add CODEOWNERS (#21)

* add CODEOWNERS Signed-off-by: Michael Fornaro <[email protected]> * test Signed-off-by: Michael Fornaro <[email protected]> * test Signed-off-by: Michael Fornaro <[email protected]>
raspbernetes · Dec 8, 2020 · 43d36cd · 43d36cd
1 parent 4d26222
commit 43d36cd
Show file tree

Hide file tree

Showing 5 changed files with 89 additions and 30 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,13 @@
+# These owners will be the default owners for everything in
+# the repo.
+#
+# Order is important; the last matching pattern takes the most
+# precedence.
+#
+# Unless a later match takes precedence,
+# @<users> will be requested for
+# review when someone opens a pull request.
+
+*     @xUnholy @saurabhpandit @hsy3418
+
+
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,22 +1,19 @@
 # Description
 
-Please provide a description for what this PR is for.
+Please provide a description of what this PR is for.
 
-## Type Of Change
+## Checklist
 
-To help us figure out who should review this PR, please put an X in all the areas that this PR affects.
-
-- [ ] Docs
-- [ ] Installation
-- [ ] Performance and Scalability
-- [ ] Security
-- [ ] Test and/or Release
-- [ ] User Experience
+- [ ] All commits are signed off. See the section [Developer’s Certificate of Origin](https://developercertificate.org/)
+- [ ] Provide a title or release-note blurb suitable for the release notes.
+- [ ] All pre-commit hook validation passed successfully.
+- [ ] All commits contain a well-written commit description including a title, description, and a Fixes: #XXX line if the commit addresses a particular GitHub issue.
+- [ ] All workflow validation and compliance checks are passing.
 
 ## Issue Ref (Optional)
 
 Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged): Fixes #
 
 ## Notes
 
-Add special notes for your reviewer here.
+Add special notes for your reviewer here.
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -0,0 +1,34 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+  - title: 'Community'
+    label:
+      - 'community'
+  - title: 'Features'
+    labels:
+      - 'feature_request'
+      - 'enhancement'
+  - title: 'Bug Fixes'
+    labels:
+      - 'bug'
+  - title: 'Maintenance'
+    label:
+      - 'chore'
+      - 'documentation'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks.
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+template: |
+  ## Changes
+
+  $CHANGES
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,18 +19,28 @@ jobs:
           result="${result//'%'/'%25'}"
           result="${result//$'\n'/'%0A'}"
           result="${result//$'\r'/'%0D'}"
-          echo $result
           echo "::set-output name=result::$result"
 
-      - name: Post Results
-        uses: unsplash/comment-on-pr@master
-        if: ${{ always() }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/[email protected]
+        if: github.event_name == 'pull_request'
         with:
-          msg: |
-            ## OPA Test Results
-            ```
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### OPA Test Validation 🖌  \`${{ steps.opa.outcome }}\`
+
+            <details><summary>Show OPA Test Validation Report</summary>
+
+            \`\`\`
             ${{ steps.opa.outputs.result }}
-            ```
-          check_for_duplicate_msg: true
+            \`\`\`
+
+            </details>
+
+            *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`.\`, Workflow: \`${{ github.workflow }}\`*`;
+
+            github.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
diff --git a/README.md b/README.md
@@ -1,9 +1,14 @@
-# Security Policies
+<h1 align="center">
+  <p align="center">Kubernetes Security Policies</p>
+  <a href="https://raspbernetes.github.io/docs/"><img src="https://raspbernetes.github.io/img/logo.svg" alt="Raspbernetes"></a>
+</h1>
+
+![build](https://github.com/raspbernetes/k8s-security-policies/workflows/build/badge.svg)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fraspbernetes%2Fk8s-security-policies.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fraspbernetes%2Fk8s-security-policies?ref=badge_shield)
 
 ## Introduction
-This repository provides a security policies library that is used for securing Kubernetes clusters configurations. The security policies are created based on [CIS Kubernetes benchmark](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks) and rules defined in [Kubesec.io](https://kubesec.io/). 
-The policies are written in Rego, a high-level declarative language, its purpose-built for expressing policies over complex hierarchical data structures. For detailed information on Rego see the [Policy Language](https://www.openpolicyagent.org/docs/latest/policy-language/) documentation.  
+This repository provides a security policies library that is used for securing Kubernetes clusters configurations. The security policies are created based on [CIS Kubernetes benchmark](https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks) and rules defined in [Kubesec.io](https://kubesec.io/).
+The policies are written in Rego, a high-level declarative language, its purpose-built for expressing policies over complex hierarchical data structures. For detailed information on Rego see the [Policy Language](https://www.openpolicyagent.org/docs/latest/policy-language/) documentation.
 
 ## Structure of the repo
 The policies directory contains a list of folders, which corresponds to the list of policies. The folder is named with the benchmark standard and a number to differentiate with each other. For example, the 1.2.1 Ensure that the --anonymous-auth argument is set to false that in CIS benchmark is checked by the REGO files in directory CIS1.2.1. Check more on each policy in [Policy Inventory](policies/POLICIES.md)
@@ -29,14 +34,14 @@ violation[msg] {
 The `kubernetes.` indicates it is calling a function from `kubernetes.rego`, which put general functions. The logic that specific to this control will be written in the same rego files.
 
 ### Parameters
-For each of the security policies, there will be parameters going to be used for checking against the resources. The parameters can be from external, for example, if these policies are going to be checked in gatekeeper engine, the parameters can be defined in the gatekeeper `constraints`, or we can directly have default parameters in the file itself, for standardizing the parameters, that we will union these parameters 
+For each of the security policies, there will be parameters going to be used for checking against the resources. The parameters can be from external, for example, if these policies are going to be checked in gatekeeper engine, the parameters can be defined in the gatekeeper `constraints`, or we can directly have default parameters in the file itself, for standardizing the parameters, that we will union these parameters
 ```
 params = object.union(default_parameters, kubernetes.parameters)
 
 ```
-### Unit tests 
+### Unit tests
 To verify the correctness of the policies, we use `OPA` testing [framework](https://www.openpolicyagent.org/docs/v0.12.2/how-do-i-test-policies/) to write the unit tests.
-Each unit tests will have test functions that need to start with the `test` in the function name, so they can be picked by the `op test` the positive case start with the name of `test_no_violation` and negative starts with `test_violation` and tests with a policy_input that will be in the same structure of the manifests. 
+Each unit tests will have test functions that need to start with the `test` in the function name, so they can be picked by the `op test` the positive case start with the name of `test_no_violation` and negative starts with `test_violation` and tests with a policy_input that will be in the same structure of the manifests.
 ```
 test_violation {
     test.violations(violation) with input as policy_input(true)
@@ -71,7 +76,7 @@ The rego policies can be used as a schema in the gatekeeper `ConstraintTemplate`
 Using conftest to check the structured yaml manifests files that will be deployed to your clusters.
 Make srue you have installed `Conftest`([Conftest](https://github.com/open-policy-agent/conftest)) and run `conftest test` a yaml file agaist the policy library
 ```
-conftest test deployment.yaml -p policies/. --all-namespaces  
+conftest test deployment.yaml -p policies/. --all-namespaces
 ```
 and the output will indicate if tests passed. An example:
 ```
@@ -83,4 +88,4 @@ FAIL - deployment.yaml - Deployments are not allowed
 
 
 ## License
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fraspbernetes%2Fk8s-security-policies.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fraspbernetes%2Fk8s-security-policies?ref=badge_large)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fraspbernetes%2Fk8s-security-policies.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fraspbernetes%2Fk8s-security-policies?ref=badge_large)