From 34bd81c6f9e7a894a51ea82a0c29bf72de49a126 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Mon, 8 Nov 2021 13:07:32 +0100
Subject: [PATCH 1/4] Expose history limit configs via helm values
Signed-off-by: Jannik Hollenbach
---
 scanners/nuclei/templates/nuclei-update-cache-job.yaml | 2 ++
 scanners/nuclei/values.yaml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/scanners/nuclei/templates/nuclei-update-cache-job.yaml b/scanners/nuclei/templates/nuclei-update-cache-job.yaml
index f1c190a786..4f4995d770 100644
--- a/scanners/nuclei/templates/nuclei-update-cache-job.yaml
+++ b/scanners/nuclei/templates/nuclei-update-cache-job.yaml
@@ -14,6 +14,8 @@ metadata:
 name: nuclei-update-template-cache
 spec:
 schedule: {{ .Values.nucleiTemplateCache.schedule | default "0 8 * * *" }}
+ failedJobsHistoryLimit: {{ .Values.nucleiTemplateCache.failedJobsHistoryLimit }}
+ successfulJobsHistoryLimit: {{ .Values.nucleiTemplateCache.successfulJobsHistoryLimit }}
 jobTemplate:
 spec:
 template:
diff --git a/scanners/nuclei/values.yaml b/scanners/nuclei/values.yaml
index 4087c3d9e4..42cd68d169 100644
--- a/scanners/nuclei/values.yaml
+++ b/scanners/nuclei/values.yaml
@@ -81,6 +81,8 @@ nucleiTemplateCache:
 # every full hour: "0 */1 * * *""
 # -- The schedule indicates when and how often the nuclei template cache should be updated
 schedule: "0 */1 * * *"
+ failedJobsHistoryLimit: 10
+ successfulJobsHistoryLimit: 3
 cascadingRules:
 # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner
From 77dae5d8db68da763dedd8788c31cd17e9d9058c Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Tue, 9 Nov 2021 13:10:36 +0100
Subject: [PATCH 2/4] Add configurable concurency policy and set the default concurrencyPolicy
Signed-off-by: Jannik Hollenbach
---
 scanners/nuclei/templates/nuclei-update-cache-job.yaml | 1 +
 scanners/nuclei/values.yaml | 1 +
 2 files changed, 2 insertions(+)
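Review bot: The two lines added to nuclei-update-cache-job.yaml render `.Values.nucleiTemplateCache.failedJobsHistoryLimit` and `.Values.nucleiTemplateCache.successfulJobsHistoryLimit` without the `| default` fallback that the `schedule` line directly above them uses, and nothing records whether that asymmetry is deliberate. It is in fact the safer choice here: sprig's `default` treats `0` as unset, and `0` is a legitimate history limit (keep no finished jobs), so a `default 10` would silently override it, whereas an absent value should render as an empty field that the API server fills with its own default (worth confirming once with `helm template`). A short template comment would keep the next reader from "fixing" it, e.g. `{{- /* no default on purpose: 0 is a valid limit and sprig's default would replace it */ -}}`. The CronJob spec these lines belong to starts and ends outside the hunk.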
diff --git a/scanners/nuclei/templates/nuclei-update-cache-job.yaml b/scanners/nuclei/templates/nuclei-update-cache-job.yaml
index 4f4995d770..934b6cd9b6 100644
--- a/scanners/nuclei/templates/nuclei-update-cache-job.yaml
+++ b/scanners/nuclei/templates/nuclei-update-cache-job.yaml
@@ -16,6 +16,7 @@ spec:
 schedule: {{ .Values.nucleiTemplateCache.schedule | default "0 8 * * *" }}
 failedJobsHistoryLimit: {{ .Values.nucleiTemplateCache.failedJobsHistoryLimit }}
 successfulJobsHistoryLimit: {{ .Values.nucleiTemplateCache.successfulJobsHistoryLimit }}
+ concurrencyPolicy: {{ .Values.nucleiTemplateCache.concurrencyPolicy }}
 jobTemplate:
 spec:
 template:
diff --git a/scanners/nuclei/values.yaml b/scanners/nuclei/values.yaml
index 42cd68d169..20e7914b07 100644
--- a/scanners/nuclei/values.yaml
+++ b/scanners/nuclei/values.yaml
@@ -83,6 +83,7 @@ nucleiTemplateCache:
 schedule: "0 */1 * * *"
 failedJobsHistoryLimit: 10
 successfulJobsHistoryLimit: 3
+ concurrencyPolicy: "Replace"
 cascadingRules:
 # cascadingRules.enabled -- Enables or disables the installation of the default cascading rules for this scanner
From cd56ae46947a096773cfbca76f6884f2321564fd Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 10 Nov 2021 11:12:44 +0100
Subject: [PATCH 3/4] Add proper docs to added values
Signed-off-by: Jannik Hollenbach
---
 scanners/nuclei/README.md | 3 +++
 scanners/nuclei/values.yaml | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/scanners/nuclei/README.md b/scanners/nuclei/README.md
index 9986f57b81..118b3ecc8d 100644
--- a/scanners/nuclei/README.md
+++ b/scanners/nuclei/README.md
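Review bot: `concurrencyPolicy: {{ .Values.nucleiTemplateCache.concurrencyPolicy }}` emits the string unquoted and without the `| default` fallback the `schedule` line above it has, so an override that blanks the key yields an empty field and any value other than `Allow`, `Forbid` or `Replace` is only rejected at apply time; `concurrencyPolicy: {{ .Values.nucleiTemplateCache.concurrencyPolicy | default "Replace" | quote }}` keeps the two lines consistent. On the default itself, `Replace` terminates a still-running update when the next hourly tick fires, and if that update writes into the shared cache volume in place (not visible in this diff) a killed run could leave a partially refreshed template set for the scans that mount it; `Forbid` is the conservative policy for a cache refresher, and the values.yaml hunk should state why `Replace` was chosen. The CronJob spec continues outside the hunk.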
@@ -161,8 +161,11 @@ Kubernetes: `>=v1.11.0-0`
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | cascadingRules.enabled | bool | `true` | Enables or disables the installation of the default cascading rules for this scanner |
+| nucleiTemplateCache.concurrencyPolicy | string | `"Replace"` | Determines how kubernetes handles cases where multiple instances of the cronjob would work if they are running at the same time. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#concurrency-policy |
 | nucleiTemplateCache.enabled | bool | `true` | Enables or disables the use of an persistent volume to cache the always downloaded nuclei-templates for all scans. |
+| nucleiTemplateCache.failedJobsHistoryLimit | int | `10` | Determines how many failed jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits |
 | nucleiTemplateCache.schedule | string | `"0 */1 * * *"` | |
+| nucleiTemplateCache.successfulJobsHistoryLimit | int | `3` | Determines how many successful jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits |
 | parser.env | list | `[]` | Optional environment variables mapped into each parseJob (see: https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) |
 | parser.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | parser.image.repository | string | `"docker.io/securecodebox/parser-nuclei"` | Parser image repository |
diff --git a/scanners/nuclei/values.yaml b/scanners/nuclei/values.yaml
index 20e7914b07..774e39a1d4 100644
--- a/scanners/nuclei/values.yaml
+++ b/scanners/nuclei/values.yaml
@@ -81,8 +81,11 @@ nucleiTemplateCache:
 # every full hour: "0 */1 * * *""
 # -- The schedule indicates when and how often the nuclei template cache should be updated
 schedule: "0 */1 * * *"
- failedJobsHistoryLimit: 10
+ # -- Determines how many successful jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits
 successfulJobsHistoryLimit: 3
+ # -- Determines how many failed jobs are kept until kubernetes cleans them up. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#jobs-history-limits
+ failedJobsHistoryLimit: 10
+ # -- Determines how kubernetes handles cases where multiple instances of the cronjob would work if they are running at the same time. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#concurrency-policy
 concurrencyPolicy: "Replace"
 cascadingRules:
From 6f3a1224bd2124e2d1409d56fcbfd340db21c527 Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 10 Nov 2021 13:00:09 +0100
Subject: [PATCH 4/4] =?UTF-8?q?Change=20back=20runAsNonRoot=20to=20false?= =?UTF-8?q?=20and=20disable=20readOnly=20FS=20=F0=9F=98=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Nuclei image IS running as root and needs to write to the /tmp folder...
Signed-off-by: Jannik Hollenbach
---
 scanners/nuclei/README.md | 6 +++---
 scanners/nuclei/values.yaml | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scanners/nuclei/README.md b/scanners/nuclei/README.md
index 118b3ecc8d..7c57180a1e 100644
--- a/scanners/nuclei/README.md
+++ b/scanners/nuclei/README.md
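Review bot: The comment added above `concurrencyPolicy` reads awkwardly (`cases where multiple instances of the cronjob would work if they are running at the same time`) and does not tell the reader which values are accepted, which is what someone editing a values file needs most. Suggested wording: `# -- Determines how kubernetes handles a new run of the cronjob that would start while the previous run is still running. One of Allow, Forbid or Replace. See: https://kubernetes.io/docs/tasks/job/automated-tasks-with-cron-jobs/#concurrency-policy`. The two history-limit comments are clear as written; `kubernetes` and `cronjob` could be capitalised as in the linked docs for consistency. helm-docs copies these `# --` comments into the README table touched in the previous hunk, so the README wording follows from whatever is settled here.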
@@ -182,12 +182,12 @@ Kubernetes: `>=v1.11.0-0`
 | scanner.image.tag | string | `nil` | defaults to the charts appVersion |
 | scanner.nameAppend | string | `nil` | append a string to the default scantype name. |
 | scanner.resources | object | `{}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
-| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
+| scanner.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"privileged":false,"readOnlyRootFilesystem":false,"runAsNonRoot":false}` | Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) |
 | scanner.securityContext.allowPrivilegeEscalation | bool | `false` | Ensure that users privileges cannot be escalated |
 | scanner.securityContext.capabilities.drop[0] | string | `"all"` | This drops all linux privileges from the container. |
 | scanner.securityContext.privileged | bool | `false` | Ensures that the scanner container is not run in privileged mode |
-| scanner.securityContext.readOnlyRootFilesystem | bool | `true` | Prevents write access to the containers file system |
-| scanner.securityContext.runAsNonRoot | bool | `true` | Enforces that the scanner image is run as a non root user |
+| scanner.securityContext.readOnlyRootFilesystem | bool | `false` | Prevents write access to the containers file system |
+| scanner.securityContext.runAsNonRoot | bool | `false` | Enforces that the scanner image is run as a non root user |
 | scanner.ttlSecondsAfterFinished | string | `nil` | seconds after which the kubernetes job for the scanner will be deleted. Requires the Kubernetes TTLAfterFinished controller: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ |
 ## License
diff --git a/scanners/nuclei/values.yaml b/scanners/nuclei/values.yaml
index 774e39a1d4..d6fac86b14 100644
--- a/scanners/nuclei/values.yaml
+++ b/scanners/nuclei/values.yaml
@@ -62,9 +62,9 @@ scanner:
 # scanner.securityContext -- Optional securityContext set on scanner container (see: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)
 securityContext:
 # scanner.securityContext.runAsNonRoot -- Enforces that the scanner image is run as a non root user
- runAsNonRoot: true
+ runAsNonRoot: false
 # scanner.securityContext.readOnlyRootFilesystem -- Prevents write access to the containers file system
- readOnlyRootFilesystem: true
+ readOnlyRootFilesystem: false
 # scanner.securityContext.allowPrivilegeEscalation -- Ensure that users privileges cannot be escalated
 allowPrivilegeEscalation: false
 # scanner.securityContext.privileged -- Ensures that the scanner container is not run in privileged mode
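Review bot: The comments above the two flipped values.yaml lines still read `Enforces that the scanner image is run as a non root user` and `Prevents write access to the containers file system`, but with `false` as the new default neither is enforced any more, and helm-docs carries the same stale wording into the README rows changed in the hunk above. The commit message explains that the nuclei image runs as root and writes to /tmp; that accounts for `runAsNonRoot: false`, but `readOnlyRootFilesystem: true` could be kept by mounting an emptyDir volume at /tmp in the scan job's pod template (outside this diff), which retains the read-only root for every other path and is the usual way to handle a scratch directory. If the relaxed defaults stay, the comments should say why and how to re-tighten, e.g. `# scanner.securityContext.runAsNonRoot -- Set to true to enforce a non-root user. Defaults to false because the nuclei image runs as root.` and `# scanner.securityContext.readOnlyRootFilesystem -- Set to true to block writes to the container filesystem. Defaults to false because nuclei needs to write to /tmp.`. The `securityContext` mapping continues past the end of the hunk.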