diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..034e848
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
diff --git a/cluster.tf b/cluster.tf
new file mode 100644
index 0000000..3788092
--- /dev/null
+++ b/cluster.tf
@@ -0,0 +1,73 @@
+resource "aws_ecs_cluster" "my_cluster" {
+ name = "${var.name}-ecs"
+}
+
+resource "aws_cloudwatch_log_group" "my_logs" {
+ name = "${var.name}-logs"
+}
+
+resource "aws_security_group" "my_security_group" {
+ description = "Allow workload to reach internet"
+ vpc_id = var.vpc_id
+}
+
+resource "aws_security_group_rule" "my_egress_rule" {
+ type = "egress"
+ protocol = "all"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = aws_security_group.my_security_group.id
+}
+
+resource "aws_iam_role" "my_execution_role" {
+ assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+ managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"]
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+ statement {
+ actions = ["sts:AssumeRole"]
+
+ principals {
+ type = "Service"
+ identifiers = ["ecs-tasks.amazonaws.com"]
+ }
+ }
+}
+
+#####
+# Create ECS Task
+#####
+
+resource "aws_ecs_task_definition" "my_task_definition" {
+ family = "${var.name}-workload"
+ execution_role_arn = aws_iam_role.my_execution_role.arn
+
+ cpu = "256"
+ memory = "1024"
+ network_mode = "awsvpc"
+ requires_compatibilities = ["FARGATE"]
+
+ container_definitions = data.sysdig_fargate_workload_agent.instrumented.output_container_definitions
+}
+
+#####
+# Deploy app on ECS cluster
+#####
+
+resource "aws_ecs_service" "my_service" {
+ name = "${var.name}-service"
+
+ cluster = aws_ecs_cluster.my_cluster.id
+ task_definition = aws_ecs_task_definition.my_task_definition.arn
+ desired_count = 1
+ launch_type = "FARGATE"
+ platform_version = "1.4.0"
+
+ network_configuration {
+ subnets = var.subnets
+ security_groups = [aws_security_group.my_security_group.id]
+ assign_public_ip = true
+ }
+}
\ No newline at end of file
diff --git a/javaapp-deployment.yaml b/javaapp-deployment.yaml
new file mode 100644
index 0000000..2ea9fed
--- /dev/null
+++ b/javaapp-deployment.yaml
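Review bot: `aws_security_group_rule.my_egress_rule` allows every protocol and port to `0.0.0.0/0`, and `my_service` also sets `assign_public_ip = true`, so a compromised task can talk to any external host; the description says internet reach is intended, but what this task needs is bounded (TCP 443 for ECR, CloudWatch and Secrets Manager plus the collector port the instrumentation uses), so restricting `protocol`, `from_port` and `to_port` to those, or putting the AWS traffic behind VPC endpoints so a public IP is unnecessary, would shrink the blast radius. `aws_cloudwatch_log_group.my_logs` is created without `retention_in_days`, so log data is retained indefinitely; adding `retention_in_days = 30` (constructed value, set per policy) makes the retention decision explicit. `platform_version = "1.4.0"` pins a Fargate platform that will not receive newer platform fixes on redeploy; either `"LATEST"` or a comment stating why 1.4.0 is required would help the next reader. The task definition references `data.sysdig_fargate_workload_agent.instrumented`, which is declared outside this diff, so the container image and secrets it injects cannot be reviewed here.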
@@ -0,0 +1,47 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: javaapp
+ labels:
+ name: java-deployment
+ app: demo
+spec:
+ replicas: 3
+ selector:
+ matchLabels:
+ app: demo
+ name: javaapp
+ role: jfrontend
+ template:
+ metadata:
+ labels:
+ app: demo
+ name: javaapp
+ role: jfrontend
+ spec:
+ containers:
+ - name: javaapp
+ image: ltagliamonte/counterapp
+ env:
+ - name: MONGO
+ value: mongo.java-app.svc.cluster.local
+ - name: CASSANDRA
+ value: cassandra.java-app.svc.cluster.local
+ - name: REDIS
+ value: redis.java-app.svc.cluster.local
+ ports:
+ - containerPort: 8080
+ name: java
+ livenessProbe:
+ httpGet:
+ path: /simpleWebJava/TestServlet
+ port: 8080
+ initialDelaySeconds: 120
+ timeoutSeconds: 5
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
diff --git a/orchestrator-agent.tf b/orchestrator-agent.tf
new file mode 100644
index 0000000..7a58cfd
--- /dev/null
+++ b/orchestrator-agent.tf
@@ -0,0 +1,17 @@
+module "fargate-orchestrator-agent" {
+ source = "sysdiglabs/fargate-orchestrator-agent/aws"
+ version = "0.3.1"
+
+ name = "${var.name}-orchestrator"
+
+ vpc_id = var.vpc_id
+ subnets = var.subnets
+
+ assign_public_ip = true # if using Internet Gateway
+
+ collector_host = var.collector_host
+ collector_port = var.collector_port
+ access_key = var.sysdig_access_key
+ #access_key = "arn:aws:secretsmanager:us-east-1:059797578166:secret:giri-sysdig-json-EJCDBF:SysdigAccessKey::"
+ check_collector_certificate = "false"
+}
\ No newline at end of file
diff --git a/sysdig-agent-daemonset-v2.yaml b/sysdig-agent-daemonset-v2.yaml
new file mode 100644
index 0000000..2bd655f
--- /dev/null
+++ b/sysdig-agent-daemonset-v2.yaml
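Review bot: `image: ltagliamonte/counterapp` has no tag or digest, so every pod start pulls whatever `latest` currently is and the three replicas can end up on different, unreviewed builds; pin it with a reviewed tag, `image: ltagliamonte/counterapp:<PINNED_TAG>` (placeholder), or an `@sha256:` digest. The container also ships with no `securityContext` at all, so it may run as root with privilege escalation permitted and all default capabilities, and it has only a `livenessProbe`, so the Service will route traffic to pods during the 120 s start-up window before the servlet answers. The `*.java-app.svc.cluster.local` hostnames suggest this manifest belongs in the `java-app` namespace, yet `metadata` sets none; confirm the intended namespace. A minimal hardening of the container spec is sketched below; whether the image tolerates `runAsNonRoot` and a read-only root filesystem has to be confirmed against the image before enabling those.
```yaml
      containers:
      - name: javaapp
        image: ltagliamonte/counterapp:<PINNED_TAG>   # placeholder: pin a reviewed tag or @sha256 digest
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          # runAsNonRoot: true          # enable once the image is confirmed to run unprivileged
          # readOnlyRootFilesystem: true  # enable once the servlet container's writable paths are known
        # … unchanged: env, ports, livenessProbe, resources …
        readinessProbe:
          httpGet:
            path: /simpleWebJava/TestServlet
            port: 8080
          initialDelaySeconds: 30
          timeoutSeconds: 5
```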
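Review bot: `check_collector_certificate = "false"` turns off verification of the collector's TLS certificate, so the orchestrator agent will send the access key and all forwarded workload telemetry to whatever answers at `var.collector_host`:`var.collector_port`, including an interposed host; it should be `check_collector_certificate = "true"`, and if the collector sits behind a private CA the fix is trusting that CA, not disabling verification. The commented-out `access_key` line embeds a real account ID, region and secret name; although inert, it discloses deployment topology and will persist in git history, so drop it and, if the Secrets Manager ARN is the preferred way to pass the key, route it through a variable instead. `access_key = var.sysdig_access_key` also means the key value lands in Terraform state in clear text, so confirm the variable is declared `sensitive = true` where it is defined, which is outside this diff.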
@@ -0,0 +1,134 @@
+### WARNING: this file is supported from Sysdig Agent 0.80.0
+# apiVersion: extensions/v1beta1 # If you are in Kubernetes version 1.8 or less please use this line instead of the following one
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: sysdig-agent
+ labels:
+ app: sysdig-agent
+spec:
+ selector:
+ matchLabels:
+ app: sysdig-agent
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: sysdig-agent
+ spec:
+ volumes:
+ - name: modprobe-d
+ hostPath:
+ path: /etc/modprobe.d
+ - name: osrel
+ hostPath:
+ path: /etc/os-release
+ type: FileOrCreate
+ - name: dshm
+ emptyDir:
+ medium: Memory
+ - name: dev-vol
+ hostPath:
+ path: /dev
+ - name: proc-vol
+ hostPath:
+ path: /proc
+ - name: boot-vol
+ hostPath:
+ path: /boot
+ - name: modules-vol
+ hostPath:
+ path: /lib/modules
+ - name: usr-vol
+ hostPath:
+ path: /usr
+ - name: run-vol
+ hostPath:
+ path: /run
+ - name: varrun-vol
+ hostPath:
+ path: /var/run
+ # Uncomment these lines if you'd like to map /root/ from the
+ # host into the container. This can be useful to map
+ # /root/.sysdig to pick up custom kernel modules.
+ #- name: host-root-vol
+ # hostPath:
+ # path: /root
+ - name: sysdig-agent-config
+ configMap:
+ name: sysdig-agent
+ optional: true
+ - name: sysdig-agent-secrets
+ secret:
+ secretName: sysdig-agent
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ hostPID: true
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ # The following line is necessary for RBAC
+ serviceAccount: sysdig-agent
+ terminationGracePeriodSeconds: 5
+ containers:
+ - name: sysdig-agent
+ image: sysdig/agent
+ imagePullPolicy: Always
+ securityContext:
+ privileged: true
+ resources:
+ # Resources needed are subjective to the actual workload.
+ # Please refer to Sysdig Support for more info.
+ requests:
+ cpu: 600m
+ memory: 512Mi
+ limits:
+ cpu: 2000m
+ memory: 1536Mi
+ readinessProbe:
+ exec:
+ command: [ "test", "-e", "/opt/draios/logs/running" ]
+ initialDelaySeconds: 10
+ # This section is for eBPF support. Please refer to Sysdig Support before
+ # uncommenting, as eBPF is recommended for only a few configurations.
+ #env:
+ # - name: SYSDIG_BPF_PROBE
+ # value: ""
+ volumeMounts:
+ - mountPath: /etc/modprobe.d
+ name: modprobe-d
+ readOnly: true
+ - mountPath: /host/dev
+ name: dev-vol
+ readOnly: false
+ - mountPath: /host/proc
+ name: proc-vol
+ readOnly: true
+ - mountPath: /host/boot
+ name: boot-vol
+ readOnly: true
+ - mountPath: /host/lib/modules
+ name: modules-vol
+ readOnly: true
+ - mountPath: /host/usr
+ name: usr-vol
+ readOnly: true
+ - mountPath: /host/run
+ name: run-vol
+ - mountPath: /host/var/run
+ name: varrun-vol
+ - mountPath: /dev/shm
+ name: dshm
+ - mountPath: /opt/draios/etc/kubernetes/config
+ name: sysdig-agent-config
+ - mountPath: /opt/draios/etc/kubernetes/secrets
+ name: sysdig-agent-secrets
+ - mountPath: /host/etc/os-release
+ name: osrel
+ readOnly: true
+ # Uncomment these lines if you'd like to map /root/ from the
+ # host into the container. This can be useful to map
+ # /root/.sysdig to pick up custom kernel modules.
+ #- mountPath: /root
+ # name: host-root-vol
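Review bot: `image: sysdig/agent` carries no tag, and with `imagePullPolicy: Always` every node restart pulls the current `latest` into a container running `privileged: true` with `hostPID`, `hostNetwork` and the host's `/dev`, `/proc`, `/boot`, `/run` and `/usr` mounted; this is the most powerful workload in the cluster, so pin it, `image: sysdig/agent:<PINNED_VERSION>` (placeholder) or an `@sha256:` digest, so that what runs is what was reviewed. `serviceAccount: sysdig-agent` is the deprecated spelling; `serviceAccountName: sysdig-agent` is the current field and makes the "necessary for RBAC" comment above it unnecessary. The single toleration for `node-role.kubernetes.io/master` does not cover nodes tainted with the newer `node-role.kubernetes.io/control-plane` key, so on such clusters the agent is silently absent from the control plane; add a second toleration with that key. The privileged/host-mount surface itself is inherent to a kernel-module agent and is not what this note asks to change. The hunk begins on the preceding line of this diff.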