fix: security fix

2025-11-21 11:23:52 +09:00
parent 71bca4bacd
commit ca134b3585
4 changed files with 198 additions and 0 deletions
--- a/1
+++ b/1
@@ -32,6 +32,7 @@ mod postgres
 mod prometheus
 mod qdrant
 mod querybook
+mod security
 mod superset
 mod trino
 mod utils
--- a/k8s/registry/registry.yaml
+++ b/k8s/registry/registry.yaml
@@ -20,6 +20,12 @@ spec:
      labels:
        app: registry
    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        fsGroup: 65534
+        seccompProfile:
+          type: RuntimeDefault
      containers:
      - name: registry
        image: registry:2
@@ -31,9 +37,19 @@ spec:
          value: "true"
        - name: REGISTRY_HTTP_ADDR
          value: "0.0.0.0:5000"
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 65534
+          capabilities:
+            drop:
+              - ALL
        volumeMounts:
        - name: registry-data
          mountPath: /var/lib/registry
+        - name: tmp
+          mountPath: /tmp
        livenessProbe:
          httpGet:
            path: /v2/
@@ -49,6 +65,8 @@ spec:
      volumes:
      - name: registry-data
        emptyDir: {}
+      - name: tmp
+        emptyDir: {}
 ---
 apiVersion: v1
 kind: Service
--- a/security/.trivyignore
+++ b/security/.trivyignore
@@ -0,0 +1,38 @@
+# Trivy ignore file for development environment
+# Format: CVE-ID or Misconfiguration ID
+
+# ============================================================================
+# k3s System Components (kube-system namespace)
+# ============================================================================
+# These components are managed by k3s and follow k3s design decisions.
+# Manual modifications would be overwritten during k3s upgrades.
+
+# AVD-KSV-0024: svclb-traefik uses hostPorts by design
+# This is how k3s ServiceLB works - it binds to host ports 80/443
+# Cannot be changed without replacing the entire ServiceLB implementation
+AVD-KSV-0024
+
+# AVD-KSV-0014: readOnlyRootFilesystem not set
+# Many k3s components need write access for proper operation
+# (logs, temp files, state management)
+# Acceptable for trusted system components in development environment
+AVD-KSV-0014
+
+# AVD-KSV-0118: Default securityContext usage
+# k3s components use default security context for compatibility
+# and resource efficiency. Acceptable for development environments.
+# In production, consider hardened Kubernetes distributions.
+AVD-KSV-0118
+
+# ============================================================================
+# Longhorn Storage System
+# ============================================================================
+# Longhorn requires extensive permissions for volume management operations
+# These are expected and necessary for storage orchestration
+
+# ============================================================================
+# Kubernetes RBAC Core Components
+# ============================================================================
+# system:kube-controller-manager needs cluster-wide permissions
+# system:kube-scheduler needs cluster-wide permissions
+# These are standard Kubernetes architecture requirements
--- a/security/justfile
+++ b/security/justfile
@@ -0,0 +1,141 @@
+set fallback := true
+
+export LOCAL_K8S_HOST := env("LOCAL_K8S_HOST", "")
+
+[private]
+default:
+    @just --list --unsorted --list-submodules
+
+# Run Trivy security scan (quick: CRITICAL + HIGH only)
+scan-quick:
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running quick security scan (CRITICAL + HIGH misconfigurations only)..."
+    trivy k8s --report summary \
+        --severity CRITICAL,HIGH \
+        --scanners misconfig \
+        --ignorefile .trivyignore \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Run Trivy security scan (standard: CRITICAL + HIGH + MEDIUM)
+scan:
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running standard security scan (CRITICAL + HIGH + MEDIUM)..."
+    trivy k8s --report summary \
+        --severity CRITICAL,HIGH,MEDIUM \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Run Trivy security scan (full: all severities)
+scan-full:
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running full security scan (all severities)..."
+    trivy k8s --report summary \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Run Trivy vulnerability scan only (CRITICAL + HIGH)
+scan-vulns:
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running vulnerability scan (CRITICAL + HIGH only)..."
+    trivy k8s --report summary \
+        --severity CRITICAL,HIGH \
+        --scanners vuln \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Run Trivy misconfiguration scan only (CRITICAL + HIGH)
+scan-misconfig:
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running misconfiguration scan (CRITICAL + HIGH only)..."
+    trivy k8s --report summary \
+        --severity CRITICAL,HIGH \
+        --scanners misconfig \
+        --ignorefile .trivyignore \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Run Trivy RBAC assessment
+scan-rbac:
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running RBAC assessment..."
+    trivy k8s --report summary \
+        --severity CRITICAL,HIGH \
+        --scanners rbac \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Run Trivy scan for specific namespace
+scan-namespace namespace severity='CRITICAL,HIGH':
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Running security scan for namespace: {{ namespace }}..."
+    trivy k8s --report summary \
+        --severity {{ severity }} \
+        --include-namespaces {{ namespace }} \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Show detailed findings for specific namespace
+scan-namespace-detail namespace severity='CRITICAL,HIGH':
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Showing detailed findings for namespace: {{ namespace }}..."
+    trivy k8s --report all \
+        --severity {{ severity }} \
+        --include-namespaces {{ namespace }} \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+
+# Show detailed findings for specific resource
+scan-resource namespace kind name severity='CRITICAL,HIGH':
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Showing detailed findings for {{ kind }}/{{ name }} in {{ namespace }}..."
+    trivy k8s --report all \
+        --severity {{ severity }} \
+        --include-namespaces {{ namespace }} \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m | grep -A 50 "{{ kind }}/{{ name }}"
+
+# Generate detailed HTML report
+report output='trivy-report.html':
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Generating detailed security report..."
+    trivy k8s --report all \
+        --format template \
+        --template "@contrib/html.tpl" \
+        --output {{ output }} \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+    echo "Report saved to: {{ output }}"
+
+# Generate JSON report for automation
+report-json output='trivy-report.json':
+    #!/bin/bash
+    set -euo pipefail
+    just env::check
+    echo "Generating JSON security report..."
+    trivy k8s --report all \
+        --format json \
+        --output {{ output }} \
+        "${LOCAL_K8S_HOST}" \
+        --timeout 30m
+    echo "Report saved to: {{ output }}"