From bd2f5ec2b0cacc73f2b75749b31f12c58c0de4fd Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 19 Oct 2023 10:18:19 +0000 Subject: [PATCH] Fixed traefik template chart --- .../traefik_checkov_fixed_template.yaml | 292 ++++++++++++++++++ 1 file changed, 292 insertions(+) create mode 100644 fixed_templates/traefik_checkov_fixed_template.yaml diff --git a/fixed_templates/traefik_checkov_fixed_template.yaml b/fixed_templates/traefik_checkov_fixed_template.yaml new file mode 100644 index 0000000..f8aa51d --- /dev/null +++ b/fixed_templates/traefik_checkov_fixed_template.yaml @@ -0,0 +1,292 @@ +kind: ServiceAccount +apiVersion: v1 +metadata: + name: release-name-traefik + namespace: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm + annotations: null +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: release-name-traefik-default + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm +rules: +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingressclasses + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - '' + resources: + - services + - endpoints + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - traefik.io + - traefik.containo.us + resources: + - ingressroutes + - ingressroutetcps + - ingressrouteudps + - middlewares + - middlewaretcps + - tlsoptions + - tlsstores + - traefikservices + - serverstransports + verbs: + - get + - list + - watch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: release-name-traefik-default + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: release-name-traefik-default +subjects: +- kind: ServiceAccount + name: release-name-traefik + namespace: traefik +--- +apiVersion: v1 +kind: Service +metadata: + name: release-name-traefik + namespace: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm + annotations: null +spec: + type: LoadBalancer + selector: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + ports: + - port: 80 + name: web + targetPort: web + protocol: TCP + - port: 443 + name: websecure + targetPort: websecure + protocol: TCP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: release-name-traefik + namespace: traefik + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm + annotations: + seccomp.security.alpha.kubernetes.io/pod: runtime/default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + minReadySeconds: 0 + template: + metadata: + annotations: + prometheus.io/scrape: 'true' + prometheus.io/path: /metrics + prometheus.io/port: '9100' + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm + spec: + serviceAccountName: release-name-traefik + terminationGracePeriodSeconds: 60 + hostNetwork: false + containers: + - image: docker.io/traefik:2.10@sha256:9701f2c228e65fbaced54478b24f3953502192d396823ebdb2aa9b9e37b0e647 + imagePullPolicy: Always + name: release-name-traefik + readinessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 1 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + livenessProbe: + httpGet: + path: /ping + port: 9000 + scheme: HTTP + failureThreshold: 3 + initialDelaySeconds: 2 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 2 + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: + memory: 100Mi + lifecycle: null + ports: + - name: metrics + containerPort: 9100 + protocol: TCP + - name: traefik + containerPort: 9000 + protocol: TCP + - name: web + containerPort: 8000 + protocol: TCP + - name: websecure + containerPort: 8443 + protocol: TCP + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + volumeMounts: + - name: data + mountPath: /data + - name: tmp + mountPath: /tmp + args: + - --global.checknewversion + - --global.sendanonymoususage + - --entrypoints.metrics.address=:9100/tcp + - --entrypoints.traefik.address=:9000/tcp + - --entrypoints.web.address=:8000/tcp + - --entrypoints.websecure.address=:8443/tcp + - --api.dashboard=true + - --ping=true + - --metrics.prometheus=true + - --metrics.prometheus.entrypoint=metrics + - --providers.kubernetescrd + - --providers.kubernetesingress + - --entrypoints.websecure.http.tls=true + volumes: + - name: data + emptyDir: {} + - name: tmp + emptyDir: {} + securityContext: + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 + seccompProfile: + type: RuntimeDefault + automountServiceAccountToken: false +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: traefik-net-policy + namespace: traefik +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + policyTypes: + - Ingress + - Egress + ingress: + - from: + - ipBlock: + cidr: 10.0.1.0/24 + egress: + - to: + - ipBlock: + cidr: 10.0.1.0/24 + ports: + - protocol: TCP + port: 9000 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: 'true' + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm + name: release-name-traefik +spec: + controller: traefik.io/ingress-controller +--- +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: release-name-traefik-dashboard + namespace: traefik + annotations: null + labels: + app.kubernetes.io/name: traefik + app.kubernetes.io/instance: release-name-default + helm.sh/chart: traefik-23.1.0 + app.kubernetes.io/managed-by: Helm +spec: + entryPoints: + - traefik + routes: + - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`) + kind: Rule + services: + - name: api@internal + kind: TraefikService