 days) for each
person assigned by Sysdig to provide the Services. Sysdig strongly
recommends scheduling the Services engagement in a single
instance over a period of consecutive days. However, in no event
shall Services be scheduled in fewer than in one full day increments,
unless otherwise set forth in an SOW. No Services shall be
scheduled in partial day increments.
6.4. Effect of Nonpayment. If Customer's account fails
into arrears and continues to remain unpaid for ten (10) days after
Sysdig provides notice to Customer of its delinquency, Sysdig
reserves the right to suspend or terminate this Agreement,
Customer’s right and license to the Software and Customer’s access
to the Support Services. In the case of termination, Customer shall
uninstall all copies of the deployed Software immediately after the
termination. Unpaid amounts may be subject to interest at the lesser
of one and one-half percent (1.5%) per month or the maximum
permitted by law, plus collection costs.
6.5. Taxes. All fees stated on Order Form are exclusive of
any taxes, levies, or duties ("Taxes"), and Customer will be
responsible for payment of all such Taxes excluding taxes based
solely on Sysdig income. Unless Customer provides Sysdig a valid
state sales/use/excise tax exemption certificate, Customer will pay
and be solely responsible for all Taxes. Sysdig may invoice Taxes
in accordance with the applicable law together on one invoice or a
separate invoice. Sysdig reserves the right to determine the Taxes
for a transaction based on Customer's "bill to" or "ship to" address,
or other information provided by Customer on the location of
Customer's use of the Software. Customer will be responsible for
any Taxes, penalties or interests that might apply based on Sysdig's
failure to charge appropriate tax due to incomplete or incorrect
location information provided by Customer. If Customer is required
by any foreign governmental authority to deduct or withhold any
portion of the amount invoiced for the delivery or use of the Service
under this Agreement, Customer shall increase the sum paid to
Sysdig by an amount necessary for the total payment to Sysdig
equal to the amount originally invoiced.
TERM AND TERMINATION
7.1. Term. This Agreement commences on the Effective
Date and unless earlier terminated pursuant to the terms of this
Agreement, the Agreement will continue for so long as there is an
Order Form in effect between the Parties.
7.2. Termination for Cause. Either Party may terminate this
Agreement (or any affected Order Form or Statement of Work) (a)
upon the other Party’s material breach that remains uncured for
thirty (30) days following notice of such breach, except that
termination will take effect on notice in the event of a breach of
Section 2.3 (“Restrictions”), Section 2.6 (“Use of Services
Deliverables”) or 11 (“Confidential Information”); or (b)
immediately in the event the other Party becomes the subject of a
petition in bankruptcy or any other proceeding relating to
insolvency, receivership, liquidation or assignment for the benefit
of creditors (and not dismissed within sixty (60) days thereafter).
7.3. Termination for Convenience. Either Party may
terminate this Agreement, Order Form(s) or Statement of Work, for
any reason or for no reason, by providing the other Party at least
thirty (30) days’ prior written notice. However, in the event of a
Customer termination for convenience, Customer shall not be
entitled to any refund or relief from payment of any fees paid or
payable under the Agreement, applicable Order Forms or Statement
of Work.
7.4. Effect of Termination. Upon early termination of this
Agreement by Customer for Sysdig's uncured material breach
pursuant to Section 7 .2 or by Sysdig pursuant to Section 7 .3,
Customer is entitled to a prorated refund of prepaid fees relating to
the Software applicable to the remaining period in the applicable
Subscription Term. Upon expiration or termination of this
Agreement by Sysdig for Customer’s uncured material breach
pursuant to Section 7 .2 or by Customer pursuant to Section 7 .3, fees
applicable to the duration of any applicable Subscription Term will
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
be immediately due and payable. Notwithstanding the terms and
conditions of an Order Form, Sysdig reserves the right not to renew
any Order Form. In addition, upon expiration or termination of this
Agreement for any reason: (a) all rights granted to Customer under
this Agreement, and Sysdig's obligation to provide Support
Services, Services, the Software and Beta Releases will terminate;
and (b) any payment obligations accrued pursuant to this
Agreement, as well as the provisions of Section 2.5, 5, 6, 7. 4 , 9 , 11,
and 12 of this Agreement will survive such expiration or
termination. Within thirty (30) days after termination of this
Agreement, the Recipient (as defined below) shall return or destroy
(or in the case of electronic data, use commercially reasonable
efforts to delete or render practicably inaccessible by Recipient) all
Confidential Information and materials containing any Confidential
Information of the Discloser (as defined below). Within thirty
(30) days after termination of this Agreement, Customer shall return
or destroy all copies of the Software and Beta Releases, and upon
Sysdig request, provide written certification of compliance with
such request.
LIMITED WARRANTY
8.1. Mutual Warranties. Each Party represents and
warrants that it has the power and authority to enter into this
Agreement.
8.2. Limited Performance Warranty. Sysdig warrants to
the Customer that the Software will, for a period of ninety (90) days
following its initial delivery ("Warranty Period"), substantially
conform to the applicable Documentation, provided that the
Software: (a) has been properly installed and used at all times and
in accordance with the applicable Documentation; and (b) has not
been altered or modified by anyone other than Sysdig or its
designee. Sysdig will, at its own expense correct any reproducible
error in the Software reported to Sysdig by Customer in writing
during the Warranty Period. If Sysdig determines that it is unable to
correct the error, Sysdig will replace the Software in accordance
with the Support Services Policy. This Section 8 .2 represents
Customer's exclusive remedy, and Sysdig's entire liability, for any
breach of the warranties set forth herein.
8.3. Malicious Code. Sysdig warrants that Sysdig will not
knowingly introduce, software viruses, worms, Trojan horses or
other code, files, scripts, or agents intended to do harm.
8.4. Warranty Disclaimer. EXCEPT FOR THE
EXCLUSIVE WARRANTIES SET FORTH IN THIS SECTION 8,
TO THE MAXIMUM EXTENT PERMITTED UNDER
APPLICABLE LAW, THE SOFTWARE, DOCUMENTATION
SERVICES AND SUPPORT SERVICES ARE PROVIDED “AS
IS” WITHOUT WARRANTY OF ANY KIND, AND SYSDIG
MAKES NO WARRANTIES, EXPRESS, IMPLIED,
STATUTORY, OR OTHERWISE, WITH REGARDING OR
RELATING TO THE SOFTWARE, DOCUMENTATION,
SERVICES OR SUPPORT SERVICES. SYSDIG
SPECIFICALLY AND EXPLICITLY DISCLAIMS ALL OTHER
WARRANTIES, EXPRESS AND IMPLIED, INCLUDING
WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NON-INFRINGEMENT, THOSE ARISING FROM A
COURSE OF DEALING, COURSE OF PERFORMANCE,
USAGE OR TRADE, AND ALL SUCH WARRANTIES ARE
HEREBY EXCLUDED TO THE FULLEST EXTENT
PERMITTED BY LAW. FURTHER, SYSDIG DOES NOT
WARRANT THAT THE SOFTWARE WILL BE ERROR FREE
OR THAT THE USE OF THE SOFTWARE WILL BE
UNINTERRUPTED. SYSDIG’S SOLE AND EXCLUSIVE
LIABILITY AND CUSTOMER’S SOLE AND EXCLUSIVE
REMEDY IN RESPECT OF ANY MAINTENANCE OR
SUPPORT ISSUE SHALL BE LIMITED TO THE PROVISION
OF SUPPORT SERVICES.
9. LIMITATION OF REMEDIES AND DAMAGES
9.1. Liability Cap. EXCEPT WITH RESPECT TO: (A)
SYSDIG’S OBLIGATIONS UNDER SECTION 10
(“INDEMNIFICATION”) (FOR WHICH THE LIABILITY
LIMITATION SHALL BE ONE MILLION DOLLARS
($1,000,000) IN THE AGGREGATE); AND (B) CUSTOMER’S
BREACH OF SECTION 2 (“LICENSE”) OR INFRINGEMENT
OF SYSDIG’S INTELLECTUAL PROPERTY, IN NO EVENT
SHALL EITHER PARTY’S TOTAL AGGREGATE LIABILITY
EXCEED THE AMOUNTS PAID BY AND/OR DUE FROM
CUSTOMER FOR THE THEN-CURRENT ANNUAL
SUBSCRIPTION TERM, UNDER THE APPLICABLE ORDER
FORM(S) RELATING TO THE CLAIM.
9.2. Consequential Damages. EXCEPT FOR
CUSTOMER'S INFRINGEMENT OF SYSDIG’S
INTELLECTUAL PROPERTY, IN NO EVENT SHALL EITHER
PARTY, OR SYSDIG'S AFFILIATES OR ITS LICENSORS BE
LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL,
SPECIAL, INDIRECT, PUNITIVE OR EXEMPLARY
DAMAGES, INCLUDING WITHOUT LIMITATION LOST
PROFITS, LOSS OF USE, BUSINESS INTERRUPTIONS, LOSS
OF DATA, REVENUE, GOODWILL, PRODUCTION,
ANTICIPATED SAVINGS, OR COSTS OF PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES, IN CONNECTION
WITH OR ARISING OUT OF THE PERFORMANCE OF OR
FAILURE TO PERFORM THIS AGREEMENT, WHETHER
ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS
CONDUCT, INCLUDING NEGLIGENCE, EVEN OF A PARTY
HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
9.3. Limitations Fair and Reasonable. EACH PARTY
ACKNOWLEDGES THAT THE LIMITATIONS OF LIABILITY
SET FORTH IN THIS SECTION 9 REFLECT THE
ALLOCATION OF RISK BETWEEN THE PARTIES UNDER
THIS AGREEMENT, AND THAT IN THE ABSENCE OF SUCH
LIMITATIONS OF LIABILITY, THE ECONOMIC TERMS OF
THIS AGREEMENT WOULD BE SIGNIFICANTLY
DIFFERENT.
INDEMNIFICATION
10.1. By Sysdig. Sysdig shall defend Customer from and
against any claim by a third party alleging that the Software, when
used as authorized under this Agreement, infringes any trademark
or copyright of such third party, enforceable in the jurisdiction of
Customer’s use of the Software, or misappropriates a trade secret
(but only to the extent that such misappropriation is not a result of
Customer’s actions) (“Infringement Claim”) and shall indemnify
and hold harmless Customer from and against any damages and
costs awarded against Customer by a court of competent
jurisdiction or agreed in settlement by Sysdig (including reasonable
attorneys’ fees) resulting from such Infringement Claim, provided
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
that Customer: (a) promptly provides Sysdig with a written notice
of the Infringement Claim; (b) allows Sysdig sole control of the
defense and settlement of the Infringement Claim; and (c)
reasonably cooperated in response to Sysdig’s requests for
assistance and information. The Customer may participate in the
defense of the Infringement Claim, at the Customer’s sole expense
(not subject to reimbursement). Customer will not, without Sysdig’s
prior written consent, make any admission or prejudicial statement,
settle, compromise or consent to the entry of any judgement with
respect to any pending or threatened Infringement Claim.
10.2. Exclusions. Sysdig shall have no obligation and assumes
no liability under this Section 10 or otherwise with respect to any
claim based on: (a) any modification of the software that is not
performed by or on behalf of Sysdig, or was performed in
compliance with customer's specifications; (b) the combination,
operation or use of the software with any other products, services,
or equipment not provided by Sysdig where there would be no
infringement claim but for such combination; (c) use of the
applicable software other than in accordance with the terms and
conditions of this agreement and the documentation; (d) use of any
older version of the software when use of a newer revision would
have avoided the infringement claim; (e) any claim that relates to
the Open Source Software, freeware and any derivatives or other
adaptations thereof; or (f) any software provided on a no-charge,
beta or evaluation basis. THIS SECTION 10 STATES
CUSTOMER'S SOLE AND EXCLUSIVE REMEDY AND
SYSDIG’S ENTIRE LIABILITY FOR ANY INFRINGEMENT
CLAIMS OR ACTIONS.
10.3. Remedies. If Customer’s use of the Software is (or in
Sysdig’s opinion is likely to be) enjoined, if required by settlement
or if Sysdig determines such actions are reasonably necessary to
avoid material liability, Sysdig may, at its option: (i) procure for
Customer the right to use the Software in accordance with this
Agreement; (ii) replace or modify, the Software to make it non-
infringing; or (iii) terminate Customer's right to use the Software
and discontinue the related Support Services, and upon Customer's
certification of deletion of the Software, refund prorated pre-paid
fees for the remainder of the applicable Subscription Term for the
Software.
CONFIDENTIAL INFORMATION
11.1. “Confidential Information” means information and/or
materials provided by one party (“Discloser”) to the other party
(“Recipient”) which is identified as confidential at the time of
disclosure or should be reasonably known by the Receiving Party
to be confidential or proprietary due to the nature of the information
disclosed and the circumstances surrounding the disclosure. The
following information shall be considered Confidential Information
whether or not marked or identified as such: this Agreement, the
Sysdig Technology, License Keys, pricing information, any Beta
Releases, product roadmap or strategic marketing plans, non-public
material relating to the Software. Except as expressly authorized
herein, the Receiving Party shall (1) hold in confidence and not
disclose any Confidential Information to third parties and (2) not
use Confidential Information for any purpose other than fulfilling
its obligations and exercising its rights under this Agreement. The
Receiving Party may disclose Confidential Information to its
employees, agents, contractors and other representatives having a
legitimate need to know, provided that such representatives are
bound to confidentiality obligations no less protective of the
Disclosing Party than this Section 11 and that the Receiving Party
remains responsible for compliance by any such representative with
the terms of this Section 11. The Receiving Party’s confidentiality
obligations shall not apply to information that the Receiving Party
can document: (i) was rightfully in its possession or known to it
prior to receipt of the Confidential Information; (ii) is or has become
public knowledge through no fault of the Receiving Party; (iii) is
rightfully obtained by the Receiving Party from a third party
without breach of any confidentiality obligation; or (iv) is
independently developed by employees of the Receiving Party who
had no access to such information. The Receiving Party may make
disclosures to the extent required by law or court order, provided
the Receiving Party notifies the Disclosing Party in advance and
cooperates in any effort to obtain confidential treatment. The
Receiving Party acknowledges that disclosure of Confidential
Information would cause substantial harm for which damages alone
would not be a sufficient remedy, and therefore that upon any such
disclosure by the Receiving Party the Disclosing Party shall be
entitled to seek appropriate equitable relief in addition to whatever
other remedies it might have at law.
11.2 Customer Personal Data. Customer acknowledges that the
Software and Services do not require Customer to input or otherwise
transmit Customer Personal Data and Customer agrees not to input
or otherwise transmit any Customer Personal Data to the Software
and Services without Sysdig’s explicit consent or as otherwise set
forth in the applicable Order Form or other written agreement
between the Parties.
3 Data Processing Agreement. Subject to Section 11.2, and
so long as Customer has separately executed the same, the terms of
the Sysdig Global Data Processing Agreement (“DPA”) are hereby
incorporated by reference and shall apply to Sysdig’s processing of
Customer Personal Data on behalf of Customer. Customer
represents and warrants that it has obtained all necessary consents
and permissions from data subjects for the submission and
processing of Customer Personal Data.
11.4 B2B Relationship Data; Service Analytics. For the
avoidance of doubt and subject to the terms hereunder, Sysdig
processes Service Analytics and B2B Relationship Data in its role
as an independent controller and in accordance with applicable laws
and Sysdig’s privacy policy.
GENERAL TERMS
12.1. Assignment. Neither Party may assign this Agreement,
in whole or in part, without the prior written consent of the other
Party, provided that no such consent will be required to assign this
Agreement in its entirety to (i) an Affiliate that is able to satisfy the
obligations of the assignor under this Agreement or (ii) a successor
in interest in connection with a merger, acquisition or sale of all or
substantially of the assigning Party’s assets, provided that the
assignee has agreed to be bound by all of the terms of this
Agreement and all fees owed to the other Party are paid in full. If
Customer is acquired by, sells substantially all its asses to, or
undergoes a change of control in a favor of, a direct competitor of
Sysdig, then Sysdig may terminate this Agreement upon thirty (30)
days prior written notice.
12.2. Severability. If any provision of this Agreement shall be
adjudged by any court of competent jurisdiction to be
unenforceable or invalid, that provision shall be limited to the
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
minimum extent necessary so that this Agreement shall otherwise
remain in effect.
12.3. Governing Law; Jurisdiction and Venue. This
Agreement will be governed by the Applicable Law described
below as applicable (without regard to the conflicts of law
provisions of any jurisdiction), and claims arising out of or in
connection with this Agreement will be subject to binding
arbitration in accordance with Section 12.4 to be located in the
Arbitration Tribunal and Venue described below based on the
Customer's country of residence, as provided in the following table:
Customer ’s
Residence
Applicable Law Arbitration Tribunal
and Venue
Americas State of
California, USA
American Arbitration
Association in San
Francisco, California,
USA
Outside of
the
Americas
England & Wales London Court of
International Arbitration,
London, England
Each Party irrevocably submits to the personal jurisdiction and
venue of and agrees to service of process issued or authorized by,
any court in the Jurisdiction in any action or proceeding. Neither
the United Nations Convention of Contracts for the International
Sale of Goods nor the Uniform Computer Information Transactions
Act will apply to this Agreement.
12.4. Arbitration. Any and all disputes, claims or causes of
action, in law or equity, including without limitation, claims arising
out of or related to the Parties’ negotiations and inducements to
enter into this Agreement, enforcement, breach, performance or
interpretation of this Agreement will be submitted to mandatory,
binding arbitration under the auspices of the Arbitration Tribunal
applicable above, or its successors, under its then-current
commercial arbitration rules and procedures. Both Parties
acknowledge that by agreeing to arbitration, they waive the
right to resolve any such dispute through a trial by jury or
judge or administrative proceeding. Nothing in this Agreement
is intended to prevent either Party from obtaining injunctive relief
in any competent court to prevent irreparable harm pending the
conclusion of any such arbitration. Each Party will bear its own
expenses in the arbitration and will share equally the costs of the
arbitration; provided, however, that the arbitrator(s) or any other
court may, in its discretion, award reasonable costs and fees to the
prevailing Party. This Agreement is subject to the operation of the
1958 United Nations Convention on the Recognition and
Enforcement of Foreign Arbitral Awards.
12.5. Notice. Notices to a Party will be sent by first-class mail,
overnight courier or prepaid post to the address for such Party as
identified on the first page of this Agreement and will be deemed
given seventy-two (72) hours after mailing or upon confirmed
delivery or receipt, whichever is sooner. Customer will address
notices to Sysdig Legal Department, with a copy to
legalnotices@sysdig.com. Either Party may from time to time
change its address for notices under this Section by giving the other
Party at least thirty (30) days prior written notice of the change.
12.6. Force Majeure. Neither Party will be in default or liable
under this Agreement by reason of any failure in performance of
this Agreement if such failure arises, directly or indirectly, out of
causes reasonably beyond the reasonable control of such Party,
including acts of God or of the public enemy, terrorism, political
unrest, U.S. or foreign governmental acts in either a sovereign or
contractual capacity, fire, flood, failure of third Party connections,
epidemic, pandemic or virus, utilities or networks, earthquake,
hostile attacks, restrictions, strikes, and/or freight embargoes.
12.7. Amendments; Waivers. No supplement, modification,
or amendment of this Agreement shall be binding, unless executed
in writing by a duly authorized representative of each Party to this
Agreement. No waiver will be implied from conduct or failure to
enforce or exercise rights under this Agreement, nor will any waiver
be effective unless in a writing signed by a duly authorized
representative on behalf of the Party claimed to have waived. No
provision of any purchase order or other business form employed
by Customer will supersede the terms and conditions of this
Agreement, and any such document relating to this Agreement shall
be for administrative purposes only and shall have no legal effect.
12.8. Entire Agreement; Interpretation. This Agreement
is the complete and exclusive statement of the mutual
understanding of the Parties and supersedes all previous written and
oral agreements and communications relating to the subject matter
of this Agreement. In this Agreement, headings are for
convenience only and “including”, “e.g.”, and similar terms will be
construed without limitation. In the event of a conflict between the
terms of this Agreement and the terms of any Order Form, or
Exhibit hereto, such conflict will be resolved in the following order,
except to the extent expressly specified otherwise in the applicable
Order Form or SOW: (a) this Agreement; (b) the Exhibits (c) Order
Form and (d) Statement of Work. Any preprinted terms on any
Customer ordering documents or terms referenced or linked therein
will have no effect on the terms of this Agreement and are hereby
rejected, including where such Customer ordering document is
signed by Sysdig. The Support Service Policy may be updated from
time to time upon reasonable notice to Customer to reflect process
improvements or changing practices (but the modifications will not
materially decrease Sysdig’s obligations).
12.9. Feedback. Sysdig will be free to use, irrevocably, in
perpetuity, for free and for any purpose, all suggestions, ideas
and/or feedback relating to the Software, Support Services, Services
or Beta Releases (collectively, “Feedback”) provided by Customer,
its Affiliates and Contractors.
12.10. Independent Contractors. The Parties to this
Agreement are independent contractors. There is no relationship
of partnership, joint venture, employment, franchise or agency
created hereby between the Parties. Neither Party will have the
power to bind the other or incur obligations on the other Party’s
behalf without the other Party’s prior written consent.
12.11 Beta Releases. From time to time, Sysdig may grant
Customer access to “alpha”, “beta”, “technical preview” or other
early-stage products (“Beta Releases”). Customer shall comply
with all terms related to any Beta Releases as posted or otherwise
made available to Customer. Sysdig may add or modify terms
related to access or use of the Beta Release at any time. While
Sysdig may provide assistance with Beta Releases in its discretion,
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
notwithstanding anything to the contrary in this Agreement,
CUSTOMER AGREES THAT ANY BETA RELEASE IS
PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS
WITHOUT ANY WARRANTY, SUPPORT SERVICES,
MAINTENANCE, STORAGE, OR SERVICE LEVEL
OBLIGATIONS OF ANY KIND. CUSTOMER FURTHER
ACKNOWLEDGES AND AGREES THAT BETA RELEASES
MAY NOT BE COMPLETE OR FULLY FUNCTIONAL AND
MAY CONTAIN BUGS, ERRORS, OMISSIONS, AND OTHER
PROBLEMS FOR WHICH SYSDIG WILL NOT BE
RESPONSIBLE. Sysdig makes no promises that future versions of
a Beta Release will be released. Customer’s use of the Beta Release
will automatically terminate upon the release of a generally
available version of the applicable Beta Release or upon notice of
termination by Sysdig. Either Party may suspend or terminate
access or use of any Beta Release at any time for any reason or no
reason. Notwithstanding anything to the contrary in the
Agreement, after suspension or termination of Customer’s access to
or use of any Beta Release for any reason Customer will not have
any further right to access or use the applicable Beta Release.
Notwithstanding anything contained to the contrary in this
Agreement, Sysdig and its licensors’ cumulative and aggregate
liability arising out of or relating to the Beta Releases is limited to
$1,000 USD.
12.12 Export Control. In its use of the Software, Support
Services, Services, and Beta Releases, Customer agrees to comply
with all export and import laws and regulations of the United States
and other applicable jurisdictions. Without limiting the foregoing,
(i) Customer represents and warrants that it is not listed on any U.S.
government list of prohibited or restricted parties or located in (or a
national of) a country that is subject to a U.S. government embargo
or that has been designated by the U.S. government as a “terrorist
supporting” country, and (ii) Customer shall not (and shall not
permit any of its users to) deploy or use the Software or Beta
Releases in violation of any U.S. export embargo, prohibition or
restriction.
12.13 Government End-Users. Elements of the Software,
Services, Support Services and Beta Releases are commercial
computer software. If the user or licensee of the Software is an
agency, department, or other entity of the United States
Government, the use, duplication, reproduction, release,
modification, disclosure, or transfer of the Software, or any related
documentation of any kind, including technical data and manuals,
is restricted by a license agreement or by the terms of this
Agreement in accordance with Federal Acquisition Regulation
12.212 for civilian purposes and Defense Federal Acquisition
Regulation Supplement 227.7202 for military purposes. The
Software, Support Services, Services and Beta Releases were
developed fully at private expense. All other use is prohibited.
12.14 References. Unless otherwise specified in the applicable
Order Form, Sysdig may refer to Customer as one of Sysdig’s
customers and use Customer’s logo as part of such reference,
provided that Sysdig complies with any Customer trademark usage
requirements provided by Customer. Upon reasonable request,
Customer will serve as a reference account for Sysdig, provided,
however, that Sysdig will provide Customer with reasonable notice
and obtain Customer’s consent before scheduling any reference
activity. Furthermore, if so specified in the applicable Order Form,
Sysdig may either: (a) issue a press release announcing the
relationship between Sysdig and Customer, or (b) submit a joint
press release to Customer for Customer’s approval, such approval
not to be unreasonably withheld or delayed.
12.1 5 Counterparts. This Agreement may be executed in
counterparts, which taken together shall form one binding legal
instrument. The Parties hereby consent to the use of electronic
signatures in connection with the execution of this Agreement, and
further agree that electronic signatures to this Agreement shall be
legally binding with the same force and effect as manually executed
signatures.
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
SUPPORT SERVICES POLICY
(On Prem)
DEFINITIONS
1.1 “Error” means a failure of the Software to conform to the specifications set forth in the Documentation, resulting in the
inability to use, or material restriction in, the use of the Software.
1.2 “Start Time” means the time at which Sysdig first becomes aware of an Error.
SUPPORT SERVICES POLICY
Sysdig will provide Support Services to Customer through the portal located at https://support.sysdig.com or through other customer support
center contacts, set forth below (the “Customer Support Center”). Customer will receive Updates, other software modifications or additions,
procedures, or routine or configuration changes that may solve, bypass or eliminate the practical adverse effect of the Error. Customer will
designate a certain number of employees or agents that will interface with the Customer Support Center, and submit Errors, requests or support
tickets (the “Technical Support Contacts”). Customer is permitted to name as many Technical Contacts as allowed pursuant to the purchased
Support Service Subscription. Customer’s non-named Technical Contacts may contact the Customer Support Center only in case of an
emergency or on an exception basis, and Sysdig will respond to such Error submission and cooperate with the non-named Technical Contact,
subject to later verification and involvement of a named Technical Support Contact. Additional named Technical Support Contacts may be
permitted upon mutual agreement of the Parties.
SUPPORT SERVICES SUBSCRIPTION
Pursuant to the purchased Support Services Subscription, set forth in the Order Form, Sysdig shall provide and Customer shall purchase and
maintain Premium Support Services. Customer will have access to the Customer Support Center 24 hours per day, 7 days a week. Submitted
Errors will be classified by severity as set forth in the table below. Customer may assign eight (8) Technical Support Contacts, which may
contact the Customer Support Center through any of the Customer Support Center Contacts, as set forth below.
CUSTOMER SUPPORT CENTER CONTACT
Pursuant to the purchased Premium Support Services Subscription, Customer may contact the Customer Support Center as follows:
a) Telephone:
a. USA Toll Free: 1- 888 - 4 - SYSDIG (+1- 888 - 479 - 7344)
b. USA Regular: +1- 415 - 855 - 4DIG (+1- 415 - 855 - 4344)
c. UK Toll Free: +44- 808 - 168 - 9DIG (+44- 808 - 168 - 9344)
d. UK Regular: +44- 20 - 8049 - 7800
b) Email: Create support ticket via email to support@sysdig.com.
c) Portal: https://support.sysdig.com and each Technical Support Contact must register with the Customer Support Center on the portal,
prior to submitting a ticket.
d) Language: Support Services will be provided in English language
5. EXCLUDED SUPPORT SERVICES.
Sysdig shall not be obligated to fix any Error or problem:
a. where the Software is not used for its intended purpose;
b. where the Software has been altered, damaged, modified or incorporated into other software in a manner not approved by Sysdig;
c. where the Software is a release that is no longer supported by Sysdig;
d. which is caused by Customer’s or a third party’s software or equipment or by Customer’s negligence, abuse, misapplication, or use
of the Software other than as specified in the Documentation; or
e. which would be resolved by the Customer using an Update or newer version of the Software, or by adding hardware.
If Sysdig determines that it has no obligation to fix the reported incident for one of the reasons stated above, the Parties may enter into a separate
agreement authorizing Sysdig to provide additional services at Sysdig’s then-current professional services rates plus expenses.
END OF LIFE POLICY. Customer acknowledges that new features may be added to the Software based on market demand and
technological innovation. Accordingly, as Sysdig develops enhanced versions of the Software, Sysdig may cease to maintain and support older
versions of the Software. Sysdig will use commercially reasonable efforts to provide Support Services with respect to older versions of the
Software. Sysdig shall have no obligation to support Software outside of Sysdig’s stated EOS/EOL policy for the applicable Software. Such
EOS/EOL policies shall be made available to Customer either in the accompanying Documentation or upon request and are subject to update
from time to time in Sysdig’s reasonable discretion.
Sysdig, Inc. |85 Second Street, Suite 800, San Francisco, CA 94105 | 415- 872 - 9473 | http://www.sysdig.com
7. ERROR RESPONSE SERVICE LEVELS
Customer shall submit each ticket with a severity level designation based on the definitions in the table below. Severity response
times do not vary, whether Customer contacts the Customer Support Center via phone, email or portal. Sysdig shall respond to such ticket in
accordance with the severity designation and validate Customer’s severity level designation or notify Customer of a proposed change in the
severity level designation with justification for the change. Sysdig will provide continuous efforts to resolve Severity 1 issues until a workaround
or resolution can be provided or until the incident can be downgraded to a lower severity. Sysdig will use reasonable efforts to meet the target
response times for the Errors stated in the table below.
Severity 1
(Critical)
Description Premium Support
Services
Any Error in the Software causing the Software to be unusable,
resulting in a critical impact on the operation of the Software
and there is no workaround.
Sysdig will promptly: (i) assign a specialist to correct the Error;
(ii) provide ongoing communication on the status of an
Update; and (iii) begin to provide a temporary
workaround or fix.
Response Times
Within 30 minutes
Severity 2
(Serious)
An Error in a Software where the Software will operate but its
operation is severely restricted. No workaround is available,
and performance may be degraded, or functions are limited.
Sysdig will promptly: (i) assign a specialist to correct the Error;
and (ii) provide additional escalated Support Services as
determined necessary by Sysdig.
Response Times
Within 2 hours
Severity 3
(Moderate)
An Error in the Software where the Software will operate with
limitations that are not critical to the overall operation, such as
a workaround forces user and or a systems operator to use a
time-consuming procedure to operate the system; or removes
a non-essential feature.
Sysdig will triage the request and may include a resolution in
the next Update.
Response Time
Within 4 hours
Severity 4
(Low)
An Error in the Software where the Software can be used with
only slight inconvenience. All Software feature requests fall
into this severity level.
Sysdig will triage the request and may include a resolution in
the next Update.
Response Time
Next business day
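Review bot: the agreement text was committed as a raw PDF extraction, and the page footer "Sysdig, Inc. |85 Second Street, Suite 800, ..." lands in the middle of sentences, for example in 7.4 between "Subscription Term will" and "be immediately due and payable" and in 12.2 between "shall be limited to the" and "minimum extent necessary". Section numbering is damaged as well: the clause between 11.2 and 11.4 is numbered only "3", "12.1 5 Counterparts" has a stray space, and the headings LIMITED WARRANTY, INDEMNIFICATION, CONFIDENTIAL INFORMATION and GENERAL TERMS carry no section number. The 12.3 law-and-venue table and the severity table in the support policy are flattened into one-column lines, so it is hard to tell which response time belongs to which severity. Since this is the licence text users will read, suggest committing the vendor's original document, or a cleaned text version checked against it, so that cross-references such as "Section 7 .2" and "Section 12.4" resolve unambiguously.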
# <application name>
# Sysdig Admission Controller
Sysdig’s Admission Controller uses the Sysdig Secure Image Scanner to evaluate the scan results and the admission context, providing great flexibility on the admission decision.
Project template for all Iron Bank container repositories.
\ No newline at end of file
Using native Kubernetes API extensions to perform the image scanning on admission enables major threat prevention with the hardening use case: “Only the images that are explicitly approved will be allowed to run on your cluster.”
The admission decision relies not only on the image name and tag, but also on additional context from the admission review, including the namespace, pod metadata, etc.
## Features
* Registry and repository whitelist
* Global and per-namespace admission configuration
* Accept only the images that pass the scan (default)
* Directly reject non-whitelisted registries / repos, without scanning
* Accept the image even if it doesn’t pass the scan
* Do not accept any image that hasn’t been scanned already
* Pod mutation: image tag is replaced by digest to prevent TOCTOU issue if the tag is updated between the scan and the pod scheduling.
## Requirements
* Helm 3
* Kubernetes 1.16 or higher
## Installation
Create a values.yaml overriding the desired values from the [values.yaml file in the repository](https://raw.githubusercontent.com/sysdiglabs/charts/master/charts/admission-controller/values.yaml):
```
$ kubectl create ns sysdig-admission-controller
$ helm repo add sysdig https://charts.sysdig.com
$ helm install -n sysdig-admission-controller sysdig-admission-controller -f values.yaml sysdig/admission-controller
```
### Basic settings
The default settings in *values.yaml* should be right for most cases, but you must provide at minimum:
* **sysdigSecureToken** - The Sysdig Secure Token for your account
* **sysdigSecureUrl** - if the default SasS URL does not fit your environment (if using the on-prem version of Sysdig Secure
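Review bot: the Installation section installs the chart from https://charts.sysdig.com with values taken from the `master` branch of sysdiglabs/charts, and nothing in it says which values to override so that the deployment uses the image built from this repository rather than whatever the chart defaults to. Suggest adding that override and linking a values.yaml that matches the 3.2.0 release instead of `master`, which can drift from the packaged version. In the last bullet under Basic settings, "SasS" should read "SaaS" and the parenthesis opened before "if using the on-prem version of Sysdig Secure" is never closed. The feature list includes "Accept the image even if it doesn't pass the scan"; a sentence on when that mode is appropriate would help, given that the README's stated goal is that only explicitly approved images run.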
---
apiVersion: v1
# The repository name in registry1, excluding /ironbank/
name: "sysdig/sysdig-secure/admission-controller-3.2.0"
# List of tags to push for the repository in registry1
# The most specific version should be the first tag and will be shown
# on ironbank.dsop.io
tags:
- "3.2.0"
- "latest"
# Build args passed to Dockerfile ARGs
args:
BASE_IMAGE: "redhat/ubi/ubi8-minimal"
BASE_TAG: "8.4"
# Docker image labels
labels:
org.opencontainers.image.title: "admission-controller-3.2.0"
## Human-readable description of the software packaged in the image
org.opencontainers.image.description: "Sysdig - Admission Controller"
## License(s) under which contained software is distributed
org.opencontainers.image.licenses: "proprietary"
## URL to find more information on the image
# org.opencontainers.image.url: "FIXME"
## Name of the distributing entity, organization or individual
org.opencontainers.image.vendor: "Sysdig"
org.opencontainers.image.version: "3.2.0"
## Keywords to help with search (ex. "cicd,gitops,golang")
# mil.dso.ironbank.image.keywords: "FIXME"
## This value can be "opensource" or "commercial"
mil.dso.ironbank.image.type: "commercial"
## Product the image belongs to for grouping multiple images
mil.dso.ironbank.product.name: "sysdig-secure/admission-controller"
# List of resources to make available to the offline build context
resources:
- filename: webhook-v3.2.0
url: https://s3.amazonaws.com/download.draios.com/repo1/admission-controller/webhook-v3.2.0
validation:
type: sha256
value: 767d3ceeac6a255b30442e4f2834e765e98f02c9a645b0483a0db76fb6a973c5
# List of project maintainers
maintainers:
- email: "aitor.acedo@sysdig.com"
# # The name of the current container owner
name: "Aitor Acedo"
# # The gitlab username of the current container owner
username: "aitor.acedo"
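Review bot: `name` and `org.opencontainers.image.title` both end in "-3.2.0", which puts the release number in the repository path even though `tags` already carries "3.2.0"; a later release would either need a new repository or leave the name stating the wrong version, and "latest" would sit beside a name that is fixed to one release. Suggest dropping the suffix so the name lines up with `mil.dso.ironbank.product.name` ("sysdig-secure/admission-controller"). `org.opencontainers.image.url` and `mil.dso.ironbank.image.keywords` are still commented out with "FIXME" and should be filled in before merge. The `resources` entry pins the webhook-v3.2.0 download with a sha256 value, which is what the offline build needs; the filename, URL and hash have to be updated together on each version bump.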