From 618ea18bdafb1108a213785eecc32c1cb3f43918 Mon Sep 17 00:00:00 2001
From: chipzoller
Date: Wed, 7 Feb 2024 14:41:51 -0500
Subject: [PATCH 1/4] bump to 2.0.2
Signed-off-by: chipzoller
---
 eks-anywhere-common/Addons/Partner/Kubecost/kubecost.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eks-anywhere-common/Addons/Partner/Kubecost/kubecost.yaml b/eks-anywhere-common/Addons/Partner/Kubecost/kubecost.yaml
index 59f20d81..f072a207 100644
--- a/eks-anywhere-common/Addons/Partner/Kubecost/kubecost.yaml
+++ b/eks-anywhere-common/Addons/Partner/Kubecost/kubecost.yaml
@@ -13,7 +13,7 @@ spec:
 kind: HelmRepository
 name: kubecost-charts
 namespace: flux-system
- version: 1.106.0
+ version: 2.0.2
 interval: 1m0s
 targetNamespace: kubecost
 valuesFrom:
From 3402d4de17f66a85699d6bf9f7f0d939eabe6013 Mon Sep 17 00:00:00 2001
From: chipzoller
Date: Wed, 7 Feb 2024 17:15:39 -0500
Subject: [PATCH 2/4] fix/update testJob
Signed-off-by: chipzoller
---
 .../Testers/Kubecost/kubecost-testJob.yaml | 35 ++-----------------
 1 file changed, 2 insertions(+), 33 deletions(-)
diff --git a/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml b/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
index e92c498c..47486901 100644
--- a/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
+++ b/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
@@ -9,7 +9,7 @@ spec:
 spec:
 template:
 spec:
- serviceAccountName: tester
+ automountServiceAccountToken: false
 containers:
 - name: test-kubecost
 image: alpine/k8s:1.26.9
@@ -18,9 +18,8 @@ spec:
 args:
 - -c
 - >-
- svc=$(kubectl -n kubecost get svc -l app.kubernetes.io/name=cost-analyzer -o json | jq -r .items[0].metadata.name);
 echo Getting current Kubecost state.;
- response=$(curl -sL http://${svc}:9090/model/getConfigs);
+ response=$(curl -sL http://kubecost-cost-analyzer:9090/model/getConfigs);
 code=$(echo ${response} | jq .code);
 if [ "$code" -eq 200 ]; then
 echo "Got Kubecost working configuration. Successful."
@@ -31,33 +30,3 @@ spec:
 fi
 restartPolicy: Never
 backoffLimit: 1
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: test-role
- namespace: kubecost
-rules:
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["list"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: test-rolebinding
- namespace: kubecost
-subjects:
-- kind: ServiceAccount
- name: tester
- namespace: kubecost
-roleRef:
- kind: Role
- name: test-role
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: tester
- namespace: kubecost
\ No newline at end of file
From 27032398fcb2cf86fa4a33150292230dacdad387 Mon Sep 17 00:00:00 2001
From: chipzoller
Date: Thu, 8 Feb 2024 09:35:24 -0500
Subject: [PATCH 3/4] fix tests
Signed-off-by: chipzoller
---
 .../Testers/Kubecost/kubecost-testJob.yaml | 35 +++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml b/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
index 47486901..9d2b0c70 100644
--- a/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
+++ b/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
@@ -9,7 +9,7 @@ spec:
 spec:
 template:
 spec:
- automountServiceAccountToken: false
+ serviceAccountName: tester
 containers:
 - name: test-kubecost
 image: alpine/k8s:1.26.9
@@ -18,8 +18,9 @@ spec:
 args:
 - -c
 - >-
+ svc=$(kubectl get --raw /api/v1/namespaces/kubecost/services | jq -r '.items[] | select(.metadata.name | test("cost-analyzer$")).metadata.name');
 echo Getting current Kubecost state.;
- response=$(curl -sL http://kubecost-cost-analyzer:9090/model/getConfigs);
+ response=$(curl -sL http://${svc}:9090/model/getConfigs);
 code=$(echo ${response} | jq .code);
 if [ "$code" -eq 200 ]; then
 echo "Got Kubecost working configuration. Successful."
@@ -30,3 +31,33 @@ spec:
 fi
 restartPolicy: Never
 backoffLimit: 1
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: test-role
+ namespace: kubecost
+rules:
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: test-rolebinding
+ namespace: kubecost
+subjects:
+- kind: ServiceAccount
+ name: tester
+ namespace: kubecost
+roleRef:
+ kind: Role
+ name: test-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tester
+ namespace: kubecost
\ No newline at end of file
From c975023385f385328552d3b93ad44ece86187732 Mon Sep 17 00:00:00 2001
From: chipzoller
Date: Thu, 8 Feb 2024 09:50:15 -0500
Subject: [PATCH 4/4] implement PSS restricted
Signed-off-by: chipzoller
---
 .../Testers/Kubecost/kubecost-testJob.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml b/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
index 9d2b0c70..a6cfbdd9 100644
--- a/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
+++ b/eks-anywhere-common/Testers/Kubecost/kubecost-testJob.yaml
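Review bot: The added `svc=$(...)` lookup has no empty-result guard, so when no Service name matches `cost-analyzer$` the next line calls curl against `http://:9090/...` and the Job fails with a confusing jq or `[ -eq ]` error instead of a clear message. Because the script is a `>-` folded scalar, a guard fits as its own line directly after the lookup: `if [ -z "$svc" ]; then echo "No cost-analyzer Service found in namespace kubecost."; exit 1; fi`. The regex also matches every Service whose name ends in `cost-analyzer`, and with two matches `svc` becomes a multi-line value that breaks the URL, so wrapping the selection in jq's `first(...)` or appending `| head -n 1` would pin it to one name. The unchanged `code=$(echo ${response} | jq .code)` line has the same weakness when the response is empty or not JSON and should at least quote `"${response}"`. The script continues outside the hunk.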
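Review bot: The added ServiceAccount document still ends without a trailing newline (`\ No newline at end of file` on the last added line); adding one keeps the next append to this file from showing up as a modified last line. The Role's `list` on `services` is exactly what the `kubectl get --raw /api/v1/namespaces/kubecost/services` call in the script needs and nothing more, which is the right scope; a one-line comment above `rules:` such as `# list is the only verb the tester's raw Service lookup requires` would make that intent survive future edits.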
@@ -9,10 +9,24 @@ spec:
 spec:
 template:
 spec:
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 3000
+ fsGroup: 2000
 serviceAccountName: tester
 containers:
 - name: test-kubecost
 image: alpine/k8s:1.26.9
+ securityContext:
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
 command:
 - /bin/sh
 args:
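Review bot: `readOnlyRootFilesystem: true` on the container may interact with the `kubectl get --raw` call in the script (outside this hunk), since kubectl tries to create its cache directory under `$HOME/.kube` at start-up; in my experience this degrades to a warning rather than a failure, but it is worth confirming the Job still passes after this commit, and if it does not, an `emptyDir` mounted at `/tmp` with `HOME` set to `/tmp` in `env` is the usual remedy. `privileged: false` is the API default, so either drop it or keep it with a comment stating it is there for explicitness. The pod-level `fsGroup: 2000` is not required by the restricted profile and has no effect while no volumes are mounted; a short comment such as `# fsGroup has no effect until a volume is added` would save the next reader a question. The pod spec continues outside the hunk.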