From 9057a6ae3f2d7e45bf35f8486bd68d80f9770bf4 Mon Sep 17 00:00:00 2001 
From: Andy Mills <61879371+CloudBeard@users.noreply.github.com> Date: Thu, 17 Oct 2024 10:15:21 -0400 Subject: [PATCH] fix: decompose istio oscal (#826) ## Description Splits the validations out from the OSCAL Component-Definition. `lula validate` can work remotely to validate the validations. Updated the OSCAL Assessment-Result as the baseline has changed from High to Moderate. Updated the Istio catalog source url to a tagged version (recent GSA release) This pattern allows for easier maintenance and development of the validations by not reading through 1000s of lines of OSCAL and OSCAL formatting just to make a small update. All of the validations under the ./compliance/validations directory are a pull from the compliance-artifacts repo where OSCAL and Validations development happen. ## Related Issue Relates to https://github.com/defenseunicorns/uds-core/issues/797 ## Type of change - [ ] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [x] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed --- compliance/oscal-assessment-results.yaml | 2085 +- .../all-namespaces-istio-injected/README.md | 9 + .../resources.json | 537 + .../all-namespaces-istio-injected/tests.yaml | 10 + .../validation.yaml | 55 + .../istio/all-pods-istio-injected/README.md | 9 + .../all-pods-istio-injected/resources.json | 24014 +++++++++++++++ .../istio/all-pods-istio-injected/tests.yaml | 25 + .../all-pods-istio-injected/validation.yaml | 66 + .../README.md | 9 + .../resources.json | 41 + .../tests.yaml | 20 + .../validation.yaml | 47 + .../authorized-keycloak-access/README.md | 9 + .../authorized-keycloak-access/resources.json | 132 + .../authorized-keycloak-access/tests.yaml | 15 + .../validation.yaml | 72 + 
.../istio/authorized-traffic-egress/README.md | 9 + .../authorized-traffic-egress/validation.yaml | 14 + .../README.md | 9 + .../resources.json | 546 + .../tests.yaml | 20 + .../validation.yaml | 74 + .../check-istio-logging-all-traffic/README.md | 9 + .../resources.json | 28 + .../tests.yaml | 15 + .../validation.yaml | 46 + .../README.md | 9 + .../validation.yaml | 17 + .../README.md | 9 + .../validation.yaml | 14 + .../istio/enforce-mtls-strict/README.md | 9 + .../istio/enforce-mtls-strict/resources.json | 225 + .../istio/enforce-mtls-strict/tests.yaml | 10 + .../istio/enforce-mtls-strict/validation.yaml | 49 + .../istio/external-traffic-managed/README.md | 9 + .../external-traffic-managed/validation.yaml | 18 + .../istio/fips-evaluation/README.md | 9 + .../istio/fips-evaluation/validation.yaml | 14 + .../gateway-configuration-check/README.md | 9 + .../resources.json | 220 + .../gateway-configuration-check/tests.yaml | 15 + .../validation.yaml | 63 + .../validations/istio/healthcheck/README.md | 9 + .../istio/healthcheck/resources.json | 407 + .../validations/istio/healthcheck/tests.yaml | 15 + .../istio/healthcheck/validation.yaml | 62 + .../istio/ingress-traffic-encrypted/README.md | 9 + .../ingress-traffic-encrypted/resources.json | 220 + .../ingress-traffic-encrypted/tests.yaml | 15 + .../ingress-traffic-encrypted/validation.yaml | 74 + .../metrics-logging-configured/README.md | 9 + .../metrics-logging-configured/resources.json | 28 + .../metrics-logging-configured/tests.yaml | 15 + .../validation.yaml | 44 + .../README.md | 9 + .../resources.json | 25428 ++++++++++++++++ .../tests.yaml | 10 + .../validation.yaml | 60 + .../istio/rbac-enforcement-check/README.md | 9 + .../rbac-enforcement-check/resources.json | 177 + .../istio/rbac-enforcement-check/tests.yaml | 10 + .../rbac-enforcement-check/validation.yaml | 42 + .../rbac-for-approved-personnel/README.md | 9 + .../validation.yaml | 14 + .../README.md | 9 + .../resources.json | 212 + .../tests.yaml | 25 + 
.../validation.yaml | 86 + .../README.md | 9 + .../resources.json | 4751 +++ .../tests.yaml | 25 + .../validation.yaml | 67 + .../istio/tls-origination-at-egress/README.md | 9 + .../tls-origination-at-egress/validation.yaml | 17 + .../istio/tracing-logging-support/README.md | 9 + .../tracing-logging-support/resources.json | 23 + .../istio/tracing-logging-support/tests.yaml | 10 + .../tracing-logging-support/validation.yaml | 45 + src/istio/oscal-component.yaml | 1482 +- 80 files changed, 59051 insertions(+), 3027 deletions(-) create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/README.md create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/resources.json create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/tests.yaml create mode 100644 compliance/validations/istio/all-namespaces-istio-injected/validation.yaml create mode 100644 compliance/validations/istio/all-pods-istio-injected/README.md create mode 100644 compliance/validations/istio/all-pods-istio-injected/resources.json create mode 100644 compliance/validations/istio/all-pods-istio-injected/tests.yaml create mode 100644 compliance/validations/istio/all-pods-istio-injected/validation.yaml create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml create mode 100644 compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml create mode 100644 compliance/validations/istio/authorized-keycloak-access/README.md create mode 100644 compliance/validations/istio/authorized-keycloak-access/resources.json create mode 100644 compliance/validations/istio/authorized-keycloak-access/tests.yaml create mode 100644 
compliance/validations/istio/authorized-keycloak-access/validation.yaml create mode 100644 compliance/validations/istio/authorized-traffic-egress/README.md create mode 100644 compliance/validations/istio/authorized-traffic-egress/validation.yaml create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml create mode 100644 compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/README.md create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/resources.json create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml create mode 100644 compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml create mode 100644 compliance/validations/istio/communications-terminated-after-inactivity/README.md create mode 100644 compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml create mode 100644 compliance/validations/istio/egress-gateway-exists-and-configured/README.md create mode 100644 compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml create mode 100644 compliance/validations/istio/enforce-mtls-strict/README.md create mode 100644 compliance/validations/istio/enforce-mtls-strict/resources.json create mode 100644 compliance/validations/istio/enforce-mtls-strict/tests.yaml create mode 100644 compliance/validations/istio/enforce-mtls-strict/validation.yaml create mode 100644 compliance/validations/istio/external-traffic-managed/README.md create mode 100644 compliance/validations/istio/external-traffic-managed/validation.yaml create mode 100644 compliance/validations/istio/fips-evaluation/README.md create mode 100644 
compliance/validations/istio/fips-evaluation/validation.yaml create mode 100644 compliance/validations/istio/gateway-configuration-check/README.md create mode 100644 compliance/validations/istio/gateway-configuration-check/resources.json create mode 100644 compliance/validations/istio/gateway-configuration-check/tests.yaml create mode 100644 compliance/validations/istio/gateway-configuration-check/validation.yaml create mode 100644 compliance/validations/istio/healthcheck/README.md create mode 100644 compliance/validations/istio/healthcheck/resources.json create mode 100644 compliance/validations/istio/healthcheck/tests.yaml create mode 100644 compliance/validations/istio/healthcheck/validation.yaml create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/README.md create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/resources.json create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/tests.yaml create mode 100644 compliance/validations/istio/ingress-traffic-encrypted/validation.yaml create mode 100644 compliance/validations/istio/metrics-logging-configured/README.md create mode 100644 compliance/validations/istio/metrics-logging-configured/resources.json create mode 100644 compliance/validations/istio/metrics-logging-configured/tests.yaml create mode 100644 compliance/validations/istio/metrics-logging-configured/validation.yaml create mode 100644 compliance/validations/istio/prometheus-annotations-validation/README.md create mode 100644 compliance/validations/istio/prometheus-annotations-validation/resources.json create mode 100644 compliance/validations/istio/prometheus-annotations-validation/tests.yaml create mode 100644 compliance/validations/istio/prometheus-annotations-validation/validation.yaml create mode 100644 compliance/validations/istio/rbac-enforcement-check/README.md create mode 100644 compliance/validations/istio/rbac-enforcement-check/resources.json create mode 100644 
compliance/validations/istio/rbac-enforcement-check/tests.yaml create mode 100644 compliance/validations/istio/rbac-enforcement-check/validation.yaml create mode 100644 compliance/validations/istio/rbac-for-approved-personnel/README.md create mode 100644 compliance/validations/istio/rbac-for-approved-personnel/validation.yaml create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml create mode 100644 compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml create mode 100644 compliance/validations/istio/secure-communication-with-istiod/README.md create mode 100644 compliance/validations/istio/secure-communication-with-istiod/resources.json create mode 100644 compliance/validations/istio/secure-communication-with-istiod/tests.yaml create mode 100644 compliance/validations/istio/secure-communication-with-istiod/validation.yaml create mode 100644 compliance/validations/istio/tls-origination-at-egress/README.md create mode 100644 compliance/validations/istio/tls-origination-at-egress/validation.yaml create mode 100644 compliance/validations/istio/tracing-logging-support/README.md create mode 100644 compliance/validations/istio/tracing-logging-support/resources.json create mode 100644 compliance/validations/istio/tracing-logging-support/tests.yaml create mode 100644 compliance/validations/istio/tracing-logging-support/validation.yaml
diff --git a/compliance/oscal-assessment-results.yaml b/compliance/oscal-assessment-results.yaml
index 7593fb5f2..55dc29871 100644
--- a/compliance/oscal-assessment-results.yaml
+++ b/compliance/oscal-assessment-results.yaml
@@ -1,33 +1,29 @@ -# Copyright 2024 Defense Unicorns -# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial - assessment-results: import-ap: href: "" metadata: - last-modified: 2024-08-06T02:58:07.217393214Z + last-modified: 2024-10-16T20:13:51.735141137Z oscal-version: 1.1.2 published: 2024-06-30T22:27:28.032093229Z remarks: Assessment Results generated from Lula title: '[System Name] Security Assessment Results (SAR)' version: 0.0.1 results: - - description: Assessment results for performing Validations with Lula version v0.4.5 + - description: Assessment results for performing Validations with Lula version v0.9.1 findings: - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c8c03abd-244d-4813-a966-3feece1bad6a - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41c51dc3-7db1-4717-b071-83e57897f478 + Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 9d69895a-0eed-4052-8102-ff9070d66851 target: status: state: satisfied target-id: ac-14 type: objective-id title: 'Validation Result - Control: ac-14' - uuid: 0bebe1ce-f13d-4bbc-ba5b-a0d92ad5b6fa + uuid: 6bcf8d54-c497-483a-8b02-257d3ad14a13 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 069521de-43bc-4dce-ac4e-4adc9a559c3f # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. 
Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." 
@@ -38,7 +34,7 @@ assessment-results: target-id: ac-2 type: objective-id title: 'Validation Result - Control: ac-2' - uuid: 57fb27fd-82c5-43d3-8813-7fcc2ceab0ca + uuid: 94067e2e-ca10-4798-8077-c4128c8ad4f2 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bf59763a-0c22-4046-ab00-1d2b47dad8df # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms].
@@ -49,7 +45,7 @@ assessment-results: target-id: ac-2.1 type: objective-id title: 'Validation Result - Control: ac-2.1' - uuid: d263ec5d-4ee8-43b2-9705-b0afa44758b5 + uuid: 4c4f8dc5-9be1-44fe-a04b-e369943af6c0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 051af8b7-75aa-4c26-9132-0cb46d5965aa # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
@@ -60,55 +56,37 @@ assessment-results: target-id: ac-3 type: objective-id title: 'Validation Result - Control: ac-3' - uuid: 10d347a7-e12a-4b05-85e2-77ed4f542fdd + uuid: bd6ddf39-0886-4922-b9d5-8ee80f03fcf4 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 210f730b-7fed-42dd-99b4-42466951b080 + Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 target: status: state: satisfied target-id: ac-4 type: objective-id title: 'Validation Result - Control: ac-4' - uuid: 1e16362c-0987-4314-bc1f-a1696344df0e + uuid: 66a85471-6739-4958-ac74-007040a6df48 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6e32feb5-ce43-465f-9422-e3ef3276bf5d - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee9e5fae-1c95-46c7-9265-dc0035e2bb05 + Istio is configured to use ingress and egress gateways to provide logical flow separation. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 2c61853a-96af-4195-8dc9-f3313f6035f1 + - observation-uuid: 20f98c91-2308-4356-837b-c253353d7479 + - observation-uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d target: status: state: not-satisfied target-id: ac-4.21 type: objective-id title: 'Validation Result - Control: ac-4.21' - uuid: 00f7dff8-8e83-414b-ab38-6a580e4c9de2 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - target: - status: - state: satisfied - target-id: ac-4.4 - type: objective-id - title: 'Validation Result - Control: ac-4.4' - uuid: 5d800b2f-1f1e-4b3c-b3ac-7d808f8a175d + uuid: eadbe4cd-7f8b-4ff3-bfd9-beaac5eae67f - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 386fb410-27e5-413d-8e6d-607afa86bb72 # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." 
@@ -119,7 +97,7 @@ assessment-results: target-id: ac-5 type: objective-id title: 'Validation Result - Control: ac-5' - uuid: 688258f8-7f62-4592-858f-08b7c0c3ecc1 + uuid: 5d48147b-ff9e-4752-b015-3588cec166a6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 60ad5f60-3852-49a1-961b-b6454edb8319 # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
@@ -133,7 +111,7 @@ assessment-results: target-id: ac-6 type: objective-id title: 'Validation Result - Control: ac-6' - uuid: 390a213d-c344-4f93-8605-3f6552f594c3 + uuid: c24dc3af-b777-4d89-9569-cd57de7981dc - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f1b66def-f822-4859-a448-5d5f77cd6f75 # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]."
@@ -147,38 +125,32 @@ assessment-results: target-id: ac-6.1 type: objective-id title: 'Validation Result - Control: ac-6.1' - uuid: bbc392e9-030f-45e4-a400-36e3866d22f4 + uuid: 0016a2a5-efcf-493f-a816-e1fd880c6e41 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919 - # Control Description Prevent non-privileged users from executing privileged functions. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d0ffa50d-d91f-4dc3-8827-24e0f84b49d2 # Control Description Prevent non-privileged users from executing privileged functions. # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e196edcd-fd88-42c2-9a99-0e67e2ba8919 + # Control Description Prevent non-privileged users from executing privileged functions. + # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. target: status: state: not-satisfied target-id: ac-6.10 type: objective-id title: 'Validation Result - Control: ac-6.10' - uuid: 7a22b227-29de-4ab5-a813-0faa2f816709 + uuid: f03df0d2-9c46-420d-9eb0-925367a8e9ce - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0b3faf98-8a76-4b49-8e4b-c785cf26cfbe # Control Description Authorize network access to [Assignment: all privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. 
# Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0081f95a-3233-4e07-a6cd-95cb1905c318 - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 target: status: state: not-satisfied target-id: ac-6.3 type: objective-id title: 'Validation Result - Control: ac-6.3' - uuid: 18fe653e-eb66-4686-8f2d-6952aac69c6c + uuid: 5f634c21-9332-4242-ae7d-d315cbc8e6fe - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 954ba9c8-452c-4503-a43f-c880a01b828d # Control Description 
@@ -186,35 +158,34 @@ assessment-results: Auditing the use of privileged functions is one way to detect such misuse, and in doing so, help mitigate the risk from insider threats and the advanced persistent threat (APT). # Control Implementation - Promtail can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979 - # Control Implementation - Istio produces logs for all traffic in the information system. + Vector can be configured to collect all logs from Kubernetes and underlying operating systems, allowing the aggregation of privileged function calls. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c6d9abd2-0136-468a-908d-181d9bd51962 + Istio produces logs for all traffic in the information system. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 14db5706-570c-44a2-b430-29a8a8e2d249 # Control Description Log the execution of privileged functions. # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e36ba9d5-f12d-4524-a777-a041a0203bb6 # Control Description Log the execution of privileged functions. # Control Implementation Privileged events that modify the application are logged in the application itself. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 - # Control Description Log the execution of privileged functions. 
- # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 921ec1c7-923c-4a28-a4dd-b59c1d3d9998 # Control Description Log the execution of privileged functions. # Control Implementation NeuVector provides logging access related audit events. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4d1f5291-8f3f-429c-af2f-b05455ef30f0 + # Control Description Log the execution of privileged functions. + # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: 572f5829-517b-40d0-8b50-6d9bf9c54c77 target: status: state: not-satisfied target-id: ac-6.9 type: objective-id title: 'Validation Result - Control: ac-6.9' - uuid: 784d7def-b9de-495a-ba5d-93733e37a1eb + uuid: 1ee97cb7-b6d8-4319-b031-cd417e313f6f - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 20ecdb48-997e-4958-b74c-21f462049877 # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and 
organizational information retention requirements. 
@@ -225,39 +196,49 @@ assessment-results: target-id: au-11 type: objective-id title: 'Validation Result - Control: au-11' - uuid: 7e7c4d5e-13be-4768-bf2c-31ca172865a0 + uuid: e4a8f249-89f4-4af5-9928-ab6eabfecdc3 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8f645835-6538-4327-a7aa-453b398f5ef4 - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 87f99f34-6980-49e1-91cf-c0264fa3407c + Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 target: status: state: satisfied target-id: au-12 type: objective-id title: 'Validation Result - Control: au-12' - uuid: 0a4cbea2-493f-4bc2-b0bf-4f88af93e4af + uuid: 527b3d8a-ce49-483d-956e-5931140eeca6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 58766714-a477-42b9-bae4-856f14b58cea # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. # Control Implementation Provides time-series event compilation capabilities. 
- Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd - # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. - # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 41a6f729-7ab6-4ffe-8da1-cb60fd35dffd # Control Description Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 301093ed-d023-4bf8-a915-e624589acadd + # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. + # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. 
target: status: state: not-satisfied target-id: au-12.1 type: objective-id title: 'Validation Result - Control: au-12.1' - uuid: 0091b443-4532-4b36-99e2-ec9cb1573812 + uuid: 77724c00-0dc6-493c-aed8-c3797f01e94a - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc + # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. 
Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200 + # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." + # Control Implementation NeuVector provides logging access related audit events. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b3ed3dba-3164-4785-98db-ef22c96c7c62 + Istio logs all Istio event logs within the system's mesh network. 
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e + # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. + # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. 
Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2a25a5a4-4fbc-4fbc-88e3-2e34ddc3fb0e # Control Description An event is any observable occurrence in an organizational information system. 
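Review bot: The Istio entries added to the au-12 and au-2 descriptions (implemented requirements 87f99f34-6980-49e1-91cf-c0264fa3407c and b3ed3dba-3164-4785-98db-ef22c96c7c62) carry no `# Control Description` / `# Control Implementation` headings, while every neighbouring entry in the same block scalar does, so a reader can no longer tell where the implementation statement starts. The same shape appears in the next large hunk for the au-3 and au-3.1 descriptions (79dee0b0-5848-4b1e-826b-a2e4ec567b90 and b855fff0-5f57-4ea0-b9a7-52973e81784d). These descriptions appear to be rendered from the component definition rather than hand-edited, so the heading is presumably missing in the upstream Istio text; prefixing those statements with `# Control Implementation` there would keep the assessment result consistent. The au-12 entry also has no control-description line, but the removed 8f645835 entry lacked one too, so that part is not new.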
@@ -268,33 +249,21 @@ assessment-results: # Control Implementation Logging daemons are present on each node that BigBang is installed on. Out of the box, the following events are captured: - * all containers emitting to STDOUT or STDERR (captured by container runtime translating container logs to /var/log/containers). + * all containers emitting to STDOUT or STDERR (captured by container runtime creating containers logs under /var/log/pods). * all kubernetes api server requests. * all events emitted by the kubelet. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: fc829f66-2354-4546-8e5d-f1e5d0287200 - # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - # Control Implementation NeuVector provides logging access related audit events. 
- Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 88f300a6-aa21-41b4-919d-29ef3e4381bb - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7449f733-6809-4a0b-a6f9-7857f46a106e - # Control Description a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. 
Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 49775d12-e0ba-4aa6-85e7-5aedd00e8fbc - # Control Description "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]." - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. 
Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: 0e3f9f2a-c596-4688-8841-0f9d2845f0a2 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: a858d60b-5192-41de-bac4-a79479a91f64 target: status: state: not-satisfied target-id: au-2 type: objective-id title: 'Validation Result - Control: au-2' - uuid: 38b71df8-9beb-487d-afac-7d5df701bf0b + uuid: cb369876-9857-41d9-ab42-81d476d6f974 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 762604db-77ec-415f-8728-c296873ab48b # Control Description 
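Review bot: The rewritten bullet in the au-2 logging-daemon text reads `captured by container runtime creating containers logs under /var/log/pods`; "containers logs" should be "container logs", e.g. `* all containers emitting to STDOUT or STDERR (captured by the container runtime writing container logs under /var/log/pods).` The rest of this hunk only moves the fc829f66, 7449f733 and 49775d12 entries into the previous hunk and swaps observation uuids. The description block this bullet belongs to begins in the previous hunk.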
@@ -302,66 +271,62 @@ assessment-results: Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ + Logs are captured by vector from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes as well as Kubernetes audit logs. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 79dee0b0-5848-4b1e-826b-a2e4ec567b90 + Istio logs all Istio event logs within the system's mesh network. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e342a5af-b7d4-474b-9416-61e844083531 # Control Description "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event." # Control Implementation NeuVector provides logging access related audit events. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 52756a01-6f5c-49b1-8a6b-972b74a01da4 - # Control Implementation - Istio logs all Istio event logs within the system's mesh network. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 94477b5d-84b7-427c-88b3-71367c501528 - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: ca312bc9-b8cd-4a30-9b72-50ffee51e828 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 target: status: state: not-satisfied target-id: au-3 type: objective-id title: 'Validation Result - Control: au-3' - uuid: c5a260a3-6fea-42c9-bb28-209ff9e5f9e5 + uuid: e914d51b-58ff-4693-abd5-ea62add986d0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ee431ef9-3a99-42f4-b37c-6334660da2b2 # Control Description Generate audit records containing the following additional information: [Assignment: organizatiosession, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 16cc258e-d907-47bb-97d9-4e92677cf075 - # Control Implementation - Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. 
Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6700f065-8e51-4224-a5a0-8d3aff9d8d96 # Control Description Generate audit records containing the following additional information: [Assignment: session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]. # Control Implementation Grafana has pre-configured dashboards showing the audit records from Cluster Auditor saved in Prometheus. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b855fff0-5f57-4ea0-b9a7-52973e81784d + Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: a906a088-3147-44cb-8d7b-69058d1d8484 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 64a22438-eba3-4fcb-bfe8-68ed8bad61ba + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - observation-uuid: 6e9c7750-ccda-4f25-b8de-89e8e3e3d525 target: status: state: not-satisfied target-id: au-3.1 type: objective-id title: 'Validation Result - Control: au-3.1' - uuid: f7cd3c25-77ef-442c-ae8c-db0e6a4b8b2b + uuid: e645c9b0-2376-4d8c-9792-18a44c6dbdba - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 836408b9-1ae9-4c99-8510-6ee35a4d11e9 # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. # Control Implementation Loki uses scalable object storage. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: d5d13192-3cae-4a88-8e64-cab44219ab2e # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. # Control Implementation Prometheus is the log aggregator for audit logs since it is used to scrape/collect violations from ClusterAuditor. 
The storage capability can be configured in prometheus to use PVCs to ensure metrics have log retention compliance with the org-defined audit-log retention requirements. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7562092e-d076-49f9-8f03-9e5e7908752c + # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. + # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. target: status: state: not-satisfied target-id: au-4 type: objective-id title: 'Validation Result - Control: au-4' - uuid: c4884585-6343-4ada-b034-fb97065b7f23 + uuid: f80f5478-4554-4906-b6e6-599f0847cad8 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e2e6d28f-bdf6-462c-8301-bdfa102671ee # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. @@ -375,7 +340,7 @@ assessment-results: target-id: au-5.1 type: objective-id title: 'Validation Result - Control: au-5.1' - uuid: c76a2661-2016-4bef-8bce-1194bb70b556 + uuid: 96eb22a4-5e88-431e-9bbf-2285afdecaa1 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bea82b61-fbb6-486b-a8fa-50053715b904 # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. 
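Review bot: The new au-3 implementation text, `Logs are captured by vector from the node. … as well as Kubernetes audit logs.`, replaces lines that named a concrete checkable property (promtail's `config.logFormat` set to `logfmt` in the mounted promtail.yaml) with a statement that names none, so the description no longer tells a reader what the related observations check about the vector configuration or about Kubernetes audit-log collection, and au-3 stays `not-satisfied`. If a validation does inspect the vector config or the audit-log source, a sentence such as `Validation checks that the vector configuration includes a source for node container logs and for the Kubernetes audit log.` would restore that link; the observation uuids are defined outside this chunk, so I cannot confirm what they verify. The description text is presumably rendered from the component definition, so the wording change belongs there rather than in this generated file.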
@@ -389,7 +354,7 @@ assessment-results: target-id: au-5.2 type: objective-id title: 'Validation Result - Control: au-5.2' - uuid: 92f112fd-db07-4d92-b7f8-95036f30b390 + uuid: 1b355cc0-7a5a-44a1-ae85-cf9079faf888 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 25477ca3-4607-449e-9d33-a2a67ede0019 # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." 
@@ -400,14 +365,14 @@ assessment-results: target-id: au-6 type: objective-id title: 'Validation Result - Control: au-6' - uuid: 103803bd-85a1-4ead-992c-e9cf6477b41f + uuid: 4114b048-0ef8-4863-9d2c-15ce9585badc - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f8f6178-4c57-4592-8c1c-df79507b21cd # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 29fdcbbd-02cc-4db1-a24e-5a146cccc254 + # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. + # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 042fae4b-2779-4cfb-b68d-6f2dcbaa10ad # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. # Control Implementation Cluster Auditor Events/Alerts could be exported from Prometheus to an external system. Integration for specific tooling would need to be completed by end user. 
Metrics data can be displayed through a Grafana dashboard for visualization. @@ -417,12 +382,12 @@ assessment-results: target-id: au-6.1 type: objective-id title: 'Validation Result - Control: au-6.1' - uuid: e9063577-4ee5-48a0-84fb-c052b3d24598 + uuid: 8c4e94bb-1143-4980-8531-c29eb700c13e - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 35897d1f-3fcd-4a79-b235-f75e2bbd398a + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c79cf2fa-2081-4034-831f-2c8016a275da # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. target: 
@@ -431,35 +396,35 @@ assessment-results: target-id: au-6.3 type: objective-id title: 'Validation Result - Control: au-6.3' - uuid: 1dfdcc6b-92dd-4320-acb1-5efffd9b2bf1 + uuid: 580039a0-f7e7-4279-96cd-d7acb79f3bcf - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b - # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. - # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 6b0cd4b8-ab38-4012-b637-de2ca4bf5497 # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. 
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80de1b87-8288-49ac-8a6b-fc71509df64b + # Control Description Integrate analysis of audit records with analysis of Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. + # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. Metrics data can be displayed through a Grafana dashboard for visualization. target: status: state: not-satisfied target-id: au-6.5 type: objective-id title: 'Validation Result - Control: au-6.5' - uuid: 1b5550c6-1891-4f76-8220-3919707110e7 + uuid: 62521aad-6089-45a5-991c-af39844fe2e6 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37 - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f6d4527a-d4b6-4141-9272-c2c211b1709f # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. 
# Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b8c17326-8821-4536-8409-64d571540e37 + # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. + # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. Metrics data can be displayed through a Grafana dashboard for visualization. target: status: state: not-satisfied target-id: au-6.6 type: objective-id title: 'Validation Result - Control: au-6.6' - uuid: 684c4386-ef88-4c58-811e-165172e6a29b + uuid: 05e4c2aa-5b83-415d-a529-c421db846827 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8abbc53e-0ec4-49c6-8ef1-a1c237695f96 # Control Description Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records. @@ -473,7 +438,7 @@ assessment-results: target-id: au-7 type: objective-id title: 'Validation Result - Control: au-7' - uuid: a274a97a-1c55-4a1b-9dac-f1849260ad16 + uuid: 22bb2862-f635-4d98-9d47-30d21d6fe72d - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 56d09aae-ab73-49d8-b2a4-1e81db2878eb # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. 
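Review bot: The au-6.5 control description for implemented requirement 80de1b87-8288-49ac-8a6b-fc71509df64b is moved rather than rewritten, but the moved line still has an unbalanced bracket: `analysis of Selection (one or more): … collected from other sources]]` closes two brackets while opening none, whereas the sibling 6b0cd4b8 entry reads `analysis of [Selection (one or more): …]]`. Restoring the opening bracket, `# Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.`, makes the two entries read the same way. As this text appears to be rendered from the component definition, the correction presumably belongs there rather than in the assessment result.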
@@ -487,7 +452,7 @@ assessment-results: target-id: au-7.1 type: objective-id title: 'Validation Result - Control: au-7.1' - uuid: 89a7b3d0-954f-41d5-9230-56a774204c25 + uuid: d002dab9-22bf-471c-af83-98e5c21b567b - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9ad7ddfb-4701-4c34-88f7-9d85abb13d60 # Control Description 
@@ -502,75 +467,73 @@ assessment-results: * time of the event (UTC). * source of event (pod, namespace, container id). Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 - # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. - # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 689aa5d6-2b4b-40ca-a49f-51df0e220ec5 # Control Description "a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp." # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. 
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9be1e683-93e1-4769-aa7d-951e2c8f8627 + # Control Description a. Use internal system clocks to generate time stamps for audit records; and b. Record time stamps for audit records that meet [Assignment: one second granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp. + # Control Implementation Prometheus stores all data as time-series data, so the timestamps of when those violations were present is part of the data-stream. Metrics data can be displayed through a Grafana dashboard for visualization. related-observations: - - observation-uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - observation-uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 + - observation-uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - observation-uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 target: status: state: not-satisfied target-id: au-8 type: objective-id title: 'Validation Result - Control: au-8' - uuid: 184f3950-22d1-4a6e-a1ad-1d915468f28b + uuid: 09180600-c757-434e-93c5-028bdce2a2be - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. 
+ # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f800923b-6367-4468-9f42-1afae4b6d38d # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: bfd070e8-d053-4e48-925a-baf9bcbd9335 + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 21879fc4-927e-4ad4-a049-c96cb581e260 # Control Description "a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information." - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. 
+ # Control Implementation Access to metrics can be restricted to org-defined personnel behind a private endpoint and not given to mission owners. target: status: state: not-satisfied target-id: au-9 type: objective-id title: 'Validation Result - Control: au-9' - uuid: 2de6aeb1-66fd-4131-9c75-f376fb7544f6 + uuid: eef40459-0315-41a1-aaae-333cf89990d0 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c4bf1e8-b873-4c43-a912-5f443fc0208f # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 - # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. - # Control Implementation Supports any object storage. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 27f26f6a-706e-4514-97c0-45390d6fdf6a # Control Description Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. 
# Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current UDS Coreg configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b89edef2-5668-407b-b3d5-86ca68862536 + # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. + # Control Implementation Supports any object storage. target: status: state: not-satisfied target-id: au-9.2 type: objective-id title: 'Validation Result - Control: au-9.2' - uuid: e0f75fca-cfe3-43ca-b8ec-c5eb44bde47d + uuid: 3f0dbc02-5d1e-48b9-bcdb-c8d569102724 - description: | + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 + # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. + # Control Implementation Enterprise version (Loki) implements RBAC. Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3c5ff037-ea46-4e41-b601-a9b223da30a8 # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. 
Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0fee5118-57c8-4617-97a1-76189bc69ea3 # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3292e9a-1c10-45cd-9178-aeecbaec0283 - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Enterprise version (Loki) implements RBAC. target: status: state: not-satisfied target-id: au-9.4 type: objective-id title: 'Validation Result - Control: au-9.4' - uuid: 7cedc012-a643-4097-a647-032c3be3d0ca + uuid: 49e846cc-e1e4-4770-b352-1a674ab7f6ef - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 973c9f19-8c96-4c84-925a-b69f28625962 # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. @@ -581,7 +544,7 @@ assessment-results: target-id: au7.1 type: objective-id title: 'Validation Result - Control: au7.1' - uuid: 4229dc83-0a33-4139-9e62-5d4da8dfc2ba + uuid: 599569ed-dfd0-4f91-b6c3-bd42dd759758 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9de67d41-1c18-4ebd-af55-cac2573aa77e # Control Description 
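Review bot: The au-8 entry on the new side no longer carries the removed `Validating logfmt as the config.logFormat would be the goal...` sentence and its Loki/promtail stages link, and nothing on the `+` side states what the au-8 finding now expects of the log pipeline beyond the event-time and event-source bullets. If the assessment-results file is regenerated from the component definition, as the surrounding `Control Implementation: ... / Implemented Requirement: ...` lines suggest, the dropped text was presumably removed upstream; it is worth confirming that removal was intended rather than lost in the decomposition, since the validation target for the timestamp/format requirement is otherwise undocumented here. The hunk also reorders the 9be1e683 and 689aa5d6 requirement descriptions without changing their content, which reads as intended.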
@@ -595,7 +558,7 @@ assessment-results: target-id: ca-2.2 type: objective-id title: 'Validation Result - Control: ca-2.2' - uuid: eda5cf2e-02ce-4b87-90d8-a321fe49860a + uuid: 76c192e1-0da1-48e9-bed4-26fd5ed64513 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2d771492-b5c8-4475-b258-0038287f29e6 # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." 
@@ -606,22 +569,21 @@ assessment-results: target-id: ca-7 type: objective-id title: 'Validation Result - Control: ca-7' - uuid: fbc504e4-0441-4dc9-bdb0-f5ef99155ea1 + uuid: 3669e122-aa7f-4a62-9173-f5b750a091c7 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 32e53a18-4b64-4a24-935c-11cbac2c62be - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80a456cf-c642-4b02-a0fb-18b416e90481 + Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 - - observation-uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: cf774c2c-17dc-48d2-ba4c-2ae6547ea8e0 + - observation-uuid: 1fc0d5bd-18e9-4244-a1a0-3c618aca8652 target: status: state: not-satisfied target-id: cm-5 type: objective-id title: 'Validation Result - Control: cm-5' - uuid: 0dc01260-0c79-4716-9766-f5fdf674042f + uuid: e3b8cf43-f476-44be-9f67-6b055afb67de - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2fb488b2-f7f7-4db9-8fc8-3de7f3a9daba # Control Description "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." @@ -632,7 +594,7 @@ assessment-results: target-id: cm-6 type: objective-id title: 'Validation Result - Control: cm-6' - uuid: b2dca976-e07d-486e-893e-d87f7c91cfda + uuid: 89a6efb7-47b8-491a-a510-9679175322df - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a9d92277-809d-440f-82c9-35c820ba00b8 # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." 
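Review bot: The regenerated cm-5 description drops the `# Control Implementation` heading before the Istio RBAC sentence, so this entry no longer follows the `# Control Description` / `# Control Implementation` layout used by the neighbouring au-9 and cm-6 entries in the same file; the same un-headed form appears in the sc-10 and sc-13 entries later in the diff. This is presumably inherited from the Istio component-definition text in compliance-artifacts rather than hand-written here, so the fix belongs in that source: prefix the Istio implementation statements with `# Control Implementation` (and a `# Control Description` block where the other components carry one) so generated results stay uniform. The enclosing `findings` list starts and ends outside this hunk.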
@@ -643,7 +605,7 @@ assessment-results: target-id: cm-7 type: objective-id title: 'Validation Result - Control: cm-7' - uuid: bba8e8dc-df3c-4664-9f4d-b69673496e72 + uuid: 7ad3be3a-696f-4fe8-a06a-d20ca88b0815 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 26B3D98B-0C9D-434B-8DE5-06CBBC46A38C Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. @@ -653,7 +615,7 @@ assessment-results: target-id: cp-10 type: objective-id title: 'Validation Result - Control: cp-10' - uuid: 434837ff-2f2a-4bff-afcd-6f0ace60f6f5 + uuid: 833dd12f-c1a1-4790-b161-df244240fd59 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 3EA444B7-61ED-43DD-8B3D-24B55F286E59 Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. @@ -663,7 +625,7 @@ assessment-results: target-id: cp-10.4 type: objective-id title: 'Validation Result - Control: cp-10.4' - uuid: e8178dd1-2e6b-43ce-b65c-6c3df60b264d + uuid: 8820d975-0a13-4068-a158-379efbdbd50e - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2ADA7512-E0D5-4CAE-81BC-C889C640AF93 Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. 
@@ -673,7 +635,7 @@ assessment-results: target-id: cp-6 type: objective-id title: 'Validation Result - Control: cp-6' - uuid: cbbbd670-3e39-4625-82fb-45d762a6ea87 + uuid: 9b8d3f8d-acc6-490e-8571-6e716d8b1a8e - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 6C3339A0-9636-4E35-8FA8-731CF900B326 Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. @@ -683,7 +645,7 @@ assessment-results: target-id: cp-6.1 type: objective-id title: 'Validation Result - Control: cp-6.1' - uuid: baa8e2e7-054d-4c78-a5aa-0ec1f7573f35 + uuid: 463f79ec-a0d5-4372-b093-ffc9707d4b61 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 2799CCBF-C48D-4451-85BA-EBD9B949C361 Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. @@ -693,7 +655,7 @@ assessment-results: target-id: cp-6.2 type: objective-id title: 'Validation Result - Control: cp-6.2' - uuid: c7c56dc6-9189-48e6-8153-541f8e7f129e + uuid: 7a97b30a-2246-4a2d-a069-d9a4c5518413 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 0AE59B43-50A7-4420-881B-E0635CCB8424 Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. 
@@ -703,7 +665,7 @@ assessment-results: target-id: cp-6.3 type: objective-id title: 'Validation Result - Control: cp-6.3' - uuid: d0fabced-345c-42fe-a52c-1ab67d72a0ce + uuid: fd1dcf1b-226a-4a46-afc8-9551a4c86ff9 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: B11B38B8-8744-4DFD-8C1A-4A4EDD7F9574 Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. @@ -713,7 +675,7 @@ assessment-results: target-id: cp-7 type: objective-id title: 'Validation Result - Control: cp-7' - uuid: 6cf300c3-516b-4864-8049-a5d423c5bddc + uuid: e64b4f34-9a67-4f53-9af5-010f7e23fa2f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: D74C3A8C-E5B0-4F81-895D-FB2A318D723B Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. @@ -723,7 +685,7 @@ assessment-results: target-id: cp-7.1 type: objective-id title: 'Validation Result - Control: cp-7.1' - uuid: 003c98fa-877a-4571-9bb7-f8ad72b88768 + uuid: 3b91723b-8426-4de7-8e34-9fa9fb2623b1 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 72D7145F-7A3F-47AF-835F-7E3D6EFAE1CC Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. 
@@ -733,7 +695,7 @@ assessment-results: target-id: cp-7.2 type: objective-id title: 'Validation Result - Control: cp-7.2' - uuid: e36765c3-3e47-4c05-8998-03f1b9051917 + uuid: 3a18ef87-2d67-4fe1-a029-db52ff5a2416 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 5B0AA4CB-9C49-4D32-8242-5631788BD941 "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: @@ -748,7 +710,7 @@ assessment-results: target-id: cp-9 type: objective-id title: 'Validation Result - Control: cp-9' - uuid: 12b7dad5-7d79-4be2-8050-fe7eef32365a + uuid: 93de1fe8-4652-4ad9-b558-7f6ae73ed529 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8E5917F3-3E45-46C1-8585-48550E19AFFB Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. @@ -758,7 +720,7 @@ assessment-results: target-id: cp-9.1 type: objective-id title: 'Validation Result - Control: cp-9.1' - uuid: 0b6e7933-5ad7-4659-94c8-4d39730208fd + uuid: 80715954-af49-4dee-90e1-1333f6c79610 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 51191D0E-0C7B-4D2D-861D-202AC8C505CF Velero can be configured to restore only certain components of a back-up when necessary. 
@@ -768,7 +730,7 @@ assessment-results: target-id: cp-9.2 type: objective-id title: 'Validation Result - Control: cp-9.2' - uuid: f4c55319-50b5-4219-bf6f-22c66421f441 + uuid: f70d34be-5cdf-404b-a160-ca35a8d8445f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: C650411C-33FD-4B59-8899-AC34B43C860F Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. @@ -778,7 +740,7 @@ assessment-results: target-id: cp-9.3 type: objective-id title: 'Validation Result - Control: cp-9.3' - uuid: 15eefc99-0cef-4652-9aea-9fe80a585b1e + uuid: cc3f593a-5138-4603-aaca-64248856b942 - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 8AB09B17-301B-4836-835B-9CE22A9E2300 Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup. @@ -788,7 +750,7 @@ assessment-results: target-id: cp-9.5 type: objective-id title: 'Validation Result - Control: cp-9.5' - uuid: f44f374f-cbd4-4548-9e83-cfb7213e3438 + uuid: b4f84755-1e05-485e-8d08-12f81032183f - description: | Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Implemented Requirement: 7FACB782-C183-4585-8C0B-17824438FEA6 Velero supports encryption of backups via its supported providers' encryption support/mechanisms. 
@@ -798,7 +760,7 @@ assessment-results: target-id: cp-9.8 type: objective-id title: 'Validation Result - Control: cp-9.8' - uuid: 30ce1594-302b-4480-816e-f2b5b6cf729c + uuid: 2121fda9-ff81-434f-8add-3785ffa925f7 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 8ef96f45-dfc4-41a8-999a-fc717e746966 # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." 
@@ -809,7 +771,7 @@ assessment-results: target-id: ra-5 type: objective-id title: 'Validation Result - Control: ra-5' - uuid: 2b4a5a81-e527-4aac-b5d2-6e0c39cd68ca + uuid: d2939750-cb5c-44bd-8b2f-36fd734bd546 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 760dde06-de0b-4575-8575-95a5835f97c0 # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. @@ -820,7 +782,7 @@ assessment-results: target-id: ra-5.2 type: objective-id title: 'Validation Result - Control: ra-5.2' - uuid: f45a41e4-33ea-4f43-9c81-1b4b09630fc2 + uuid: 04546660-1b4a-428f-8f20-1f3575957efb - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 621595cd-f998-4f55-b68e-f765db48b332 # Control Description Define the breadth and depth of vulnerability scanning coverage. @@ -831,7 +793,7 @@ assessment-results: target-id: ra-5.3 type: objective-id title: 'Validation Result - Control: ra-5.3' - uuid: d97d6d08-19b7-4aec-990c-c885e9c52a15 + uuid: 498d8b43-30e0-4f94-9915-abc0233d6104 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 994b03df-8320-4987-887b-fac8088bd944 # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. 
@@ -842,7 +804,7 @@ assessment-results: target-id: ra-5.5 type: objective-id title: 'Validation Result - Control: ra-5.5' - uuid: 22531ec8-b5ca-4eb1-80f7-8c690d40211b + uuid: 881b2fec-7ae0-4a9a-9329-e202e10a75c6 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 5a7bddc2-f94c-46c8-a15a-1e2f4d4ab948 # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." 
@@ -853,7 +815,7 @@ assessment-results: target-id: sa-11 type: objective-id title: 'Validation Result - Control: sa-11' - uuid: a1b36d70-93cc-4dac-b0ee-07a83fcd7fc9 + uuid: ef49e421-c79a-4ebf-a963-2d3a94561836 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: b6f194ad-bde3-479f-8a77-0ec4c9a5a77d # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. 
@@ -864,96 +826,62 @@ assessment-results: target-id: sa-11.1 type: objective-id title: 'Validation Result - Control: sa-11.1' - uuid: 5fb26d2e-4dde-4a30-985f-8e5bd5f403f2 + uuid: 3a093444-2d9b-4465-97ed-8745ff1fa60f - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ad919a09-d186-4edd-9234-ead04f959fff + Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 825da259-13c9-4b85-b890-75d107573c62 target: status: state: not-satisfied target-id: sc-10 type: objective-id title: 'Validation Result - Control: sc-10' - uuid: e12cb6f2-4521-47af-a106-ffbd13bd2a15 + uuid: cd9707b3-f417-4ed1-9f6d-2c49351ca2e2 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9 - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
+ Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 675c0823-8e94-4910-9f61-5266d7e7b38c + Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - - observation-uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 - - observation-uuid: e12e332c-6a86-43e8-9403-94824b948f45 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 + - observation-uuid: 47e30ded-89cf-4862-bed8-b3c5c0b3a17f + - observation-uuid: 46fd0f63-fefa-40fe-9894-7c52bbce7f9b target: status: state: not-satisfied target-id: sc-13 type: objective-id title: 'Validation Result - Control: sc-13' - uuid: db406556-9aee-4655-8e37-f97662c642fd + uuid: b5ca4929-a54b-4bb9-9aff-7178e4f9b86b - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 625bfdc1-0b20-45f3-919b-91afbac77799 - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: dac01dde-3bdf-4e70-9d4d-4081c88de380 + Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c target: status: state: satisfied target-id: sc-23 type: objective-id title: 'Validation Result - Control: sc-23' - uuid: d0fff818-c4b0-408b-995c-425323750c29 + uuid: 5843dd90-f9bf-46fe-aabd-b736cbc69496 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87 - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 - target: - status: - state: satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Control: sc-3' - uuid: 14e04260-d26f-4d27-ac44-3819d7849574 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f972ef8d-1eb0-403b-8db8-e65a4f4e2aaa - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 0e72ca49-e9cb-4a74-8701-6f81091197b6 + Istio is configured to maintain separate execution domains for each executing process. 
This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: satisfied target-id: sc-39 type: objective-id title: 'Validation Result - Control: sc-39' - uuid: 7e308fb9-473e-4695-a9f0-d716c8b2b47c - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 86bc4fb7-f91b-4f2c-b914-65427951018c - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: daf64ecb-b110-4c6e-907f-7b4cd8831232 - - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - target: - status: - state: not-satisfied - target-id: sc-4 - type: objective-id - title: 'Validation Result - Control: sc-4' - uuid: 036754b0-047d-48cf-a8c5-fa87601994c5 + uuid: fb891c52-8267-4632-b8e8-e4543ce5b872 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 82d3ab37-b934-4731-9198-56ced7d92708 # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. 
Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." 
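Review bot: sc-10 and sc-13 are recorded not-satisfied in this hunk, but the new observations they cite are placeholder validations that evaluated nothing: 825da259 (communications-terminated-after-inactivity-PLACEHOLDER) and 47e30ded (tls-origination-at-egress-PLACEHOLDER) both end with `opa validation not performed - no resources to validate` in the observations hunk. The same applies to sc-7.8 in the next hunk, whose 8cb4f8c0 and d831dc82 observations are the egress-gateway and external-traffic placeholders. A not-satisfied that comes from an unimplemented check reads the same as a real control failure in this file, so the PR description, or a remark on these implemented requirements in the component definition the results are evaluated from, should state that these controls are pending validations rather than regressions against the previous results. Two of the sc-13 observations (a9c35339, 46fd0f63) are not visible in this diff, so their status may differ.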
@@ -964,117 +892,67 @@ assessment-results: target-id: sc-7 type: objective-id title: 'Validation Result - Control: sc-7' - uuid: 5d65f54a-91fd-4e77-9afa-8099bd131959 - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 30b49a3e-ad38-441d-8c07-5a9018848a02 - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - target: - status: - state: satisfied - target-id: sc-7.20 - type: objective-id - title: 'Validation Result - Control: sc-7.20' - uuid: 80ffa744-8c84-4b5e-9188-722b4f6542ca - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c9a1e9bc-3caa-44ce-a300-ecd722487987 - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. 
- related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - target: - status: - state: satisfied - target-id: sc-7.21 - type: objective-id - title: 'Validation Result - Control: sc-7.21' - uuid: 7d23eb48-f3ea-4d3c-9971-68cf25c62ba0 + uuid: abd6a4b8-c69f-40ec-b127-1597db93bd36 - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 85df9e6c-3d94-4c60-9a20-8c481831f1e0 - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: a5bac410-d674-431d-b5fc-2f904842c29c + Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 - - observation-uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: ceb8c9fa-058a-4223-91f9-8361c84e359f + - observation-uuid: 9d69895a-0eed-4052-8102-ff9070d66851 + - observation-uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d target: status: state: satisfied target-id: sc-7.4 type: objective-id title: 'Validation Result - Control: sc-7.4' - uuid: 4edd983b-bb0a-4c16-a0f8-d827f52d39fc + uuid: 48fe83c1-ec77-4f79-bcc1-e233978571cc - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4b930af3-ae84-43ff-b751-448fe1c2eec8 - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 3f409103-880e-4180-81e7-54f85a6143ae + Istio is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - - observation-uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: 8cb4f8c0-cade-41b4-9a01-06a14888d13a + - observation-uuid: d831dc82-53da-438f-b7ff-a6b579bdb3ef target: status: state: not-satisfied target-id: sc-7.8 type: objective-id title: 'Validation Result - Control: sc-7.8' - uuid: f810556d-285b-4e75-b6ec-971235a3ffaa + uuid: b5761b5a-4afb-45ef-8050-d8768f8bc362 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 132fb1ff-8b58-4cfd-8ad4-c01605d89f24 # Control Description Protect the [confidentiality AND integrity] of transmitted information. # Control Implementation Data in transit is protected using a TLS connection and secured between components within the data center using an internal certificate until it is terminated at the application node. This ensures that data in transit is encrypted using SSL. - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92 - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: e97a451e-44c7-4240-a7a7-adaadd26f01c + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. 
This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: not-satisfied target-id: sc-8 type: objective-id title: 'Validation Result - Control: sc-8' - uuid: a43fb38e-2aa9-4cc2-b7a7-103202c1ed5d + uuid: 9d7a4bdc-53f2-4a42-b30b-88c5a2c607ac - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 69415B92-0490-4A14-9E0F-E1EE61951F9C - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. + Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: f3b38f79-9bf7-4024-a1b2-00befd67fda7 + Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e + - observation-uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - observation-uuid: adb9497f-436d-4862-8043-6691bce1352c + - observation-uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 target: status: state: satisfied target-id: sc-8.1 type: objective-id title: 'Validation Result - Control: sc-8.1' - uuid: 60aafba4-0b1b-41f1-bb67-11bf0a54f83a - - description: | - Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c158b75a-cefc-4794-b124-f1e56ff5646d - # Control Implementation - Istio implements with global configuration. - related-observations: - - observation-uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - observation-uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - observation-uuid: 435f54e2-3606-4250-9e16-79326844e82e - - observation-uuid: 3b856533-2206-4ebd-932e-645886b20b10 - target: - status: - state: satisfied - target-id: sc-8.2 - type: objective-id - title: 'Validation Result - Control: sc-8.2' - uuid: e588b254-b0df-4115-849d-5ad7d250acf1 + uuid: 28aec3a5-8f40-409d-bf88-9a83c476d0a3 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 9b4c7011-aa35-4f61-ade2-7c070bb51767 # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." 
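Review bot: sc-8 is recorded not-satisfied while every observation it lists is satisfied: eb3200f0 (istio-health-check), adb9497f (enforce-mtls-strict) and f10278ec (all-pods-istio-injected) all report `Result: satisfied` in the observations hunk, and sc-8.1 directly below cites the same three and is satisfied. Either the state comes from a validation that is not surfaced in related-observations (the first implemented requirement, 132fb1ff, carries no observation of its own here) or the result is stale; that is inferred, not visible in the diff. It is worth confirming before this file becomes the new baseline, since sc-8 is the transmission confidentiality/integrity control the mTLS evidence is meant to cover.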
@@ -1085,7 +963,7 @@ assessment-results: target-id: si-11 type: objective-id title: 'Validation Result - Control: si-11' - uuid: 901febde-3027-47e6-97b4-ed8ee9ed29da + uuid: f0008256-c408-442d-86f3-3a56c8177874 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 4faa4029-52bc-4d7f-9896-e43c6731d5e5 # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." 
@@ -1096,7 +974,7 @@ assessment-results: target-id: si-2.3 type: objective-id title: 'Validation Result - Control: si-2.3' - uuid: 123c7cb2-309d-4f95-832b-3476367d80df + uuid: c4cde847-c1ac-4962-aec2-84f2e373405e - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: c83fdce5-53f5-4860-a586-242d044efaa9 # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." 
@@ -1107,7 +985,7 @@ assessment-results: target-id: si-4 type: objective-id title: 'Validation Result - Control: si-4' - uuid: af7893bd-83c9-4318-9ed0-dd50582609d5 + uuid: 16c943ed-c12f-417b-8d90-21788f3349a5 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: ac61e461-5fb8-4cf1-89ff-36d002056fda # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." @@ -1118,7 +996,7 @@ assessment-results: target-id: si-5 type: objective-id title: 'Validation Result - Control: si-5' - uuid: d75021f4-afad-46ca-a3e0-f5164db3147f + uuid: 970ac268-cdf4-44a2-8d86-3b10915f0a32 - description: | Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Implemented Requirement: 80552838-9db8-41f7-9603-d91f884aa7bb # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. [Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." 
@@ -1129,291 +1007,271 @@ assessment-results: target-id: si-6 type: objective-id title: 'Validation Result - Control: si-6' - uuid: 8f936748-3181-4885-b5d4-519cffa1d992 + uuid: 33305746-ba60-43cd-8ed3-9f50fd279f0c observations: - - collected: 2024-08-06T02:58:06.749191822Z + - collected: 2024-10-16T20:13:50.57177773Z description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error + [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' }] - uuid: a05d03e1-4f9c-476b-a657-2607a0c86258 - - collected: 2024-08-06T02:58:06.749221207Z + validate.msg: All pods have correct prometheus annotations. + validate.msg_exempted_namespaces: istio-system, kube-system, uds-dev-stack, zarf + uuid: 6e9c7750-ccda-4f25-b8de-89e8e3e3d525 + - collected: 2024-10-16T20:13:50.571902333Z description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error + [TEST]: c3b022eb-19a5-4711-8099-da4a90c9dd5d - egress-gateway-exists-and-configured-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 46256c29-c662-4f0c-a037-bf1c534dee59 - - collected: 2024-08-06T02:58:06.749255782Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 8cb4f8c0-cade-41b4-9a01-06a14888d13a + - collected: 2024-10-16T20:13:50.681017055Z description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - 
lula-validation-error + [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: af55317a-a3b8-42b9-8ba8-d859748635b5 - - collected: 2024-08-06T02:58:06.85546841Z + validate.msg_exempt_namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf + validate.msg: All pods have Istio sidecar proxy. + uuid: f10278ec-5f1b-4307-8709-a3745bf12d36 + - collected: 2024-10-16T20:13:50.689844666Z description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected + [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.exempt_namespaces_msg: Exempted Namespaces: istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-system, uds-dev-stack, zarf - validate.msg: All pods have Istio sidecar proxy. 
- uuid: 435f54e2-3606-4250-9e16-79326844e82e - - collected: 2024-08-06T02:58:06.861988088Z + validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} + validate.msg_exempt_namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf + uuid: 2c61853a-96af-4195-8dc9-f3313f6035f1 + - collected: 2024-10-16T20:13:50.693177593Z description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict + [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. - uuid: dbc9b893-9847-4ffa-8a91-7642f18f9784 - - collected: 2024-08-06T02:58:06.868755824Z + validate.msg: Istio is logging all traffic. + uuid: a858d60b-5192-41de-bac4-a79479a91f64 + - collected: 2024-10-16T20:13:50.697120548Z description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted + [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: ff67f994-802a-4668-a261-f0cbfb7982d5 - - collected: 2024-08-06T02:58:06.868804496Z + validate.msg: AuthorizationPolicy restricts access to Keycloak admin. 
+ uuid: 9d69895a-0eed-4052-8102-ff9070d66851 + - collected: 2024-10-16T20:13:50.697182945Z description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error + [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: e12e332c-6a86-43e8-9403-94824b948f45 - - collected: 2024-08-06T02:58:06.868833069Z + Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 572f5829-517b-40d0-8b50-6d9bf9c54c77 + - collected: 2024-10-16T20:13:50.697270528Z description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error + [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - communications-terminated-after-inactivity-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 48a7c266-3ce0-4c63-b782-335c2461afc6 - - collected: 2024-08-06T02:58:06.875936601Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 825da259-13c9-4b85-b890-75d107573c62 + - collected: 2024-10-16T20:13:50.697333466Z description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check + [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - external-traffic-managed-PLACEHOLDER methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Only allowed gateways found. 
All gateway types found. - validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway - validate.msg_allowed_gateways: admin, passthrough, tenant - uuid: 610a3b9c-269e-47c7-8b2c-9412bc822e80 - - collected: 2024-08-06T02:58:06.880031826Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: d831dc82-53da-438f-b7ff-a6b579bdb3ef + - collected: 2024-10-16T20:13:50.730168322Z description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check + [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: keycloak/keycloak-block-admin-access-from-public-gateway - uuid: d517a52c-6742-4c6a-94f4-b6716aa64879 - - collected: 2024-08-06T02:58:06.880074886Z + validate.msg: NetworkPolicies correctly configured for istiod in required namespaces. + validate.msg_expected_istiod: Expected Istiod port: 15012, protocol: TCP. 
+ validate.msg_required_namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, uds-runtime, vector, velero + uuid: ceb8c9fa-058a-4223-91f9-8361c84e359f + - collected: 2024-10-16T20:13:50.730223946Z description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error + [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 9da482e6-b1b4-47d5-b88c-ea78cb1a6089 - - collected: 2024-08-06T02:58:06.888036681Z + Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: e72b33d8-64ba-4871-ab47-2f0b1a5c18e7 + - collected: 2024-10-16T20:13:50.730273639Z description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check + [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - tls-origination-at-egress-PLACEHOLDER methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. 
- uuid: 1cc8559c-f4df-46bc-9adb-7f5923a9de91 - - collected: 2024-08-06T02:58:06.986972859Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 47e30ded-89cf-4862-bed8-b3c5c0b3a17f + - collected: 2024-10-16T20:13:50.738968965Z description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation + [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: All pods have correct prometheus annotations. - validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: a906a088-3147-44cb-8d7b-69058d1d8484 - - collected: 2024-08-06T02:58:06.987037129Z + validate.msg: Istiod Deployment is healthy. HPA has sufficient replicas. + uuid: eb3200f0-0b42-4bab-9987-673684f62d82 + - collected: 2024-10-16T20:13:50.745123247Z description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error + [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - }] - uuid: edc21e52-53cd-4a6a-9e29-1016a56e0cb5 - - collected: 2024-08-06T02:58:07.017260415Z + validate.msg: All PeerAuthentications have mtls mode set to STRICT. 
+ uuid: adb9497f-436d-4862-8043-6691bce1352c + - collected: 2024-10-16T20:13:50.754286064Z description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod + [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. - uuid: 73aaf428-603c-447a-ad38-8ce66b7795f1 - - collected: 2024-08-06T02:58:07.017384197Z + validate.msg: Admin gateway exists: istio-admin-gateway/admin-gateway. Admin virtual services are using admin gateway. + uuid: 20f98c91-2308-4356-837b-c253353d7479 + - collected: 2024-10-16T20:13:50.754326089Z description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error + [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain' } {/properties/provider/$ref/properties/opa-spec/$ref/properties/rego/pattern file:///home/runner/work/uds-core/uds-core/compliance/validation#/definitions/opaSpec/properties/rego/pattern /provider/opa-spec/rego does not match pattern '.*\\S\\s\\n.*' package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) 
- # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - }] - uuid: 20db9c5e-e962-47ca-a0ab-c43b52d7b56e - - collected: 2024-08-06T02:58:07.025304675Z + Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 39cf41d1-048e-4132-9681-f7274e4be4ea + - collected: 2024-10-16T20:13:50.868647184Z description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected + [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - validate.msg: Non-Istio-injected namespaces: {"authservice-test-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: f25d32b1-4bbd-4309-a96e-99fb8f484c88 - - collected: 2024-08-06T02:58:07.025349479Z + validate.msg: Istio RBAC enforced + validate.msg_all_auth_policies: keycloak/keycloak-block-admin-access-from-public-gateway, uds-runtime/runtime-authservice, uds-runtime/runtime-jwt-authz + uuid: cf774c2c-17dc-48d2-ba4c-2ae6547ea8e0 + - collected: 2024-10-16T20:13:50.868740227Z description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error + [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - istio-rbac-for-approved-personnel-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: 
daf64ecb-b110-4c6e-907f-7b4cd8831232 - - collected: 2024-08-06T02:58:07.03317813Z - description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio is logging all traffic - uuid: 9e4a8aa7-2736-4aad-8b08-7fcee4fa2a68 - - collected: 2024-08-06T02:58:07.041938066Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 1fc0d5bd-18e9-4244-a1a0-3c618aca8652 + - collected: 2024-10-16T20:13:51.070408027Z description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured + [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: Metrics logging supported. - uuid: 06449da5-4cb5-4a5e-922d-5309d5c8f0c8 - - collected: 2024-08-06T02:58:07.0520707Z + validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway + validate.msg_allowed_gateways: admin, passthrough, tenant + validate.msg: Only allowed gateways found. All gateway types found. + uuid: 4e1e697c-4a92-4c57-ae95-c75ba272dc1d + - collected: 2024-10-16T20:13:51.266003971Z description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage + [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support methods: - TEST relevant-evidence: - description: | - Result: satisfied + Result: not-satisfied remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 362043c5-ea38-4c11-83e3-35d34b79c938 - - collected: 2024-08-06T02:58:07.056306187Z + validate.msg: Tracing logging not supported. 
+ uuid: ca312bc9-b8cd-4a30-9b72-50ffee51e828 + - collected: 2024-10-16T20:13:51.470751962Z description: | - [TEST]: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - istio-enforces-authorized-keycloak-access + [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted methods: - TEST relevant-evidence: - description: | Result: satisfied remarks: | - validate.msg: AuthorizationPolicy restricts access to Keycloak admin. - uuid: 3b856533-2206-4ebd-932e-645886b20b10 - - collected: 2024-08-06T02:58:07.064560781Z + validate.msg: All gateways encrypt ingress traffic + validate.msg_exempted_gateways: istio-passthrough-gateway/passthrough-gateway + uuid: a9c35339-fc94-4e59-bdf1-a89c1664bac0 + - collected: 2024-10-16T20:13:51.47086859Z description: | - [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support + [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - fips-evaluation-PLACEHOLDER methods: - TEST relevant-evidence: - description: | Result: not-satisfied remarks: | - validate.msg: Tracing logging not supported. - uuid: 94477b5d-84b7-427c-88b3-71367c501528 - - collected: 2024-08-06T02:58:07.0646133Z + Error running validation: provider Evaluate error: opa validation not performed - no resources to validate + uuid: 46fd0f63-fefa-40fe-9894-7c52bbce7f9b + - collected: 2024-10-16T20:13:51.665120832Z description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error + [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured methods: - TEST relevant-evidence: - description: | - Result: not-satisfied + Result: satisfied remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: a1236290-6057-4695-b4bd-20dd2981d60d - - collected: 2024-08-06T02:58:07.064634109Z + validate.msg: Metrics logging supported. 
+ uuid: 64a22438-eba3-4fcb-bfe8-68ed8bad61ba + - collected: 2024-10-16T20:13:51.665185653Z description: | [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error methods: @@ -1422,8 +1280,8 @@ assessment-results: - description: | Result: not-satisfied remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: validation failed: [{/required file:///home/runner/work/uds-core/uds-core/compliance/validation#/required missing properties: 'domain', 'provider' }] - uuid: d265b5b6-9306-4c22-ad35-d6f00a41920e + Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: schema is invalid: [{/required "missing properties 'domain', 'provider'" }] + uuid: 0e3f9f2a-c596-4688-8841-0f9d2845f0a2 props: - name: threshold ns: https://docs.lula.dev/oscal/ns 
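Review bot: The `0be7345d-e9d3-4248-9c14-5fed8e7bfa01` observation is still recorded as `not-satisfied` because the validation itself is rejected by the schema (`missing properties 'domain', 'provider'`), so after this decomposition the assessment still counts a malformed validation as a failed control rather than an unassessed one. The other incomplete validations in this file are at least self-describing (`tls-origination-at-egress-PLACEHOLDER`, `fips-evaluation-PLACEHOLDER`) and fail with `no resources to validate` instead of a schema error; this one presumably now lives as a standalone file under `compliance/validations` and would be clearer if it either carried a minimal `domain`/`provider` stub so it fails the same way, or was named `…-PLACEHOLDER` until it is implemented. Only the remark text and observation uuid change here, and the enclosing `- collected:` observation entry begins before this hunk header.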
@@ -1441,1282 +1299,6 @@ assessment-results: - control-id: ac-3 - control-id: ac-4 - control-id: ac-4.21 - - control-id: ac-4.4 - - control-id: ac-5 - - control-id: ac-6 - - control-id: ac-6.1 - - control-id: ac-6.10 - - control-id: ac-6.3 - - control-id: ac-6.9 - - control-id: au-11 - - control-id: au-12 - - control-id: au-12.1 - - control-id: au-2 - - control-id: au-3 - - control-id: au-3.1 - - control-id: au-4 - - control-id: au-5.1 - - control-id: au-5.2 - - control-id: au-6 - - control-id: au-6.1 - - control-id: au-6.3 - - control-id: au-6.5 - - control-id: au-6.6 - - control-id: au-7 - - control-id: au-7.1 - - control-id: au-8 - - control-id: au-9 - - control-id: au-9.2 - - control-id: au-9.4 - - control-id: au7.1 - - control-id: ca-2.2 - - control-id: ca-7 - - control-id: cm-5 - - control-id: cm-6 - - control-id: cm-7 - - control-id: cp-10 - - control-id: cp-10.4 - - control-id: cp-6 - - control-id: cp-6.1 - - control-id: cp-6.2 - - control-id: cp-6.3 - - control-id: cp-7 - - control-id: cp-7.1 - - control-id: cp-7.2 - - control-id: cp-9 - - control-id: cp-9.1 - - control-id: cp-9.2 - - control-id: cp-9.3 - - control-id: cp-9.5 - - control-id: cp-9.8 - - control-id: ra-5 - - control-id: ra-5.2 - - control-id: ra-5.3 - - control-id: ra-5.5 - - control-id: sa-11 - - control-id: sa-11.1 - - control-id: sc-10 - - control-id: sc-13 - - control-id: sc-23 - - control-id: sc-3 - - control-id: sc-39 - - control-id: sc-4 - - control-id: sc-7 - - control-id: sc-7.20 - - control-id: sc-7.21 - - control-id: sc-7.4 - - control-id: sc-7.8 - - control-id: sc-8 - - control-id: sc-8.1 - - control-id: sc-8.2 - - control-id: si-11 - - control-id: si-2.3 - - control-id: si-4 - - control-id: si-5 - - control-id: si-6 - description: Controls validated - remarks: Validation performed may indicate full or partial satisfaction - start: 2024-08-06T02:58:07.070919511Z - title: Lula Validation Result - uuid: f246b0cb-f71a-41b0-a2fe-7ef03c16c754 - - description: Assessment results for 
performing Validations with Lula version v0.4.1 - findings: - - description: |- - # Control Implementation - Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 31654aca-4189-447d-b5e6-4928c5acc603 - target: - status: - state: satisfied - target-id: ac-14 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-14' - uuid: d61c76bb-7552-492f-a39e-e7da0748e84c - - description: |- - # Control Description "a. Define and document the types of accounts allowed and specifically prohibited for use within the system; b. Assign account managers; c. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership; d. Specify: 1. Authorized users of the system; 2. Group and role membership; and 3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account; e. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts; f. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria]; g. Monitor the use of accounts; h. Notify account managers and [Assignment: organization-defined personnel or roles] within: 1. [Assignment: twenty-four (24) hours] when accounts are no longer required; 2. [Assignment: eight (8) hours] when users are terminated or transferred; and 3. [Assignment: eight (8) hours] when system usage or need-to-know changes for an individual; i. Authorize access to the system based on: 1. A valid access authorization; 2. Intended system usage; and 3. [Assignment: organization-defined attributes (as required)]; j. 
Review accounts for compliance with account management requirements [Assignment: monthly for privileged accessed, every six (6) months for non-privileged access]; k. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l. Align account management processes with personnel termination and transfer processes." - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2' - uuid: 35b172fc-505d-441c-a498-358eb777ed24 - - description: |- - # Control Description Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-2.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-2.1' - uuid: 0a50cb43-5018-4190-a89a-f8aca2005186 - - description: |- - # Control Description Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. - # Control Implementation NeuVector supports internal user accounts and roles in addition to LDAP and SSO for providing RBAC access. 
- target: - status: - state: not-satisfied - target-id: ac-3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-3' - uuid: 574305f1-0e70-4cc7-85c3-fcfa94943753 - - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - target: - status: - state: satisfied - target-id: ac-4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4' - uuid: 86b4aa9e-cdb4-499d-b93a-8f0a76ac4c6b - - description: |- - # Control Implementation - Istio is configured to use ingress and egress gateways to provide logical flow separation. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4df2137a-de64-4d02-8121-1911fc9dedab - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: not-satisfied - target-id: ac-4.21 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.21' - uuid: 5b7406b7-334a-4a50-8013-bd63b566c391 - - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - target: - status: - state: satisfied - target-id: ac-4.4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-4.4' - uuid: d24258c7-b611-4c00-b387-518682e288a5 - - description: |- - # Control Description "a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties." - # Control Implementation Loki implements RBAC to define system authorization and separation of duties. - target: - status: - state: not-satisfied - target-id: ac-5 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-5' - uuid: 98b4b967-b087-4514-af76-47fbdd301940 - - description: |- - # Control Description Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. 
- target: - status: - state: not-satisfied - target-id: ac-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6' - uuid: 425a62e9-d211-4b56-9ed3-ae145e4bda7a - - description: |- - # Control Description "Authorize access for [Assignment: organization-defined individuals or roles] to: (a) [Assignment: organization-defined all functions not publicly accessible]; and (b) [Assignment: organization-defined all security-relevant information not publicly available]." - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ac-6.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.1' - uuid: e0522516-4f01-4319-963c-b61ffc714e5d - - description: |- - # Control Description Prevent non-privileged users from executing privileged functions. - # Control Implementation Loki layers an additional RBAC layer that prohibits non-privileged users from executing privileged functions. - target: - status: - state: not-satisfied - target-id: ac-6.10 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.10' - uuid: 1fdec6d5-12a6-4400-bb86-65811be00806 - - description: |- - # Control Implementation - Configured with an "admin" gateway to restrict access to applications that only need administrative access. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - target: - status: - state: not-satisfied - target-id: ac-6.3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.3' - uuid: 02a7b8e8-c6cf-4263-ad16-65d64957169f - - description: |- - # Control Description Log the execution of privileged functions. - # Control Implementation Privileged events, including updating the deployment of an application, or use of privileged containers are collected as metrics by prometheus and displayed by Grafana. - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 - target: - status: - state: not-satisfied - target-id: ac-6.9 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ac-6.9' - uuid: b5e568c2-539e-45f2-9aa6-b31dd4ddf30b - - description: |- - # Control Description Retain audit records for [Assignment: at least one (1) year] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. - # Control Implementation Can configure audit record storage retention policy for defined periods of time via the store(s) Loki is configured to use. 
- target: - status: - state: not-satisfied - target-id: au-11 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-11' - uuid: 1133f9d6-790b-4f66-ba94-89ce6cf7ed26 - - description: |- - # Control Implementation - Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 - target: - status: - state: satisfied - target-id: au-12 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12' - uuid: f0b63c33-bdbd-43bb-9a36-4a386e4567eb - - description: |- - # Control Description Compile audit records from [Assignment: all network, data storage, and computing devices] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. - # Control Implementation Compatible metrics endpoints emitted from each application is compiled by Prometheus and displayed through Grafana with associated timestamps of when the data was collected. - target: - status: - state: not-satisfied - target-id: au-12.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-12.1' - uuid: 832e1041-64e8-4455-8331-48025d4cdfbc - - description: |- - # Control Description a. 
Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: annually or whenever there is a change in the threat environment]. - # Control Implementation API endpoints suitable for capturing application level metrics are present on each of the supported applications running as containers. In addition, system and cluster level metrics are emitted by containers with read only access to host level information. Metrics are captured and stored by Prometheus, an web server capable of scraping endpoints formatted in the appropriate dimensional data format. Metrics information is stored on disk in a time series data base, and later queried through a separate component providing a web interface for the query language: PromQL. Metrics data can be displayed through a Grafana dashboard for visualization. 
- related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: 65c62b95-df70-4723-bf3b-46799d0536ad - target: - status: - state: not-satisfied - target-id: au-2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-2' - uuid: ae5e79ac-3535-48f0-b306-fe9cd1f34736 - - description: |- - # Control Description - Audit record content that may be necessary to satisfy the requirement of this control, includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. - Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the information system after the event occurred). - - # Control Implementation - Logs are captured by promtail from the node. The node logs will contain the necessary log data from all pods/applications inside the selected nodes. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 - target: - status: - state: not-satisfied - target-id: au-3 - type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3' - uuid: 661fde7a-25f7-4d8f-8673-d95a570001ff - - description: |- - # Control Implementation - Istio has been configured to implement event logging within our environment. 
This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 - target: - status: - state: not-satisfied - target-id: au-3.1 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-3.1' - uuid: 612c395f-5036-444a-bfe4-2f9ab941622a - - description: |- - # Control Description Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. - # Control Implementation NeuVector can scale elastically based upon actual workload demands to allocate audit log storage capacity. - target: - status: - state: not-satisfied - target-id: au-4 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-4' - uuid: 92598581-3f72-478e-a8f2-33aaeccd56db - - description: |- - # Control Description Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. - # Control Implementation Alertmanager has pre-built alerts for PVC storage thresholds that would fire for PVCs supporting prometheus metrics storage. Metrics data can be displayed through a Grafana dashboard for visualization. 
- target: - status: - state: not-satisfied - target-id: au-5.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.1' - uuid: f0e9a25c-2440-4299-8a32-1e9274b98f87 - - description: |- - # Control Description Provide an alert within [Assignment: real-time] to [Assignment: service provider personnel with authority to address failed audit events] when the following audit failure events occur: [Assignment: audit failure events requiring real-time alerts, as defined by organization audit policy]. - # Control Implementation Alertmanager has pre-built alerts for failed pods that would show when ClusterAuditor is not processing events, or prometheus is unable to scrape events. Prometheus also has a deadman's alert to ensure end users are seeing events from prometheus as part of its configuration. Data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-5.2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-5.2' - uuid: 4c6f58e6-d210-45a3-bede-b0b758c685de - - description: |- - # Control Description "a. Review and analyze system audit records [Assignment: at least weekly] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity; b. Report findings to [Assignment: organization-defined personnel or roles]; and c. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information." - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. 
- target: - status: - state: not-satisfied - target-id: au-6 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6' - uuid: 086b37df-eae0-46d5-a525-ead6453af43f - - description: |- - # Control Description Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. - # Control Implementation Provides audit record query and analysis capabilities. Organization will implement record review and analysis. - target: - status: - state: not-satisfied - target-id: au-6.1 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.1' - uuid: ec6c6e31-e5df-4836-b5e6-f114d61d1081 - - description: |- - # Control Description Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. - # Control Implementation Aggregating cluster auditor events across multiple sources (clusters) is possible with a multi-cluster deployment of prometheus/grafana. - target: - status: - state: not-satisfied - target-id: au-6.3 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.3' - uuid: 5a9912e9-c2e1-4fad-a651-9f84d351bea1 - - description: |- - # Control Description Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. 
- # Control Implementation Cluster Auditor's audit data is consolidated with system monitoring tooling (node exporters) for consolidated view to enhance inappropriate or unusual activity. - target: - status: - state: not-satisfied - target-id: au-6.5 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.5' - uuid: 66c039ce-0453-481a-a754-0c8ca7e5a4c0 - - description: |- - # Control Description Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. - # Control Implementation Cluster Auditor data in prometheus would enable this, but would require prometheus to also obtain access to physical metrics. - target: - status: - state: not-satisfied - target-id: au-6.6 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-6.6' - uuid: 8d2a5829-ee96-4a38-b3b9-a7931b551b02 - - description: |- - # Control Description "Provide and implement an audit record reduction and report generation capability that: a. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b. Does not alter the original content or time ordering of audit records." - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. 
- target: - status: - state: not-satisfied - target-id: au-7 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7' - uuid: 958794eb-a1a5-4c29-b42c-ddfbabd544d9 - - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Grafana is configured with a pre-built dashboard for policy violations that displays data collected by Cluster Auditor. - target: - status: - state: not-satisfied - target-id: au-7.1 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-7.1' - uuid: d42a6865-6869-4961-a90e-6d82eee7c561 - - description: |- - # Control Description - Time stamps generated by the information system include date and time. - Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. - Granularity of time measurements refers to the degree of synchronization between information system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. - Organizations may define different time granularities for different system components. - Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. - - # Control Implementation - Records captured by the logging daemon are enriched to ensure the following are always present: - * time of the event (UTC). - * source of event (pod, namespace, container id). 
- Applications are responsible for providing all other information. - Validating `logfmt` as the config.logFormat would be the goal. This is currently a secret mounted to /etc/promtail/promtail.yaml in the promtail container. We will ensure the promtail.yaml file is at a minimum the target config. - https://grafana.com/docs/loki/latest/send-data/promtail/stages/logfmt/ - related-observations: - - observation-uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - observation-uuid: fa62278d-a485-40ec-a660-51845c227040 - target: - status: - state: not-satisfied - target-id: au-8 - type: objective-id - title: 'Validation Result - Component:3ca1e9a3-a566-48d1-93af-200abd1245e3 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-8' - uuid: 0c87ccd3-8a4f-48a9-9be0-69034e18885f - - description: |- - # Control Description a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and b. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - target: - status: - state: not-satisfied - target-id: au-9 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9' - uuid: 826cb8c0-8297-4f90-b2b2-d0bc95531db1 - - description: |- - # Control Description Store audit records [Assignment: at least weekly] in a repository that is part of a physically different system or system component than the system or component being audited. 
- # Control Implementation Prometheus can scrape external components outside of the system, but this configuration is not easily supported as part of the current big bang configuration of ClusterAuditor since external access to ClusterAuditor metrics is not exposed via Istio. Metrics data can be displayed through a Grafana dashboard for visualization. - target: - status: - state: not-satisfied - target-id: au-9.2 - type: objective-id - title: 'Validation Result - Component:375f8171-3eb9-48d6-be3c-c8f1c0fe05fa / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.2' - uuid: f970ff94-5aef-4521-bd62-2e71ed0e5c70 - - description: |- - # Control Description Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. - # Control Implementation Grafana has the ability to provide Role Based Access Control to limit the data sources that end users can view by leveraging an identity provider. Grafana can also limit users to subsets of metrics within a datasource by the use of Label Based Access Control when using Grafana Enterprise. - target: - status: - state: not-satisfied - target-id: au-9.4 - type: objective-id - title: 'Validation Result - Component:108c78a9-5494-4abc-a1e7-f046da419687 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au-9.4' - uuid: 28f0e109-6c62-405d-b11c-8623f6829dad - - description: |- - # Control Description Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. - # Control Implementation Loki provides an API for retrieving and filtering logs. 
- target: - status: - state: not-satisfied - target-id: au7.1 - type: objective-id - title: 'Validation Result - Component:a735b5a4-aabd-482d-b335-60ddcd4b1c00 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: au7.1' - uuid: 3c9b6412-0808-48b6-889b-54fefa4dcdb1 - - description: |- - # Control Description - Include as part of control assessments, [Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious - user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. - - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: ca-2.2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-2.2' - uuid: c4dadea0-3628-4444-b493-85fe4f44a9a2 - - description: |- - # Control Description "Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. 
Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: to include JAB/AO] [Assignment: organization-defined frequency]." - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. - target: - status: - state: not-satisfied - target-id: ca-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ca-7' - uuid: f90d9d08-6cd9-463a-a606-c1359e00e1fe - - description: |- - # Control Implementation - Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc - - observation-uuid: 41637e36-95ee-4c89-b332-80ca2d006620 - target: - status: - state: not-satisfied - target-id: cm-5 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-5' - uuid: 7741992f-299d-4e30-ac94-f7797f95a661 - - description: |- - # Control Description "a. 
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: oUnited States Government Configuration Baseline (USGCB)]; b. Implement the configuration settings; c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures." - # Control Implementation NeuVector is configured using Helm Charts. Default settings can be found. - target: - status: - state: not-satisfied - target-id: cm-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-6' - uuid: 279d19b1-4297-43a9-a631-168431b3c0cd - - description: |- - # Control Description "a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services]." "CM-7 (b) Requirement: The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. CM-7 Guidance: Information on the USGCB checklists can be found at: https://csrc.nist.gov/projects/united-states-government-configuration-baseline." - # Control Implementation NeuVector is configured securely and only access to required ports are available. 
- target: - status: - state: not-satisfied - target-id: cm-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: cm-7' - uuid: 4bcaa46e-66ab-4b3e-8414-92e28955d4d8 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - target: - status: - state: not-satisfied - target-id: cp-10 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10' - uuid: db12a70d-960a-4bcc-bef2-d765371bc641 - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. - Multi-cloud and on-premise support for availability of backup.' - target: - status: - state: not-satisfied - target-id: cp-10.4 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-10.4' - uuid: 4866acda-188f-40b1-8af4-ad3812060ef2 - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. 
- target: - status: - state: not-satisfied - target-id: cp-6 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6' - uuid: fa78499f-12e1-4ded-86a1-1ce785cd7cbd - - description: Velero can take backups of your application configuration/data and store them off-site in either an approved cloud environment or on-premise location. - target: - status: - state: not-satisfied - target-id: cp-6.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.1' - uuid: 38c5c57c-e4fa-40c0-a371-519f922ce751 - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location on-demand. - target: - status: - state: not-satisfied - target-id: cp-6.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.2' - uuid: fde3d548-4c98-451e-8ad1-08ebf918ec1f - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-6.3 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-6.3' - uuid: c0659b8c-36b9-4d6d-8e94-48343ff6d57b - - description: Velero can restore application configuration/data from an approved cloud provider or on-premise location to an alternative deployment environment on-demand. 
- target: - status: - state: not-satisfied - target-id: cp-7 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7' - uuid: 30788898-87df-4185-ab1c-9becdee50f6c - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.1' - uuid: a718a683-1df0-4cac-9b9e-f61792134683 - - description: Velero supports back-ups to and restores from multiple cloud environments (including geo-separated locations for high availability) and on-premise environments in the event of an accessibility disruptions. - target: - status: - state: not-satisfied - target-id: cp-7.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-7.2' - uuid: 90a09f38-2e0f-496a-94a0-4fcbbd79b308 - - description: |- - "Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - - System components/data. - - User-level information/application metadata. - - User-level storage/data. - - Scheduled back-ups with configurable scopes. - - Multi-cloud and on-premise support for availability of backup." 
- target: - status: - state: not-satisfied - target-id: cp-9 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9' - uuid: 67397dd3-5693-4223-8015-5755325d5bf8 - - description: Velero provides feedback/logging of back-up status for configuration/data via kubectl or the Velero CLI tool. Velero can restore your production configuration/data to validation environment to ensure reliability/integrity. - target: - status: - state: not-satisfied - target-id: cp-9.1 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.1' - uuid: 751a260d-f6c8-4ace-ad71-7aef30c0b9f0 - - description: Velero can be configured to restore only certain components of a back-up when necessary. - target: - status: - state: not-satisfied - target-id: cp-9.2 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.2' - uuid: 2134ba61-df24-4258-80fc-a406ee86e4df - - description: Velero supports back-ups to multiple cloud environments (including geo-separated locations for high availability) and on-premise environments. - target: - status: - state: not-satisfied - target-id: cp-9.3 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.3' - uuid: 76b44e70-4f34-44f1-a8ee-72cb642dedfe - - description: 'Velero gives you tools to back up and restore your Kubernetes cluster resources and persistent volumes. You can run Velero with a cloud provider or on-premises. This includes: - System components/data. - User-level information/application metadata. - User-level storage/data. - Scheduled back-ups with configurable scopes. 
- Multi-cloud and on-premise support for availability of backup.' - target: - status: - state: not-satisfied - target-id: cp-9.5 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.5' - uuid: de04bf59-4529-4906-a829-a078dbcf74bf - - description: Velero supports encryption of backups via its supported providers' encryption support/mechanisms. - target: - status: - state: not-satisfied - target-id: cp-9.8 - type: objective-id - title: 'Validation Result - Component:3127D34A-517B-473B-83B0-6536179ABE38 / Control Implementation: 5108E5FC-C45F-477B-8542-9C5611A92485 / Control: cp-9.8' - uuid: cc050937-d5e7-4696-8f25-9b86b62c0d07 - - description: |- - # Control Description "a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery] in accordance with an organizational assessment of risk; e. 
Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." - # Control Implementation NeuVector is Kubernetes and container security tool. NeuVector will scan containers for vulnerabilities in addition to continuous monitoring for active threats. - target: - status: - state: not-satisfied - target-id: ra-5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5' - uuid: 3eca257e-9609-41fd-b21f-1aaee5b3d433 - - description: |- - # Control Description Update the system vulnerabilities to be scanned [prior to a new scan]; prior to a new scan; when new vulnerabilities are identified and reported]. - # Control Implementation NeuVector container scanning vulnerability database is updated frequently. - target: - status: - state: not-satisfied - target-id: ra-5.2 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.2' - uuid: 2b6daa85-9fdf-408c-9176-75a45ef22ea4 - - description: |- - # Control Description Define the breadth and depth of vulnerability scanning coverage. - # Control Implementation NeuVector container scanning configurations depth can be modified. 
- target: - status: - state: not-satisfied - target-id: ra-5.3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.3' - uuid: 10f8b813-c6f3-4265-9eb6-475cc7cbc636 - - description: |- - # Control Description Implement privileged access authorization to [Assignment: all components that support authentication] for [Assignment: all scans]. - # Control Implementation NeuVector supports mapping internal user accounts and roles in addition to LDAP and SSO roles or groups for providing RBAC access. - target: - status: - state: not-satisfied - target-id: ra-5.5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: ra-5.5' - uuid: b2e08e6b-16b3-4a00-ac9f-c8c9bdee64ce - - description: |- - # Control Description "Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a. Develop and implement a plan for ongoing security and privacy control assessments; b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; c. Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d. Implement a verifiable flaw remediation process; and e. Correct flaws identified during testing and evaluation." - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
- target: - status: - state: not-satisfied - target-id: sa-11 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11' - uuid: ac49e0de-7653-4be5-8005-331927322ec2 - - description: |- - # Control Description Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis. Static code analysis provides a technology and methodology for security reviews and includes checking for weaknesses in the code as well as for the incorporation of libraries or other included code with known vulnerabilities or that are out-of-date and not supported. Static code analysis can be used to identify vulnerabilities and enforce secure coding practices. It is most effective when used early in the development process, when each code change can automatically be scanned for potential weaknesses. Static code analysis can provide clear remediation guidance and identify defects for developers to fix. Evidence of the correct implementation of static analysis can include aggregate defect density for critical defect types, evidence that defects were inspected by developers or security professionals, and evidence that defects were remediated. A high density of ignored findings, commonly referred to as false positives, indicates a potential problem with the analysis process or the analysis tool. In such cases, organizations weigh the validity of the evidence against evidence from other sources. - # Control Implementation NeuVector continually monitors kubernetes environments and container images to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
- target: - status: - state: not-satisfied - target-id: sa-11.1 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sa-11.1' - uuid: 0af42784-0963-4f76-90ef-c6d98ca5fee6 - - description: |- - # Control Implementation - Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c - target: - status: - state: not-satisfied - target-id: sc-10 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-10' - uuid: 5f4f6691-affd-4acc-89f6-d3055b2f2481 - - description: |- - # Control Implementation - Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - - observation-uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 - - observation-uuid: 31044f2f-75fd-4472-b624-1d918be32f40 - target: - status: - state: not-satisfied - target-id: sc-13 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-13' - uuid: 3df66b7f-1dec-4ab7-b76e-56023c2881a1 - - description: |- - # Control Implementation - Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - target: - status: - state: satisfied - target-id: sc-23 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-23' - uuid: c39917b0-8de0-4497-808a-a186ee2d9583 - - description: |- - # Control Implementation - Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: satisfied - target-id: sc-3 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-3' - uuid: 693835f8-466c-4437-9e95-1968070df3a9 - - description: |- - # Control Implementation - Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-39 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-39' - uuid: c0a6d960-0976-4e3c-b539-00c36bf8565a - - description: |- - # Control Implementation - Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb - - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - target: - status: - state: not-satisfied - target-id: sc-4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-4' - uuid: 29bf18cb-9d9a-4b5a-9708-38fb4cb63563 - - description: |- - # Control Description "a. Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; b. Implement subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and c. Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture." - # Control Implementation NeuVector monitors all communications to external interfaces by only connecting to external networks through managed interfaces and utilizes whitelists and blacklists for rules at Layer 7. - target: - status: - state: not-satisfied - target-id: sc-7 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7' - uuid: bbea5abc-37ef-461c-a912-7118ea5618ca - - description: |- - # Control Implementation - Istio is configured to dynamically isolate certain internal system components when necessary. 
This is achieved through Istio's network policies, which allow us to partition or separate system components - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-7.20 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.20' - uuid: 782db436-d52a-461f-acd0-25b215fc3c3e - - description: |- - # Control Implementation - Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-7.21 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.21' - uuid: 5d59c939-fb61-4aea-8ef2-39ff71fd6756 - - description: |- - # Control Implementation - Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 - - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - - observation-uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - target: - status: - state: satisfied - target-id: sc-7.4 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.4' - uuid: 87d6ff85-4067-442b-b2d3-c82cbddda0c3 - - description: |- - # Control Implementation - is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - - observation-uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e - target: - status: - state: not-satisfied - target-id: sc-7.8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-7.8' - uuid: ac90c141-2e83-4bfa-8833-dde2808592f1 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: not-satisfied - target-id: sc-8 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8' - uuid: 13dfdcfd-d77b-4649-ae0f-b9ebaeaa0549 - - description: |- - # Control Implementation - Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification. - related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - target: - status: - state: satisfied - target-id: sc-8.1 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.1' - uuid: f10e5f70-81c4-4b00-a8c3-29e3cd97527c - - description: |- - # Control Implementation - Istio implements with global configuration. 
- related-observations: - - observation-uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - observation-uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - observation-uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - observation-uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - target: - status: - state: satisfied - target-id: sc-8.2 - type: objective-id - title: 'Validation Result - Component:81f6ec5d-9b8d-408f-8477-f8a04f493690 / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: sc-8.2' - uuid: 3e58bd7b-2e7d-4e85-bb8e-fc4e8b83f282 - - description: |- - # Control Description "a. Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and b. Reveal error messages only to [Assignment: organization-defined personnel or roles]." - # Control Implementation NeuVector correlates configuration data and network traffic for error tracking to provide context around misconfigurations and threats in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-11 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-11' - uuid: e82d6f63-db19-460b-bf7d-3c46dcf1e38c - - description: |- - # Control Description "(a) Measure the time between flaw identification and flaw remediation; and (b) Establish the following benchmarks for taking corrective actions: [Assignment: organization-defined benchmarks]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
- target: - status: - state: not-satisfied - target-id: si-2.3 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-2.3' - uuid: 5da35a6e-9526-4864-b153-dcd851e98a51 - - description: |- - # Control Description "a. Monitor the system to detect: 1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and 2. Unauthorized local, network, and remote connections; b. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods]; c. Invoke internal monitoring capabilities or deploy monitoring devices: 1. Strategically within the system to collect organization-determined essential information; and 2. At ad hoc locations within the system to track specific types of transactions of interest to the organization; d. Analyze detected events and anomalies; e. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation; f. Obtain legal opinion regarding system monitoring activities; and g. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]." - # Control Implementation NeuVector continually monitors your Kubernetes environments to detect misconfigurations, advanced network threats, and vulnerable hosts with all attempts to exploit a vulnerability is documented. 
- target: - status: - state: not-satisfied - target-id: si-4 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-4' - uuid: 6452a578-b1b8-4a1c-9ff8-6f05821ca37d - - description: |- - # Control Description "a. Receive system security alerts, advisories, and directives from [Assignment: o include US-CERT] on an ongoing basis; b. Generate internal security alerts, advisories, and directives as deemed necessary; c. Disseminate security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; to include system security personnel and administrators with configuration/patch-management responsibilities and d. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance." - # Control Implementation NeuVector correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-5 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-5' - uuid: a8b3553e-e9af-4781-83ac-400ea1d77b77 - - description: |- - # Control Description "a. Verify the correct operation of [Assignment: organization-defined security and privacy functions]; b. Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: to include upon system startup and/or restart]; upon command by user with appropriate privilege; [Assignment: at least monthly]]; c. Alert [Assignment: to include system administrators and security personnel] to failed security and privacy verification tests; and d. 
[Selection (one or more): Shut the system down; Restart the system; [Assignment: organization-defined alternative action (s)]] when anomalies are discovered." - # Control Implementation NeuVector correlates configuration data and network traffic to provide context around verification in the form of actionable alerts. - target: - status: - state: not-satisfied - target-id: si-6 - type: objective-id - title: 'Validation Result - Component:b2fae6f6-aaa1-4929-b453-3c64398a054e / Control Implementation: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c / Control: si-6' - uuid: 6628f225-60a5-47a1-90f8-b4ea78dc72ef - observations: - - collected: 2024-07-09T03:24:38.473729311Z - description: | - [TEST]: 98b97ec9-a9ce-4444-83d8-71066270a424 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #98b97ec9-a9ce-4444-83d8-71066270a424: required domain is nil - uuid: 053bdc9e-654d-4287-adf1-02c14e77ece1 - - collected: 2024-07-09T03:24:38.489004016Z - description: | - [TEST]: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - gateway-configuration-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Only allowed gateways found. All gateway types found. 
- validate.msg_existing_gateways: istio-admin-gateway/admin-gateway, istio-passthrough-gateway/passthrough-gateway, istio-tenant-gateway/tenant-gateway - validate.msg_allowed_gateways: admin, passthrough, tenant - uuid: 2639ccbf-1a94-440e-b820-90e957f6987c - - collected: 2024-07-09T03:24:38.489063617Z - description: | - [TEST]: 0be7345d-e9d3-4248-9c14-5fed8e7bfa01 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #0be7345d-e9d3-4248-9c14-5fed8e7bfa01: required domain is nil - uuid: 65c62b95-df70-4723-bf3b-46799d0536ad - - collected: 2024-07-09T03:24:38.489091198Z - description: | - [TEST]: 9b361d7b-4e07-40db-8b86-3854ed499a4b - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #9b361d7b-4e07-40db-8b86-3854ed499a4b: required domain is nil - uuid: 41637e36-95ee-4c89-b332-80ca2d006620 - - collected: 2024-07-09T03:24:38.48912419Z - description: | - [TEST]: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #ecdb90c7-971a-4442-8f29-a8b0f6076bc9: required domain is nil - uuid: f9e01aee-c30f-4df5-a4c7-0af351cef153 - - collected: 2024-07-09T03:24:38.497116991Z - description: | - [TEST]: 70d99754-2918-400c-ac9a-319f874fff90 - istio-metrics-logging-configured - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Metrics logging supported. - uuid: d6de0a77-9d2c-4332-9ab0-3c97c8b5234c - - collected: 2024-07-09T03:24:38.594646609Z - description: | - [TEST]: f345c359-3208-46fb-9348-959bd628301e - istio-prometheus-annotations-validation - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All pods have correct prometheus annotations. 
- validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: 6fb0ef76-86ad-4629-9e9d-a725ddbf3373 - - collected: 2024-07-09T03:24:38.594709567Z - description: | - [TEST]: 8be1601e-5870-4573-ab4f-c1c199944815 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #8be1601e-5870-4573-ab4f-c1c199944815: required domain is nil - uuid: bf2a95fb-c40e-425a-a1a3-ec1307343179 - - collected: 2024-07-09T03:24:38.594743009Z - description: | - [TEST]: 73434890-2751-4894-b7b2-7e583b4a8977 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #73434890-2751-4894-b7b2-7e583b4a8977: required domain is nil - uuid: 31044f2f-75fd-4472-b624-1d918be32f40 - - collected: 2024-07-09T03:24:38.594778174Z - description: | - [TEST]: 9bfc68e0-381a-4006-9f68-c293e3b20cee - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #9bfc68e0-381a-4006-9f68-c293e3b20cee: required domain is nil - uuid: fa62278d-a485-40ec-a660-51845c227040 - - collected: 2024-07-09T03:24:38.602916174Z - description: | - [TEST]: f346b797-be35-40a8-a93a-585db6fd56ec - istio-tracing-logging-support - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - validate.msg: Tracing logging not supported. - uuid: b8c97e5c-a953-44f1-9868-42abdb5f36d3 - - collected: 2024-07-09T03:24:38.611569524Z - description: | - [TEST]: 67456ae8-4505-4c93-b341-d977d90cb125 - istio-health-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - istiohealth.deployment_message: All deployment conditions are true. - istiohealth.hpa_message: HPA has sufficient replicas. 
- uuid: f920e554-a7c0-4315-89ec-037e7e971ead - - collected: 2024-07-09T03:24:38.611623214Z - description: | - [TEST]: fbe5855d-b4ea-4ff5-9f0d-5901d620577a - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #fbe5855d-b4ea-4ff5-9f0d-5901d620577a: required domain is nil - uuid: c18cb484-a3d7-4f1b-9de2-bc40675ebef6 - - collected: 2024-07-09T03:24:38.621193684Z - description: | - [TEST]: c6c9daf1-4196-406d-8679-312c0512ab2e - check-istio-admin-gateway-and-usage - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Admin gateway exists. Admin virtual services are using admin gateway. - uuid: 4e69dd7e-0ba5-489c-82fd-bdfdd3d80afd - - collected: 2024-07-09T03:24:38.719799848Z - description: | - [TEST]: 1761ac07-80dd-47d2-947e-09f67943b986 - all-pods-istio-injected - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All pods have Istio sidecar proxy. 
- validate.exempt_namespaces_msg: Exempted Namespaces: istio-system, kube-system, uds-dev-stack, zarf - uuid: 3d86e5f1-bf50-43c1-a3d8-4f9d26311481 - - collected: 2024-07-09T03:24:38.729154607Z - description: | - [TEST]: 0da39859-a91a-4ca6-bd8b-9b117689188f - all-namespaces-istio-injected - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - validate.msg: Non-Istio-injected namespaces: {"exempted-app", "podinfo", "test-admin-app", "test-tenant-app"} - validate.exempted_namespaces_msg: Exempted Namespaces: default, istio-admin-gateway, istio-passthrough-gateway, istio-system, istio-tenant-gateway, kube-node-lease, kube-public, kube-system, uds-crds, uds-dev-stack, uds-policy-exemptions, zarf - uuid: 4df2137a-de64-4d02-8121-1911fc9dedab - - collected: 2024-07-09T03:24:38.751849467Z - description: | - [TEST]: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - secure-communication-with-istiod - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg_correct: NetworkPolicies correctly configured for istiod in namespaces: authservice, grafana, keycloak, loki, metrics-server, monitoring, neuvector, promtail, velero. - validate.msg_incorrect: No incorrect istiod NetworkPolicies found. 
- uuid: a7867fed-93d7-457c-8886-6dae4459c5b2 - - collected: 2024-07-09T03:24:38.751895453Z - description: | - [TEST]: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #663f5e92-6db4-4042-8b5a-eba3ebe5a622: required domain is nil - uuid: 6a1961d3-8819-4db9-b052-e3998d29f94c - - collected: 2024-07-09T03:24:38.75191546Z - description: | - [TEST]: 19faf69a-de74-4b78-a628-64a9f244ae13 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #19faf69a-de74-4b78-a628-64a9f244ae13: required domain is nil - uuid: 76674b13-a05d-40ba-b6ac-99aafe1c916e - - collected: 2024-07-09T03:24:38.757825399Z - description: | - [TEST]: ca49ac97-487a-446a-a0b7-92b20e2c83cb - enforce-mtls-strict - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All PeerAuthentications have mtls mode set to STRICT. 
- uuid: f6a130b1-bdb8-41de-8921-c1c373023f59 - - collected: 2024-07-09T03:24:38.766341924Z - description: | - [TEST]: 90738c86-6315-450a-ac69-cc50eb4859cc - check-istio-logging-all-traffic - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio is logging all traffic - uuid: 337f9bea-6f8e-4c89-8142-4474083105e6 - - collected: 2024-07-09T03:24:38.772656748Z - description: | - [TEST]: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - ingress-traffic-encrypted - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All gateways encrypt ingress traffic - validate.msg_exempt: Exempted Gateways: istio-passthrough-gateway/passthrough-gateway - uuid: 60ff69f7-6d6f-4b92-a0a4-4ecd2df24b52 - - collected: 2024-07-09T03:24:38.776561899Z - description: | - [TEST]: e38c0695-10f6-40b6-b246-fa58b26ccd25 - istio-authorization-policies-require-authentication - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Authorization Policy requires authentication for keycloak - uuid: 31654aca-4189-447d-b5e6-4928c5acc603 - - collected: 2024-07-09T03:24:38.781059357Z - description: | - [TEST]: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - istio-rbac-enforcement-check - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: Istio RBAC enforced - validate.msg_authPolicies: Authorization Policies: istio-system/authservice, istio-system/jwt-authz, keycloak/keycloak-block-admin-access-from-public-gateway - uuid: f3ff3fbb-16d9-4a92-90e1-d8b7a020bccc - - collected: 2024-07-09T03:24:38.791675282Z - description: | - [TEST]: 3e217577-930e-4469-a999-1a5704b5cecb - request-authenication-and-auth-policies-configured - methods: - - TEST - relevant-evidence: - - description: | - Result: satisfied - remarks: | - validate.msg: All AuthorizationPolicies properly configured. 
All RequestAuthentications properly configured. - uuid: b2b0c4c3-8b3d-42a6-9ba4-ce36f198e15c - - collected: 2024-07-09T03:24:38.79173886Z - description: | - [TEST]: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - lula-validation-error - methods: - - TEST - relevant-evidence: - - description: | - Result: not-satisfied - remarks: | - Error getting Lula validation #7455f86d-b79c-4226-9ce3-f3fb7d9348c8: required domain is nil - uuid: 35470a10-7ec9-4663-980b-c31ad61e08eb - props: - - name: threshold - ns: https://docs.lula.dev/oscal/ns - value: "true" - reviewed-controls: - control-selections: - - description: Controls Assessed by Lula - include-controls: - - control-id: ac-14 - - control-id: ac-2 - - control-id: ac-2.1 - - control-id: ac-3 - - control-id: ac-4 - - control-id: ac-4.21 - - control-id: ac-4.4 - control-id: ac-5 - control-id: ac-6 - control-id: ac-6.1 @@ -2773,17 +1355,12 @@ assessment-results: - control-id: sc-10 - control-id: sc-13 - control-id: sc-23 - - control-id: sc-3 - control-id: sc-39 - - control-id: sc-4 - control-id: sc-7 - - control-id: sc-7.20 - - control-id: sc-7.21 - control-id: sc-7.4 - control-id: sc-7.8 - control-id: sc-8 - control-id: sc-8.1 - - control-id: sc-8.2 - control-id: si-11 - control-id: si-2.3 - control-id: si-4 @@ -2791,7 +1368,7 @@ assessment-results: - control-id: si-6 description: Controls validated remarks: Validation performed may indicate full or partial satisfaction - start: 2024-07-09T03:24:38.798446786Z + start: 2024-10-16T20:13:51.671525491Z title: Lula Validation Result - uuid: 5a0a9538-e734-48a5-a327-02e6aa6891b0 - uuid: bf456173-34f4-480b-a659-1aae77092ee6 + uuid: 2d3dad50-ee92-4dec-a73c-cc683e28c5a2 + uuid: 1f7a298e-29e3-4d62-92c0-e4f4b42078b4 diff --git a/compliance/validations/istio/all-namespaces-istio-injected/README.md b/compliance/validations/istio/all-namespaces-istio-injected/README.md new file mode 100644 index 000000000..821a4d081 --- /dev/null 
+++ b/compliance/validations/istio/all-namespaces-istio-injected/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - all-namespaces-istio-injected
+
+**INPUT** - Collects all namespaces in the Kubernetes cluster.
+
+**POLICY** - Checks that all namespaces are Istio-injected, except for a predefined list of exempted namespaces.
+
+**NOTES** - The exempted namespaces are: `istio-system`, `kube-system`, `default`, `istio-admin-gateway`, `istio-passthrough-gateway`, `istio-tenant-gateway`, `kube-node-lease`, `kube-public`, `uds-crds`, `uds-dev-stack`, `uds-policy-exemptions`, `zarf`.
\ No newline at end of file
diff --git a/compliance/validations/istio/all-namespaces-istio-injected/resources.json b/compliance/validations/istio/all-namespaces-istio-injected/resources.json
new file mode 100644
index 000000000..17897f6d6
--- /dev/null
+++ b/compliance/validations/istio/all-namespaces-istio-injected/resources.json
@@ -0,0 +1,537 @@ +{ + "namespaces": [ + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "default", + "zarf.dev/agent": "ignore" + }, + "name": "default", + "resourceVersion": "680", + "uid": "0f317322-d4b2-49cf-9bdc-949b1760c7a0" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-system", + "zarf.dev/agent": "ignore" + }, + "name": "kube-system", + "resourceVersion": "681", + "uid": "4b063c85-1386-4887-b391-a303532f586e" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-public", + "zarf.dev/agent": "ignore" + }, + "name": "kube-public", + "resourceVersion": "683", + "uid": "5047265c-9614-4b52-8617-b20de9a1ae13" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:00:42Z", + "labels": { + "kubernetes.io/metadata.name": "kube-node-lease", + "zarf.dev/agent": "ignore" + }, + "name": "kube-node-lease", + "resourceVersion": "684", + "uid": "ba53aa5c-2b5b-4302-8572-fed2efbb88d4" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:01:05Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "zarf", + "zarf.dev/agent": "ignore" + }, + "name": "zarf", + "resourceVersion": "685", + "uid": 
"80e207f5-5aab-414e-9ed4-e3f96b654920" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:01:06Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-dev-stack", + "zarf.dev/agent": "ignore" + }, + "name": "uds-dev-stack", + "resourceVersion": "686", + "uid": "4967045b-0d5d-4d47-b221-b9f7c41f5fa9" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:03:52Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-crds" + }, + "name": "uds-crds", + "resourceVersion": "949", + "uid": "20f83ea4-99bd-49e0-99c8-5f61a83271b2" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:14Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-system" + }, + "name": "istio-system", + "resourceVersion": "1051", + "uid": "eadee776-a36e-448e-8ec7-e8649db8e181" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:19Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "pepr-system", + "zarf-helm-release": "zarf-a102b532d6a523b085622665b606574b0cd82025" + }, + "name": "pepr-system", + "resourceVersion": "1128", + "uid": "6ff15b92-117f-4226-97aa-c334ce7a6d5d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + 
"kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:21Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-admin-gateway" + }, + "name": "istio-admin-gateway", + "resourceVersion": "1142", + "uid": "d66870cc-5b8e-4611-aeae-6f314f1e8076" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:27Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-tenant-gateway" + }, + "name": "istio-tenant-gateway", + "resourceVersion": "1200", + "uid": "2e51a476-fe56-4aaf-a342-27efe1fe4ce0" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:04:31Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "istio-passthrough-gateway" + }, + "name": "istio-passthrough-gateway", + "resourceVersion": "1258", + "uid": "895505ba-3dd7-49db-8b6a-76a16220526d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-metrics-server": "true" + }, + "creationTimestamp": "2024-04-22T14:04:54Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "metrics-server" + }, + "name": "metrics-server", + "resourceVersion": "1516", + "uid": "b98e6771-1752-46f9-9de8-dbab84ef3803" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + 
"uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-keycloak": "true" + }, + "creationTimestamp": "2024-04-22T14:05:21Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "keycloak" + }, + "name": "keycloak", + "resourceVersion": "1698", + "uid": "6560188f-4555-475b-aa5b-b3b0173d6e32" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "creationTimestamp": "2024-04-22T14:06:37Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "kubernetes.io/metadata.name": "uds-policy-exemptions" + }, + "name": "uds-policy-exemptions", + "resourceVersion": "1903", + "uid": "f56bf67e-4c62-4b15-80c2-82639586bd35" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-neuvector": "true" + }, + "creationTimestamp": "2024-04-22T14:06:35Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "neuvector" + }, + "name": "neuvector", + "resourceVersion": "1940", + "uid": "b69f3003-abc4-4495-b3bb-79a3e12ab05f" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-loki": "true" + }, + "creationTimestamp": "2024-04-22T14:07:07Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "loki" + }, + "name": "loki", + "resourceVersion": "2421", + "uid": "e92842e6-2242-44d5-9473-83a97fdf0c3d" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + 
"status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-prometheus-stack": "true" + }, + "creationTimestamp": "2024-04-22T14:08:40Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "monitoring" + }, + "name": "monitoring", + "resourceVersion": "2915", + "uid": "ebb401c8-13ee-4636-8e36-b04a0a0e3cfb" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-promtail": "true" + }, + "creationTimestamp": "2024-04-22T14:09:19Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "promtail" + }, + "name": "promtail", + "resourceVersion": "3466", + "uid": "9ee64052-8c6c-4d4e-82fb-d5fe016f441e" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-grafana": "true" + }, + "creationTimestamp": "2024-04-22T14:07:07Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "grafana" + }, + "name": "grafana", + "resourceVersion": "3621", + "uid": "c8064cce-25f4-4fd4-a16c-9e5a4af869b5" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-authservice": "true" + }, + "creationTimestamp": "2024-04-22T14:10:05Z", + "labels": { + 
"app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "authservice" + }, + "name": "authservice", + "resourceVersion": "3775", + "uid": "2c399f0d-f380-43b5-a717-edf4f19d2b17" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + }, + { + "apiVersion": "v1", + "kind": "Namespace", + "metadata": { + "annotations": { + "uds.dev/original-istio-injection": "non-existent", + "uds.dev/pkg-velero": "true" + }, + "creationTimestamp": "2024-04-22T14:10:17Z", + "labels": { + "app.kubernetes.io/managed-by": "zarf", + "istio-injection": "enabled", + "kubernetes.io/metadata.name": "velero" + }, + "name": "velero", + "resourceVersion": "3857", + "uid": "e6a181f4-02b4-4625-8d9e-78656316fc35" + }, + "spec": { + "finalizers": [ + "kubernetes" + ] + }, + "status": { + "phase": "Active" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml new file mode 100644 index 000000000..0a7e4d8c4 --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-no-istio-injection + validation: validation.yaml + resources: resources.json + permutation: '.namespaces |= map(if .metadata.name == "grafana" then del(.metadata.labels["istio-injection"]) else . end)' + expected-validation: false diff --git a/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml new file mode 100644 index 000000000..d32392e6c --- /dev/null +++ b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml 
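Review bot: The negative case in tests.yaml only deletes the `istio-injection` label from grafana, but the policy treats any value other than `enabled` as non-injected (`not ns.metadata.labels["istio-injection"] == "enabled"`), so an explicitly `disabled` label — the more likely real-world misconfiguration — is never exercised. A second permutation that sets the label to `disabled` and still expects `false` would pin that branch cheaply; a constructed entry is below. Test names are illustrative and can follow whatever naming the suite settles on.

```yaml
  # … unchanged: default and grafana-no-istio-injection cases …
  - test: grafana-istio-injection-disabled
    validation: validation.yaml
    resources: resources.json
    permutation: '.namespaces |= map(if .metadata.name == "grafana" then .metadata.labels["istio-injection"] = "disabled" else . end)'
    expected-validation: false
```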
@@ -0,0 +1,55 @@ +metadata: + name: all-namespaces-istio-injected + uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: namespaces + resource-rule: + group: "" + version: v1 + resource: namespaces + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Validation + validate if { + check_non_istio_injected_namespaces.result + } + msg = check_non_istio_injected_namespaces.msg + msg_exempt_namespaces = concat(", ", exempted_namespaces) + + # List of exempted namespaces + exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", + "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", + "uds-dev-stack", "uds-policy-exemptions", "zarf"} + + # Collect non-Istio-injected namespaces + non_istio_injected_namespaces := {ns.metadata.name | + ns := input.namespaces[_] + ns.kind == "Namespace" + not ns.metadata.labels["istio-injection"] == "enabled" + not ns.metadata.name in exempted_namespaces + } + + # Check no non-Istio-injected namespaces + check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } if { + count(non_istio_injected_namespaces) == 0 + } else = { "result": false, "msg": msg } if { + msg := sprintf("Non-Istio-injected namespaces: %v", [non_istio_injected_namespaces]) + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempt_namespaces diff --git a/compliance/validations/istio/all-pods-istio-injected/README.md b/compliance/validations/istio/all-pods-istio-injected/README.md new file mode 100644 index 000000000..fcacfe2b1 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/README.md 
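Review bot: The `exempted_namespaces` set is this policy's trust boundary — a namespace listed there may run pods outside Istio mTLS and AuthorizationPolicy enforcement without the validation noticing — yet none of the twelve entries carries a rationale, and `default`, `kube-public`, `uds-crds` and `uds-policy-exemptions` are not self-evidently infrastructure namespaces. Add a comment above the set such as `# Namespaces outside the mesh; every entry needs a documented reason and this list is reviewed whenever it changes`, ideally with a short per-entry reason for the non-obvious ones. The `else` branch declares a local `msg :=` with the same name as the package-level `msg` rule, which reads like a reassignment; renaming it (e.g. `fail_msg`) removes the ambiguity without changing the output. Note that the namespace label only shows injection was requested, not that every pod actually has a sidecar; the sibling all-pods-istio-injected validation covers that, and a one-line comment saying so would help assessors reading `validate.msg` in the observations.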
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - all-pods-istio-injected
+
+**INPUT** - Collects all pods in the Kubernetes cluster.
+
+**POLICY** - Checks that all pods have an Istio sidecar proxy, except for pods in a predefined list of exempted namespaces.
+
+**NOTES** - The exempted namespaces are: `kube-system`, `istio-system`, `uds-dev-stack`, `zarf`, `istio-admin-gateway`, `istio-tenant-gateway`, `istio-passthrough-gateway`.
\ No newline at end of file
diff --git a/compliance/validations/istio/all-pods-istio-injected/resources.json b/compliance/validations/istio/all-pods-istio-injected/resources.json
new file mode 100644
index 000000000..a281dc426
--- /dev/null
+++ b/compliance/validations/istio/all-pods-istio-injected/resources.json
@@ -0,0 +1,24014 @@ +{ + "pods": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:06Z", + "generateName": "metallb-controller-665d96757f-", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "pod-template-hash": "665d96757f" + }, + "name": "metallb-controller-665d96757f-s8hj5", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metallb-controller-665d96757f", + "uid": "ccba3766-c585-46f7-9b64-b3b07d908e1e" + } + ], + "resourceVersion": "486", + "uid": "7795a37b-5d17-416f-aebc-13c82ea4162b" + }, + "spec": { + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info", + "--tls-min-version=VersionTLS12" + ], + "env": [ + { + "name": "METALLB_ML_SECRET_NAME", + "value": "metallb-memberlist" + }, + { + "name": "METALLB_DEPLOYMENT", + "value": "metallb-controller" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/controller:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "controller", + "ports": [ + { + "containerPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 9443, + "name": "webhook-server", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + 
}, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/k8s-webhook-server/serving-certs", + "name": "cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-pvfts", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "metallb-controller", + "serviceAccountName": "metallb-controller", + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "cert", + "secret": { + "defaultMode": 420, + "secretName": "metallb-webhook-cert" + } + }, + { + "name": "kube-api-access-pvfts", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:10Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-07-15T19:21:06Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://e9dde122aac6ff1bc8137450616e137751f05f69a6ddd120d55b26745e3425d3", + "image": "quay.io/metallb/controller:v0.14.5", + "imageID": "quay.io/metallb/controller@sha256:3f776529447094c8d318baeb4f9efe024cf154859762ec3eefcd878b1fe8a01f", + "lastState": {}, + "name": "controller", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:10Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.3", + "podIPs": [ + { + "ip": "10.42.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "nginx-", + "labels": { + "controller-revision-hash": "796f655567", + "name": "nginx", + "pod-template-generation": "1", + "sidecar.istio.io/inject": "false" + }, + "name": "nginx-d6xdx", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "nginx", + "uid": "d27f737c-8eaa-4243-a7c8-c2a8331eef9f" + } + ], + "resourceVersion": "542", + "uid": "cca0b707-cf92-44be-9fdc-38159979f5f7" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": 
"In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "command": [ + "nginx", + "-g", + "daemon off;" + ], + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "TCP" + }, + { + "containerPort": 443, + "hostPort": 443, + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx/nginx.conf", + "name": "config-volume", + "subPath": "nginx.conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-485d9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "nginx-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-485d9", + "projected": { + "defaultMode": 420, + 
"sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f1e5591d3cca12a7e9ffbdc3e90373b0d740324ba785e41e52dcb645c06066cb", + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imageID": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:32Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.4", + "podIPs": [ + { + "ip": "10.42.0.4" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "local-path-provisioner-6d9d9b57c9-", + 
"labels": { + "app": "local-path-provisioner", + "pod-template-hash": "6d9d9b57c9" + }, + "name": "local-path-provisioner-6d9d9b57c9-hcv5w", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "local-path-provisioner-6d9d9b57c9", + "uid": "6fec9ac8-cdef-4052-bbe5-2325eed27917" + } + ], + "resourceVersion": "544", + "uid": "f13000c3-ec5d-46e8-96c2-1b3f800dd95e" + }, + "spec": { + "containers": [ + { + "command": [ + "local-path-provisioner", + "--debug", + "start", + "--config", + "/etc/config/config.json" + ], + "env": [ + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + } + ], + "image": "rancher/local-path-provisioner:v0.0.26", + "imagePullPolicy": "IfNotPresent", + "name": "local-path-provisioner", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config/", + "name": "config-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jcpzb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "local-path-provisioner-service-account", + "serviceAccountName": "local-path-provisioner-service-account", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, 
+ "name": "local-path-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-jcpzb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://469d27a57d2c8d0193d1a6bd41455b443f50df8befd66d6f90365fb41a108ca2", + "image": "docker.io/rancher/local-path-provisioner:v0.0.26", + "imageID": "docker.io/rancher/local-path-provisioner@sha256:aee53cadc62bd023911e7f077877d047c5b3c269f9bba25724d558654f43cea0", + "lastState": {}, + "name": "local-path-provisioner", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:31Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.6", + "podIPs": [ + { + "ip": "10.42.0.6" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + 
"apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:29Z", + "generateName": "ensure-machine-id-", + "labels": { + "controller-revision-hash": "555967fc7b", + "name": "ensure-machine-id", + "pod-template-generation": "1" + }, + "name": "ensure-machine-id-r9dqh", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "ensure-machine-id", + "uid": "80ab6077-003d-4be2-860d-8a17372b226d" + } + ], + "resourceVersion": "594", + "uid": "fe2ebb8c-fee8-4a5b-a79b-f5d733756d8f" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "image": "registry.k8s.io/pause:3.9", + "imagePullPolicy": "IfNotPresent", + "name": "pause", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "100m", + "memory": "50Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-29ltk", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "initContainers": [ + { + "args": [ + "echo \"B0D07F1F43F246409516ADBDCCC86FCE\" \u003e /mnt/host/etc/machine-id;" + ], + "command": [ + "/bin/sh", + "-c" + ], + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imagePullPolicy": "Always", + "name": "generate-machine-id", + "resources": {}, + "securityContext": { + "privileged": true, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/mnt/host/etc", + 
"name": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-29ltk", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-29ltk", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": 
null, + "lastTransitionTime": "2024-07-15T19:21:35Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:35Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4961e8b7180b5117d23ec0ea1a9336a6bcf20cb1b7a413ccb130ba7554f18e7a", + "image": "registry.k8s.io/pause:3.9", + "imageID": "registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097", + "lastState": {}, + "name": "pause", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://de664030a331e49795fdd67d1bd689ad074d54c401d5d14b72bd18f3ef9bfc87", + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imageID": "cgr.dev/chainguard/wolfi-base@sha256:d6b37317ae7cb5c0864189e9e5acd825386ae226a413e7c19370f5f87d150f92", + "lastState": {}, + "name": "generate-machine-id", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://de664030a331e49795fdd67d1bd689ad074d54c401d5d14b72bd18f3ef9bfc87", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.5", + "podIPs": [ + { + "ip": "10.42.0.5" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:21:06Z", + "generateName": "metallb-speaker-", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + 
"app.kubernetes.io/name": "metallb", + "controller-revision-hash": "6c7b58bfd7", + "pod-template-generation": "1" + }, + "name": "metallb-speaker-8gb22", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "metallb-speaker", + "uid": "c6d8e3b1-cbf3-4880-bad7-96b393df14f5" + } + ], + "resourceVersion": "610", + "uid": "5b51dfe0-90b9-4337-86a9-6d8ea087b5cb" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info" + ], + "env": [ + { + "name": "METALLB_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "METALLB_HOST", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "METALLB_ML_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "METALLB_ML_LABELS", + "value": "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" + }, + { + "name": "METALLB_ML_BIND_PORT", + "value": "7946" + }, + { + "name": "METALLB_ML_SECRET_KEY_PATH", + "value": "/etc/ml_secret_key" + }, + { + "name": "FRR_CONFIG_FILE", + "value": "/etc/frr_reloader/frr.conf" + }, + { + "name": "FRR_RELOADER_PID_FILE", + "value": "/etc/frr_reloader/reloader.pid" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + 
"successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "speaker", + "ports": [ + { + "containerPort": 7472, + "hostPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-tcp", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/ml_secret_key", + "name": "memberlist" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/etc/metallb", + "name": "metallb-excludel2" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/sbin/tini -- /usr/lib/frr/docker-start \u0026\nattempts=0\nuntil [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do\n sleep 1\n attempts=$(( $attempts + 1 ))\ndone\ntail -f /etc/frr/frr.log\n" + ], + "env": [ + { + "name": "TINI_SUBREAPER", + "value": "true" + } + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "livez", + "port": 7473, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "frr", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN", + 
"NET_RAW", + "SYS_ADMIN", + "NET_BIND_SERVICE" + ] + } + }, + "startupProbe": { + "failureThreshold": 30, + "httpGet": { + "path": "/livez", + "port": 7473, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/etc/frr_reloader/frr-reloader.sh" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "args": [ + "--metrics-port=7473" + ], + "command": [ + "/etc/frr_metrics/frr-metrics" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "frr-metrics", + "ports": [ + { + "containerPort": 7473, + "hostPort": 7473, + "name": "monitoring", + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + } 
+ ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostNetwork": true, + "initContainers": [ + { + "command": [ + "/bin/sh", + "-c", + "cp -rLf /tmp/frr/* /etc/frr/" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "cp-frr-files", + "resources": {}, + "securityContext": { + "runAsGroup": 101, + "runAsUser": 100 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/frr", + "name": "frr-startup" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-reloader.sh /etc/frr_reloader/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-metrics /etc/frr_metrics/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-metrics", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fknxr", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": 
"default-scheduler", + "securityContext": {}, + "serviceAccount": "metallb-speaker", + "serviceAccountName": "metallb-speaker", + "shareProcessNamespace": true, + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/network-unavailable", + "operator": "Exists" + } + ], + "volumes": [ + { + "name": "memberlist", + "secret": { + "defaultMode": 420, + "secretName": "metallb-memberlist" + } + }, + { + "configMap": { + "defaultMode": 256, + "name": "metallb-excludel2" + }, + "name": "metallb-excludel2" + }, + { + "emptyDir": {}, + "name": "frr-sockets" + }, + { + "configMap": { + "defaultMode": 420, + "name": "metallb-frr-startup" + }, + "name": "frr-startup" + }, + { + "emptyDir": {}, + "name": "frr-conf" + }, + { + "emptyDir": {}, + "name": "reloader" + }, + { + "emptyDir": {}, + "name": "metrics" + }, + { + "name": "kube-api-access-fknxr", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { 
+ "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:18Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:22Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:40Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:40Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://206d74412d6f746852ed33e9448b100ae2762ba6a722e94a04e3e5aa7f03260c", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://9407b90e38fba202082dfa4a550efde6f3d16250ebc32c87b8431ed735e1430a", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://d7541882f85936e252f33d0130b123a08d8316655b0aba281276429eb479c7af", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + 
"lastState": {}, + "name": "reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + }, + { + "containerID": "containerd://05a490aad7458d0127e70c256ee4c0e9ee56b793620a499f6d8196b38bad0583", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "speaker", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:22Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://ec00aef71a7110a1899d7b6fbf965b93bc8004cec9f9f7002e320b1c5ad8dd29", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "cp-frr-files", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ec00aef71a7110a1899d7b6fbf965b93bc8004cec9f9f7002e320b1c5ad8dd29", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:17Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:17Z" + } + } + }, + { + "containerID": "containerd://ba979b36684e75411bbcc2ba4af20dc1ce3e2ef2321ac4e72fcd5139fb737dc3", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ba979b36684e75411bbcc2ba4af20dc1ce3e2ef2321ac4e72fcd5139fb737dc3", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:21Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:21Z" + } + } + }, + { + "containerID": 
"containerd://7381fb10b9989113eaabf5ca8bcb4344519725c0a5111e8e796f2e6383d790f1", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-metrics", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7381fb10b9989113eaabf5ca8bcb4344519725c0a5111e8e796f2e6383d790f1", + "exitCode": 0, + "finishedAt": "2024-07-15T19:21:21Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:21:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "172.19.0.3", + "podIPs": [ + { + "ip": "172.19.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-07-15T19:21:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "25ba5a36ee6bd1887b73590eee26c55e5673fbf1ef59d3f2e380255cea24fc78", + "checksum/secrets": "9b856ae77a7f70b2d03ee838d91fc2f61b9dc5f9140837fd2f14aa3a0631eb6a" + }, + "creationTimestamp": "2024-07-15T19:21:33Z", + "generateName": "minio-6c8d84fc7f-", + "labels": { + "app": "minio", + "pod-template-hash": "6c8d84fc7f", + "release": "minio" + }, + "name": "minio-6c8d84fc7f-zw9dv", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "minio-6c8d84fc7f", + "uid": "1cbd7b49-530e-4864-be2d-bfa8765649fc" + } + ], + "resourceVersion": "615", + "uid": "08e134cb-f32d-44f3-a858-a46d5709c9ba" + }, + "spec": { + "containers": [ + { + "command": [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + ], + "env": [ + { + "name": "MINIO_ROOT_USER", + "valueFrom": { + "secretKeyRef": { + "key": "rootUser", + "name": "minio" + } + } + }, + { + "name": "MINIO_ROOT_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": 
"rootPassword", + "name": "minio" + } + } + }, + { + "name": "MINIO_PROMETHEUS_AUTH_TYPE", + "value": "public" + } + ], + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imagePullPolicy": "IfNotPresent", + "name": "minio", + "ports": [ + { + "containerPort": 9000, + "name": "http", + "protocol": "TCP" + }, + { + "containerPort": 9001, + "name": "http-console", + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": "150m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/credentials", + "name": "minio-user", + "readOnly": true + }, + { + "mountPath": "/export", + "name": "export" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xwwsx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "fsGroupChangePolicy": "OnRootMismatch", + "runAsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "minio-sa", + "serviceAccountName": "minio-sa", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "export", + "persistentVolumeClaim": { + "claimName": "minio" + } + }, + { + "name": "minio-user", + "secret": { + "defaultMode": 420, + "secretName": "minio" + } + }, + { + "name": "kube-api-access-xwwsx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + 
{ + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:38Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://db32566b2641bbc63592030e260f7964ef49292aee694752b7a344d0b31e0fcd", + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imageID": "quay.io/minio/minio@sha256:036a068d7d6b69400da6bc07a480bee1e241ef3c341c41d988ed11f520f85124", + "lastState": {}, + "name": "minio", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:42Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.8", + "podIPs": [ + { + "ip": "10.42.0.8" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:38Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/restartedAt": "2024-07-15T15:21:50-04:00" + }, + "creationTimestamp": "2024-07-15T19:21:50Z", + "generateName": "coredns-67cddc4fb4-", + "labels": { + "k8s-app": "kube-dns", + "pod-template-hash": 
"67cddc4fb4" + }, + "name": "coredns-67cddc4fb4-5fsgn", + "namespace": "kube-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "coredns-67cddc4fb4", + "uid": "fecf9a0b-1ff7-4fbc-a0b4-2d027e838a5d" + } + ], + "resourceVersion": "689", + "uid": "dee39420-a2ab-4ec3-a7ae-d13c251b8910" + }, + "spec": { + "containers": [ + { + "args": [ + "-conf", + "/etc/coredns/Corefile" + ], + "image": "rancher/mirrored-coredns-coredns:1.10.1", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/health", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "coredns", + "ports": [ + { + "containerPort": 53, + "name": "dns", + "protocol": "UDP" + }, + { + "containerPort": 53, + "name": "dns-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9153, + "name": "metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8181, + "scheme": "HTTP" + }, + "periodSeconds": 2, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "memory": "170Mi" + }, + "requests": { + "cpu": "100m", + "memory": "70Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_BIND_SERVICE" + ], + "drop": [ + "all" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/coredns", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/coredns/custom", + "name": "custom-config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7bjqt", + "readOnly": true + } + ] + } + ], + "dnsPolicy": 
"Default", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "coredns", + "serviceAccountName": "coredns", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "CriticalAddonsOnly", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "topologySpreadConstraints": [ + { + "labelSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + }, + "maxSkew": 1, + "topologyKey": "kubernetes.io/hostname", + "whenUnsatisfiable": "DoNotSchedule" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "Corefile", + "path": "Corefile" + }, + { + "key": "NodeHosts", + "path": "NodeHosts" + } + ], + "name": "coredns" + }, + "name": "config-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "coredns-custom", + "optional": true + }, + "name": "custom-config-volume" + }, + { + "name": "kube-api-access-7bjqt", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": 
"metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:50Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:51Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:21:50Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8ec9910459f9fde24c470d4d30c08fcc0cc8b6578e9025a59136396ab91e2ea8", + "image": "docker.io/rancher/mirrored-coredns-coredns:1.10.1", + "imageID": "docker.io/rancher/mirrored-coredns-coredns@sha256:a11fafae1f8037cbbd66c5afa40ba2423936b72b4fd50a7034a7e8b955163594", + "lastState": {}, + "name": "coredns", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:21:51Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.10", + "podIPs": [ + { + "ip": "10.42.0.10" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:21:50Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "5944c97d04b79de507bf45171f9cc5a207b0edbfe79b85beed66145312c9a6d5" + }, + "creationTimestamp": "2024-07-15T19:22:43Z", + "generateName": "zarf-docker-registry-5df7748994-", + "labels": { + "app": "docker-registry", + "pod-template-hash": "5df7748994", + "release": "zarf-docker-registry", + "zarf.dev/agent": "ignore" + }, + "name": "zarf-docker-registry-5df7748994-wv45k", + "namespace": 
"zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "zarf-docker-registry-5df7748994", + "uid": "d0616098-3a93-4a57-a8f3-0214bcfcdaf3" + } + ], + "resourceVersion": "877", + "uid": "5edae467-72ca-46d7-924f-de8c81cdfc88" + }, + "spec": { + "affinity": { + "podAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "docker-registry" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "command": [ + "/bin/registry", + "serve", + "/etc/docker/registry/config.yml" + ], + "env": [ + { + "name": "REGISTRY_AUTH", + "value": "htpasswd" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_REALM", + "value": "Registry Realm" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_PATH", + "value": "/etc/docker/registry/htpasswd" + }, + { + "name": "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", + "value": "/var/lib/registry" + }, + { + "name": "REGISTRY_STORAGE_DELETE_ENABLED", + "value": "true" + } + ], + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "docker-registry", + "ports": [ + { + "containerPort": 5000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "3", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ 
+ { + "mountPath": "/var/lib/registry/", + "name": "data" + }, + { + "mountPath": "/etc/docker/registry", + "name": "config" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htsj8", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "config", + "secret": { + "defaultMode": 420, + "items": [ + { + "key": "configData", + "path": "config.yml" + }, + { + "key": "htpasswd", + "path": "htpasswd" + } + ], + "secretName": "zarf-docker-registry-secret" + } + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "zarf-docker-registry" + } + }, + { + "name": "kube-api-access-htsj8", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-07-15T19:22:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:44Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ad7e03c72e45aadd7a7e04fef67e8c0b71558b061540549c949ff1c8062ed91d", + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imageID": "127.0.0.1:31999/library/registry@sha256:53ee3286cf0400c2ec957e31594c77439ec959e26ca00c8264c5ce521f7859ac", + "lastState": {}, + "name": "docker-registry", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:44Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.14", + "podIPs": [ + { + "ip": "10.42.0.14" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:43Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:22:48Z", + "generateName": "agent-hook-59ffcd5dc9-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "59ffcd5dc9", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-59ffcd5dc9-psr4z", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-59ffcd5dc9", + "uid": "9a754d33-1d43-493e-b103-ec5e2b424813" + } + ], + "resourceVersion": "951", + "uid": "3cef1be4-d010-4241-abdf-980cd35a4545" + }, + "spec": { + "containers": [ + { + "image": 
"127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x875g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-x875g", + "projected": { + "defaultMode": 420, + 
"sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:48Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9cc795de2a2bf1670e605802314bec0fe06349ede9d8f223fe7b5ad88aab4c61", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:790f5523474c1e468177cec8095897c24fa4f6b44fe4b3c170ead4efccb33deb", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:50Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.16", + "podIPs": [ + { + "ip": "10.42.0.16" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:49Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-07-15T19:22:48Z", + "generateName": "agent-hook-59ffcd5dc9-", + "labels": { + "app": 
"agent-hook", + "pod-template-hash": "59ffcd5dc9", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-59ffcd5dc9-km2n7", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-59ffcd5dc9", + "uid": "9a754d33-1d43-493e-b103-ec5e2b424813" + } + ], + "resourceVersion": "955", + "uid": "a97ce80c-e562-46f3-929b-4b2f90cb4781" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-kwrgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": 
"node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-kwrgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:22:49Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://765eb72b9f732ad82195fa111ffc842a7327afd22e3ca36cb0764abf9cb5e30b", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.35.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:790f5523474c1e468177cec8095897c24fa4f6b44fe4b3c170ead4efccb33deb", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + 
"started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:22:50Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.15", + "podIPs": [ + { + "ip": "10.42.0.15" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:22:49Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": "2024-07-15T19:23:10Z", + "generateName": "istiod-65d755df65-", + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "pod-template-hash": "65d755df65", + "sidecar.istio.io/inject": "false", + "zarf-agent": "patched" + }, + "name": "istiod-65d755df65-wqqv4", + "namespace": "istio-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "istiod-65d755df65", + "uid": "8c0fcf4c-a8a6-457e-a746-213fe5b10d14" + } + ], + "resourceVersion": "1137", + "uid": "f2441ec0-38ba-4b6c-94f7-f0e6023facf9" + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + 
"fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_JWT_ENABLE_REMOTE_JWKS", + "value": "hybrid" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips:1.22.2-zarf-1946820730", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": 
"istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-s75s7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + }, + { + "name": "kube-api-access-s75s7", + "projected": { + "defaultMode": 420, + "sources": [ + { + 
"serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:11Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:10Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:12Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:12Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:10Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8b2948f7be4e06016ba417ebb0b567cca7fe3b22c8463bea0cf070b19ef7fe6a", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips:1.22.2-zarf-1946820730", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-pilot-fips@sha256:d62df1d72be6182a41ecb7259b195e6b7bd28c0301fe7f46126187e6601f5f20", + "lastState": {}, + "name": "discovery", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:11Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.17", + "podIPs": [ + { + "ip": "10.42.0.17" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:10Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", 
+ "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-48f5b\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:17Z", + "generateName": "admin-ingressgateway-65c568569f-", + "labels": { + "app": "admin-ingressgateway", + "istio": "admin-ingressgateway", + "pod-template-hash": "65c568569f", + "service.istio.io/canonical-name": "admin-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "admin-ingressgateway-65c568569f-nssjx", + "namespace": "istio-admin-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "admin-ingressgateway-65c568569f", + "uid": "4807fa82-ff07-41b5-bba9-e9aa4433dd38" + } + ], + "resourceVersion": "1211", + "uid": 
"b390a7ed-b997-4236-80dc-d7c2d3b1ead3" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": 
"spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "admin-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-admin-gateway/deployments/admin-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", 
+ "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48f5b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "admin-ingressgateway", + "serviceAccountName": "admin-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-48f5b", + "projected": { + 
"defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:18Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:17Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:19Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:19Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4aeab66391eea771294a630f113c82c039de7b48bc70cb502bc03aabda8624b7", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.18", + "podIPs": [ + { + "ip": "10.42.0.18" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + 
"inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-2smgd\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:23Z", + "generateName": "tenant-ingressgateway-79d5d77d67-", + "labels": { + "app": "tenant-ingressgateway", + "istio": "tenant-ingressgateway", + "pod-template-hash": "79d5d77d67", + "service.istio.io/canonical-name": "tenant-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "tenant-ingressgateway-79d5d77d67-fdcrk", + "namespace": "istio-tenant-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "tenant-ingressgateway-79d5d77d67", + "uid": "4e8436d1-1a72-48c2-8401-029d6a88e0be" + } + 
], + "resourceVersion": "1266", + "uid": "be7b37b2-96ba-41d3-a5f9-6b546cedd6c0" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + 
"apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "tenant-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-tenant-gateway/deployments/tenant-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, 
+ { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2smgd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "tenant-ingressgateway", + "serviceAccountName": "tenant-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": 
"kube-api-access-2smgd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:24Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:24Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:23Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9411159858b495e26067084207456676f7b2182273670876fdce8ff2770a5e55", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.19", + "podIPs": [ + { + "ip": "10.42.0.19" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:23Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + 
"annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": "{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-d8nvq\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:27Z", + "generateName": "passthrough-ingressgateway-77f78c89b5-", + "labels": { + "app": "passthrough-ingressgateway", + "istio": "passthrough-ingressgateway", + "pod-template-hash": "77f78c89b5", + "service.istio.io/canonical-name": "passthrough-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "passthrough-ingressgateway-77f78c89b5-pm8qs", + "namespace": "istio-passthrough-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "passthrough-ingressgateway-77f78c89b5", + 
"uid": "78cc1423-b80a-4b9c-8f1b-3d59b7f75c53" + } + ], + "resourceVersion": "1329", + "uid": "f7217d2e-6486-4eaf-8629-2912fd29a340" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": 
"ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-passthrough-gateway/deployments/passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, 
+ { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-d8nvq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "passthrough-ingressgateway", + "serviceAccountName": "passthrough-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + 
"name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-d8nvq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:27Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7b990fded25b108e98eb26bedf084d992082372b787056fb359418047b26777e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:27Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "phase": "Running", + "podIP": "10.42.0.20", + "podIPs": [ + { + "ip": "10.42.0.20" + } + ], + "qosClass": "Burstable", + "startTime": 
"2024-07-15T19:23:27Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-5c765b95fc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "5c765b95fc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-5c765b95fc-cfkkk", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-5c765b95fc", + "uid": "0a1532c3-713f-43e5-a524-162af59e0d07" + } + ], + "resourceVersion": "1482", + "uid": "a2ac1d4c-cee9-4329-8d30-c0843aae66c1" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + 
"name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": 
"{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + 
}, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + 
"terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-tzqh9", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + 
"serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-tzqh9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + 
"apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://159d6f4b88ac8016e5a92934206b51f21c0061c500bce0c153b4e82a7ad8bf4d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://6b1f6abf4bc9fbe85a28145ac16c4f5bf3f3e1479c039b5eff81426c826e60b0", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": 
"containerd://7a8f7f63cf2f2c10e696e21bd6256c496789edfd01d785ea77d7468ab0db4826", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7a8f7f63cf2f2c10e696e21bd6256c496789edfd01d785ea77d7468ab0db4826", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.23", + "podIPs": [ + { + "ip": "10.42.0.23" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "watcher", + "kubectl.kubernetes.io/default-logs-container": "watcher", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-watcher-66b655ddf4-", + "labels": { + "app": "pepr-uds-core-watcher", + "pepr.dev/controller": "watcher", + "pod-template-hash": "66b655ddf4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core-watcher", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": 
"pepr-uds-core-watcher-66b655ddf4-bpq9g", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-watcher-66b655ddf4", + "uid": "ae364113-5898-474f-bcd1-286861bb69fe" + } + ], + "resourceVersion": "1490", + "uid": "84585c9d-6165-4901-bde2-9f98761d74cd" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "watcher" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": 
"limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/watcher/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/watcher/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": 
true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "true" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": 
"/app-health/watcher/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "watcher", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + 
"privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8kh7x", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + 
"name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-8kh7x", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://85d64001599c5308e7c2e71ca09ef22053485a6289acba3ea4769a8354ef6e4b", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": 
"containerd://a862028611efdf0c258a1b76c8c5cbd3604dc1b5a83699d6ec92839e151260df", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "watcher", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://71e6351114992f381e3e8b171786010b883e76b800d597adb1f3258de12c9f84", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://71e6351114992f381e3e8b171786010b883e76b800d597adb1f3258de12c9f84", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.21", + "podIPs": [ + { + "ip": "10.42.0.21" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1721071155270", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-07-15T19:23:31Z", + "generateName": "pepr-uds-core-5c765b95fc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "5c765b95fc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-5c765b95fc-67xnv", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-5c765b95fc", + "uid": "0a1532c3-713f-43e5-a524-162af59e0d07" + } + ], + "resourceVersion": "1494", + "uid": "369da40a-d38b-4d0c-97ef-727debbd0746" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + 
"valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", 
+ "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "835918263d02780c552f9239598a5cb88b1b630ef35cec16e2886ab5e64ee9e9" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": 
"PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "info" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_CA_CERT" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + }, + { + "name": "UDS_LOG_LEVEL", + "value": "###ZARF_VAR_UDS_LOG_LEVEL###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": 
"private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vm8xd", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + 
}, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-vm8xd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:33Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "Ready" + }, + 
{ + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:42Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:31Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://52bc399613ee525613fafce8448b2730eac0057149186f0d384d32df86da986e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:33Z" + } + } + }, + { + "containerID": "containerd://e1999cff8e62631cd329f06102304e60a0d628d306b75af300981b2f9bc86ef4", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.32.6-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:9beb7acd16dbae3d14b10faa0e6f74efb755481025f0b970f160a53a773e1668", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://82d343ee90dcedec09af8c07d37a7b9d8821cc2ae8a7ff3c09101da41238e40f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://82d343ee90dcedec09af8c07d37a7b9d8821cc2ae8a7ff3c09101da41238e40f", + "exitCode": 0, + 
"finishedAt": "2024-07-15T19:23:32Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:32Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.22", + "podIPs": [ + { + "ip": "10.42.0.22" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:31Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "metrics-server", + "kubectl.kubernetes.io/default-logs-container": "metrics-server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:23:46Z", + "generateName": "metrics-server-6bcc744c5f-", + "labels": { + "app.kubernetes.io/instance": "metrics-server", + "app.kubernetes.io/name": "metrics-server", + "pod-template-hash": "6bcc744c5f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "metrics-server", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "metrics-server-6bcc744c5f-mbrrc", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metrics-server-6bcc744c5f", + "uid": "2d94087c-2ea1-4028-8ca6-936caad2069a" + } + ], + "resourceVersion": "1610", + "uid": "0ad94ed4-3b0d-4cb8-a75e-d00843f62f51" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + 
"$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "metrics-server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": 
"ISTIO_META_WORKLOAD_NAME", + "value": "metrics-server" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/metrics-server/deployments/metrics-server" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/metrics-server/livez\":{\"httpGet\":{\"path\":\"/livez\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/metrics-server/readyz\":{\"httpGet\":{\"path\":\"/readyz\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + 
"mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + }, + { + "args": [ + "--secure-port=10250", + "--cert-dir=/tmp", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--kubelet-use-node-status-port", + "--metric-resolution=15s", + "--authorization-always-allow-paths=/metrics" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips:0.7.1-zarf-2411220177", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/metrics-server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "metrics-server", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/metrics-server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + 
"terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q52dc", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "metrics-server", + "serviceAccountName": "metrics-server", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": 
"node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "name": "kube-api-access-q52dc", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:47Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:48Z", + "status": "True", + "type": "Initialized" + }, + { + 
"lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:01Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:01Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:23:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://553557fcf02f2346baa5f4929a879fc18655109c0330da309876921b309fe5ff", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:48Z" + } + } + }, + { + "containerID": "containerd://abad4d35d31bae601c8308445e98f5e8f28141815cee4f519523058ede4126f4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips:0.7.1-zarf-2411220177", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/metrics-server-fips@sha256:9803ec7418a3c45dcc3841f796cca2d64e35e5efa383109411b6f161d38e451a", + "lastState": {}, + "name": "metrics-server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:23:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://eb242f86d299ce544be7544c712a261c6bed0c615f1f0511aba4a391bf79a003", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + 
"state": { + "terminated": { + "containerID": "containerd://eb242f86d299ce544be7544c712a261c6bed0c615f1f0511aba4a391bf79a003", + "exitCode": 0, + "finishedAt": "2024-07-15T19:23:46Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:23:46Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.24", + "podIPs": [ + { + "ip": "10.42.0.24" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:23:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "keycloak", + "kubectl.kubernetes.io/default-logs-container": "keycloak", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:24:10Z", + "generateName": "keycloak-", + "labels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "keycloak-8595d86f46", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "keycloak", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "keycloak-0", + "zarf-agent": "patched" + }, + "name": "keycloak-0", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "keycloak", + "uid": "a347223a-fa63-48a3-9d8e-e6e13759b313" + } + ], + 
"resourceVersion": "1827", + "uid": "eb5b770d-ae1b-4ea1-8990-837776913210" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app.kubernetes.io/component", + "operator": "NotIn", + "values": [ + "test" + ] + } + ], + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + }, + "topologyKey": "failure-domain.beta.kubernetes.io/zone" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n 
{\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "keycloak" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "keycloak" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/keycloak/statefulsets/keycloak" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/keycloak/livez\":{\"httpGet\":{\"path\":\"/health/live\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2},\"/app-health/keycloak/readyz\":{\"httpGet\":{\"path\":\"/health/ready\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": 
"128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + }, + { + "args": [ + "start-dev", + "--spi-theme-static-max-age=-1", + "--spi-theme-cache-themes=false", + "--spi-theme-cache-templates=false", + "--import-realm", + "--features=preview" + ], + "command": [ + "/opt/keycloak/bin/kc.sh" + ], + "env": [ + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "KC_HEALTH_ENABLED", + "value": "true" + }, + { + "name": "KC_METRICS_ENABLED", + "value": "true" + }, + { + "name": "QUARKUS_HTTP_ACCESS_LOG_ENABLED", + "value": "true" + }, + { + "name": "KC_HOSTNAME_STRICT", + "value": "false" + }, + { + "name": "KC_HOSTNAME_STRICT_HTTPS", + "value": "false" + }, + { + "name": "KC_PROXY", + "value": 
"edge" + }, + { + "name": "KC_HTTPS_CLIENT_AUTH", + "value": "request" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_PROVIDER", + "value": "nginx" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT", + "value": "istio-mtls-client-certificate" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX", + "value": "UNUSED" + }, + { + "name": "KC_LOG_LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL", + "value": "TRACE" + } + ], + "envFrom": [ + { + "secretRef": { + "name": "keycloak-realm-env" + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak:24.0.5-zarf-1424829975", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "name": "keycloak", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "1Gi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf", + 
"readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "keycloak-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.5.0-zarf-1934043158", + "imagePullPolicy": "IfNotPresent", + "name": "uds-config", + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + 
"terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9jxj5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "subdomain": "keycloak-headless", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "providers" + }, + { + "emptyDir": {}, + "name": "conf" + }, + { + "name": "data", + 
"persistentVolumeClaim": { + "claimName": "keycloak-data" + } + }, + { + "name": "themes", + "persistentVolumeClaim": { + "claimName": "keycloak-themes" + } + }, + { + "name": "kube-api-access-9jxj5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:15Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:16Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:04Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:04Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:24:13Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ae3724785974b617c1f36902ea3abba0a3126c1069e5ec3a8e4a7e30840962ec", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:24:16Z" + } + } + }, + { + "containerID": "containerd://f737fb0172a0f37a4165b986e3049b0cc970ecabf54f6bcd636728741d7cc1ee", + "image": 
"127.0.0.1:31999/du-uds-defenseunicorns/keycloak:24.0.5-zarf-1424829975", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/keycloak@sha256:4b7c5429b47d7b1dba30698780526d1ea00a8789d16b0e82a04a8e6448d99d61", + "lastState": {}, + "name": "keycloak", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:24:19Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://a13545650387343f80245555fb1c08af87426cc594d202df571afe7bf661a7e9", + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.5.0-zarf-1934043158", + "imageID": "127.0.0.1:31999/defenseunicorns/uds/identity-config@sha256:8daeedba128c1154c278332d45378062e490344bb5fc8274fcce92a43d7a11e9", + "lastState": {}, + "name": "uds-config", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a13545650387343f80245555fb1c08af87426cc594d202df571afe7bf661a7e9", + "exitCode": 0, + "finishedAt": "2024-07-15T19:24:14Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:24:14Z" + } + } + }, + { + "containerID": "containerd://ec3f96e0eb0287bcacddc293236530b778c4d7455da522e404160c149dcabc6e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ec3f96e0eb0287bcacddc293236530b778c4d7455da522e404160c149dcabc6e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:24:15Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:24:15Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.27", + "podIPs": [ + { + "ip": "10.42.0.27" + } + ], + 
"qosClass": "Burstable", + "startTime": "2024-07-15T19:24:13Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:28Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-zrpj6", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2209", + "uid": "7de9842a-fb74-42b7-b942-02b39440062f" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + 
"value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": 
"cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": 
"kube-api-access-jrgz2", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-jrgz2", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", 
+ "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-jrgz2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://ffca5c8b96f0e2f0dcb1cd113e9a934f4e0c843fe00da2d84ae9d4d46d2a4f77", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://af0a3a7241fd9b7565778315afa787df090c1cf395650e41015447a9f9dc48d9", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://2e99e7a72800546f79f76de7ab33ccb7e8e7c41c9b2ca21bf4f565b4818c054d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": 
"127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://2e99e7a72800546f79f76de7ab33ccb7e8e7c41c9b2ca21bf4f565b4818c054d", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.30", + "podIPs": [ + { + "ip": "10.42.0.30" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-d552k", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + 
"blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2213", + "uid": "b2a7f732-e96c-4bf7-9adc-9a1c6b21d008" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": 
"ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": 
"/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + 
"add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-xph4g", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, 
+ "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-xph4g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://23eeca63405b9da57e951b821f8a52b29667cb733a757ab1f0b0f62f30b22a6f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://92bf9526301abf67918bd0ebe43486aaa5b6a4377f4c63d85bebf9dae98703fb", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": 
"127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://101bd4f33f7595af504d6663348b92338d233b0228abc8c0c6a3d53afe4c819f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://101bd4f33f7595af504d6663348b92338d233b0228abc8c0c6a3d53afe4c819f", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.33", + "podIPs": [ + { + "ip": "10.42.0.33" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": 
"[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-scanner-pod-64d5b96b4d-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "64d5b96b4d", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-64d5b96b4d-c4nkm", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-64d5b96b4d", + "uid": "70858f0e-37c2-44bf-814b-bc2e9bb5df4a" + } + ], + "resourceVersion": "2219", + "uid": "ebdab16c-9794-4e04-a511-6702c1026016" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + 
"divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + 
"capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ 
+ { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-b6rxb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + 
"downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-b6rxb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://5ee5f403ed5a5b0858e295976e83bac42b2b337b096366cb2d633bc792f6b0df", + "image": 
"127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://b2cea19404ab8f8d94539101c27a42d7808e4f6babb40f8251df30dd6d3e2c16", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:fb29fb99baf64c41a8c53bfa32d855730f00b392c7f1457947e354bce9fad9a2", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:35Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://f6a7edde1ba8903da923a07a8971595cbdd4cad0112cd54d90cf022fa1cd37f4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://f6a7edde1ba8903da923a07a8971595cbdd4cad0112cd54d90cf022fa1cd37f4", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.32", + "podIPs": [ + { + "ip": "10.42.0.32" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + 
"kubectl.kubernetes.io/default-container": "neuvector-enforcer-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-enforcer-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowHostNamespaces": "exempted", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:25:28Z", + "generateName": "neuvector-enforcer-pod-", + "labels": { + "app": "neuvector-enforcer-pod", + "controller-revision-hash": "6bff578d6b", + "pod-template-generation": "1", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-enforcer-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-enforcer-pod-jzhh5", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "neuvector-enforcer-pod", + "uid": "183e282a-5df5-43cf-ba2f-1d8580b519aa" + } + ], + "resourceVersion": "2223", + "uid": "1a2d41a3-cb47-4255-9a81-99a87f3c9cb8" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { 
+ "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-enforcer-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + 
"apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/daemonsets/neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": 
"workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.3-zarf-2886042343", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-enforcer-pod", + "resources": {}, + "securityContext": { + "privileged": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/lib/modules", + "name": "modules-vol", + "readOnly": true + }, + { + "mountPath": "/var/nv_debug", + "name": "nv-debug" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + 
"imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-r548n", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "enforcer", + "serviceAccountName": "enforcer", + "terminationGracePeriodSeconds": 1200, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + 
"emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/lib/modules", + "type": "" + }, + "name": "modules-vol" + }, + { + "hostPath": { + "path": "/var/nv_debug", + "type": "" + }, + "name": "nv-debug" + }, + { + "name": "kube-api-access-r548n", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": 
null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8a5f914091f6f48b6ce72bd070d1643fafcecf90a4cca81b35a6aa3bdb0a4390", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://418d8bbc2f40259804deb019fd35763f2b14eb91ee50273a9058b1cfc5466e7c", + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.3-zarf-2886042343", + "imageID": "127.0.0.1:31999/neuvector/enforcer@sha256:c958223f49d5aebc24af798c168c1643d3aa88caeb1ee741df8beb0b93d14b5a", + "lastState": {}, + "name": "neuvector-enforcer-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:36Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://d71b8ff850816baf5c50983a3a8659e21e2371497c98f4d3ff99bca7186409a2", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d71b8ff850816baf5c50983a3a8659e21e2371497c98f4d3ff99bca7186409a2", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.28", 
+ "podIPs": [ + { + "ip": "10.42.0.28" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-manager-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-manager-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:29Z", + "generateName": "neuvector-manager-pod-59679458cf-", + "labels": { + "app": "neuvector-manager-pod", + "pod-template-hash": "59679458cf", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-manager-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-manager-pod-59679458cf-zppj8", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-manager-pod-59679458cf", + "uid": "ebf4e397-bb65-4f4b-bb6c-b1b31e8eb980" + } + ], + "resourceVersion": "2236", + "uid": "0612d87f-55f9-4a47-b518-6131ae94d340" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": 
"PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8443,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-manager-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-manager-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": 
"kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-manager-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": 
"/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CTRL_SERVER_IP", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "MANAGER_SSL", + "value": "off" + } + ], + "image": "127.0.0.1:31999/neuvector/manager:5.3.3-zarf-1801671909", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-manager-pod", + "ports": [ + { + "containerPort": 8443, + "name": "http", + "protocol": "TCP" + } + ], + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + 
"terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cs2w9", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "basic", + "serviceAccountName": "basic", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-cs2w9", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + 
"key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:29Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a14260911a5bd949ee7dcda513bc485f5501728b93819fcad9a1a82e0a6f4d49", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:30Z" + } + } + }, + { + "containerID": "containerd://b0c7a8f870291e3ff2d3f496b993594cc2ee8bbe58086f6fcf4f9e54792c1a51", + "image": "127.0.0.1:31999/neuvector/manager:5.3.3-zarf-1801671909", + "imageID": "127.0.0.1:31999/neuvector/manager@sha256:2125c2c8ae4bb2684e8a18089ebbaa369727a230c61de1314e884ad30f3e5b91", + "lastState": {}, + "name": "neuvector-manager-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:37Z" + } + } + } + ], + "hostIP": "172.19.0.3", + 
"hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://4a135c4771ffce5ed1f2f7a8f6ebcac7f9285277611abd4f83fd8725fe6124de", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://4a135c4771ffce5ed1f2f7a8f6ebcac7f9285277611abd4f83fd8725fe6124de", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:29Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.29", + "podIPs": [ + { + "ip": "10.42.0.29" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:29Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "bb09a05e33c5aa2966debe5a0953fc44b5d234893a981c66172e001bbccbaf07", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "nginx", + "kubectl.kubernetes.io/default-logs-container": "nginx", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-gateway-64756ffb74-", + "labels": { + "app.kubernetes.io/component": "gateway", + 
"app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "pod-template-hash": "64756ffb74", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-gateway-64756ffb74-fbwkb", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-gateway-64756ffb74", + "uid": "43aed466-1137-4e55-8d1e-ce0a748d6a9d" + } + ], + "resourceVersion": "2646", + "uid": "d432b488-0f71-4fe3-8ad4-9d20274bad34" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": 
"ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "nginx" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-gateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-gateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/nginx/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + 
"drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips:1.27.0-zarf-2401993313", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/nginx/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 15, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ 
+ { + "mountPath": "/etc/nginx", + "name": "config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/docker-entrypoint.d", + "name": "docker-entrypoint-d-override" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-299m5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 101, + "runAsGroup": 101, + "runAsNonRoot": true, + "runAsUser": 101 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": 
"Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-gateway" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "docker-entrypoint-d-override" + }, + { + "name": "kube-api-access-299m5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:52Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + 
"lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:12Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:12Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a5f24572c70a654f9e97680b65936358371a079065168dae9358ed7eafb9bbbb", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:54Z" + } + } + }, + { + "containerID": "containerd://29972bf8a5ff4aa33b7a1cf2a0c4b340a76e4e1132ef528306f34501b59aaea4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips:1.27.0-zarf-2401993313", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/nginx-fips@sha256:9b8deffcaf1d566a7409cab03cc2db67feff596dfcd582d8ff11d472025123bf", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://eebdc230652e421f376b30889ca8c2209290ab5ac9d145e6704c946c4f06029b", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + 
"lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eebdc230652e421f376b30889ca8c2209290ab5ac9d145e6704c946c4f06029b", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:52Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:52Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.38", + "podIPs": [ + { + "ip": "10.42.0.38" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:25:46Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + 
"security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-ch8cx", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "2667", + "uid": "e06cbc18-9ac5-41d1-871e-2a1bf7ef614e" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", 
+ "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + 
"securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + 
"failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-x7v72", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + 
"terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-x7v72", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": 
"metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:47Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:22Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:22Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f922695d22170eeb364ed8a2bbfbd155f83915dff412653dddfe80b9c3fe572c", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:47Z" + } + } + }, + { + "containerID": "containerd://58d73000b5bc33689b0be74a8ae5d69c207ec8c6badf7489018f8a0906a72861", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": 
"containerd://3b769c791af5ec78bf87e0c9f8c3392886921d20c37511591649685aa0d2a238", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://3b769c791af5ec78bf87e0c9f8c3392886921d20c37511591649685aa0d2a238", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:47Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:47Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.36", + "podIPs": [ + { + "ip": "10.42.0.36" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-read-648f4564f8-", + "labels": { + "app.kubernetes.io/component": "read", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + 
"pod-template-hash": "648f4564f8", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-read-648f4564f8-svncd", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-read-648f4564f8", + "uid": "08e0e0d6-4d15-47ed-9c3a-3093ec6cdf9f" + } + ], + "resourceVersion": "2689", + "uid": "132c9371-c71c-4744-a8ed-95573395076e" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n 
{\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-read" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-read" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + 
"memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=read", + "-legacy-read-mode=false", + "-common.compactor-grpc-address=loki-backend.loki.svc.cluster.local:9095" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + 
"path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bthg5", + 
"readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "data" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + 
"name": "kube-api-access-bthg5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://54fd909651fdad1f06d924b87f57fe4219ac384faa627e6372314af448f00f6e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:54Z" + } + } + }, + { + "containerID": "containerd://05018bc860d48b89b94118774e8615772e1dd5fd004c23feefb4be25bdb7cda3", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": 
"127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://98fa4a1b5029d9c00f5c05d9f462238333cf87e5549e5f3c44c90c62658fb2d9", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://98fa4a1b5029d9c00f5c05d9f462238333cf87e5549e5f3c44c90c62658fb2d9", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:52Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:52Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.40", + "podIPs": [ + { + "ip": "10.42.0.40" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-backend-", + "labels": { + "app.kubernetes.io/component": "backend", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-backend-585d56dcd5", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-backend-0", + "zarf-agent": "patched" + }, + "name": "loki-backend-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-backend", + "uid": "3e167792-57f8-4d4b-8f99-ea676f0dcfe3" + } + ], + "resourceVersion": "2706", + "uid": "f90ba134-9478-45fa-89aa-b10156ae45e9" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + 
"fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-backend" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-backend" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": 
"{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": 
"istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=backend", + "-legacy-read-mode=false" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-backend-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": 
"127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-682tw", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-backend-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + 
"apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-backend-0" + } + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-682tw", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:59Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:59Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:38Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:38Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:58Z", + "status": "True", + 
"type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://34d70ffe9b0446ffc0b10193674018ba36884e98aa56a27a3f219b2300b4c8d6", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:59Z" + } + } + }, + { + "containerID": "containerd://b10d21503a1b0852e44ab2eee34d4b949e115fc44d703ca828dd09ee39e93baa", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:26:02Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://67990cc461fdb5b8fe8b2ff6feed18182349281c7ca6356921dd2811c7ae9384", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://67990cc461fdb5b8fe8b2ff6feed18182349281c7ca6356921dd2811c7ae9384", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:59Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:58Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.43", + "podIPs": [ + { + "ip": "10.42.0.43" + } + ], + "qosClass": "Burstable", + 
"startTime": "2024-07-15T19:25:58Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "71aa2e600a166ff5ea6680da3a366f438955dff125cf135db83a10d2e4281565", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:25:51Z", + "generateName": "loki-write-", + "labels": { + "app.kubernetes.io/component": "write", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-write-6bcf4bcf7", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-write-0", + "zarf-agent": "patched" + }, + "name": "loki-write-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-write", + "uid": "29bd3ccc-185d-442f-b604-11ac7b6891d3" + } + ], + "resourceVersion": "2739", + "uid": "a007ced9-645b-4297-9062-5c4b91a6a417" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + 
"$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": 
"v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-write" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-write" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": 
"/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=write" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + } + ], + 
"dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-write-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v797b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-write-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + 
"emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-write-0" + } + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-v797b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:57Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:58Z", + "status": "True", + "type": 
"Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:57Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:26:57Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:25:57Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0e6e439d422c8623288eb811a4cf3ac34bf23686c1a5ddd9023b62dd110a8228", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:25:58Z" + } + } + }, + { + "containerID": "containerd://c54daa5c2b2e6ab51bdad5a94fe7dd2fb3f90c35cb96da58bd6729e547912c5a", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/loki:2.9.8-zarf-777750453", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/loki@sha256:0343efe09e351e9b943e4854bd0543684dd4614d3394b4e77a13fc717a6fab49", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:26:01Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://9164f9a3c879133f04086c4a4f389a7592ef5deed86ac824e1b1ff7851667e21", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + 
"terminated": { + "containerID": "containerd://9164f9a3c879133f04086c4a4f389a7592ef5deed86ac824e1b1ff7851667e21", + "exitCode": 0, + "finishedAt": "2024-07-15T19:25:57Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:25:57Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.42", + "podIPs": [ + { + "ip": "10.42.0.42" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:25:57Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-prometheus-stack", + "kubectl.kubernetes.io/default-logs-container": "kube-prometheus-stack", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-operator-5db8867bcd-", + "labels": { + "app": "kube-prometheus-stack-operator", + "app.kubernetes.io/component": "prometheus-operator", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-prometheus-stack-prometheus-operator", + "app.kubernetes.io/part-of": "kube-prometheus-stack", + "app.kubernetes.io/version": "58.7.2", + "chart": "kube-prometheus-stack-58.7.2", + "heritage": "Helm", + "pod-template-hash": "5db8867bcd", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-prometheus-stack-prometheus-operator", + 
"service.istio.io/canonical-revision": "58.7.2", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-operator-5db8867bcd-8xdrk", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-operator-5db8867bcd", + "uid": "5e00df34-8e47-48f2-af44-2d020d4c14a3" + } + ], + "resourceVersion": "3162", + "uid": "b82eebac-189d-4163-8d05-bb3b7f80c581" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": 
"ISTIO_META_APP_CONTAINERS", + "value": "kube-prometheus-stack" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + 
"port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + }, + { + "args": [ + "--kubelet-service=kube-system/kube-prometheus-stack-kubelet", + "--localhost=127.0.0.1", + "--prometheus-config-reloader=cgr.dev/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0", + "--config-reloader-cpu-request=50m", + "--config-reloader-cpu-limit=100m", + "--config-reloader-memory-request=128Mi", + "--config-reloader-memory-limit=128Mi", + "--thanos-default-base-image=quay.io/thanos/thanos:v0.35.0", + "--secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1", + "--web.enable-tls=true", + "--web.cert-file=/cert/cert", + "--web.key-file=/cert/key", + "--web.listen-address=:10250", + "--web.tls-min-version=VersionTLS13" + ], + "env": [ + { + "name": "GOGC", + "value": "30" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0-zarf-1504306260", + "imagePullPolicy": "IfNotPresent", + "name": "kube-prometheus-stack", + "ports": [ + { + "containerPort": 10250, 
+ "name": "https", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/cert", + "name": "tls-secret", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-btm2b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": 
"default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-operator", + "serviceAccountName": "kube-prometheus-stack-operator", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-secret", + "secret": { + "defaultMode": 420, + "secretName": "kube-prometheus-stack-admission" + } + }, + { + "name": "kube-api-access-btm2b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + 
"downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://239885f17c04c8b246371200107438e5bff7f826f6fc9ccf451d6db5fcb2c9ab", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://f6ed0e29bbd438bda64dda1db0f4518a24f25d737a72a835ed9a415570baad68", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips:0.74.0-zarf-1504306260", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-operator-fips@sha256:dcbe22a321af6fc999d87bd1cc5afaabf0d7804d96e0d7dffa827caae03e1db8", + "lastState": {}, + "name": "kube-prometheus-stack", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:24Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": 
"172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://4a38570d788f69b2fb806332d4a6de8b475779ce06a153e9827b0eb0b014b885", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://4a38570d788f69b2fb806332d4a6de8b475779ce06a153e9827b0eb0b014b885", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.45", + "podIPs": [ + { + "ip": "10.42.0.45" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "cluster-autoscaler.kubernetes.io/safe-to-evict": "true", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "node-exporter", + "kubectl.kubernetes.io/default-logs-container": "node-exporter", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-prometheus-node-exporter-", + "labels": { + 
"app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "prometheus-node-exporter", + "app.kubernetes.io/part-of": "prometheus-node-exporter", + "app.kubernetes.io/version": "1.8.0", + "controller-revision-hash": "566d74f9", + "helm.sh/chart": "prometheus-node-exporter-4.34.0", + "jobLabel": "node-exporter", + "pod-template-generation": "1", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus-node-exporter", + "service.istio.io/canonical-revision": "1.8.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-prometheus-node-exporter-wqwtp", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "uid": "7b074804-cb7c-4052-b4f6-70501284db8a" + } + ], + "resourceVersion": "3166", + "uid": "6f9ab7a7-2798-43e2-965b-2d257f7ec2be" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "automountServiceAccountToken": false, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + 
"fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":9100,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "node-exporter" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/daemonsets/kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": 
"{\"/app-health/node-exporter/livez\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1},\"/app-health/node-exporter/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + 
}, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + } + ] + }, + { + "args": [ + "--path.procfs=/host/proc", + "--path.sysfs=/host/sys", + "--path.rootfs=/host/root", + "--path.udev.data=/host/root/run/udev/data", + "--web.listen-address=[$(HOST_IP)]:9100", + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)", + "--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$" + ], + "env": [ + { + "name": "HOST_IP", + "value": "0.0.0.0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1-zarf-1988696916", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "node-exporter", + "ports": [ + { + "containerPort": 9100, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/host/proc", + "name": "proc", + "readOnly": true + }, + { + "mountPath": "/host/sys", + "name": "sys", + "readOnly": true + }, + { + "mountPath": "/host/root", + "mountPropagation": "HostToContainer", + "name": "root", + "readOnly": true + } + ] + } + ], + 
"dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File" + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "kube-prometheus-stack-prometheus-node-exporter", + "serviceAccountName": "kube-prometheus-stack-prometheus-node-exporter", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": 
"node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/proc", + "type": "" + }, + "name": "proc" + }, + { + "hostPath": { + "path": "/sys", + "type": "" + }, + "name": "sys" + }, + { + "hostPath": { + "path": "/", + "type": "" + }, + "name": "root" + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:25Z", + "status": "True", + "type": 
"ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://b657fbdd1fc99c1ded1d9d22cfa169b018d12a168ed53d1ce5fa3b8313d1f614", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://17c54ba7ddf572d50059d1ad0f4c56729aa3e96627749f3de03b1b09c31335bf", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips:1.8.1-zarf-1988696916", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-node-exporter-fips@sha256:b4159d47db5b20a3a862f9f0cb4bebf6a779de99293492c6a56d4f3cbae9591d", + "lastState": {}, + "name": "node-exporter", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://50173dbc18c5590318a173cc57625a0bb67dcf5cad6471e089a79dd5cbe236c1", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://50173dbc18c5590318a173cc57625a0bb67dcf5cad6471e089a79dd5cbe236c1", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": 
"Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.47", + "podIPs": [ + { + "ip": "10.42.0.47" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-state-metrics", + "kubectl.kubernetes.io/default-logs-container": "kube-state-metrics", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:19Z", + "generateName": "kube-prometheus-stack-kube-state-metrics-7dd586f546-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-state-metrics", + "app.kubernetes.io/part-of": "kube-state-metrics", + "app.kubernetes.io/version": "2.12.0", + "helm.sh/chart": "kube-state-metrics-5.19.0", + "pod-template-hash": "7dd586f546", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-state-metrics", + "service.istio.io/canonical-revision": "2.12.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-kube-state-metrics-7dd586f546-6hzx8", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": 
"ReplicaSet", + "name": "kube-prometheus-stack-kube-state-metrics-7dd586f546", + "uid": "f339332a-634a-4fca-9465-7ea983fb79eb" + } + ], + "resourceVersion": "3220", + "uid": "3f97176a-a231-47e3-8918-b766492be550" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-state-metrics" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } 
+ }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/kube-state-metrics/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/kube-state-metrics/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": 
"/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--port=8080", + "--resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0-zarf-3880197347", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "kube-state-metrics", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + 
"readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ghcgm", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + 
"schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-kube-state-metrics", + "serviceAccountName": "kube-prometheus-stack-kube-state-metrics", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-ghcgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": 
"metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0367d52d8fa6f43d049926dda9356a01ba7fd022feec7165ad9fcfb1428d20e5", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:21Z" + } + } + }, + { + "containerID": "containerd://aa8b5f6145373edd19f91748c8d3e7e8e6140b043dd869dddc2a48ea38cd9815", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips:2.12.0-zarf-3880197347", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/kube-state-metrics-fips@sha256:b3ba196c56ac3ab713ad13bfbf14c97bac616c3d9529d06a8d42a2628491e1cc", + "lastState": {}, + "name": "kube-state-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": 
"containerd://ba55f9d20f4c9f56312035237b371988c9443ffe6357783d20e7f641d549265e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ba55f9d20f4c9f56312035237b371988c9443ffe6357783d20e7f641d549265e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:20Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:20Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.46", + "podIPs": [ + { + "ip": "10.42.0.46" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "alertmanager", + "kubectl.kubernetes.io/default-logs-container": "alertmanager", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:24Z", + "generateName": "alertmanager-kube-prometheus-stack-alertmanager-", + "labels": { + "alertmanager": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/instance": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/managed-by": "prometheus-operator", + 
"app.kubernetes.io/name": "alertmanager", + "app.kubernetes.io/version": "0.27.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "alertmanager-kube-prometheus-stack-alertmanager-86df757d96", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "alertmanager", + "service.istio.io/canonical-revision": "0.27.0", + "statefulset.kubernetes.io/pod-name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "zarf-agent": "patched" + }, + "name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "alertmanager-kube-prometheus-stack-alertmanager", + "uid": "61db9157-af82-4a9a-a74c-1fc4071df013" + } + ], + "resourceVersion": "3274", + "uid": "6acfc084-1f52-47d5-875c-23593ca23342" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": 
"ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9093,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "alertmanager,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/alertmanager/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/alertmanager/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": 
"127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + 
} + ] + }, + { + "args": [ + "--config.file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--storage.path=/alertmanager", + "--data.retention=120h", + "--cluster.listen-address=", + "--web.listen-address=:9093", + "--web.external-url=http://kube-prometheus-stack-alertmanager.monitoring:9093", + "--web.route-prefix=/", + "--cluster.label=monitoring/kube-prometheus-stack-alertmanager", + "--cluster.peer=alertmanager-kube-prometheus-stack-alertmanager-0.alertmanager-operated:9094", + "--cluster.reconnect-timeout=5m", + "--web.config.file=/etc/alertmanager/web_config/web-config.yaml" + ], + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0-zarf-3083929401", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "alertmanager", + "ports": [ + { + "containerPort": 9093, + "name": "http-web", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 3, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "requests": { + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": 
"/etc/alertmanager/config", + "name": "config-volume" + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/alertmanager", + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "mountPath": "/etc/alertmanager/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9093/-/reload", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + 
"name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "alertmanager-kube-prometheus-stack-alertmanager-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", 
+ "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ftq4l", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-alertmanager", + "serviceAccountName": "kube-prometheus-stack-alertmanager", + "subdomain": "alertmanager-operated", + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + 
"emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-generated" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-web-config" + } + }, + { + "emptyDir": {}, + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "name": "kube-api-access-ftq4l", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:26Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + 
{ + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:28Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:33Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:33Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:24Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d37730fa66a607f62d31ead0d659e107a229ebbc32c0201cb6f90cbd1c66040c", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips:0.27.0-zarf-3083929401", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-alertmanager-fips@sha256:2a06bfa891e766f4e6df9ce310cdbf9ef7cc203a06c037af8e91ae3d8f8ac74d", + "lastState": {}, + "name": "alertmanager", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:30Z" + } + } + }, + { + "containerID": "containerd://0986cc37144cc9354295ac587fccf064e23a66988727e3bd836d957332123c90", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:30Z" + } + } + }, + { + "containerID": "containerd://ac24cf7cf1219306cc29eab003b700e3b2eef8a0773ce4e6e35025d8a1b8c30d", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": 
"istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:28Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://8a837b1154bf109328f3aac1b60852072235a7aaeddb440db72149be2c09a001", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://8a837b1154bf109328f3aac1b60852072235a7aaeddb440db72149be2c09a001", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:26Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:25Z" + } + } + }, + { + "containerID": "containerd://21db31430fbcc9e339e63b65dee79ac4de47bf6cf799fdaff895a61ac1463472", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://21db31430fbcc9e339e63b65dee79ac4de47bf6cf799fdaff895a61ac1463472", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:27Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:27Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.49", + "podIPs": [ + { + "ip": "10.42.0.49" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:24Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": 
"09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:22Z", + "generateName": "neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-w488m", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "3315", + "uid": "4559ff09-1ccc-4a8d-9efe-2f7154ef2dc1" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + 
"preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": 
"limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, 
+ { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + 
"initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lc5t2", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + 
"items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-lc5t2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:23Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:23Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:37Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:37Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-07-15T19:27:22Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://dc1e70bb091ae6da52e6ad66d5c9ea7523da8564e1cf75b46a852432cc3410ed", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:23Z" + } + } + }, + { + "containerID": "containerd://107261771dee580ff42ade832aa0caf7ebbdcfb3c7cb7d1eccf22ae0131739c5", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:25Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://c1a58429dad4aad9b4d9aebde10c4b181d3021914849a3d9878a0e763f9b3f80", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c1a58429dad4aad9b4d9aebde10c4b181d3021914849a3d9878a0e763f9b3f80", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:22Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:22Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.48", + "podIPs": [ + { + 
"ip": "10.42.0.48" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:22Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "prometheus", + "kubectl.kubernetes.io/default-logs-container": "prometheus", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/config": "proxyMetadata:\n OUTPUT_CERTS: /etc/istio-output-certs\n", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "sidecar.istio.io/userVolumeMount": "[{\"name\": \"istio-certs\", \"mountPath\": \"/etc/istio-output-certs\"}]", + "traffic.sidecar.istio.io/includeOutboundIPRanges": "", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:24Z", + "generateName": "prometheus-kube-prometheus-stack-prometheus-", + "labels": { + "app": "prometheus", + "app.kubernetes.io/instance": "kube-prometheus-stack-prometheus", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "prometheus", + "app.kubernetes.io/version": "2.52.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "prometheus-kube-prometheus-stack-prometheus-8784b54db", + "operator.prometheus.io/name": "kube-prometheus-stack-prometheus", + "operator.prometheus.io/shard": "0", + "prometheus": "kube-prometheus-stack-prometheus", + "security.istio.io/tlsMode": "istio", + 
"service.istio.io/canonical-name": "prometheus", + "service.istio.io/canonical-revision": "2.52.0", + "statefulset.kubernetes.io/pod-name": "prometheus-kube-prometheus-stack-prometheus-0", + "zarf-agent": "patched" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "prometheus-kube-prometheus-stack-prometheus", + "uid": "03a11223-c17f-4abd-bff8-35e67bbc478f" + } + ], + "resourceVersion": "3406", + "uid": "c7e56a77-3e1e-4c38-908e-eeaae798dd49" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": 
"{\"proxyMetadata\":{\"OUTPUT_CERTS\":\"/etc/istio-output-certs\"},\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9090,\"protocol\":\"TCP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "prometheus,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/prometheus/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/startupz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": 
"127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/etc/istio-output-certs", + "name": "istio-certs" + }, + { + "mountPath": 
"/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--web.console.templates=/etc/prometheus/consoles", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--config.file=/etc/prometheus/config_out/prometheus.env.yaml", + "--web.enable-lifecycle", + "--enable-feature=remote-write-receiver", + "--web.external-url=http://kube-prometheus-stack-prometheus.monitoring:9090", + "--web.route-prefix=/", + "--storage.tsdb.retention.time=10d", + "--storage.tsdb.path=/prometheus", + "--storage.tsdb.wal-compression", + "--web.config.file=/etc/prometheus/web_config/web-config.yaml" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips:2.52.0-zarf-1514605890", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 6, + "httpGet": { + "path": "/app-health/prometheus/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "prometheus", + "ports": [ + { + "containerPort": 9090, + "name": "http-web", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/prometheus/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "300m", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "startupProbe": { + "failureThreshold": 60, + "httpGet": { + "path": "/app-health/prometheus/startupz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + 
"mountPath": "/etc/prometheus/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/prometheus/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/prometheus", + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "subPath": "prometheus-db" + }, + { + "mountPath": "/etc/prom-certs/", + "name": "istio-certs" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/etc/prometheus/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9090/-/reload", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": 
"/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "prometheus-kube-prometheus-stack-prometheus-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + 
{ + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v4jgm", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-prometheus", + "serviceAccountName": 
"kube-prometheus-stack-prometheus", + "shareProcessNamespace": false, + "subdomain": "prometheus-operated", + "terminationGracePeriodSeconds": 600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "persistentVolumeClaim": { + "claimName": "prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0" + } + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "prometheus-kube-prometheus-stack-prometheus-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "configMap": { 
+ "defaultMode": 420, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus-web-config" + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-certs" + }, + { + "name": "kube-api-access-v4jgm", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:29Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:31Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:28Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7ddf638cfaa67d0ab3f278759b14345d85c2782133169db145e04a0a07654360", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "config-reloader", + 
"ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:34Z" + } + } + }, + { + "containerID": "containerd://60305c47a10238f9c0562c8f8a4b9ac54420a40d46d78f4d3c45dc535e23bdff", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:31Z" + } + } + }, + { + "containerID": "containerd://3ed3b243647230506614c9b6a0149f98f989eebded1778f39adbaba85000c51f", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips:2.52.0-zarf-1514605890", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-fips@sha256:25cbfab089f562bd8a9768bbda98a89a8b8b38c0e38f98ec9e0734ec10e11a04", + "lastState": {}, + "name": "prometheus", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:34Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://50ee9a05401029ef85c6458ce8ae25e3e7f673e9d12846c0b87991315db93da4", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips:0.74.0-zarf-2650362023", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/prometheus-config-reloader-fips@sha256:82a53ed83f67ecec7419a57f7bdb906bbd4d126902a9f958b59df19c56a8ddfc", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://50ee9a05401029ef85c6458ce8ae25e3e7f673e9d12846c0b87991315db93da4", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:29Z", + "reason": "Completed", + "startedAt": 
"2024-07-15T19:27:29Z" + } + } + }, + { + "containerID": "containerd://68736b4e1593c0c2f3917cfad22a679b5d1bd99188b0afa7e9c2a92f0509f049", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://68736b4e1593c0c2f3917cfad22a679b5d1bd99188b0afa7e9c2a92f0509f049", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:30Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:30Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.51", + "podIPs": [ + { + "ip": "10.42.0.51" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:28Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "a54b4b978607806a73c1e79d416367816e4d9407c7f1cffa13519cfc40a654fc", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "promtail", + "kubectl.kubernetes.io/default-logs-container": "promtail", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + 
"uds-core.pepr.dev/uds-core-policies.RestrictSELinuxType": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:27:43Z", + "generateName": "promtail-", + "labels": { + "app.kubernetes.io/instance": "promtail", + "app.kubernetes.io/name": "promtail", + "controller-revision-hash": "8658478dbf", + "pod-template-generation": "1", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "promtail", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "promtail-d5dtx", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "promtail", + "uid": "a6f37285-cfa8-4b8f-b07e-ee51a798e525" + } + ], + "resourceVersion": "3510", + "uid": "ce1b3f37-4983-4fff-b0a2-4c50bc6dbac8" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + 
"fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3101,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "promtail" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "promtail" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/promtail/daemonsets/promtail" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/promtail/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3101,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": 
"istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/promtail/promtail.yaml", + "-config.expand-env=true" + ], + "env": [ + { + "name": "HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } 
+ } + }, + { + "name": "NODE_HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/promtail:3.1.0-zarf-1953805084", + "imagePullPolicy": "IfNotPresent", + "name": "promtail", + "ports": [ + { + "containerPort": 3101, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/promtail/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "750Mi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsUser": 0, + "seLinuxOptions": { + "type": "spc_t" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/promtail", + "name": "config" + }, + { + "mountPath": "/run/promtail", + "name": "run" + }, + { + "mountPath": "/var/lib/docker/containers", + "name": "containers", + "readOnly": true + }, + { + "mountPath": "/var/log/pods", + "name": "pods", + "readOnly": true + }, + { + "mountPath": "/var/log", + "name": "varlog", + "readOnly": true + }, + { + "mountPath": "/etc/machine-id", + "name": "machine-id", + "readOnly": true, + "subPath": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", 
+ "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-9t52k", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 0, + "runAsUser": 0 + }, + "serviceAccount": "promtail", + "serviceAccountName": "promtail", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + 
"effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "promtail" + } + }, + { + "hostPath": { + "path": "/run/promtail", + "type": "" + }, + "name": "run" + }, + { + "hostPath": { + "path": "/var/lib/docker/containers", + "type": "" + }, + "name": "containers" + }, + { + "hostPath": { + "path": "/var/log/pods", + "type": "" + }, + "name": "pods" + }, + { + "hostPath": { + "path": "/var/log", + "type": "" + }, + "name": "varlog" + }, + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-9t52k", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": 
"metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:44Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:03Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:03Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://7c78e49d88146054d56028666a64566f9ad9269b9d8d40c12a02492f0e2e4e07", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:44Z" + } + } + }, + { + "containerID": "containerd://403fd9b05ed7c9fe2e7a45b50738d7af1d830dc8bfd77d2286bd7bf6850f3146", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/promtail:3.1.0-zarf-1953805084", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/promtail@sha256:8339c37daa94d90d4453d165423dc4a46075fbcbb38786aa76355db18a305b65", + "lastState": {}, + "name": "promtail", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:27:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": 
"containerd://68e093c428ff18b83bff504a1d5b1e2b7b3aa55c815a10e1c0fecef1e92f3763", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://68e093c428ff18b83bff504a1d5b1e2b7b3aa55c815a10e1c0fecef1e92f3763", + "exitCode": 0, + "finishedAt": "2024-07-15T19:27:43Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:27:43Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.53", + "podIPs": [ + { + "ip": "10.42.0.53" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:43Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "9d9bced621e77ec20a9bf42da6b31a13ce3e48b53bb44c0e021e0bfe99128c73", + "checksum/sc-dashboard-provider-config": "e70bf6a851099d385178a76de9757bb0bef8299da6d8443602590e44f05fdf24", + "checksum/secret": "110ea712f39f96f61d507e11b774e2e0f90fce1d1cfa234a759ed7840ff7e238", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "grafana", + "kubectl.kubernetes.io/default-logs-container": "grafana-sc-dashboard", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:27:52Z", + 
"generateName": "grafana-647c794798-", + "labels": { + "app.kubernetes.io/instance": "grafana", + "app.kubernetes.io/name": "grafana", + "pod-template-hash": "647c794798", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "grafana", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "grafana-647c794798-w8nmq", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "grafana-647c794798", + "uid": "f3b8df0e-6c56-4358-b027-54281acdeec5" + } + ], + "resourceVersion": "3535", + "uid": "2e22ddcc-e870-4423-8ffe-590060566326" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": 
"{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"grafana\",\"containerPort\":3000,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "grafana-sc-dashboard,grafana-sc-datasources,grafana" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "grafana" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/grafana/deployments/grafana" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/grafana/livez\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":30},\"/app-health/grafana/readyz\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": 
"http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_dashboard" + }, + { + "name": "FOLDER", + "value": "/tmp/dashboards" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "NAMESPACE", + "value": "ALL" + }, + { + 
"name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/dashboards/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-dashboard", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_datasource" + }, + { + "name": "FOLDER", + "value": "/etc/grafana/provisioning/datasources" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/datasources/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-datasources", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": 
{ + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_USER", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "GF_PATHS_DATA", + "value": "/var/lib/grafana/" + }, + { + "name": "GF_PATHS_LOGS", + "value": "/var/log/grafana" + }, + { + "name": "GF_PATHS_PLUGINS", + "value": "/var/lib/grafana/plugins" + }, + { + "name": "GF_PATHS_PROVISIONING", + "value": "/etc/grafana/provisioning" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips:11.1.0-zarf-4028590474", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/grafana/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 30 + }, + "name": "grafana", + "ports": [ + { + "containerPort": 3000, + "name": "grafana", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/grafana/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + 
}, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/grafana.ini", + "name": "config", + "subPath": "grafana.ini" + }, + { + "mountPath": "/var/lib/grafana", + "name": "storage" + }, + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml", + "name": "sc-dashboard-provider", + "subPath": "provider.yaml" + }, + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/etc/secrets/auth_generic_oauth", + "name": "auth-generic-oauth-secret-mount", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + 
"terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhzqj", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 472, + "runAsGroup": 472, + "runAsNonRoot": true, + "runAsUser": 472 + }, + "serviceAccount": "grafana", + "serviceAccountName": "grafana", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "storage" + }, + { + 
"emptyDir": {}, + "name": "sc-dashboard-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana-config-dashboards" + }, + "name": "sc-dashboard-provider" + }, + { + "emptyDir": {}, + "name": "sc-datasources-volume" + }, + { + "name": "auth-generic-oauth-secret-mount", + "secret": { + "defaultMode": 288, + "secretName": "sso-client-uds-core-admin-grafana" + } + }, + { + "name": "kube-api-access-fhzqj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:01Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:01Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:27:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://884a0dd9ad6f9478686f4f15eb2cc44851f6ab681b8e9d0599e6046567c7693e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips:11.1.0-zarf-4028590474", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/grafana-fips@sha256:a7cc925119dced9bc77019a738db07bdcfddd0b38eac36f4590a27dbbf5763bb", + "lastState": {}, + "name": "grafana", + "ready": true, + "restartCount": 0, + "started": true, + 
"state": { + "running": { + "startedAt": "2024-07-15T19:28:06Z" + } + } + }, + { + "containerID": "containerd://f798d9e35f707b90b8f0b5358d193ca8fd4af9d52907e1c6edb099874d9ac608", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips@sha256:1cbdec9527ffe75aa3de0e03a6e8cabb81ca9f94768b5b83eb452787f6d366b4", + "lastState": {}, + "name": "grafana-sc-dashboard", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:03Z" + } + } + }, + { + "containerID": "containerd://242ae3d5d11f58a864adf3d378781f5e35235bc107b201f35ffbd95d7e3e7982", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips:1.27.4-zarf-132651805", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/k8s-sidecar-fips@sha256:1cbdec9527ffe75aa3de0e03a6e8cabb81ca9f94768b5b83eb452787f6d366b4", + "lastState": {}, + "name": "grafana-sc-datasources", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:04Z" + } + } + }, + { + "containerID": "containerd://7c9514989ad600e18d8aef46cfc96b19967e35b21266337d1327fb35bc1def5e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:01Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://85ae00c6ce13f8cc11729ebc19605a70e5195efa00466682d84a0fe381e71a09", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": 
"127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://85ae00c6ce13f8cc11729ebc19605a70e5195efa00466682d84a0fe381e71a09", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:00Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:00Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.54", + "podIPs": [ + { + "ip": "10.42.0.54" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:27:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "09739169a4cac1b76e349f92d75fe6b9900b484f897d017597195d07b8c25048", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-07-15T19:28:37Z", + "generateName": 
"neuvector-controller-pod-5dccb6c44f-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5dccb6c44f", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5dccb6c44f-q9wqn", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5dccb6c44f", + "uid": "8e887e07-0945-4e20-ad12-b1c40f529e1a" + } + ], + "resourceVersion": "3926", + "uid": "e8e4f4ed-d1f9-44ba-91df-a4d59058d026" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + 
"name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + 
"timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + 
"imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cvrxs", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + 
"schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-cvrxs", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": 
"kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:38Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:52Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:52Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://9adc37b3be62e06e5fb876586ea41b936edca829a40c55f70edb78a6af4e6436", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:38Z" + } + } + }, + { + "containerID": "containerd://407913f08e9a8e27c17597d5444da17066dcc8dad799e47c85e2172942406f4b", + "image": "127.0.0.1:31999/neuvector/controller:5.3.3-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:1102321e8ed5bd3aad26e3d2c3b9a3ddc5aa82c2949fc2600b9350c7e951950e", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:40Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + 
], + "initContainerStatuses": [ + { + "containerID": "containerd://2b63f034d6d41bc74ab16c64d251aab9f82676e985d31f4b6bff75431f705e64", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://2b63f034d6d41bc74ab16c64d251aab9f82676e985d31f4b6bff75431f705e64", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:38Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:38Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.58", + "podIPs": [ + { + "ip": "10.42.0.58" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:28:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "79f899ac6a4a76b043e67e4b17b25dfdf1b899526953bf3015fc1b4e41123ee5", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "velero", + "kubectl.kubernetes.io/default-logs-container": "velero", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:28:37Z", + "generateName": "velero-5544f6bfdf-", + "labels": { + "app.kubernetes.io/instance": "velero", + "app.kubernetes.io/managed-by": "Helm", + 
"app.kubernetes.io/name": "velero", + "helm.sh/chart": "velero-6.6.0", + "name": "velero", + "pod-template-hash": "5544f6bfdf", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "velero", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "velero-5544f6bfdf-rbjj4", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "velero-5544f6bfdf", + "uid": "eb1ee6ba-4d83-4f93-80ee-08fef38f5f4b" + } + ], + "resourceVersion": "3957", + "uid": "a187ebae-282f-4dd2-8bb8-388a9f4c78d9" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": 
"ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-monitoring\",\"containerPort\":8085,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "velero" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "velero" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/velero/deployments/velero" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/velero/livez\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/velero/readyz\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + 
"cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "args": [ + "server", + "--uploader-type=kopia" + ], + "command": [ + "/velero" + ], + "env": [ + { + "name": "VELERO_SCRATCH_DIR", + "value": "/scratch" + }, + { + "name": "VELERO_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "LD_LIBRARY_PATH", + "value": "/plugins" + }, + { + "name": "AWS_SHARED_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "GOOGLE_APPLICATION_CREDENTIALS", + "value": "/credentials/cloud" + }, + { + "name": "AZURE_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": 
"ALIBABA_CLOUD_CREDENTIALS_FILE", + "value": "/credentials/cloud" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips:1.13.2-dev-zarf-2406703094", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "velero", + "ports": [ + { + "containerPort": 8085, + "name": "http-monitoring", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "512Mi" + }, + "requests": { + "cpu": "500m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/plugins", + "name": "plugins" + }, + { + "mountPath": "/credentials", + "name": "cloud-credentials" + }, + { + "mountPath": "/scratch", + "name": "scratch" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2-zarf-1238650474", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-aws", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + 
"mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1-zarf-1576226041", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-csi", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pblb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + 
"runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "velero-server", + "serviceAccountName": "velero-server", + "terminationGracePeriodSeconds": 3600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "cloud-credentials", + "secret": { + "defaultMode": 420, + "secretName": "velero-bucket-credentials" + } + }, + { + "emptyDir": {}, + "name": "plugins" + }, + { + "emptyDir": {}, + "name": "scratch" + }, + { + "name": "kube-api-access-4pblb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + 
"apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:39Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:29:08Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:29:08Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:28:37Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://0553bff815c4a98eb8ede35f0ffea37db5707f0484dc4a4d0c8d94d1246ee7db", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:43Z" + } + } + }, + { + "containerID": "containerd://78c6584d1d096b18c088381b6bff9d659da2795b0e67f1324ce48b6ed7208dc9", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips:1.13.2-dev-zarf-2406703094", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-fips@sha256:f955947ebf2fe14f383cb165bb7f1f198c482c24430f74eb3a11d112985f6c3e", + "lastState": {}, + "name": "velero", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:28:45Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": 
"containerd://ad108658f6297f9cc0a8023e51091d382796554f0ba5053245bf6b739db6b46e", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips:1.9.2-zarf-1238650474", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-aws-fips@sha256:0da93d5ded960d04f7de0cd0150c564db7451ce829e7eedb86df54a6f50b7630", + "lastState": {}, + "name": "velero-plugin-for-aws", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ad108658f6297f9cc0a8023e51091d382796554f0ba5053245bf6b739db6b46e", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:39Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:39Z" + } + } + }, + { + "containerID": "containerd://bc7398d6f12401ddea02369993c450f97070f08d2dbc58e739ab6fd80aebf8b2", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips:0.7.1-zarf-1576226041", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/velero-plugin-for-csi-fips@sha256:42d2c96c5a9506da4fbd8ce7c60a21a33af604548276f037ab37af99383958a2", + "lastState": {}, + "name": "velero-plugin-for-csi", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bc7398d6f12401ddea02369993c450f97070f08d2dbc58e739ab6fd80aebf8b2", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:41Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:41Z" + } + } + }, + { + "containerID": "containerd://091280b8cf47abd1fe82bbf2b22c519ea4f07c95c4de8a6b6751162a1c7a74a8", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": 
"containerd://091280b8cf47abd1fe82bbf2b22c519ea4f07c95c4de8a6b6751162a1c7a74a8", + "exitCode": 0, + "finishedAt": "2024-07-15T19:28:42Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:28:42Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.59", + "podIPs": [ + { + "ip": "10.42.0.59" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:28:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "authservice", + "kubectl.kubernetes.io/default-logs-container": "authservice", + "pepr.dev/checksum": "dc8636e6149a3c60f2325a2e1abc389fe76b73ffc99c901ac1c3d52908869050", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-07-15T19:30:43Z", + "generateName": "authservice-c984c4c8c-", + "labels": { + "app.kubernetes.io/instance": "authservice", + "app.kubernetes.io/name": "authservice", + "pod-template-hash": "c984c4c8c", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "authservice", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "authservice-c984c4c8c-lxqp9", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "authservice-c984c4c8c", + "uid": "1f65225f-7758-44b8-bc15-31bb1fe1d5a9" + } + ], + "resourceVersion": 
"4707", + "uid": "40504f16-50d3-41b2-805c-74a8f3280748" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":10003,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "authservice" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": 
"v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "authservice" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/authservice/deployments/authservice" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/authservice/livez\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1},\"/app-health/authservice/readyz\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + 
"name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips:1.0.1-zarf-2913600038", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "authservice", + "ports": [ + { + "containerPort": 10003, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/authservice", + "name": "authservice" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", 
+ "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8mrrg", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + 
"items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "authservice", + "secret": { + "defaultMode": 420, + "secretName": "authservice-uds" + } + }, + { + "name": "kube-api-access-8mrrg", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:44Z", + "status": "True", + "type": "PodReadyToStartContainers" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:44Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-07-15T19:30:43Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a924c662f7796cffa8eb19e9f8f4d7720a1fb6ba3b754bc8d5b5b494b2370be0", + "image": 
"127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips:1.0.1-zarf-2913600038", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/authservice-fips@sha256:77c447525dc934e592fc753050039e8a990110a58077889653c1f40351b90fb2", + "lastState": {}, + "name": "authservice", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:30:46Z" + } + } + }, + { + "containerID": "containerd://1f21cfec03f93c53bb3fe1f15f074e18d331a759e1ee6e7e5a0184e874389953", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-07-15T19:30:44Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "hostIPs": [ + { + "ip": "172.19.0.3" + } + ], + "initContainerStatuses": [ + { + "containerID": "containerd://7cc5767fdcb3d285d786d893b4609ed1f7df1a2b306c6b5d16d17028598aff27", + "image": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips:1.22.2-zarf-3405204139", + "imageID": "127.0.0.1:31999/du-uds-defenseunicorns/istio-proxy-fips@sha256:d13e7fe946240c57373050d344db2e44c55f4bb0751cb9ab9873753e26851bfe", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7cc5767fdcb3d285d786d893b4609ed1f7df1a2b306c6b5d16d17028598aff27", + "exitCode": 0, + "finishedAt": "2024-07-15T19:30:44Z", + "reason": "Completed", + "startedAt": "2024-07-15T19:30:44Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.68", + "podIPs": [ + { + "ip": "10.42.0.68" + } + ], + "qosClass": "Burstable", + "startTime": "2024-07-15T19:30:43Z" + } + } + ] +} \ No newline at end of file 
diff --git a/compliance/validations/istio/all-pods-istio-injected/tests.yaml b/compliance/validations/istio/all-pods-istio-injected/tests.yaml new file mode 100644 index 000000000..d468d39e2 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/tests.yaml @@ -0,0 +1,25 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-pods-no-istio-proxy + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.containers |= map(select(.name != "istio-proxy")) else . end)' + expected-validation: false + - test: grafana-pods-istio-proxy-incorrect-name + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.containers |= map(if .name == "istio-proxy" then .name = "different-name" else . end) else . end)' + expected-validation: false + - test: grafana-pods-istio-init-incorrect-name + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .spec.initContainers |= map(if .name == "istio-init" then .name = "different-name" else . end) else . end)' + expected-validation: false + - test: grafana-pods-no-annotation + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations = {} else . end)' + expected-validation: false diff --git a/compliance/validations/istio/all-pods-istio-injected/validation.yaml b/compliance/validations/istio/all-pods-istio-injected/validation.yaml new file mode 100644 index 000000000..e6881d7e0 --- /dev/null +++ b/compliance/validations/istio/all-pods-istio-injected/validation.yaml 
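Review bot: None of the five cases exercises the exemption path — every permutation targets the `grafana` namespace, so a regression that drops a namespace from `exempt_namespaces` in validation.yaml, or applies the exemption to the wrong namespace, would still pass this suite. A positive case that strips the sidecar annotation from a pod in an exempt namespace and expects `true` would pin that behaviour. It only proves something if resources.json actually holds a pod from one of the exempt namespaces, which I can't confirm from this hunk; pick whichever exempt namespace is present in the fixture.
```yaml
  - test: exempt-namespace-pod-without-sidecar
    validation: validation.yaml
    resources: resources.json
    permutation: '.pods |= map(if .metadata.namespace == "istio-system" then .metadata.annotations = {} else . end)'
    expected-validation: true
```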
@@ -0,0 +1,66 @@ +metadata: + name: all-pods-istio-injected + uuid: 1761ac07-80dd-47d2-947e-09f67943b986 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: pods + resource-rule: + version: v1 + resource: pods + namespaces: [] +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default policy result + default validate := false + default msg := "Not evaluated" + + exempt_namespaces := {"kube-system", "istio-system", "uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} + msg_exempt_namespaces = concat(", ", exempt_namespaces) + + validate if { + has_istio_sidecar.result + } + msg = has_istio_sidecar.msg + + # Check for sidecar and init containers in pod spec + no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] + + has_istio_sidecar = {"result": true, "msg": msg} if { + count(no_sidecar) == 0 + msg := "All pods have Istio sidecar proxy." + } else = {"result": false, "msg": msg} if { + msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) + } + + has_sidecar(pod) if { + status := pod.metadata.annotations["sidecar.istio.io/status"] + containers := json.unmarshal(status).containers + initContainers := json.unmarshal(status).initContainers + + has_container_name(pod.spec.containers, containers) + has_container_name(pod.spec.initContainers, initContainers) + } else = false + + has_container_name(containers, names) if { + every name in names { + containers[_].name == name + } + } else = true if { + names == null + } else = false + + is_exempt(pod) if { + pod.metadata.namespace in exempt_namespaces + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_exempt_namespaces 
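Review bot: `has_container_name` returns `true` whenever `names == null`, so a pod whose `sidecar.istio.io/status` annotation carries `"containers":null` and `"initContainers":null` is accepted by `has_sidecar` without any container ever being compared, and that annotation is read straight from the pod object rather than derived by the validation. The check would be more robust if `has_sidecar` also required the proxy container to be present independently of the annotation, e.g. adding `some c in pod.spec.containers` and `c.name == "istio-proxy"` before the two `has_container_name` calls; the tests in tests.yaml already rename that container and expect `false`, so this stays consistent with them. Minor: `json.unmarshal(status)` is evaluated twice; binding it once with `parsed := json.unmarshal(status)` and reading `parsed.containers` / `parsed.initContainers` reads more clearly.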
diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md
new file mode 100644
index 000000000..163b7f15c
--- /dev/null
+++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-authorization-policies-require-authentication
+
+**INPUT** - Collects the AuthorizationPolicy named `jwt-authz` in the `istio-system` namespace.
+
+**POLICY** - Checks that the AuthorizationPolicy requires authentication by ensuring that `requestPrincipals` is defined and the `selector.protect` label is set to `keycloak`.
+
+**NOTES** - Ensure that the AuthorizationPolicy exists and is correctly configured to require authentication for Keycloak.
\ No newline at end of file
diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json
new file mode 100644
index 000000000..c22469b0f
--- /dev/null
+++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/resources.json
@@ -0,0 +1,41 @@ +{ + "authorizationPolicy": { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-04-22T14:10:05Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3753", + "uid": "be533399-3b67-4dbd-a6c3-97d21cae7360" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml new file mode 100644 index 000000000..17d3581a9 --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/tests.yaml @@ -0,0 +1,20 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: change-protect-label + validation: validation.yaml + resources: resources.json + permutation: .authorizationPolicy.spec.selector.matchLabels.protect = "other" + expected-validation: false + - test: remove-requestPrincipals + validation: validation.yaml + resources: resources.json + permutation: del(.authorizationPolicy.spec.rules[0].from[0].source.requestPrincipals) + expected-validation: false + - test: remove-authorizationPolicy + validation: validation.yaml + resources: resources.json + permutation: del(.authorizationPolicy) + expected-validation: false 
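Review bot: The negative cases for the tests.yaml hunk here only delete things — the label, the `requestPrincipals` key, the whole policy — so a policy whose `requestPrincipals` is present but empty is never tested, although in Istio an empty list is equivalent to the field being unset. A case such as `permutation: .authorizationPolicy.spec.rules[0].from[0].source.requestPrincipals = []` with `expected-validation: false`, and a second one that appends a rule with no `from` block (`.authorizationPolicy.spec.rules += [{"to": [{"operation": {"ports": ["8080"]}}]}]`, also expecting `false`), would pin the intent stated in the README. As the rego in the following hunk is written, both of those would currently return `true`, so adding them documents the gap even though the directory is marked DEPRECATED.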
diff --git a/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml new file mode 100644 index 000000000..d4abe2920 --- /dev/null +++ b/compliance/validations/istio/authorization-policies-require-authentication-DEPRECATED/validation.yaml @@ -0,0 +1,47 @@ +metadata: + name: istio-authorization-policies-require-authentication + uuid: e38c0695-10f6-40b6-b246-fa58b26ccd25 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: authorizationPolicy + resource-rule: + name: jwt-authz + group: security.istio.io + namespaces: ["istio-system"] + resource: authorizationpolicies + version: v1beta1 +provider: + type: opa + opa-spec: + output: + observations: + - validate.msg + validation: validate.validate + rego: | + package validate + + # Default policy result + default validate = false + default msg = "Authorization Policies do not require authentication" + + # Evaluation for Istio Authorization Policies + validate { + result_auth_policy.result + } + + msg = result_auth_policy.msg + + result_auth_policy = {"result": true, "msg": msg} { + # Check that authorization policy exists and require authentication + input.authorizationPolicy.kind == "AuthorizationPolicy" + + # "require authentication" is defined as having requestPrincipals defined + # and the selector.protect label is set to "keycloak" + input.authorizationPolicy.spec.rules[_].from[_].source.requestPrincipals != null + input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak" + msg := "Authorization Policy requires authentication for keycloak" + } else = {"result": false, "msg": msg} { + msg := "Authorization Policy does not require authentication" + } 
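Review bot: The `rules[_].from[_].source.requestPrincipals != null` expression in `result_auth_policy` is existential, so a policy with one authenticated rule and a second rule that has no `from` block (which Istio matches against any source, and ALLOW rules are OR'd) still validates as requiring authentication, and `!= null` also accepts an empty `requestPrincipals` list, which Istio treats as unset. Requiring every rule to carry a non-empty `requestPrincipals` closes both holes; since this rego has no `rego.v1` / `future.keywords` import, the universal check is expressed as a comprehension over the rules that lack it. The `count(spec.rules) > 0` guard is needed because the comprehension is empty, and so vacuously satisfied, when `rules` is absent — the existing `remove-requestPrincipals` and `remove-authorizationPolicy` tests keep passing with this rewrite. The directory is marked DEPRECATED, but since the validation is still being added with tests it should at least match its README.
```rego
# … unchanged: package, defaults, validate, msg …

# A rule "requires authentication" only if one of its sources pins a non-empty requestPrincipals list.
rule_requires_auth(rule) {
    count(rule.from[_].source.requestPrincipals) > 0
}

# ALLOW rules are OR'd by Istio, so every rule must require authentication, not just one.
rules_without_auth := [r | r := input.authorizationPolicy.spec.rules[_]; not rule_requires_auth(r)]

result_auth_policy = {"result": true, "msg": msg} {
    input.authorizationPolicy.kind == "AuthorizationPolicy"
    count(input.authorizationPolicy.spec.rules) > 0
    count(rules_without_auth) == 0
    input.authorizationPolicy.spec.selector.matchLabels.protect == "keycloak"
    msg := "Authorization Policy requires authentication for keycloak"
} else = {"result": false, "msg": msg} {
    msg := "Authorization Policy does not require authentication"
}
```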
diff --git a/compliance/validations/istio/authorized-keycloak-access/README.md b/compliance/validations/istio/authorized-keycloak-access/README.md
new file mode 100644
index 000000000..17fb7f3b4
--- /dev/null
+++ b/compliance/validations/istio/authorized-keycloak-access/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-enforces-authorized-keycloak-access
+
+**INPUT** - Collects the AuthorizationPolicy named `keycloak-block-admin-access-from-public-gateway` in the `keycloak` namespace.
+
+**POLICY** - Checks that the AuthorizationPolicy restricts access to Keycloak admin by denying access from sources not in the `istio-admin-gateway` namespace to paths `/admin*` and `/realms/master*` on port `8080`.
+
+**NOTES** - Ensure that the AuthorizationPolicy exists and is correctly configured to deny access to Keycloak admin as specified.
\ No newline at end of file
diff --git a/compliance/validations/istio/authorized-keycloak-access/resources.json b/compliance/validations/istio/authorized-keycloak-access/resources.json
new file mode 100644
index 000000000..38eaff7fa
--- /dev/null
+++ b/compliance/validations/istio/authorized-keycloak-access/resources.json
@@ -0,0 +1,132 @@ +{ + "authorizationPolicy": { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-08-05T13:42:55Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1683", + "uid": "d479e061-abbd-4a05-8450-90939bc7497f" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ], + "ports": [ + "8080" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-tenant-gateway", + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "ports": [ + "8080" + ] + } + } + ], + "when": [ + { + "key": "request.headers[istio-mtls-client-certificate]", + "values": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + } +} \ No newline at end of file diff --git a/compliance/validations/istio/authorized-keycloak-access/tests.yaml b/compliance/validations/istio/authorized-keycloak-access/tests.yaml new file mode 100644 index 000000000..c2ffc31ec --- /dev/null 
+++ b/compliance/validations/istio/authorized-keycloak-access/tests.yaml
@@ -0,0 +1,15 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: remove-auth-rules
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.authorizationPolicy.spec.rules)"
+ expected-validation: false
+ - test: add-not-namespaces
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '(.authorizationPolicy.spec.rules[] | .from[] | .source.notNamespaces) |= . + ["test-ns"]'
+ expected-validation: false
diff --git a/compliance/validations/istio/authorized-keycloak-access/validation.yaml b/compliance/validations/istio/authorized-keycloak-access/validation.yaml
new file mode 100644
index 000000000..b59e82453
--- /dev/null
+++ b/compliance/validations/istio/authorized-keycloak-access/validation.yaml
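Review bot: None of the three cases flips `spec.action`, yet the validation this file drives requires `action == "DENY"`, and a DENY-to-ALLOW edit on this policy is the single change that most directly weakens the control. A case such as `permutation: '.authorizationPolicy.spec.action = "ALLOW"'` with `expected-validation: false` would pin that branch, and a second case removing `/realms/master*` from the first rule's `paths` would exercise the exact-rule comparison on a specific field. The `add-not-namespaces` case rewrites `notNamespaces` on every rule, so it fails through the same whole-object inequality rather than proving the source check specifically.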
@@ -0,0 +1,72 @@
+metadata:
+ name: istio-enforces-authorized-keycloak-access
+ uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: authorizationPolicy
+ resource-rule:
+ name: keycloak-block-admin-access-from-public-gateway
+ group: security.istio.io
+ resource: authorizationpolicies
+ namespaces: [keycloak]
+ version: v1beta1
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default policy result
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Validate both AuthorizationPolicy restricts access to Keycloak admin
+ validate if {
+ check_auth_policy_for_keycloak_admin_access.result
+ }
+
+ msg = check_auth_policy_for_keycloak_admin_access.msg
+
+ check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if {
+ input.authorizationPolicy.kind == "AuthorizationPolicy"
+ valid_auth_policy(input.authorizationPolicy)
+ msg := "AuthorizationPolicy restricts access to Keycloak admin."
+ } else = {"result": false, "msg": msg} if {
+ msg := "AuthorizationPolicy does not restrict access to Keycloak admin."
+ }
+
+ # Define the rule for denying access
+ expected_keycloak_admin_denial_rule := {
+ "from": [
+ {
+ "source": {
+ "notNamespaces": ["istio-admin-gateway"]
+ }
+ }
+ ],
+ "to": [
+ {
+ "operation": {
+ "ports": ["8080"],
+ "paths": ["/admin*", "/realms/master*"]
+ }
+ }
+ ]
+ }
+
+ # Validate that the authorization policy contains the expected first rule
+ valid_auth_policy(ap) if {
+ ap.spec.action == "DENY"
+ rules := ap.spec.rules
+
+ # Ensure the expected rule is present in the input policy
+ some i
+ rules[i] == expected_keycloak_admin_denial_rule
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
diff --git a/compliance/validations/istio/authorized-traffic-egress/README.md b/compliance/validations/istio/authorized-traffic-egress/README.md
new file mode 100644
index 000000000..6b9d57715
--- /dev/null
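Review bot: `valid_auth_policy` checks `action` and the presence of the expected rule but never looks at `spec.selector`, so a DENY policy carrying this rule while selecting no workload, or a different one, still reports "restricts access to Keycloak admin"; the committed fixture selects `app.kubernetes.io/name: keycloak`, which is the value to pin, e.g. `ap.spec.selector.matchLabels["app.kubernetes.io/name"] == "keycloak"` alongside the action check. The whole-object comparison `rules[i] == expected_keycloak_admin_denial_rule` is order-sensitive for the `paths` list, so an equivalent rule with the paths reordered fails closed — acceptable, but the failure message gives no hint of why, so a comment on the comparison would save the next maintainer a debugging round. The comment `# Validate both AuthorizationPolicy restricts` looks left over from a two-policy version; `# Validate the AuthorizationPolicy restricts access to Keycloak admin` matches what the rule does.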
+++ b/compliance/validations/istio/authorized-traffic-egress/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - authorized-traffic-egress-PLACEHOLDER
+
+**INPUT** - This validation currently does not specify any input resources.
+
+**POLICY** - This policy currently does not specify any validation logic.
+
+**NOTES** - This validation is a placeholder and needs to be updated with specific resources and validation logic.
\ No newline at end of file
diff --git a/compliance/validations/istio/authorized-traffic-egress/validation.yaml b/compliance/validations/istio/authorized-traffic-egress/validation.yaml
new file mode 100644
index 000000000..0a997e887
--- /dev/null
+++ b/compliance/validations/istio/authorized-traffic-egress/validation.yaml
@@ -0,0 +1,14 @@
+metadata:
+ name: authorized-traffic-egress-PLACEHOLDER
+ uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ default validate := false
diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md b/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md
new file mode 100644
index 000000000..c3f39c8f7
--- /dev/null
+++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - check-istio-admin-gateway-and-usage
+
+**INPUT** - This validation collects the `admin-gateway` from the `istio-admin-gateway` namespace and all `virtualservices` from all namespaces.
+
+**POLICY** - This policy checks if the `admin-gateway` exists in the `istio-admin-gateway` namespace and verifies that all admin virtual services are using the admin gateway.
+
+**NOTES** - Ensure that the `admin-gateway` is correctly set up in the `istio-admin-gateway` namespace. The policy specifically looks for virtual services with names containing "admin" to be using the admin gateway.
\ No newline at end of file
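Review bot: The placeholder `authorized-traffic-egress` validation is `default validate := false` with `resources: []` and no `output` section, so it always evaluates to not-satisfied while the assessment result carries no text saying the control was never actually checked; the same shape appears in the `communications-terminated-after-inactivity`, `egress-gateway-exists-and-configured` and `external-traffic-managed` placeholders later in this change. Adding `default msg := "Placeholder validation - not yet implemented"` to the rego and `output: {validation: validate.validate, observations: [validate.msg]}` to the `opa-spec` would make each result self-describing for whoever reads the assessment. If lula already distinguishes placeholders some other way (not visible here), a one-line comment in the rego saying so would suffice.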
diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json b/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json new file mode 100644 index 000000000..5ee7e41f1 --- /dev/null +++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/resources.json 
@@ -0,0 +1,546 @@ +{ + "adminGateway": { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-04-22T14:04:26Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1196", + "uid": "7dbddd10-c3ca-45d5-9377-f99bfd819a2c" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + "virtualServices": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-remove-private-paths-from-public-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1702", + "uid": 
"e4ff9458-0a7c-4723-9c51-b51568a6a277" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "match": [ + { + "name": "redirect-welcome", + "uri": { + "exact": "/" + } + }, + { + "name": "redirect-admin", + "uri": { + "prefix": "/admin" + } + }, + { + "name": "redirect-master-realm", + "uri": { + "prefix": "/realms/master" + } + }, + { + "name": "redirect-metrics", + "uri": { + "prefix": "/metrics" + } + } + ], + "rewrite": { + "uri": "/realms/uds/account" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-public-auth-access-with-optional-client-certificate", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1703", + "uid": "8355e39e-79b8-4bb8-b5fc-6d4e5f72c8a4" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + 
"creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-admin-admin-access-with-optional-client-certificate", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1704", + "uid": "100da481-a5a8-4a87-82a7-35163d0f7a10" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "keycloak.admin.uds.dev" + ], + "http": [ + { + "headers": { + "request": { + "add": { + "istio-mtls-client-certificate": "%DOWNSTREAM_PEER_CERT%" + }, + "remove": [ + "istio-mtls-client-certificate" + ] + } + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-authorize-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1706", + "uid": "45ad1fa8-b4b2-47f6-8d27-b3711f500ecd" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-authorize", + "uri": { + "prefix": "/oauth/authorize" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/auth" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": 
"networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-user-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1710", + "uid": "cead5510-3501-4605-bbb0-c2c05dc56702" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-user", + "uri": { + "prefix": "/api/v4/user" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/userinfo" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:05:22Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "keycloak-tenant-emulate-gitlab-token-endpoint", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "9310f8a4-d575-4fe9-bcc5-f00ba5abe9d2" + } + ], + "resourceVersion": "1711", + "uid": "53f44ca4-2a3d-4053-9c25-7ddc3e1213f4" + }, + "spec": { + "gateways": [ + "istio-tenant-gateway/tenant-gateway" + ], + "hosts": [ + "sso.uds.dev" + ], + "http": [ + { + "match": [ + { + "name": "gitlab-token", + "uri": { + "prefix": "/oauth/token" + } + } + ], + "rewrite": { + "uri": "/realms/uds/protocol/openid-connect/token" + }, + "route": [ + { + "destination": { + "host": "keycloak-http.keycloak.svc.cluster.local", + "port": { + "number": 8080 + } + } + } + ] + } + ] + } + }, + { + 
"apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:06:37Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "neuvector-admin-neuvector-8443-neuvector-service-webui", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "e5021367-f25b-466f-93a1-19a6419ebafa" + } + ], + "resourceVersion": "1941", + "uid": "b647739b-571a-44e5-a90a-14156f910572" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "neuvector.admin.uds.dev" + ], + "http": [ + { + "route": [ + { + "destination": { + "host": "neuvector-service-webui.neuvector.svc.cluster.local", + "port": { + "number": 8443 + } + } + } + ] + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "VirtualService", + "metadata": { + "creationTimestamp": "2024-04-22T14:09:45Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "grafana-admin-grafana-80-grafana", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "5e00957e-acfd-453d-82eb-c4fae4252660" + } + ], + "resourceVersion": "3622", + "uid": "e1805572-9271-4e48-9e26-a1f84ac78a09" + }, + "spec": { + "gateways": [ + "istio-admin-gateway/admin-gateway" + ], + "hosts": [ + "grafana.admin.uds.dev" + ], + "http": [ + { + "route": [ + { + "destination": { + "host": "grafana.grafana.svc.cluster.local", + "port": { + "number": 80 + } + } + } + ] + } + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml new file mode 100644 index 000000000..d77fce294 --- /dev/null 
+++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml
@@ -0,0 +1,20 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: no-gateway
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.adminGateway)"
+ expected-validation: false
+ - test: admin-vs-not-using-admin-gw
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '.virtualServices |= map(if .metadata.name == "keycloak-admin-admin-access-with-optional-client-certificate" then .spec.gateways = ["new-gateway/new-gateway-name"] else . end)'
+ expected-validation: false
+ - test: not-admin-vs-using-admin-gw
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '.virtualServices |= map(if .metadata.name == "keycloak-tenant-public-auth-access-with-optional-client-certificate" then .spec.gateways = ["istio-admin-gateway/admin-gateway"] else . end)'
+ expected-validation: false
diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml
new file mode 100644
index 000000000..61139d719
--- /dev/null
+++ b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml
@@ -0,0 +1,74 @@
+metadata:
+ name: check-istio-admin-gateway-and-usage
+ uuid: c6c9daf1-4196-406d-8679-312c0512ab2e
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: adminGateway
+ resource-rule:
+ name: admin-gateway
+ group: networking.istio.io
+ version: v1beta1
+ resource: gateways
+ namespaces: ["istio-admin-gateway"]
+ - name: virtualServices
+ resource-rule:
+ group: networking.istio.io
+ version: v1beta1
+ resource: virtualservices
+ namespaces: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default admin_gw_exists := false
+ default admin_vs_match := false
+ default msg := "Not evaluated"
+
+ # Expected admin gateway details
+ expected_gateway := "admin-gateway"
+ expected_gateway_namespace := "istio-admin-gateway"
+ expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway])
+
+ validate if {
+ result_admin_gw_exixts.result
+ result_admin_vs_match.result
+ }
+
+ msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg])
+
+ result_admin_gw_exixts = {"result": true, "msg": msg} if {
+ input.adminGateway.kind == "Gateway"
+ input.adminGateway.metadata.name == expected_gateway
+ input.adminGateway.metadata.namespace == expected_gateway_namespace
+ msg := sprintf("Admin gateway exists: %s.", [expected_ns_name])
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Admin gateway does not exist, looking for: %s.", [expected_ns_name])
+ }
+
+ result_admin_vs_match = {"result": true, "msg": msg} if {
+ count(admin_vs-admin_vs_using_gateway) == 0
+ count(all_vs_using_gateway-admin_vs_using_gateway) == 0
+ msg := "Admin virtual services are using admin gateway."
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. 
Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)])
+ }
+
+ # Count admin virtual services
+ admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")}
+
+ # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin")
+ admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name}
+
+ # Count all VirtualServices using the admin gateway
+ all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name}
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/README.md b/compliance/validations/istio/check-istio-logging-all-traffic/README.md
new file mode 100644
index 000000000..d4f351a0f
--- /dev/null
+++ b/compliance/validations/istio/check-istio-logging-all-traffic/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - check-istio-logging-all-traffic
+
+**INPUT** - This validation collects the Istio Mesh Configuration from the `istio-system` namespace.
+
+**POLICY** - This policy checks if Istio's Mesh Configuration has logging enabled by verifying if the access log file is set to `/dev/stdout`.
+
+**NOTES** - Ensure that the Istio Mesh Configuration is correctly set up in the `istio-system` namespace. The policy specifically looks for the `accessLogFile` field to be set to `/dev/stdout`.
\ No newline at end of file
diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/resources.json b/compliance/validations/istio/check-istio-logging-all-traffic/resources.json
new file mode 100644
index 000000000..637faf937
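Review bot: Admin virtual services are identified by `contains(adminVs.metadata.name, "admin")`, a naming heuristic: a VirtualService bound to the admin gateway whose name lacks "admin" drops out of `admin_vs` and is reported as a non-admin VS using the gateway, while any name that happens to contain "admin" is required to use it regardless of what it routes. The fixture in this change shows a structural signal that does not depend on naming — the gateway's `spec.servers[_].hosts` (`*.admin.uds.dev`, `keycloak.admin.uds.dev`) against each VS's `spec.hosts` — and matching on hosts (with a suffix comparison for the wildcard entry) would follow the same data Istio itself binds on; if the name convention is enforced elsewhere in UDS, a comment saying so would justify the heuristic. `result_admin_gw_exixts` is misspelled in all three places it appears, and `default admin_gw_exists := false` / `default admin_vs_match := false` are declared but never referenced, which reads as a leftover from an earlier shape of the rules.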
--- /dev/null
+++ b/compliance/validations/istio/check-istio-logging-all-traffic/resources.json
@@ -0,0 +1,28 @@
+{
+ "istioMeshConfig": {
+ "accessLogFile": "/dev/stdout",
+ "defaultConfig": {
+ "discoveryAddress": "istiod.istio-system.svc:15012",
+ "gatewayTopology": {
+ "forwardClientCertDetails": "SANITIZE"
+ },
+ "holdApplicationUntilProxyStarts": true,
+ "tracing": {
+ "zipkin": {
+ "address": "zipkin.istio-system:9411"
+ }
+ }
+ },
+ "defaultProviders": {
+ "metrics": [
+ "prometheus"
+ ]
+ },
+ "enablePrometheusMerge": true,
+ "pathNormalization": {
+ "normalization": "MERGE_SLASHES"
+ },
+ "rootNamespace": "istio-system",
+ "trustDomain": "cluster.local"
+ }
+}
\ No newline at end of file
diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml
new file mode 100644
index 000000000..bc6eafc76
--- /dev/null
+++ b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml
@@ -0,0 +1,15 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: change-accessLogFile-to-different-dir
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '.istioMeshConfig.accessLogFile = "/log/test"'
+ expected-validation: false
+ - test: remove-accessLogFile
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.istioMeshConfig.accessLogFile)"
+ expected-validation: false
diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml
new file mode 100644
index 000000000..20227e2eb
--- /dev/null
+++ b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml
@@ -0,0 +1,46 @@
+metadata:
+ name: check-istio-logging-all-traffic
+ uuid: 90738c86-6315-450a-ac69-cc50eb4859cc
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: istioMeshConfig
+ resource-rule:
+ field:
+ jsonpath: .data.mesh
+ type: yaml
+ namespaces:
+ - istio-system
+ resource: configmaps
+ version: v1
+ name: istio
+provider:
+ type: opa
+ opa-spec:
+ output:
+ observations:
+ - validate.msg
+ validation: validate.validate
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Check if Istio's Mesh Configuration has logging enabled
+ validate if {
+ logging_enabled.result
+ }
+
+ msg = logging_enabled.msg
+
+ logging_enabled = {"result": true, "msg": msg} if {
+ # Check for access log file output to stdout
+ input.istioMeshConfig.accessLogFile == "/dev/stdout"
+ msg := "Istio is logging all traffic."
+ } else = {"result": false, "msg": msg} if {
+ msg := "Istio is not logging all traffic."
+ }
diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/README.md b/compliance/validations/istio/communications-terminated-after-inactivity/README.md
new file mode 100644
index 000000000..5b3b48eae
--- /dev/null
+++ b/compliance/validations/istio/communications-terminated-after-inactivity/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - communications-terminated-after-inactivity-PLACEHOLDER
+
+**INPUT** - This validation currently does not collect any resources.
+
+**POLICY** - This policy is a placeholder and does not perform any validation.
+
+**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for terminating communications after inactivity.
\ No newline at end of file
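Review bot: The failure observation `"Istio is not logging all traffic."` in `logging_enabled` drops the value that was actually found, which is what an assessor needs to act on; the mTLS validation in this same change reports the offending set in its message, so for consistency and triage value use `msg := sprintf("Istio is not logging all traffic; accessLogFile is %v.", [object.get(input.istioMeshConfig, "accessLogFile", "<unset>")])`. The check is also mesh-wide only — it reads `.data.mesh` of the `istio` ConfigMap — and an Istio Telemetry resource can disable access logging for a namespace or workload without touching this field, so the README's NOTES should state that per-workload overrides are out of scope unless those resources are collected as well.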
diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml
new file mode 100644
index 000000000..9bc171ca7
--- /dev/null
+++ b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml
@@ -0,0 +1,17 @@
+metadata:
+ name: communications-terminated-after-inactivity-PLACEHOLDER
+ uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ validate := false
+
+ # Check on destination rule, outlier detection?
+ # -> Doesn't appear that UDS is configured to create destination rules.
diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/README.md b/compliance/validations/istio/egress-gateway-exists-and-configured/README.md
new file mode 100644
index 000000000..3e5e9ad89
--- /dev/null
+++ b/compliance/validations/istio/egress-gateway-exists-and-configured/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - egress-gateway-exists-and-configured-PLACEHOLDER
+
+**INPUT** - This validation currently does not collect any resources.
+
+**POLICY** - This policy is a placeholder and does not perform any validation.
+
+**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for the existence and configuration of the egress gateway.
\ No newline at end of file
diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml
new file mode 100644
index 000000000..e0f1dec06
--- /dev/null
+++ b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml
@@ -0,0 +1,14 @@
+metadata:
+ name: egress-gateway-exists-and-configured-PLACEHOLDER
+ uuid: c3b022eb-19a5-4711-8099-da4a90c9dd5d
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ default validate := false
diff --git a/compliance/validations/istio/enforce-mtls-strict/README.md b/compliance/validations/istio/enforce-mtls-strict/README.md
new file mode 100644
index 000000000..8c5fa459e
--- /dev/null
+++ b/compliance/validations/istio/enforce-mtls-strict/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - enforce-mtls-strict
+
+**INPUT** - This validation collects all `peerauthentications` from all namespaces.
+
+**POLICY** - This policy checks if all `PeerAuthentications` have mTLS mode set to `STRICT`.
+
+**NOTES** - Ensure that all `PeerAuthentications` are correctly configured with mTLS mode set to `STRICT`. The policy specifically looks for the `mtls.mode` field to be set to `STRICT`.
\ No newline at end of file
diff --git a/compliance/validations/istio/enforce-mtls-strict/resources.json b/compliance/validations/istio/enforce-mtls-strict/resources.json
new file mode 100644
index 000000000..fac931181
--- /dev/null
+++ b/compliance/validations/istio/enforce-mtls-strict/resources.json
@@ -0,0 +1,225 @@ +{ + "peerAuths": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "zarf-a102b532d6a523b085622665b606574b0cd82025", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:59Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "default-istio-system", + "namespace": "istio-system", + "resourceVersion": "1154", + "uid": "846d35fc-f942-4efc-b1ea-be35d3352db8" + }, + "spec": { + "mtls": { + "mode": "STRICT" + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "zarf-a102b532d6a523b085622665b606574b0cd82025", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:59Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "permissive-pepr-webhook", + "namespace": "pepr-system", + "resourceVersion": "1155", + "uid": "8911bc2b-fc43-414c-9511-7712c463a8f3" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "3000": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "pepr.dev/controller": "admission" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-metrics-server-config", + "meta.helm.sh/release-namespace": "metrics-server" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "metrics-server-api-exception", + "namespace": "metrics-server", + "resourceVersion": "1520", + "uid": "829a5b07-76c8-45f9-903e-f90976b677aa" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "10250": { + "mode": "PERMISSIVE" + } + }, + "selector": { + 
"matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak", + "namespace": "keycloak", + "resourceVersion": "1659", + "uid": "21586733-a185-4a6b-b8cc-cc77bb77b012" + }, + "spec": { + "mtls": { + "mode": "STRICT" + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-neuvector-config", + "meta.helm.sh/release-namespace": "neuvector" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "controller-neuvector", + "namespace": "neuvector", + "resourceVersion": "1912", + "uid": "c927e10e-e859-4f54-b2ad-ff457ae8a7e5" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "18300": { + "mode": "PERMISSIVE" + }, + "30443": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-loki-config", + "meta.helm.sh/release-namespace": "loki" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "loki-simple-scalable", + "namespace": "loki", + "resourceVersion": "2382", + "uid": "78bfd0bf-5682-45b5-9a38-0fc4dee6ccd4" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "9095": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app.kubernetes.io/name": 
"loki" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "PeerAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-prometheus-config", + "meta.helm.sh/release-namespace": "monitoring" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "prometheus-operator-webhook", + "namespace": "monitoring", + "resourceVersion": "2862", + "uid": "1131d8b9-3c21-4076-b22a-e4bd3c0bdc44" + }, + "spec": { + "mtls": { + "mode": "STRICT" + }, + "portLevelMtls": { + "10250": { + "mode": "PERMISSIVE" + } + }, + "selector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/enforce-mtls-strict/tests.yaml b/compliance/validations/istio/enforce-mtls-strict/tests.yaml new file mode 100644 index 000000000..011697430 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: not_all_strict + validation: validation.yaml + resources: resources.json + permutation: '.peerAuths[0].spec.mtls.mode = "PERMISSIVE"' + expected-validation: false diff --git a/compliance/validations/istio/enforce-mtls-strict/validation.yaml b/compliance/validations/istio/enforce-mtls-strict/validation.yaml new file mode 100644 index 000000000..ed2fb4271 --- /dev/null +++ b/compliance/validations/istio/enforce-mtls-strict/validation.yaml 
@@ -0,0 +1,49 @@
+metadata:
+ name: enforce-mtls-strict
+ uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: peerAuths
+ resource-rule:
+ group: security.istio.io
+ version: v1beta1
+ resource: peerauthentications
+ namespaces: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default all_strict := false
+ default msg := "Not evaluated"
+
+ validate if {
+ result_all_strict.result
+ }
+
+ msg = concat(" ", [result_all_strict.msg])
+
+ # Evaluate if all PeerAuthentications have mtls mode set to STRICT
+ peer_auths := {sprintf("%s/%s", [pa.metadata.namespace, pa.metadata.name]) | pa := input.peerAuths[_]}
+ peer_auths_strict := {sprintf("%s/%s", [pa.metadata.namespace, pa.metadata.name]) | pa := input.peerAuths[_]; mtls_strict(pa)}
+
+ result_all_strict = {"result": true, "msg": msg} if {
+ peer_auths == peer_auths_strict
+ msg := "All PeerAuthentications have mtls mode set to STRICT."
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Not all PeerAuthentications have mtls mode set to STRICT: %s.", [peer_auths - peer_auths_strict])
+ }
+
+ mtls_strict(pa) if {
+ pa.spec.mtls.mode == "STRICT"
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
diff --git a/compliance/validations/istio/external-traffic-managed/README.md b/compliance/validations/istio/external-traffic-managed/README.md
new file mode 100644
index 000000000..ccd517728
--- /dev/null
+++ b/compliance/validations/istio/external-traffic-managed/README.md
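Review bot: `result_all_strict` reports success when both sets are empty, so a cluster with no PeerAuthentication objects at all passes the STRICT check; the true branch should also require `count(peer_auths) > 0`, and tests.yaml in the previous hunk should gain a case with `permutation: '.peerAuths = []'` expecting false. `mtls_strict` only inspects `spec.mtls.mode`, so the port-level `PERMISSIVE` exceptions present in the collected resources (neuvector 18300/30443, loki 9095, prometheus-operator-webhook 10250) are invisible in the observation even though they carry plaintext on those ports; consider a second observation listing `namespace/name:port` for every `portLevelMtls` entry whose mode is not STRICT so assessors can see the exemptions. `default all_strict := false` is never referenced and can be dropped.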
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - external-traffic-managed-PLACEHOLDER
+
+**INPUT** - This validation currently does not collect any resources.
+
+**POLICY** - This policy is a placeholder and does not perform any validation.
+
+**NOTES** - The policy is a placeholder and needs to be updated to include the necessary checks for managing external traffic, possibly involving `ServiceEntry` resources.
\ No newline at end of file
diff --git a/compliance/validations/istio/external-traffic-managed/validation.yaml b/compliance/validations/istio/external-traffic-managed/validation.yaml
new file mode 100644
index 000000000..b83dab0b3
--- /dev/null
+++ b/compliance/validations/istio/external-traffic-managed/validation.yaml
@@ -0,0 +1,18 @@
+metadata:
+ name: external-traffic-managed-PLACEHOLDER
+ uuid: 19faf69a-de74-4b78-a628-64a9f244ae13
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ default validate := false
+
+ # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY)
+ # Possibly would need a ServiceEntry(?)
+ # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services)
diff --git a/compliance/validations/istio/fips-evaluation/README.md b/compliance/validations/istio/fips-evaluation/README.md
new file mode 100644
index 000000000..486a4ffef
--- /dev/null
+++ b/compliance/validations/istio/fips-evaluation/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - fips-evaluation-PLACEHOLDER
+
+**INPUT** - This validation currently does not collect any resources.
+
+**POLICY** - This policy is a placeholder and does not perform any validation.
+
+**NOTES** - Update the `kubernetes-spec` and `opa-spec` in the `validation.yaml` file to perform the desired FIPS evaluation.
\ No newline at end of file
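Review bot: The placeholder rego here and in fips-evaluation/validation.yaml (next hunk) evaluates to `validate := false` unconditionally, so every assessment run records the controls these map to as not satisfied; a comment inside the rego such as `# PLACEHOLDER: always evaluates false until the outboundTrafficPolicy check is implemented` would tell a reader of the assessment results that the failure is intentional rather than a regression. The existing comment already identifies `meshConfig.outboundTrafficPolicy.mode` as the value to check; the metrics-logging-configured validation later in this commit appears to collect the mesh config as `istioConfig`, so its resource-rule could be reused here in place of `resources: []` when the check is written. Both placeholders also omit the `output:` block the other validations declare; confirm Lula falls back to `validate.validate` without it.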
diff --git a/compliance/validations/istio/fips-evaluation/validation.yaml b/compliance/validations/istio/fips-evaluation/validation.yaml
new file mode 100644
index 000000000..51d9663ee
--- /dev/null
+++ b/compliance/validations/istio/fips-evaluation/validation.yaml
@@ -0,0 +1,14 @@
+metadata:
+ name: fips-evaluation-PLACEHOLDER
+ uuid: 73434890-2751-4894-b7b2-7e583b4a8977
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ default validate := false
diff --git a/compliance/validations/istio/gateway-configuration-check/README.md b/compliance/validations/istio/gateway-configuration-check/README.md
new file mode 100644
index 000000000..3dcacdc4a
--- /dev/null
+++ b/compliance/validations/istio/gateway-configuration-check/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - gateway-configuration-check
+
+**INPUT** - This validation collects all Istio gateways in the Kubernetes cluster.
+
+**POLICY** - This policy checks that only allowed gateways ("admin", "tenant", "passthrough") are present and that all required gateway types are found.
+
+**NOTES** - Ensure that the allowed gateways are correctly specified and that all required gateway types are present in the cluster.
\ No newline at end of file
diff --git a/compliance/validations/istio/gateway-configuration-check/resources.json b/compliance/validations/istio/gateway-configuration-check/resources.json
new file mode 100644
index 000000000..ee48519a3
--- /dev/null
+++ b/compliance/validations/istio/gateway-configuration-check/resources.json
@@ -0,0 +1,220 @@ +{ + "gateways": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:07Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1216", + "uid": "07ede0ee-0ffc-42d0-ae22-15fa69dfb45a" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-tenant-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:11Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "tenant-gateway", + "namespace": "istio-tenant-gateway", + "resourceVersion": "1273", + "uid": "fb672c84-0a55-4ccc-84c7-7448868598f3" + }, + "spec": { + "selector": { + "app": 
"tenant-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-tenant", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-tenant", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-passthrough-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:15Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "passthrough-gateway", + "namespace": "istio-passthrough-gateway", + "resourceVersion": "1330", + "uid": "501528ef-4199-4804-994d-a1392d6f249e" + }, + "spec": { + "selector": { + "app": "passthrough-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-passthrough", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-passthrough", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "mode": "PASSTHROUGH" + } + } + ] + } + } + ] +} \ No newline at end of file 
diff --git a/compliance/validations/istio/gateway-configuration-check/tests.yaml b/compliance/validations/istio/gateway-configuration-check/tests.yaml
new file mode 100644
index 000000000..ac7eea542
--- /dev/null
+++ b/compliance/validations/istio/gateway-configuration-check/tests.yaml
@@ -0,0 +1,15 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: remove_first_gateway
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.gateways[0])"
+ expected-validation: false
+ - test: add_new_gateway
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '.gateways += [{"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway", "metadata": {"name": "new-gateway", "namespace": "new-namespace"}}]'
+ expected-validation: false
diff --git a/compliance/validations/istio/gateway-configuration-check/validation.yaml b/compliance/validations/istio/gateway-configuration-check/validation.yaml
new file mode 100644
index 000000000..c1be18882
--- /dev/null
+++ b/compliance/validations/istio/gateway-configuration-check/validation.yaml
@@ -0,0 +1,63 @@
+metadata:
+ name: gateway-configuration-check
+ uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: gateways
+ resource-rule:
+ group: networking.istio.io
+ resource: gateways
+ namespaces: []
+ version: v1beta1
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # default values
+ default validate := false
+ default msg := "Not evaluated"
+
+ validate if {
+ check_expected_gw.result
+ check_all_gw_found.result
+ }
+
+ msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg])
+ msg_existing_gateways := concat(", ", gateways)
+ msg_allowed_gateways := concat(", ", allowed)
+
+ # Check if only allowed gateways are in the system
+ allowed := {"admin", "tenant", "passthrough"}
+ gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]}
+ allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)}
+ actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)}
+
+ check_expected_gw = {"result": true, "msg": msg} if {
+ gateways == allowed_gateways
+ msg := "Only allowed gateways found."
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways])
+ }
+
+ gw_in_list(gw, allowed) if {
+ contains(gw.metadata.name, allowed[_])
+ }
+
+ # Check if the entire set contains all required gateways
+ check_all_gw_found = {"result": true, "msg": msg} if {
+ actual_allowed == allowed
+ msg := "All gateway types found."
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed])
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
+ - validate.msg_existing_gateways
+ - validate.msg_allowed_gateways
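Review bot: `gw_in_list` uses `contains(gw.metadata.name, allowed[_])`, so any Gateway whose name merely contains "admin", "tenant" or "passthrough" is accepted regardless of its namespace, and `actual_allowed` applies the same substring test to the `namespace/name` string; an unexpected Gateway that happens to carry one of those words in its name will be reported as an allowed gateway. Matching the full `namespace/name` against an explicit set closes this: `allowed_gateways := {"istio-admin-gateway/admin-gateway", "istio-tenant-gateway/tenant-gateway", "istio-passthrough-gateway/passthrough-gateway"}`, with `check_expected_gw` keeping `gateways == allowed_gateways` and `check_all_gw_found` testing that `allowed_gateways - gateways` is empty; that hard-codes the namespaces the fixture uses, so confirm they are stable across deployments before switching. tests.yaml in the previous hunk only adds a Gateway named `new-gateway`; a case that adds one named `tenant-gateway` in another namespace would pin down whichever behaviour is intended. `gw_in_list(gw, allowed)` also shadows the package-level `allowed` with its parameter, which reads as a mistake even though the values coincide.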
diff --git a/compliance/validations/istio/healthcheck/README.md b/compliance/validations/istio/healthcheck/README.md
new file mode 100644
index 000000000..278857e12
--- /dev/null
+++ b/compliance/validations/istio/healthcheck/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-health-check
+
+**INPUT** - This validation collects the Istiod deployment and horizontal pod autoscaler (HPA) in the "istio-system" namespace.
+
+**POLICY** - This policy checks if the Istiod deployment is healthy and if the HPA has sufficient replicas.
+
+**NOTES** - Ensure that the Istiod deployment and HPA are correctly configured and running in the "istio-system" namespace.
\ No newline at end of file
diff --git a/compliance/validations/istio/healthcheck/resources.json b/compliance/validations/istio/healthcheck/resources.json
new file mode 100644
index 000000000..7b8914043
--- /dev/null
+++ b/compliance/validations/istio/healthcheck/resources.json
@@ -0,0 +1,407 @@ +{ + "istioddeployment": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "metadata": { + "annotations": { + "deployment.kubernetes.io/revision": "1", + "meta.helm.sh/release-name": "istiod", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "generation": 1, + "labels": { + "app": "istiod", + "app.kubernetes.io/managed-by": "Helm", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "release": "istiod" + }, + "name": "istiod", + "namespace": "istio-system", + "resourceVersion": "1141", + "uid": "c913f7f1-0ac7-4a73-9fd5-614715411fb6" + }, + "spec": { + "progressDeadlineSeconds": 600, + "replicas": 1, + "revisionHistoryLimit": 10, + "selector": { + "matchLabels": { + "istio": "pilot" + } + }, + "strategy": { + "rollingUpdate": { + "maxSurge": "100%", + "maxUnavailable": "25%" + }, + "type": "RollingUpdate" + }, + "template": { + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": null, + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "sidecar.istio.io/inject": "false" + } + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": 
"v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "docker.io/istio/pilot:1.22.1-distroless", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": true + }, + { + "mountPath": 
"/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + } + ] + } + } + }, + "status": { + "availableReplicas": 1, + "conditions": [ + { + "lastTransitionTime": "2024-06-07T14:35:57Z", + "lastUpdateTime": "2024-06-07T14:35:57Z", + "message": "Deployment has minimum availability.", + "reason": "MinimumReplicasAvailable", + "status": "True", + "type": "Available" + }, + { + "lastTransitionTime": "2024-06-07T14:35:55Z", + "lastUpdateTime": "2024-06-07T14:35:57Z", + "message": "ReplicaSet \"istiod-5d75444496\" has successfully progressed.", + "reason": "NewReplicaSetAvailable", + "status": "True", + "type": "Progressing" + } + ], + "observedGeneration": 1, + "readyReplicas": 1, + "replicas": 1, + 
"updatedReplicas": 1 + } + }, + "istiodhpa": { + "apiVersion": "autoscaling/v2", + "kind": "HorizontalPodAutoscaler", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "istiod", + "meta.helm.sh/release-namespace": "istio-system" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "labels": { + "app": "istiod", + "app.kubernetes.io/managed-by": "Helm", + "install.operator.istio.io/owning-resource": "unknown", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "release": "istiod" + }, + "name": "istiod", + "namespace": "istio-system", + "resourceVersion": "153610", + "uid": "595b2821-fb62-4203-9a4d-c3bba5689215" + }, + "spec": { + "maxReplicas": 5, + "metrics": [ + { + "resource": { + "name": "cpu", + "target": { + "averageUtilization": 80, + "type": "Utilization" + } + }, + "type": "Resource" + } + ], + "minReplicas": 1, + "scaleTargetRef": { + "apiVersion": "apps/v1", + "kind": "Deployment", + "name": "istiod" + } + }, + "status": { + "conditions": [ + { + "lastTransitionTime": "2024-06-11T12:12:51Z", + "message": "recent recommendations were higher than current one, applying the highest recent recommendation", + "reason": "ScaleDownStabilized", + "status": "True", + "type": "AbleToScale" + }, + { + "lastTransitionTime": "2024-06-07T14:37:10Z", + "message": "the HPA was able to successfully calculate a replica count from cpu resource utilization (percentage of request)", + "reason": "ValidMetricFound", + "status": "True", + "type": "ScalingActive" + }, + { + "lastTransitionTime": "2024-06-07T15:31:59Z", + "message": "the desired count is within the acceptable range", + "reason": "DesiredWithinRange", + "status": "False", + "type": "ScalingLimited" + } + ], + "currentMetrics": [ + { + "resource": { + "current": { + "averageUtilization": 0, + "averageValue": "3m" + }, + "name": "cpu" + }, + "type": "Resource" + } + ], + "currentReplicas": 1, + "desiredReplicas": 1 + } + } +} \ No newline at end of file 
diff --git a/compliance/validations/istio/healthcheck/tests.yaml b/compliance/validations/istio/healthcheck/tests.yaml
new file mode 100644
index 000000000..fe5940d0e
--- /dev/null
+++ b/compliance/validations/istio/healthcheck/tests.yaml
@@ -0,0 +1,15 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: hpa_zero_replicas
+ validation: validation.yaml
+ resources: resources.json
+ permutation: ".istiodhpa.status.currentReplicas = 0"
+ expected-validation: false
+ - test: deployment_condition_false
+ validation: validation.yaml
+ resources: resources.json
+ permutation: ".istioddeployment.status.availableReplicas = 0"
+ expected-validation: false
diff --git a/compliance/validations/istio/healthcheck/validation.yaml b/compliance/validations/istio/healthcheck/validation.yaml
new file mode 100644
index 000000000..9eea7e20f
--- /dev/null
+++ b/compliance/validations/istio/healthcheck/validation.yaml
@@ -0,0 +1,62 @@
+metadata:
+ name: istio-health-check
+ uuid: 67456ae8-4505-4c93-b341-d977d90cb125
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: istioddeployment
+ resource-rule:
+ group: apps
+ name: istiod
+ namespaces:
+ - istio-system
+ resource: deployments
+ version: v1
+ - name: istiodhpa
+ resource-rule:
+ group: autoscaling
+ name: istiod
+ namespaces:
+ - istio-system
+ resource: horizontalpodautoscalers
+ version: v2
+provider:
+ type: opa
+ opa-spec:
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
+ - validate.deployment_message
+ - validate.hpa_message
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Check if the Istio Deployment is healthy
+ validate if {
+ check_deployment_health.result
+ check_hpa_health.result
+ }
+
+ msg = concat(" ", [check_deployment_health.msg, check_hpa_health.msg])
+
+ check_deployment_health = {"result": true, "msg": msg} if {
+ input.istioddeployment.status.replicas > 0
+ input.istioddeployment.status.availableReplicas == input.istioddeployment.status.replicas
+ msg := "Istiod Deployment is healthy."
+ } else = {"result": false, "msg": msg} if {
+ msg := "Istiod Deployment is not healthy."
+ }
+
+ check_hpa_health = {"result": true, "msg": msg} if {
+ input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas
+ msg := "HPA has sufficient replicas."
+ } else = {"result": false, "msg": msg} if {
+ msg := "HPA does not have sufficient replicas."
+ }
diff --git a/compliance/validations/istio/ingress-traffic-encrypted/README.md b/compliance/validations/istio/ingress-traffic-encrypted/README.md
new file mode 100644
index 000000000..6fc5c4032
--- /dev/null
+++ b/compliance/validations/istio/ingress-traffic-encrypted/README.md
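Review bot: The `observations` list references `validate.deployment_message` and `validate.hpa_message`, but the rego defines neither, so those two observations are undefined at evaluation time and only `validate.msg` will carry text; add `deployment_message := check_deployment_health.msg` and `hpa_message := check_hpa_health.msg` beside the `msg` rule. `check_hpa_health` dereferences `spec.minReplicas`, which is optional in autoscaling/v2 and defaults to 1 when omitted, so an HPA without the field would be reported as "does not have sufficient replicas"; `object.get(input.istiodhpa.spec, "minReplicas", 1)` keeps the comparison defined. The third case in tests.yaml (previous hunk) is named `deployment_condition_false` but mutates `status.availableReplicas` rather than a status condition; naming it after what it changes, e.g. `deployment_available_replicas_zero`, avoids misleading the next person who adds a condition-based check.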
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - ingress-traffic-encrypted
+
+**INPUT** - This validation collects all Istio gateways in the Kubernetes cluster.
+
+**POLICY** - This policy checks that all gateways encrypt ingress traffic, except for the "istio-passthrough-gateway/passthrough-gateway".
+
+**NOTES** - The server spec in the gateways must have a `port.protocol` set to `HTTPS` and `tls.httpsRedirect` set to `true` OR `port.protocol` set to `HTTPS` and `tls.mode` either `SIMPLE` or `OPTIONAL_MUTUAL`.
\ No newline at end of file
diff --git a/compliance/validations/istio/ingress-traffic-encrypted/resources.json b/compliance/validations/istio/ingress-traffic-encrypted/resources.json
new file mode 100644
index 000000000..ee48519a3
--- /dev/null
+++ b/compliance/validations/istio/ingress-traffic-encrypted/resources.json
@@ -0,0 +1,220 @@ +{ + "gateways": [ + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-admin-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:07Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "admin-gateway", + "namespace": "istio-admin-gateway", + "resourceVersion": "1216", + "uid": "07ede0ee-0ffc-42d0-ae22-15fa69dfb45a" + }, + "spec": { + "selector": { + "app": "admin-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "http-admin", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.admin.uds.dev" + ], + "port": { + "name": "https-admin", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "keycloak.admin.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-tenant-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:11Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "tenant-gateway", + "namespace": "istio-tenant-gateway", + "resourceVersion": "1273", + "uid": "fb672c84-0a55-4ccc-84c7-7448868598f3" + }, + "spec": { + "selector": { + "app": 
"tenant-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "http-keycloak", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "sso.uds.dev" + ], + "port": { + "name": "https-keycloak", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "OPTIONAL_MUTUAL" + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-tenant", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-tenant", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "credentialName": "gateway-tls", + "minProtocolVersion": "TLSV1_3", + "mode": "SIMPLE" + } + } + ] + } + }, + { + "apiVersion": "networking.istio.io/v1beta1", + "kind": "Gateway", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "uds-istio-config", + "meta.helm.sh/release-namespace": "istio-passthrough-gateway" + }, + "creationTimestamp": "2024-06-07T14:36:15Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "passthrough-gateway", + "namespace": "istio-passthrough-gateway", + "resourceVersion": "1330", + "uid": "501528ef-4199-4804-994d-a1392d6f249e" + }, + "spec": { + "selector": { + "app": "passthrough-ingressgateway" + }, + "servers": [ + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "http-passthrough", + "number": 80, + "protocol": "HTTP" + }, + "tls": { + "httpsRedirect": true + } + }, + { + "hosts": [ + "*.uds.dev" + ], + "port": { + "name": "https-passthrough", + "number": 443, + "protocol": "HTTPS" + }, + "tls": { + "mode": "PASSTHROUGH" + } + } + ] + } + } + ] +} \ No newline at end of file 
diff --git a/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml
new file mode 100644
index 000000000..ca3b6b747
--- /dev/null
+++ b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml
@@ -0,0 +1,15 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: change_admin_gateway_protocol_to_tcp
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].port.protocol = "TCP" else . end)'
+ expected-validation: false
+ - test: change_admin_gateway_httpsRedirect_to_false
+ validation: validation.yaml
+ resources: resources.json
+ permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].tls.httpsRedirect = false else . end)'
+ expected-validation: false
diff --git a/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml
new file mode 100644
index 000000000..198125f72
--- /dev/null
+++ b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml
@@ -0,0 +1,74 @@
+metadata:
+ name: ingress-traffic-encrypted
+ uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: gateways
+ resource-rule:
+ group: networking.istio.io
+ version: v1beta1
+ resource: gateways
+ namespaces: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Validation
+ validate if {
+ check_gateways_allowed.result
+ }
+ msg = check_gateways_allowed.msg
+ msg_exempted_gateways = concat(", ", exempt_gateways)
+
+ # Collect gateways that do not encrypt ingress traffic
+ gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) |
+ gateway := input.gateways[_];
+ not allowed_gateway(gateway)
+ }
+
+ check_gateways_allowed = {"result": true, "msg": msg} if {
+ count(gateways_disallowed) == 0
+ msg := "All gateways encrypt ingress traffic"
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)])
+ }
+
+ # Check allowed gateway
+ allowed_gateway(gateway) if {
+ every server in gateway.spec.servers {
+ allowed_server(server)
+ }
+ }
+
+ exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"}
+ allowed_gateway(gateway) if {
+ sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways
+ # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic
+ # Find all virtual services that use this gateway
+ # Check that vs has https scheme
+ }
+
+ # Check allowed server spec in gateway
+ allowed_server(server) if {
+ server.port.protocol == "HTTP"
+ server.tls.httpsRedirect == true
+ }
+
+ allowed_server(server) if {
+ server.port.protocol == "HTTPS"
+ server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"}
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
+ - validate.msg_exempted_gateways
diff --git a/compliance/validations/istio/metrics-logging-configured/README.md b/compliance/validations/istio/metrics-logging-configured/README.md
new file mode 100644
index 000000000..0d4a63049
--- /dev/null
+++ b/compliance/validations/istio/metrics-logging-configured/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-metrics-logging-configured
+
+**INPUT** - This validation collects the "istioConfig" configmap in the "istio-system" namespace.
+
+**POLICY** - This policy checks if metrics logging is supported by validating the Istio configuration.
+
+**NOTES** - Ensure that the Istio configmap is correctly configured and located in the "istio-system" namespace. The policy specifically looks for the `enablePrometheusMerge` field to be not set to `false`.
\ No newline at end of file
diff --git a/compliance/validations/istio/metrics-logging-configured/resources.json b/compliance/validations/istio/metrics-logging-configured/resources.json
new file mode 100644
index 000000000..f8161f0aa
--- /dev/null
+++ b/compliance/validations/istio/metrics-logging-configured/resources.json
@@ -0,0 +1,28 @@
+{
+ "istioConfig": {
+ "accessLogFile": "/dev/stdout",
+ "defaultConfig": {
+ "discoveryAddress": "istiod.istio-system.svc:15012",
+ "gatewayTopology": {
+ "forwardClientCertDetails": "SANITIZE"
+ },
+ "holdApplicationUntilProxyStarts": true,
+ "tracing": {
+ "zipkin": {
+ "address": "zipkin.istio-system:9411"
+ }
+ }
+ },
+ "defaultProviders": {
+ "metrics": [
+ "prometheus"
+ ]
+ },
+ "enablePrometheusMerge": true,
+ "pathNormalization": {
+ "normalization": "MERGE_SLASHES"
+ },
+ "rootNamespace": "istio-system",
+ "trustDomain": "cluster.local"
+ }
+}
\ No newline at end of file
diff --git a/compliance/validations/istio/metrics-logging-configured/tests.yaml b/compliance/validations/istio/metrics-logging-configured/tests.yaml
new file mode 100644
index 000000000..30a2f63e4
--- /dev/null
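Review bot: The HTTPS rule in `allowed_server` accepts only `SIMPLE` and `OPTIONAL_MUTUAL`, so a gateway server hardened to require client certificates with `mode: MUTUAL` (a valid Istio ServerTLSSettings mode) is reported as not encrypting ingress traffic, which is a false finding against a stricter posture than the one the policy accepts. Unless rejecting `MUTUAL` is intended, widen the set to `server.tls.mode in {"SIMPLE", "MUTUAL", "OPTIONAL_MUTUAL"}` and say so in the `# Check allowed server spec in gateway` comment. Separately, `every server in gateway.spec.servers` is vacuously true for a gateway with no servers; that is probably acceptable here, but a one-line comment such as `# a gateway with no servers exposes nothing and is treated as compliant` would make the intent explicit to the next reader.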
+++ b/compliance/validations/istio/metrics-logging-configured/tests.yaml
@@ -0,0 +1,15 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: change_enablePrometheusMerge_to_false
+ validation: validation.yaml
+ resources: resources.json
+ permutation: ".istioConfig.enablePrometheusMerge = false"
+ expected-validation: false
+ - test: change_enablePrometheusMerge_to_false
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.istioConfig.enablePrometheusMerge)"
+ expected-validation: true
diff --git a/compliance/validations/istio/metrics-logging-configured/validation.yaml b/compliance/validations/istio/metrics-logging-configured/validation.yaml
new file mode 100644
index 000000000..89df8a9e3
--- /dev/null
+++ b/compliance/validations/istio/metrics-logging-configured/validation.yaml
@@ -0,0 +1,44 @@
+metadata:
+ name: istio-metrics-logging-configured
+ uuid: 70d99754-2918-400c-ac9a-319f874fff90
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: istioConfig
+ resource-rule:
+ resource: configmaps
+ namespaces:
+ - istio-system
+ version: v1
+ name: istio
+ field:
+ jsonpath: .data.mesh
+ type: yaml
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Validate Istio configuration for metrics logging support
+ validate if {
+ check_metrics_enabled.result
+ }
+ msg = check_metrics_enabled.msg
+
+ check_metrics_enabled = { "result": false, "msg": msg } if {
+ input.istioConfig.enablePrometheusMerge == false
+ msg := "Metrics logging not supported."
+ } else = { "result": true, "msg": msg } if {
+ msg := "Metrics logging supported."
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
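Review bot: The second and third cases carry the same name, `change_enablePrometheusMerge_to_false`, although the third deletes the field and expects `true`; a duplicate test id makes a failure report ambiguous and may be silently deduplicated by the runner. Rename the third case to describe what it does, e.g. `- test: remove_enablePrometheusMerge`.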
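Review bot: `check_metrics_enabled` returns `{"result": true, ...}` whenever its first body fails, and that body is undefined (not just false) when `input.istioConfig` is missing, so an absent `istio` configmap, a missing `.data.mesh` key or a collection error all evaluate as "Metrics logging supported." with no evidence collected. The `else` branch should require the data to be present, e.g. `} else = { "result": true, "msg": msg } if {` followed by `input.istioConfig` on its own line before `msg := "Metrics logging supported."`, so the missing-data case falls through to the `default validate := false` / `"Not evaluated"` path instead of passing. The same fail-open shape is worth checking in the sibling validations this commit adds, such as ingress-traffic-encrypted, whose `count(gateways_disallowed) == 0` is also satisfied when `input.gateways` yields nothing.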
diff --git a/compliance/validations/istio/prometheus-annotations-validation/README.md b/compliance/validations/istio/prometheus-annotations-validation/README.md
new file mode 100644
index 000000000..558d2758a
--- /dev/null
+++ b/compliance/validations/istio/prometheus-annotations-validation/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-prometheus-annotations-validation
+
+**INPUT** - This validation collects all pods in the Kubernetes cluster.
+
+**POLICY** - This policy checks that all pods have the required Prometheus annotations for scraping metrics, except for those in exempted namespaces.
+
+**NOTES** - The exempted namespaces are "kube-system", "istio-system", "uds-dev-stack", and "zarf". Ensure that these namespaces are correct and update them if necessary.
\ No newline at end of file
diff --git a/compliance/validations/istio/prometheus-annotations-validation/resources.json b/compliance/validations/istio/prometheus-annotations-validation/resources.json
new file mode 100644
index 000000000..e50da5902
--- /dev/null
+++ b/compliance/validations/istio/prometheus-annotations-validation/resources.json
@@ -0,0 +1,25428 @@ +{ + "pods": [ + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:04Z", + "generateName": "metallb-controller-665d96757f-", + "labels": { + "app.kubernetes.io/component": "controller", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "pod-template-hash": "665d96757f" + }, + "name": "metallb-controller-665d96757f-c4zbp", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metallb-controller-665d96757f", + "uid": "3a41d478-929b-44df-a608-5a7fe1a2061e" + } + ], + "resourceVersion": "481", + "uid": "e740023f-2732-43fc-9e43-2da1b1dd23cf" + }, + "spec": { + "containers": [ + { + "args": [ + "--port=7472", + "--log-level=info", + "--tls-min-version=VersionTLS12" + ], + "env": [ + { + "name": "METALLB_ML_SECRET_NAME", + "value": "metallb-memberlist" + }, + { + "name": "METALLB_DEPLOYMENT", + "value": "metallb-controller" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/controller:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "controller", + "ports": [ + { + "containerPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 9443, + "name": "webhook-server", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + 
}, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/k8s-webhook-server/serving-certs", + "name": "cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-5t6md", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "metallb-controller", + "serviceAccountName": "metallb-controller", + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "cert", + "secret": { + "defaultMode": 420, + "secretName": "metallb-webhook-cert" + } + }, + { + "name": "kube-api-access-5t6md", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-06-07T14:33:24Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:24Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://08db9740afe6a09b0788cf25e61ccd86fde100ade543a17e053201310572095e", + "image": "quay.io/metallb/controller:v0.14.5", + "imageID": "quay.io/metallb/controller@sha256:3f776529447094c8d318baeb4f9efe024cf154859762ec3eefcd878b1fe8a01f", + "lastState": {}, + "name": "controller", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.3", + "podIPs": [ + { + "ip": "10.42.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:04Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:04Z", + "generateName": "metallb-speaker-", + "labels": { + "app.kubernetes.io/component": "speaker", + "app.kubernetes.io/instance": "metallb", + "app.kubernetes.io/name": "metallb", + "controller-revision-hash": "6c7b58bfd7", + "pod-template-generation": "1" + }, + "name": "metallb-speaker-w768g", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "metallb-speaker", + "uid": "b879fca1-6a2f-45ce-a137-337089d7c368" + } + ], + "resourceVersion": "530", + "uid": "f0b25b25-81a5-4cb7-910e-8197958949c6" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + 
"containers": [ + { + "args": [ + "--port=7472", + "--log-level=info" + ], + "env": [ + { + "name": "METALLB_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "METALLB_HOST", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "METALLB_ML_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "METALLB_ML_LABELS", + "value": "app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker" + }, + { + "name": "METALLB_ML_BIND_PORT", + "value": "7946" + }, + { + "name": "METALLB_ML_SECRET_KEY_PATH", + "value": "/etc/ml_secret_key" + }, + { + "name": "FRR_CONFIG_FILE", + "value": "/etc/frr_reloader/frr.conf" + }, + { + "name": "FRR_RELOADER_PID_FILE", + "value": "/etc/frr_reloader/reloader.pid" + }, + { + "name": "METALLB_BGP_TYPE", + "value": "frr" + } + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "speaker", + "ports": [ + { + "containerPort": 7472, + "hostPort": 7472, + "name": "monitoring", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-tcp", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "hostPort": 7946, + "name": "memberlist-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/metrics", + "port": "monitoring", + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_RAW" + ], + 
"drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/ml_secret_key", + "name": "memberlist" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/etc/metallb", + "name": "metallb-excludel2" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/sbin/tini -- /usr/lib/frr/docker-start \u0026\nattempts=0\nuntil [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do\n sleep 1\n attempts=$(( $attempts + 1 ))\ndone\ntail -f /etc/frr/frr.log\n" + ], + "env": [ + { + "name": "TINI_SUBREAPER", + "value": "true" + } + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "livez", + "port": 7473, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "frr", + "resources": {}, + "securityContext": { + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW", + "SYS_ADMIN", + "NET_BIND_SERVICE" + ] + } + }, + "startupProbe": { + "failureThreshold": 30, + "httpGet": { + "path": "/livez", + "port": 7473, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/etc/frr_reloader/frr-reloader.sh" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + 
"name": "reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "args": [ + "--metrics-port=7473" + ], + "command": [ + "/etc/frr_metrics/frr-metrics" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "frr-metrics", + "ports": [ + { + "containerPort": 7473, + "hostPort": 7473, + "name": "monitoring", + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/frr", + "name": "frr-sockets" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostNetwork": true, + "initContainers": [ + { + "command": [ + "/bin/sh", + "-c", + "cp -rLf /tmp/frr/* /etc/frr/" + ], + "image": "quay.io/frrouting/frr:9.0.2", + "imagePullPolicy": "IfNotPresent", + "name": "cp-frr-files", + "resources": {}, + "securityContext": { + "runAsGroup": 101, + "runAsUser": 100 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/frr", + "name": "frr-startup" + }, + { + "mountPath": "/etc/frr", + "name": "frr-conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + 
"/bin/sh", + "-c", + "cp -f /frr-reloader.sh /etc/frr_reloader/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-reloader", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_reloader", + "name": "reloader" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "cp -f /frr-metrics /etc/frr_metrics/" + ], + "image": "quay.io/metallb/speaker:v0.14.5", + "imagePullPolicy": "IfNotPresent", + "name": "cp-metrics", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/frr_metrics", + "name": "metrics" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qm2q8", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "metallb-speaker", + "serviceAccountName": "metallb-speaker", + "shareProcessNamespace": true, + "terminationGracePeriodSeconds": 0, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": 
"node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/network-unavailable", + "operator": "Exists" + } + ], + "volumes": [ + { + "name": "memberlist", + "secret": { + "defaultMode": 420, + "secretName": "metallb-memberlist" + } + }, + { + "configMap": { + "defaultMode": 256, + "name": "metallb-excludel2" + }, + "name": "metallb-excludel2" + }, + { + "emptyDir": {}, + "name": "frr-sockets" + }, + { + "configMap": { + "defaultMode": 420, + "name": "metallb-frr-startup" + }, + "name": "frr-startup" + }, + { + "emptyDir": {}, + "name": "frr-conf" + }, + { + "emptyDir": {}, + "name": "reloader" + }, + { + "emptyDir": {}, + "name": "metrics" + }, + { + "name": "kube-api-access-qm2q8", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:17Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:28Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:28Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:04Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": 
"containerd://a4fcaa6986eea88b60934b08f03c1dc5c4d826fc033dc5cbe7f356992eca4242", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://8407398896d1bcf0c628096b3912e48cde1e11dc3680ffa57924c6daec04ae85", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "frr-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://dc156a3e9ffa1c3782ab106f8c522dd7adcd19bb8d695cad2c1ec31ce9b10bba", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": "quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + }, + { + "containerID": "containerd://bf432de657a6b004d9c8fdb5c720fa47b5c464c82bef28f2d5bee4e148081c06", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "speaker", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c4d49eb82f8230b3c0dd686fd997dd443a8a5f468a10d184f80e6dfc87bb328a", + "image": "quay.io/frrouting/frr:9.0.2", + "imageID": 
"quay.io/frrouting/frr@sha256:086acb1278fe86118345f456a1fbfafb80c34d03f7bca9137da0729a1aee5e9c", + "lastState": {}, + "name": "cp-frr-files", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c4d49eb82f8230b3c0dd686fd997dd443a8a5f468a10d184f80e6dfc87bb328a", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:12Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:12Z" + } + } + }, + { + "containerID": "containerd://a3e7a06367976cd6d1422cb538b080051a347f777b266c56c359b733df3534a6", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a3e7a06367976cd6d1422cb538b080051a347f777b266c56c359b733df3534a6", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:16Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:16Z" + } + } + }, + { + "containerID": "containerd://36e42d6bb3d9a9008283fd26ee4ef97cbad58d541a323a0f89b10f9b1589c131", + "image": "quay.io/metallb/speaker:v0.14.5", + "imageID": "quay.io/metallb/speaker@sha256:34e9cc2db6d83ca3ad4d92a6e2eadaf6b78be65621798e90827041749898acc0", + "lastState": {}, + "name": "cp-metrics", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://36e42d6bb3d9a9008283fd26ee4ef97cbad58d541a323a0f89b10f9b1589c131", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:17Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "172.19.0.3", + "podIPs": [ + { + "ip": "172.19.0.3" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:04Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + 
"generateName": "nginx-", + "labels": { + "controller-revision-hash": "796f655567", + "name": "nginx", + "pod-template-generation": "1", + "sidecar.istio.io/inject": "false" + }, + "name": "nginx-7x5gk", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "nginx", + "uid": "3355c296-e86c-45ff-8c40-dc211381667d" + } + ], + "resourceVersion": "543", + "uid": "4dbe8047-3902-49f7-9891-0ea680b055a3" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "command": [ + "nginx", + "-g", + "daemon off;" + ], + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "TCP" + }, + { + "containerPort": 443, + "hostPort": 443, + "protocol": "TCP" + } + ], + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx/nginx.conf", + "name": "config-volume", + "subPath": "nginx.conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-c2r2d", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { 
+ "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "nginx-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-c2r2d", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://028a3419e247aa5b5b2693982ee5b406eca570e24368a7bae6b40772ec846f59", + "image": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx:alpine-1.25.3", + "imageID": "ghcr.io/defenseunicorns/oss/uds-k3d-nginx@sha256:a59278fd22a9d411121e190b8cec8aa57b306aa3332459197777583beb728f59", + "lastState": {}, + 
"name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.6", + "podIPs": [ + { + "ip": "10.42.0.6" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "local-path-provisioner-6d9d9b57c9-", + "labels": { + "app": "local-path-provisioner", + "pod-template-hash": "6d9d9b57c9" + }, + "name": "local-path-provisioner-6d9d9b57c9-sxjml", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "local-path-provisioner-6d9d9b57c9", + "uid": "b3198f06-8d33-4c0c-a046-9e8a7b60c4d1" + } + ], + "resourceVersion": "545", + "uid": "d9ef6be9-697f-486d-9a68-94c125eb76d6" + }, + "spec": { + "containers": [ + { + "command": [ + "local-path-provisioner", + "--debug", + "start", + "--config", + "/etc/config/config.json" + ], + "env": [ + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + } + ], + "image": "rancher/local-path-provisioner:v0.0.26", + "imagePullPolicy": "IfNotPresent", + "name": "local-path-provisioner", + "resources": {}, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config/", + "name": "config-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-v9kg6", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + 
"securityContext": {}, + "serviceAccount": "local-path-provisioner-service-account", + "serviceAccountName": "local-path-provisioner-service-account", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "name": "local-path-config" + }, + "name": "config-volume" + }, + { + "name": "kube-api-access-v9kg6", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4d11a1ed56c82487ffc5f18d3eb5f53af22cad148f4a082801e7435d1fed378d", + "image": "docker.io/rancher/local-path-provisioner:v0.0.26", + "imageID": "docker.io/rancher/local-path-provisioner@sha256:aee53cadc62bd023911e7f077877d047c5b3c269f9bba25724d558654f43cea0", + "lastState": {}, + "name": "local-path-provisioner", + "ready": 
true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.5", + "podIPs": [ + { + "ip": "10.42.0.5" + } + ], + "qosClass": "BestEffort", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:33:26Z", + "generateName": "ensure-machine-id-", + "labels": { + "controller-revision-hash": "555967fc7b", + "name": "ensure-machine-id", + "pod-template-generation": "1" + }, + "name": "ensure-machine-id-df5h9", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "ensure-machine-id", + "uid": "03af65b4-778e-484a-98a9-ed00fb1109ce" + } + ], + "resourceVersion": "584", + "uid": "002c58a5-786d-41ff-acb4-1abab62bbd40" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "image": "registry.k8s.io/pause:3.9", + "imagePullPolicy": "IfNotPresent", + "name": "pause", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" + }, + "requests": { + "cpu": "100m", + "memory": "50Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-j2rl4", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "initContainers": [ + { + "args": [ + "echo \"B0D07F1F43F246409516ADBDCCC86FCE\" \u003e /mnt/host/etc/machine-id;" + ], + "command": [ + "/bin/sh", + "-c" + ], + "image": 
"cgr.dev/chainguard/wolfi-base:latest", + "imagePullPolicy": "Always", + "name": "generate-machine-id", + "resources": {}, + "securityContext": { + "privileged": true, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/mnt/host/etc", + "name": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-j2rl4", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-j2rl4", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } 
+ } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:30Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:32Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:32Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:26Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d14b7ef126f21af0b85aef91ee06b04ecb9c383641a6819bcacf24cb0da4762f", + "image": "registry.k8s.io/pause:3.9", + "imageID": "registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097", + "lastState": {}, + "name": "pause", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:31Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://32c24b23288ec1f9e850f1f905a88969c275a3c2b43f0c87a0256bf7ab7970e4", + "image": "cgr.dev/chainguard/wolfi-base:latest", + "imageID": "cgr.dev/chainguard/wolfi-base@sha256:3eff851ab805966c768d2a8107545a96218426cee1e5cc805865505edbe6ce92", + "lastState": {}, + "name": "generate-machine-id", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://32c24b23288ec1f9e850f1f905a88969c275a3c2b43f0c87a0256bf7ab7970e4", + "exitCode": 0, + "finishedAt": "2024-06-07T14:33:29Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:33:29Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.4", + "podIPs": [ + { + "ip": "10.42.0.4" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:26Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": 
"25ba5a36ee6bd1887b73590eee26c55e5673fbf1ef59d3f2e380255cea24fc78", + "checksum/secrets": "9dfc3e7275d6373dbf1aee60edc7c0db19fb00875cd3723b020c629dc646ba0c" + }, + "creationTimestamp": "2024-06-07T14:33:31Z", + "generateName": "minio-9f479d889-", + "labels": { + "app": "minio", + "pod-template-hash": "9f479d889", + "release": "minio" + }, + "name": "minio-9f479d889-79crp", + "namespace": "uds-dev-stack", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "minio-9f479d889", + "uid": "86fe59b2-087f-4990-9af8-43af36787cdf" + } + ], + "resourceVersion": "608", + "uid": "85ddc048-b51c-4719-a904-5ac2ffba2ac0" + }, + "spec": { + "containers": [ + { + "command": [ + "/bin/sh", + "-ce", + "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + ], + "env": [ + { + "name": "MINIO_ROOT_USER", + "valueFrom": { + "secretKeyRef": { + "key": "rootUser", + "name": "minio" + } + } + }, + { + "name": "MINIO_ROOT_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "rootPassword", + "name": "minio" + } + } + }, + { + "name": "MINIO_PROMETHEUS_AUTH_TYPE", + "value": "public" + } + ], + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imagePullPolicy": "IfNotPresent", + "name": "minio", + "ports": [ + { + "containerPort": 9000, + "name": "http", + "protocol": "TCP" + }, + { + "containerPort": 9001, + "name": "http-console", + "protocol": "TCP" + } + ], + "resources": { + "requests": { + "cpu": "150m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/credentials", + "name": "minio-user", + "readOnly": true + }, + { + "mountPath": "/export", + "name": "export" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4xhl7", + "readOnly": true + } + ] + } + ], + 
"dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "fsGroupChangePolicy": "OnRootMismatch", + "runAsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "minio-sa", + "serviceAccountName": "minio-sa", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "export", + "persistentVolumeClaim": { + "claimName": "minio" + } + }, + { + "name": "minio-user", + "secret": { + "defaultMode": 420, + "secretName": "minio" + } + }, + { + "name": "kube-api-access-4xhl7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:35Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:39Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:39Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:35Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + 
"containerID": "containerd://7fb60fb93818d05af7391888524a93b66ef610b3765ad5936c89a4f8f2f3c7be", + "image": "quay.io/minio/minio:RELEASE.2024-04-18T19-09-19Z", + "imageID": "quay.io/minio/minio@sha256:036a068d7d6b69400da6bc07a480bee1e241ef3c341c41d988ed11f520f85124", + "lastState": {}, + "name": "minio", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:33:38Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.8", + "podIPs": [ + { + "ip": "10.42.0.8" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:35Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "kubectl.kubernetes.io/restartedAt": "2024-06-07T10:33:46-04:00" + }, + "creationTimestamp": "2024-06-07T14:33:46Z", + "generateName": "coredns-c7b7755fc-", + "labels": { + "k8s-app": "kube-dns", + "pod-template-hash": "c7b7755fc" + }, + "name": "coredns-c7b7755fc-brsr4", + "namespace": "kube-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "coredns-c7b7755fc", + "uid": "191bb204-9378-4221-bacd-9cab0aa1d834" + } + ], + "resourceVersion": "685", + "uid": "9e2faf64-250f-4b40-806f-c84e9429763b" + }, + "spec": { + "containers": [ + { + "args": [ + "-conf", + "/etc/coredns/Corefile" + ], + "image": "rancher/mirrored-coredns-coredns:1.10.1", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/health", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "coredns", + "ports": [ + { + "containerPort": 53, + "name": "dns", + "protocol": "UDP" + }, + { + "containerPort": 53, + "name": "dns-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9153, + "name": "metrics", + "protocol": "TCP" + } + ], + "readinessProbe": 
{ + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8181, + "scheme": "HTTP" + }, + "periodSeconds": 2, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "memory": "170Mi" + }, + "requests": { + "cpu": "100m", + "memory": "70Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_BIND_SERVICE" + ], + "drop": [ + "all" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/coredns", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/coredns/custom", + "name": "custom-config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lmgf5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "Default", + "enableServiceLinks": true, + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + "kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "coredns", + "serviceAccountName": "coredns", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "CriticalAddonsOnly", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "topologySpreadConstraints": [ + { + "labelSelector": { + 
"matchLabels": { + "k8s-app": "kube-dns" + } + }, + "maxSkew": 1, + "topologyKey": "kubernetes.io/hostname", + "whenUnsatisfiable": "DoNotSchedule" + } + ], + "volumes": [ + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "Corefile", + "path": "Corefile" + }, + { + "key": "NodeHosts", + "path": "NodeHosts" + } + ], + "name": "coredns" + }, + "name": "config-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "coredns-custom", + "optional": true + }, + "name": "custom-config-volume" + }, + { + "name": "kube-api-access-lmgf5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:46Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:33:46Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://cd5aa584f79006e655641cd4f6c724cb161d759d106861700c23bd3f23fc628a", + "image": "docker.io/rancher/mirrored-coredns-coredns:1.10.1", + "imageID": "docker.io/rancher/mirrored-coredns-coredns@sha256:a11fafae1f8037cbbd66c5afa40ba2423936b72b4fd50a7034a7e8b955163594", + "lastState": {}, + "name": "coredns", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + 
"startedAt": "2024-06-07T14:33:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.10", + "podIPs": [ + { + "ip": "10.42.0.10" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:33:46Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "ebbd974057077dd4d2977c2e448b94c77c696bf3491d474c2483511093e5e992" + }, + "creationTimestamp": "2024-06-07T14:34:14Z", + "generateName": "zarf-docker-registry-7dc948f55b-", + "labels": { + "app": "docker-registry", + "pod-template-hash": "7dc948f55b", + "release": "zarf-docker-registry", + "zarf.dev/agent": "ignore" + }, + "name": "zarf-docker-registry-7dc948f55b-n4hpx", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "zarf-docker-registry-7dc948f55b", + "uid": "f6ac21e6-98d4-49b9-9fe7-8c6376954d90" + } + ], + "resourceVersion": "841", + "uid": "1f775090-2171-41ae-ae78-42c25c1c086e" + }, + "spec": { + "affinity": { + "podAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "docker-registry" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "command": [ + "/bin/registry", + "serve", + "/etc/docker/registry/config.yml" + ], + "env": [ + { + "name": "REGISTRY_AUTH", + "value": "htpasswd" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_REALM", + "value": "Registry Realm" + }, + { + "name": "REGISTRY_AUTH_HTPASSWD_PATH", + "value": "/etc/docker/registry/htpasswd" + }, + { + "name": "REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY", + "value": "/var/lib/registry" + }, + { + "name": "REGISTRY_STORAGE_DELETE_ENABLED", + "value": "true" + } + ], + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imagePullPolicy": 
"IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "docker-registry", + "ports": [ + { + "containerPort": 5000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/", + "port": 5000, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "3", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/lib/registry/", + "name": "data" + }, + { + "mountPath": "/etc/docker/registry", + "name": "config" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-5mtk7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "config", + "secret": { + "defaultMode": 420, + "items": [ + { + "key": "configData", + "path": "config.yml" + }, + { + "key": "htpasswd", + "path": "htpasswd" + } 
+ ], + "secretName": "zarf-docker-registry-secret" + } + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "zarf-docker-registry" + } + }, + { + "name": "kube-api-access-5mtk7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:14Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:15Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:15Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:14Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f562cd15f5f447c467ee157d139a1f5dce710856856ddd4e53437a966d781620", + "image": "127.0.0.1:31999/library/registry:2.8.3", + "imageID": "127.0.0.1:31999/library/registry@sha256:53ee3286cf0400c2ec957e31594c77439ec959e26ca00c8264c5ce521f7859ac", + "lastState": {}, + "name": "docker-registry", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:15Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.14", + "podIPs": [ + { + "ip": "10.42.0.14" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:14Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:34:19Z", + "generateName": 
"agent-hook-fd5f6b7fd-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "fd5f6b7fd", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-fd5f6b7fd-mtvhh", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-fd5f6b7fd", + "uid": "94e69251-8d88-4f9c-8c33-a3fd90fb4696" + } + ], + "resourceVersion": "914", + "uid": "3ede9ea5-a576-4c01-ad3c-ce836132369f" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-vnl6m", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + 
"effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-vnl6m", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8cddd8d76762dc47dd960f1fb3a06387316623cfed5b83b33d66c6dca78cc375", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:f326633a23b6ecaf74ba7f4f115c24e47e78b7564116d40da978b2deb0840063", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:20Z" + } + } + } + ], + "hostIP": 
"172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.16", + "podIPs": [ + { + "ip": "10.42.0.16" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "creationTimestamp": "2024-06-07T14:34:19Z", + "generateName": "agent-hook-fd5f6b7fd-", + "labels": { + "app": "agent-hook", + "pod-template-hash": "fd5f6b7fd", + "zarf.dev/agent": "ignore" + }, + "name": "agent-hook-fd5f6b7fd-m9jnz", + "namespace": "zarf", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "agent-hook-fd5f6b7fd", + "uid": "94e69251-8d88-4f9c-8c33-a3fd90fb4696" + } + ], + "resourceVersion": "918", + "uid": "986f6460-eced-4b5d-a6fd-027720d12a79" + }, + "spec": { + "containers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/healthz", + "port": 8443, + "scheme": "HTTPS" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 8443, + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "128Mi" + }, + "requests": { + "cpu": "100m", + "memory": "32Mi" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/.config", + "name": "config" + }, + { + "mountPath": "/etc/xdg", + "name": "xdg" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-qnxt2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": 
"PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "zarf", + "serviceAccountName": "zarf", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "agent-hook-tls" + } + }, + { + "emptyDir": {}, + "name": "config" + }, + { + "emptyDir": {}, + "name": "xdg" + }, + { + "name": "kube-api-access-qnxt2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:21Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:34:19Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://2bf73e9bfba5d66e92bbc74eb399f1edffa21d83d8b5733d5000dc4cf1748169", + "image": "127.0.0.1:31999/defenseunicorns/zarf/agent:v0.34.0", + 
"imageID": "127.0.0.1:31999/defenseunicorns/zarf/agent@sha256:f326633a23b6ecaf74ba7f4f115c24e47e78b7564116d40da978b2deb0840063", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:34:20Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.15", + "podIPs": [ + { + "ip": "10.42.0.15" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:34:19Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "prometheus.io/port": "15014", + "prometheus.io/scrape": "true", + "sidecar.istio.io/inject": "false" + }, + "creationTimestamp": "2024-06-07T14:35:55Z", + "generateName": "istiod-5d75444496-", + "labels": { + "app": "istiod", + "install.operator.istio.io/owning-resource": "unknown", + "istio": "pilot", + "istio.io/dataplane-mode": "none", + "istio.io/rev": "default", + "operator.istio.io/component": "Pilot", + "pod-template-hash": "5d75444496", + "sidecar.istio.io/inject": "false", + "zarf-agent": "patched" + }, + "name": "istiod-5d75444496-t85z7", + "namespace": "istio-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "istiod-5d75444496", + "uid": "88b31cbe-f985-49e4-b634-6432dd86b2f8" + } + ], + "resourceVersion": "1136", + "uid": "4d592fa4-18fa-46cd-b2df-f1a74f0c1507" + }, + "spec": { + "containers": [ + { + "args": [ + "discovery", + "--monitoringAddr=:15014", + "--log_output_level=default:info", + "--domain", + "cluster.local", + "--keepaliveMaxServerConnectionAge", + "30m" + ], + "env": [ + { + "name": "REVISION", + "value": "default" + }, + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + 
"apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "KUBECONFIG", + "value": "/var/run/secrets/remote/config" + }, + { + "name": "PILOT_TRACE_SAMPLING", + "value": "1" + }, + { + "name": "PILOT_ENABLE_ANALYSIS", + "value": "false" + }, + { + "name": "CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PLATFORM" + } + ], + "image": "127.0.0.1:31999/istio/pilot:1.22.1-distroless-zarf-4264239833", + "imagePullPolicy": "IfNotPresent", + "name": "discovery", + "ports": [ + { + "containerPort": 8080, + "protocol": "TCP" + }, + { + "containerPort": 15010, + "protocol": "TCP" + }, + { + "containerPort": 15017, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/ready", + "port": 8080, + "scheme": "HTTP" + }, + "initialDelaySeconds": 1, + "periodSeconds": 3, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "requests": { + "cpu": "500m", + "memory": "2Gi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istio-dns", + "name": "local-certs" + }, + { + "mountPath": "/etc/cacerts", + "name": "cacerts", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/remote", + "name": "istio-kubeconfig", + "readOnly": 
true + }, + { + "mountPath": "/var/run/secrets/istiod/tls", + "name": "istio-csr-dns-cert", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/istiod/ca", + "name": "istio-csr-ca-configmap", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-d9gkx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "istiod", + "serviceAccountName": "istiod", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "key": "cni.istio.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": { + "medium": "Memory" + }, + "name": "local-certs" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "name": "cacerts", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "cacerts" + } + }, + { + "name": "istio-kubeconfig", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istio-kubeconfig" + } + }, + { + "name": "istio-csr-dns-cert", + "secret": { + "defaultMode": 420, + "optional": true, + "secretName": "istiod-tls" + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert", + "optional": true + }, + "name": "istio-csr-ca-configmap" + }, + { + "name": "kube-api-access-d9gkx", + 
"projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:57Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:57Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:35:55Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c6dab073a0e0c52d289f345b2528e4613895bd5ac971b31324e8bc681627671c", + "image": "127.0.0.1:31999/istio/pilot:1.22.1-distroless-zarf-4264239833", + "imageID": "127.0.0.1:31999/istio/pilot@sha256:6ee01043f85cb2818363c5a7a2bf2f9ec191f2dc3d5353f97cedfa6678b94068", + "lastState": {}, + "name": "discovery", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:35:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.17", + "podIPs": [ + { + "ip": "10.42.0.17" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:35:55Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": 
"{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-wzbh2\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:02Z", + "generateName": "admin-ingressgateway-65c568569f-", + "labels": { + "app": "admin-ingressgateway", + "istio": "admin-ingressgateway", + "pod-template-hash": "65c568569f", + "service.istio.io/canonical-name": "admin-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "admin-ingressgateway-65c568569f-wfqd2", + "namespace": "istio-admin-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "admin-ingressgateway-65c568569f", + "uid": "cc279224-2176-4244-a31b-9cec94764295" + } + ], + "resourceVersion": "1207", + "uid": "f9b9118d-b6f1-4fac-ba20-0bf60638041d" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + 
"--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "admin-ingressgateway" + }, 
+ { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-admin-gateway/deployments/admin-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-wzbh2", + "readOnly": true + } + ] + } + ], + "dnsPolicy": 
"ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "admin-ingressgateway", + "serviceAccountName": "admin-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-wzbh2", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": 
"ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:02Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:05Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:05Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:02Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://63b925a8e3ccd6439ad7bcb4ed945b66f168ccbf8ad0b2c985f5da3792755cff", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:05Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.18", + "podIPs": [ + { + "ip": "10.42.0.18" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:02Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": 
"{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-78bfd\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:08Z", + "generateName": "tenant-ingressgateway-79d5d77d67-", + "labels": { + "app": "tenant-ingressgateway", + "istio": "tenant-ingressgateway", + "pod-template-hash": "79d5d77d67", + "service.istio.io/canonical-name": "tenant-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "tenant-ingressgateway-79d5d77d67-j9m2x", + "namespace": "istio-tenant-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "tenant-ingressgateway-79d5d77d67", + "uid": "db714c67-44f2-4df3-b86b-81568c3b036e" + } + ], + "resourceVersion": "1261", + "uid": "b5dacd2c-6548-41b4-a176-c10cc4c9c3ae" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + 
"--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "tenant-ingressgateway" + }, 
+ { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-tenant-gateway/deployments/tenant-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-78bfd", + "readOnly": true + } + ] + } + ], + "dnsPolicy": 
"ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "tenant-ingressgateway", + "serviceAccountName": "tenant-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-78bfd", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + 
"path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:08Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:08Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://48317375bcb597f850cc3ae14d3f7c3d6b5d3695669388c87d433c6445812be0", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:09Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.19", + "podIPs": [ + { + "ip": "10.42.0.19" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:08Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "inject.istio.io/templates": "gateway", + "istio.io/rev": "default", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/overrides": 
"{\"containers\":[{\"name\":\"istio-proxy\",\"ports\":[{\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}],\"resources\":{\"limits\":{\"cpu\":\"2\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"100m\",\"memory\":\"128Mi\"}},\"volumeMounts\":[{\"name\":\"kube-api-access-8qtkj\",\"readOnly\":true,\"mountPath\":\"/var/run/secrets/kubernetes.io/serviceaccount\"}],\"terminationMessagePath\":\"/dev/termination-log\",\"terminationMessagePolicy\":\"File\",\"imagePullPolicy\":\"Always\",\"securityContext\":{\"capabilities\":{\"drop\":[\"ALL\"]},\"privileged\":false,\"runAsUser\":1337,\"runAsGroup\":1337,\"runAsNonRoot\":true,\"readOnlyRootFilesystem\":true,\"allowPrivilegeEscalation\":false}}]}", + "sidecar.istio.io/inject": "true", + "sidecar.istio.io/status": "{\"initContainers\":null,\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:12Z", + "generateName": "passthrough-ingressgateway-77f78c89b5-", + "labels": { + "app": "passthrough-ingressgateway", + "istio": "passthrough-ingressgateway", + "pod-template-hash": "77f78c89b5", + "service.istio.io/canonical-name": "passthrough-ingressgateway", + "service.istio.io/canonical-revision": "latest", + "sidecar.istio.io/inject": "true", + "zarf-agent": "patched" + }, + "name": "passthrough-ingressgateway-77f78c89b5-rt6c7", + "namespace": "istio-passthrough-gateway", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "passthrough-ingressgateway-77f78c89b5", + "uid": "de9c5861-af93-40d7-9e91-c3460186cbb0" + } + ], + "resourceVersion": "1322", + "uid": "4de86155-37d2-40ee-b162-5e55980f6168" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "router", + "--domain", + 
"$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-envoy-prom\",\"containerPort\":15090,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_APP_CONTAINERS" + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", 
+ "value": "passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/istio-passthrough-gateway/deployments/passthrough-ingressgateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "Always", + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8qtkj", + 
"readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "sysctls": [ + { + "name": "net.ipv4.ip_unprivileged_port_start", + "value": "0" + } + ] + }, + "serviceAccount": "passthrough-ingressgateway", + "serviceAccountName": "passthrough-ingressgateway", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-8qtkj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + 
"configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:12Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:13Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:13Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:12Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://e206625af18cbc0abf79da22cee66dcb995356e62bc47fb6c940541b84f6a63b", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:13Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "phase": "Running", + "podIP": "10.42.0.20", + "podIPs": [ + { + "ip": "10.42.0.20" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:12Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-7fbff558dc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "7fbff558dc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-7fbff558dc-tq2p7", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-7fbff558dc", + "uid": "4b37bd01-3881-4f93-a050-26d4a39699b4" + } + ], + "resourceVersion": "1481", + "uid": "953e1f27-cf16-4a8f-86dc-8629870f18ce" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + 
"valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + 
{ + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + 
"value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + 
"1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-m7wwh", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { 
+ "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-m7wwh", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + 
"containerID": "containerd://9a0e0bcb70b99980e5169fffe5d9d7f1d5a951f0854657f0f839a30fcd1b3b40", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://7cb57a3d0fca3d0cb26e8c1aa3dd514a533b50c84147e63b890a2f604d82940b", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://854c7cc3006ab176f0a6a48cf04f4fd44a229d7f21a7c3e860c5c0afa5c5bef9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://854c7cc3006ab176f0a6a48cf04f4fd44a229d7f21a7c3e860c5c0afa5c5bef9", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:17Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.22", + "podIPs": [ + { + "ip": "10.42.0.22" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": 
"default", + "kubectl.kubernetes.io/default-container": "watcher", + "kubectl.kubernetes.io/default-logs-container": "watcher", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-watcher-79c68864c4-", + "labels": { + "app": "pepr-uds-core-watcher", + "pepr.dev/controller": "watcher", + "pod-template-hash": "79c68864c4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core-watcher", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-watcher-79c68864c4-xhbm7", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-watcher-79c68864c4", + "uid": "10d3f35e-1c57-45d0-bca6-92456b1d7455" + } + ], + "resourceVersion": "1485", + "uid": "c060c7d4-07c5-444c-a85d-edc84b2f3ffe" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + 
}, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "watcher" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core-watcher" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": 
"{\"/app-health/watcher/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/watcher/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + 
"mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "true" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "watcher", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/watcher/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", + "readOnly": true + }, + { + 
"mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-65jv4", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + 
"operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-65jv4", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + 
"lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://acc85506cb258f16a813e4af7efaa3a11ed88415951477118f40740835e78d21", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://0a48365f908b95ba85b41024755e658282379c6fbbe4fd2b733c7d67d584104c", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "watcher", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://9e37e9537e6bbb8fa43ff44c3b4a389367aff2fd33aa0992bfe5a08dcdeccd80", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://9e37e9537e6bbb8fa43ff44c3b4a389367aff2fd33aa0992bfe5a08dcdeccd80", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:18Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:18Z" + } + } + } + ], + "phase": 
"Running", + "podIP": "10.42.0.23", + "podIPs": [ + { + "ip": "10.42.0.23" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "buildTimestamp": "1717701911533", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "server", + "kubectl.kubernetes.io/default-logs-container": "server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}" + }, + "creationTimestamp": "2024-06-07T14:36:17Z", + "generateName": "pepr-uds-core-7fbff558dc-", + "labels": { + "app": "pepr-uds-core", + "pepr.dev/controller": "admission", + "pod-template-hash": "7fbff558dc", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "pepr-uds-core", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "pepr-uds-core-7fbff558dc-2222r", + "namespace": "pepr-system", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "pepr-uds-core-7fbff558dc", + "uid": "4b37bd01-3881-4f93-a050-26d4a39699b4" + } + ], + "resourceVersion": "1491", + "uid": "e4b36744-977b-4c37-b7c6-20822f309a5b" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + 
"name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"containerPort\":3000,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "pepr-uds-core" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/pepr-system/deployments/pepr-uds-core" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": 
"ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/server/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/server/readyz\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":3000,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + 
"name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + }, + { + "command": [ + "node", + "/app/node_modules/pepr/dist/controller.js", + "37b63af8e3363f0cbaf741d871cec5371c02cd285632b085a9aca57c6955f9ad" + ], + "env": [ + { + "name": "PEPR_WATCH_MODE", + "value": "false" + }, + { + "name": "PEPR_PRETTY_LOG", + "value": "false" + }, + { + "name": "LOG_LEVEL", + "value": "debug" + }, + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "UDS_ALLOW_ALL_NS_EXEMPTIONS", + "value": "###ZARF_VAR_ALLOW_ALL_NS_EXEMPTIONS###" + }, + { + "name": "UDS_SINGLE_TEST", + "value": "###ZARF_VAR_UDS_SINGLE_TEST###" + } + ], + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "server", + "ports": [ + { + "containerPort": 3000, + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "256Mi" + }, + "requests": { + "cpu": "100m", + "memory": "64Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/certs", + "name": "tls-certs", 
+ "readOnly": true + }, + { + "mountPath": "/app/api-token", + "name": "api-token", + "readOnly": true + }, + { + "mountPath": "/app/load", + "name": "module", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-whp7d", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000001000, + "priorityClassName": "system-node-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65532, + "runAsGroup": 65532, + "runAsNonRoot": true, + "runAsUser": 65532 + }, + "serviceAccount": "pepr-uds-core", + "serviceAccountName": "pepr-uds-core", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + 
"key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-certs", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-tls" + } + }, + { + "name": "api-token", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-api-token" + } + }, + { + "name": "module", + "secret": { + "defaultMode": 420, + "secretName": "pepr-uds-core-module" + } + }, + { + "name": "kube-api-access-whp7d", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { 
+ "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:18Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:27Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:17Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://dea96fb5ce3413827270115e359aa31f216fdacac06ed4883cdea945173400f3", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:19Z" + } + } + }, + { + "containerID": "containerd://bb85111c39f918e33eb7073c1cf1f539098aa052d5a5480943e08ab5ef2c7b0a", + "image": "127.0.0.1:31999/defenseunicorns/pepr/controller:v0.31.1-zarf-804409620", + "imageID": "127.0.0.1:31999/defenseunicorns/pepr/controller@sha256:3e21ce610d2ca67e31154a7d3f3afbe641f0b1fdd9616ad854fc34fb9bce8507", + "lastState": {}, + "name": "server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:21Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c56fd4106095f4ebb9fb1d74adc644851d72b70aa6a5b6201c1f307c0494cc3f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + 
"terminated": { + "containerID": "containerd://c56fd4106095f4ebb9fb1d74adc644851d72b70aa6a5b6201c1f307c0494cc3f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:18Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:36:17Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.21", + "podIPs": [ + { + "ip": "10.42.0.21" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:17Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "metrics-server", + "kubectl.kubernetes.io/default-logs-container": "metrics-server", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:36:36Z", + "generateName": "metrics-server-69584cc865-", + "labels": { + "app.kubernetes.io/instance": "metrics-server", + "app.kubernetes.io/name": "metrics-server", + "pod-template-hash": "69584cc865", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "metrics-server", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "metrics-server-69584cc865-qf86j", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "metrics-server-69584cc865", + "uid": "135cc85a-83a7-4082-bfa9-b7d302ad5b20" + } + ], + "resourceVersion": "1611", + "uid": 
"c188458e-8c7e-42b3-bfd9-7efbb0ac9bf2" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "metrics-server" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + 
"fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "metrics-server" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/metrics-server/deployments/metrics-server" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/metrics-server/livez\":{\"httpGet\":{\"path\":\"/livez\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1},\"/app-health/metrics-server/readyz\":{\"httpGet\":{\"path\":\"/readyz\",\"port\":10250,\"scheme\":\"HTTPS\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + 
"volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + }, + { + "args": [ + "--secure-port=10250", + "--cert-dir=/tmp", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--kubelet-use-node-status-port", + "--metric-resolution=15s", + "--authorization-always-allow-paths=/metrics" + ], + "image": "127.0.0.1:31999/metrics-server/metrics-server:v0.7.1-zarf-459117927", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/metrics-server/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "metrics-server", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/metrics-server/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "requests": { + "cpu": "100m", + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true, + "runAsNonRoot": 
true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-79cnp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 2000000000, + "priorityClassName": "system-cluster-critical", + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "metrics-server", + "serviceAccountName": "metrics-server", + "terminationGracePeriodSeconds": 30, + 
"tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "name": "kube-api-access-79cnp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:51Z", + "status": 
"True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:51Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:36:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://a3bcdc94ec898ec637d718935d40a44f8402b7c66cce86ed5f170fe43f1ff705", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:38Z" + } + } + }, + { + "containerID": "containerd://5acf1d7c184ca85550f35fbd819e0bfd298d5885a4b340481ce92c0bee56fe5b", + "image": "127.0.0.1:31999/metrics-server/metrics-server:v0.7.1-zarf-459117927", + "imageID": "127.0.0.1:31999/metrics-server/metrics-server@sha256:7f0fc3565b6d4655d078bb8e250d0423d7c79aeb05fbc71e1ffa6ff664264d70", + "lastState": {}, + "name": "metrics-server", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:36:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://56321e146f957771c00c61f86a2f9a6f74f0ed917d6df3f92464e1cd4dffea8f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://56321e146f957771c00c61f86a2f9a6f74f0ed917d6df3f92464e1cd4dffea8f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:36:36Z", + "reason": "Completed", + "startedAt": 
"2024-06-07T14:36:36Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.24", + "podIPs": [ + { + "ip": "10.42.0.24" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:36:36Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "keycloak", + "kubectl.kubernetes.io/default-logs-container": "keycloak", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generateName": "keycloak-", + "labels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "keycloak-584d5fcfb7", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "keycloak", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "keycloak-0", + "zarf-agent": "patched" + }, + "name": "keycloak-0", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "keycloak", + "uid": "3ec2c2f6-c634-4e4b-8e87-ae401174b745" + } + ], + "resourceVersion": "1823", + "uid": "7f4d0caa-3b1e-4c7e-bbcb-80f31728e776" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + 
"matchExpressions": [ + { + "key": "app.kubernetes.io/component", + "operator": "NotIn", + "values": [ + "test" + ] + } + ], + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + }, + "topologyKey": "failure-domain.beta.kubernetes.io/zone" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "keycloak" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + 
"valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "keycloak" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/keycloak/statefulsets/keycloak" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/keycloak/livez\":{\"httpGet\":{\"path\":\"/health/live\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2},\"/app-health/keycloak/readyz\":{\"httpGet\":{\"path\":\"/health/ready\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":2}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + 
"path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + }, + { + "args": [ + "start-dev", + "--spi-theme-static-max-age=-1", + "--spi-theme-cache-themes=false", + "--spi-theme-cache-templates=false", + "--import-realm", + "--features=preview" + ], + "command": [ + "/opt/keycloak/bin/kc.sh" + ], + "env": [ + { + "name": "UDS_DOMAIN", + "value": "uds.dev" + }, + { + "name": "KC_HEALTH_ENABLED", + "value": "true" + }, + { + "name": "KC_METRICS_ENABLED", + "value": "true" + }, + { + "name": "QUARKUS_HTTP_ACCESS_LOG_ENABLED", + "value": "true" + }, + { + "name": "KC_HOSTNAME_STRICT", + "value": "false" + }, + { + "name": "KC_HOSTNAME_STRICT_HTTPS", + "value": "false" + }, + { + "name": "KC_PROXY", + "value": "edge" + }, + { + "name": "KC_HTTPS_CLIENT_AUTH", + "value": "request" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_PROVIDER", + "value": "nginx" + }, + { + "name": "KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT", + "value": "istio-mtls-client-certificate" + }, + { + "name": 
"KC_SPI_X509CERT_LOOKUP_NGINX_SSL_CLIENT_CERT_CHAIN_PREFIX", + "value": "UNUSED" + }, + { + "name": "KC_LOG_LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_APACHE_HTTP__LEVEL", + "value": "DEBUG" + }, + { + "name": "QUARKUS_LOG_CATEGORY__ORG_KEYCLOAK_SERVICES_X509__LEVEL", + "value": "TRACE" + } + ], + "envFrom": [ + { + "secretRef": { + "name": "keycloak-realm-env" + } + } + ], + "image": "127.0.0.1:31999/keycloak/keycloak:24.0.5-zarf-2242132316", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "name": "keycloak", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 15, + "httpGet": { + "path": "/app-health/keycloak/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "1Gi" + }, + "requests": { + "cpu": "500m", + "memory": "512Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "keycloak-0", + "imagePullSecrets": [ + { + "name": 
"private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.4.5-zarf-1934043158", + "imagePullPolicy": "IfNotPresent", + "name": "uds-config", + "resources": { + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "runAsGroup": 65532, + "runAsUser": 65532 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/opt/keycloak/providers", + "name": "providers" + }, + { + "mountPath": "/opt/keycloak/data", + "name": "data" + }, + { + "mountPath": "/opt/keycloak/themes", + "name": "themes" + }, + { + "mountPath": "/opt/keycloak/conf", + "name": "conf" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-nlkpn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": 
"PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 1000, + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "subdomain": "keycloak-headless", + "terminationGracePeriodSeconds": 5, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "providers" + }, + { + "emptyDir": {}, + "name": "conf" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "keycloak-data" + } + }, + { + "name": "themes", + "persistentVolumeClaim": { + "claimName": "keycloak-themes" + } + }, + { + "name": "kube-api-access-nlkpn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + 
"expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:09Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:56Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:56Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:37:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://98b723747fbc4ab069941b409c2c1364803055710b556efc4a281bef03a1f9d0", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:37:09Z" + } + } + }, + { + "containerID": "containerd://24cffc7e3667dbd48ef3f53817f81df065610a8e2231ce22f807bbaf28dfc28a", + "image": "127.0.0.1:31999/keycloak/keycloak:24.0.5-zarf-2242132316", + "imageID": "127.0.0.1:31999/keycloak/keycloak@sha256:6508f327b24f3b21dc712fdfedf7dc613720806752f958f3ae90d53f05bfffb3", + "lastState": {}, + "name": "keycloak", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:37:12Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": 
"containerd://61198b4b3f3f80e4b1f1d70d1175723fb4e113315b5733f6139827c6716ae3cf", + "image": "127.0.0.1:31999/defenseunicorns/uds/identity-config:0.4.5-zarf-1934043158", + "imageID": "127.0.0.1:31999/defenseunicorns/uds/identity-config@sha256:3fbab8e7cfa010251aa29a1bbec2e73a7bdc236f358fb57db3943a9f0307bf1f", + "lastState": {}, + "name": "uds-config", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://61198b4b3f3f80e4b1f1d70d1175723fb4e113315b5733f6139827c6716ae3cf", + "exitCode": 0, + "finishedAt": "2024-06-07T14:37:07Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:37:07Z" + } + } + }, + { + "containerID": "containerd://42656b79a9c7579dc5b3b04b00be6b95189d0c863549ff35ae072aa778897083", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://42656b79a9c7579dc5b3b04b00be6b95189d0c863549ff35ae072aa778897083", + "exitCode": 0, + "finishedAt": "2024-06-07T14:37:08Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:37:08Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.27", + "podIPs": [ + { + "ip": "10.42.0.27" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:37:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-enforcer-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-enforcer-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowHostNamespaces": "exempted", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:38:20Z", + "generateName": "neuvector-enforcer-pod-", + "labels": { + "app": "neuvector-enforcer-pod", + "controller-revision-hash": "6775c5c797", + "pod-template-generation": "1", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-enforcer-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-enforcer-pod-nt94p", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "neuvector-enforcer-pod", + "uid": "6dccb27d-6ee5-4ce7-9212-a01b1420cbfb" + } + ], + "resourceVersion": "2221", + "uid": "5f5fce1b-9cba-4e19-8fe8-81105c64a17a" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + 
"--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-enforcer-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": 
"kubernetes://apis/apps/v1/namespaces/neuvector/daemonsets/neuvector-enforcer-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + 
"name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.2-zarf-2886042343", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-enforcer-pod", + "resources": {}, + "securityContext": { + "privileged": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/lib/modules", + "name": "modules-vol", + "readOnly": true + }, + { + "mountPath": "/var/nv_debug", + "name": "nv-debug" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostPID": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + 
"NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-hps9b", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "enforcer", + "serviceAccountName": "enforcer", + "terminationGracePeriodSeconds": 1200, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { 
+ "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/lib/modules", + "type": "" + }, + "name": "modules-vol" + }, + { + "hostPath": { + "path": "/var/nv_debug", + "type": "" + }, + "name": "nv-debug" + }, + { + "name": "kube-api-access-hps9b", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:28Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:28Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:20Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://977a00abbbc0e201f32cc068fcd3b84546b25dfe873196358ee56620519af4b4", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + 
"lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:21Z" + } + } + }, + { + "containerID": "containerd://786d6b11b69d7becbefa39703c471dd2dcd506e08fdcf6e2254e0a584cded575", + "image": "127.0.0.1:31999/neuvector/enforcer:5.3.2-zarf-2886042343", + "imageID": "127.0.0.1:31999/neuvector/enforcer@sha256:043f6f02afae05861eee20248bba17e58afbe33dcc2cafcca2cf83c7df361fac", + "lastState": {}, + "name": "neuvector-enforcer-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:26Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://10e8bca0a1e6b216fa1e7c7cf33a224262959fe8e64fbc9dc1d398facb035d38", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://10e8bca0a1e6b216fa1e7c7cf33a224262959fe8e64fbc9dc1d398facb035d38", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:21Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.28", + "podIPs": [ + { + "ip": "10.42.0.28" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:20Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-manager-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-manager-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:20Z", + "generateName": "neuvector-manager-pod-56ddd789bb-", + "labels": { + "app": "neuvector-manager-pod", + "pod-template-hash": "56ddd789bb", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-manager-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-manager-pod-56ddd789bb-pzdsg", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-manager-pod-56ddd789bb", + "uid": "88dd6d25-f771-4ff6-a703-375660b4d43d" + } + ], + "resourceVersion": "2233", + "uid": "aebb54f0-cbcf-428d-91d2-43403fc6595d" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": 
"SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8443,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-manager-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-manager-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-manager-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": 
{ + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CTRL_SERVER_IP", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "MANAGER_SSL", + "value": "off" + } + ], + "image": "127.0.0.1:31999/neuvector/manager:5.3.2-zarf-1801671909", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-manager-pod", + "ports": [ + { + "containerPort": 8443, + "name": "http", + 
"protocol": "TCP" + } + ], + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-7226g", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "basic", + "serviceAccountName": "basic", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + 
"operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-7226g", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:21Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:30Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:30Z", + "status": "True", + "type": 
"ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:20Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://743909c516a206891e8807685cbfe81a597b79ff2887a4fbd4cefabd1849590c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:21Z" + } + } + }, + { + "containerID": "containerd://93bcda13255ce6bce3fdb9848c39512377e0700f35188fd23c371d64aaa5ff87", + "image": "127.0.0.1:31999/neuvector/manager:5.3.2-zarf-1801671909", + "imageID": "127.0.0.1:31999/neuvector/manager@sha256:3a65e2c2916a058293638620b712cfac1a559824ac4d295cd08474c98a3e7381", + "lastState": {}, + "name": "neuvector-manager-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:28Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://475c52820b00e4cc57f4c5a6dd2f790d7ac3606e83c70fbf105c97fd10f2ab40", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://475c52820b00e4cc57f4c5a6dd2f790d7ac3606e83c70fbf105c97fd10f2ab40", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:21Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:21Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.31", + "podIPs": [ + { + "ip": "10.42.0.31" + } + ], + "qosClass": "Burstable", + 
"startTime": "2024-06-07T14:38:20Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:38:38Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-mgzsf", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + 
], + "resourceVersion": "2509", + "uid": "f3fe50db-0d40-4f4f-94e2-4ab30d3095d3" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + 
"resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + 
"terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true 
+ } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-k4946", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + 
"name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-k4946", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:39Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:53Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:53Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-06-07T14:38:38Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f09a16a3f79ff3f62a59a9c7ed431043815978aa2c5fb0e5402c1a02389d3e7f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:39Z" + } + } + }, + { + "containerID": "containerd://3088539b3933c2fd668c3b02a9e3a23a7994978f2c2e65ec50d5f349117aa70f", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:40Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://446f36a71ada6e7d3e09a043c06ef19ae0bdff71c47220c26fe586b6a3fc2c76", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://446f36a71ada6e7d3e09a043c06ef19ae0bdff71c47220c26fe586b6a3fc2c76", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:38Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:38Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.37", + "podIPs": [ + { + "ip": "10.42.0.37" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:38Z" + } + }, + { + "apiVersion": "v1", + 
"kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "aa54d1c46dc4de580885be8c1184da75a3838afa977449fdf39bf419da521275", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "nginx", + "kubectl.kubernetes.io/default-logs-container": "nginx", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:51Z", + "generateName": "loki-gateway-d7c788676-", + "labels": { + "app.kubernetes.io/component": "gateway", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "pod-template-hash": "d7c788676", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-gateway-d7c788676-4srwc", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-gateway-d7c788676", + "uid": "e34a955a-a9ce-4e08-b438-cee5a06b0eb6" + } + ], + "resourceVersion": "2670", + "uid": "89db0787-f4c9-4ab5-b02b-67defbbdb9a6" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": 
"istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "nginx" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-gateway" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-gateway" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + 
"value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/nginx/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": 
"istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/nginxinc/nginx-unprivileged:1.25-alpine-zarf-1006365545", + "imagePullPolicy": "IfNotPresent", + "name": "nginx", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/nginx/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 15, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/nginx", + "name": "config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/docker-entrypoint.d", + "name": "docker-entrypoint-d-override" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + 
"allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-cpqvb", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 101, + "runAsGroup": 101, + "runAsNonRoot": true, + "runAsUser": 101 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + 
"configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-gateway" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "docker-entrypoint-d-override" + }, + { + "name": "kube-api-access-cpqvb", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:23Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:23Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://5f264ee0271c2825510e9b372383053db4659e357fac618c08fecb8ee373c3ba", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:56Z" + } + } + }, + { + "containerID": "containerd://82a48ad0040bde0f60f786d7a0e658bd2a4bab8bfa7cb3280d3eed0cd49e30e5", + "image": 
"127.0.0.1:31999/nginxinc/nginx-unprivileged:1.25-alpine-zarf-1006365545", + "imageID": "127.0.0.1:31999/nginxinc/nginx-unprivileged@sha256:31e948e116a2ac07338d1f0d8578bbc96776f8dcf580a8e658550ba01d5092c4", + "lastState": {}, + "name": "nginx", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:06Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://59bacbddd363664ec02221f6fe141218d05e2c56c146f59eb10b433da6ebd338", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://59bacbddd363664ec02221f6fe141218d05e2c56c146f59eb10b433da6ebd338", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:55Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.38", + "podIPs": [ + { + "ip": "10.42.0.38" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + "kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-backend-", + "labels": { + "app.kubernetes.io/component": "backend", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-backend-6f5b99f4f4", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-backend-0", + "zarf-agent": "patched" + }, + "name": "loki-backend-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-backend", + "uid": "90b63b4e-2726-4b30-ac3a-42e21400e1cb" + } + ], + "resourceVersion": "2695", + "uid": "09cdbc78-d89b-43fa-a5f6-2d7eedfef742" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + 
"fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-backend" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-backend" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": 
"{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + 
}, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=backend", + "-legacy-read-mode=false" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-backend-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": 
"127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-4pwkx", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-backend-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + 
"fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-backend-0" + } + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-4pwkx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:03Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:40Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:40Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://f7cf99f7432e06180757d37d6cb2048544be45b66b5367f0d99c7cd8cc15b5b8", + 
"image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:04Z" + } + } + }, + { + "containerID": "containerd://a347cd31324e8c4c86561a9174a8174436da20b2cd74f492af633199a8ec2609", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://a78785d642a7a2e14c962a51b8865d4a3dd9f689a6c42c512ce605a5e770a745", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a78785d642a7a2e14c962a51b8865d4a3dd9f689a6c42c512ce605a5e770a745", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:02Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.42", + "podIPs": [ + { + "ip": "10.42.0.42" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + 
"kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-read-965cc8d57-", + "labels": { + "app.kubernetes.io/component": "read", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "pod-template-hash": "965cc8d57", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "loki-read-965cc8d57-q9xqw", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "loki-read-965cc8d57", + "uid": "a096c654-21f2-41a0-a080-67bd402af70a" + } + ], + "resourceVersion": "2711", + "uid": "ab88bad5-aaba-4ff0-a18d-64b9fa7d5d29" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } 
+ }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-read" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/deployments/loki-read" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": 
"cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": 
"istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=read", + "-legacy-read-mode=false", + "-common.compactor-grpc-address=loki-backend.loki.svc.cluster.local:9095" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/tmp", + "name": "tmp" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + 
"-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n2kwj", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + 
"fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "emptyDir": {}, + "name": "tmp" + }, + { + "emptyDir": {}, + "name": "data" + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-n2kwj", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:55Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:43Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:43Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:52Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c861470957edbe2926ec656294db8c78238efc7ac026dfe58bf8ad0a25049112", + "image": 
"127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:38:56Z" + } + } + }, + { + "containerID": "containerd://69f206cfa0f0b469ecd7ce7b9c5b10b30aaaa1e0f6570f61777e9c13a9ab52c4", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:06Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c4d5994d71e34abcbbe8c66c67db76a5428d1c8a3a930813095968ebf2bb62c7", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c4d5994d71e34abcbbe8c66c67db76a5428d1c8a3a930813095968ebf2bb62c7", + "exitCode": 0, + "finishedAt": "2024-06-07T14:38:54Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:38:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.39", + "podIPs": [ + { + "ip": "10.42.0.39" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:52Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "40704e20dbbda1ca58cfa8d9ce03976b283d6b1d9b3274118a95cf4180009906", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "loki", + 
"kubectl.kubernetes.io/default-logs-container": "loki", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:38:52Z", + "generateName": "loki-write-", + "labels": { + "app.kubernetes.io/component": "write", + "app.kubernetes.io/instance": "loki", + "app.kubernetes.io/name": "loki", + "app.kubernetes.io/part-of": "memberlist", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "loki-write-79659b658", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "loki", + "service.istio.io/canonical-revision": "latest", + "statefulset.kubernetes.io/pod-name": "loki-write-0", + "zarf-agent": "patched" + }, + "name": "loki-write-0", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "loki-write", + "uid": "7e976ccc-6bed-4478-9f9b-4eedbf659a0a" + } + ], + "resourceVersion": "2791", + "uid": "804e6369-2e8b-47d2-b928-2bb63dd24b29" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + 
"valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3100,\"protocol\":\"TCP\"}\n ,{\"name\":\"grpc\",\"containerPort\":9095,\"protocol\":\"TCP\"}\n ,{\"name\":\"http-memberlist\",\"containerPort\":7946,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "loki" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "loki-write" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/loki/statefulsets/loki-write" + }, + { + "name": 
"ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/loki/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + 
"name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/loki/config/config.yaml", + "-target=write" + ], + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imagePullPolicy": "IfNotPresent", + "name": "loki", + "ports": [ + { + "containerPort": 3100, + "name": "http-metrics", + "protocol": "TCP" + }, + { + "containerPort": 9095, + "name": "grpc", + "protocol": "TCP" + }, + { + "containerPort": 7946, + "name": "http-memberlist", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/loki/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 30, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/loki/config", + "name": "config" + }, + { + "mountPath": "/etc/loki/runtime-config", + "name": "runtime-config" + }, + { + "mountPath": "/var/loki", + "name": "data" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "loki-write-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + 
"--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ncjjq", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 10001, + "runAsGroup": 10001, + "runAsNonRoot": true, + "runAsUser": 10001 + }, + "serviceAccount": "loki", + "serviceAccountName": "loki", + "subdomain": "loki-write-headless", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + 
{ + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "data", + "persistentVolumeClaim": { + "claimName": "data-loki-write-0" + } + }, + { + "configMap": { + "defaultMode": 420, + "items": [ + { + "key": "config.yaml", + "path": "config.yaml" + } + ], + "name": "loki" + }, + "name": "config" + }, + { + "configMap": { + "defaultMode": 420, + "name": "loki-runtime" + }, + "name": "runtime-config" + }, + { + "name": "kube-api-access-ncjjq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:03Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:00Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:00Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:38:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://c2900e7dc1ea13ef0cad59f3890e5a87440335eb506fc74aef8cd477061494e9", + "image": 
"127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:04Z" + } + } + }, + { + "containerID": "containerd://76e63a1ad41c12f9723f810f6bbabe14616a53829d5b754fe10534a3a0387c36", + "image": "127.0.0.1:31999/grafana/loki:2.9.6-zarf-176807990", + "imageID": "127.0.0.1:31999/grafana/loki@sha256:ac12e5e83d9d77d1f62dd273f1ced8b55ed9a2429acc9e17ff7cbdee126eb4c1", + "lastState": {}, + "name": "loki", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:07Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://d4643293917635ef11462519cc95cace56beae16a233c19f0431e277fe824d30", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d4643293917635ef11462519cc95cace56beae16a233c19f0431e277fe824d30", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:02Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.43", + "podIPs": [ + { + "ip": "10.42.0.43" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:38:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": 
"neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:39:53Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-884hh", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "2820", + "uid": "afc727be-bc60-4201-9f4e-2f912e9394cb" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + 
"neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", 
+ "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + 
"mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + 
"15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-l28mp", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": 
"annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-l28mp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:54Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:09Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:09Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:39:53Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://24c510311a248260324ffed1d8fec9f24495fa9f19ab16281eeb2cbddfe9cd1e", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": 
"127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:55Z" + } + } + }, + { + "containerID": "containerd://29bb9a60e7875e06563a9b94c268a6c0b638de4bd51e68b82886ba4b7d184f80", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:39:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://7b5a488f9c4532c234492e7f71a84a7565f599de35eb097fd09bc8a6e59fe7e3", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7b5a488f9c4532c234492e7f71a84a7565f599de35eb097fd09bc8a6e59fe7e3", + "exitCode": 0, + "finishedAt": "2024-06-07T14:39:54Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:39:54Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.44", + "podIPs": [ + { + "ip": "10.42.0.44" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:39:53Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-prometheus-stack", + "kubectl.kubernetes.io/default-logs-container": "kube-prometheus-stack", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": 
"15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-operator-6db8586956-", + "labels": { + "app": "kube-prometheus-stack-operator", + "app.kubernetes.io/component": "prometheus-operator", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-prometheus-stack-prometheus-operator", + "app.kubernetes.io/part-of": "kube-prometheus-stack", + "app.kubernetes.io/version": "58.7.2", + "chart": "kube-prometheus-stack-58.7.2", + "heritage": "Helm", + "pod-template-hash": "6db8586956", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-prometheus-stack-prometheus-operator", + "service.istio.io/canonical-revision": "58.7.2", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-operator-6db8586956-rf74f", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-operator-6db8586956", + "uid": "126d925c-8844-48ce-832d-09c499c20d50" + } + ], + "resourceVersion": "3204", + "uid": "5b75b4bb-f8f7-4d18-936c-cba1a8f6e3ba" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + 
"--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"https\",\"containerPort\":10250,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-prometheus-stack" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_OWNER", 
+ "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-operator" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": 
"/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + }, + { + "args": [ + "--kubelet-service=kube-system/kube-prometheus-stack-kubelet", + "--localhost=127.0.0.1", + "--prometheus-config-reloader=quay.io/prometheus-operator/prometheus-config-reloader:v0.74.0", + "--config-reloader-cpu-request=50m", + "--config-reloader-cpu-limit=100m", + "--config-reloader-memory-request=128Mi", + "--config-reloader-memory-limit=128Mi", + "--thanos-default-base-image=quay.io/thanos/thanos:v0.35.0", + "--secret-field-selector=type!=kubernetes.io/dockercfg,type!=kubernetes.io/service-account-token,type!=helm.sh/release.v1", + "--web.enable-tls=true", + "--web.cert-file=/cert/cert", + "--web.key-file=/cert/key", + "--web.listen-address=:10250", + "--web.tls-min-version=VersionTLS13" + ], + "env": [ + { + "name": "GOGC", + "value": "30" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-operator:v0.74.0-zarf-2469397602", + "imagePullPolicy": "IfNotPresent", + "name": "kube-prometheus-stack", + "ports": [ + { + "containerPort": 10250, + "name": "https", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "500m", + "memory": "512Mi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/cert", + "name": "tls-secret", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + 
"name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-n477l", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-operator", + "serviceAccountName": "kube-prometheus-stack-operator", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + 
"name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "tls-secret", + "secret": { + "defaultMode": 420, + "secretName": "kube-prometheus-stack-admission" + } + }, + { + "name": "kube-api-access-n477l", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": 
"containerd://300e1c3160811b142d6fc7e6118b758b4d4d7b6deefd6ba3509faf05f2ba4023", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://16ab87c01034dc64a06308b99f53f3799f9daa45fd37eba4ffb38314b97549e6", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-operator:v0.74.0-zarf-2469397602", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-operator@sha256:70d94e60cabd216a16769a4443878d807b66461737eae0525cb7c04eaf011757", + "lastState": {}, + "name": "kube-prometheus-stack", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://39bcdbce8270a9a5a79b14ee903685ff7a9379a0453d27386dc1f4b4527146c6", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://39bcdbce8270a9a5a79b14ee903685ff7a9379a0453d27386dc1f4b4527146c6", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.48", + "podIPs": [ + { + "ip": "10.42.0.48" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + 
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "node-exporter", + "kubectl.kubernetes.io/default-logs-container": "node-exporter", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-prometheus-node-exporter-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "prometheus-node-exporter", + "app.kubernetes.io/part-of": "prometheus-node-exporter", + "app.kubernetes.io/version": "1.8.0", + "controller-revision-hash": "6fd5474c88", + "helm.sh/chart": "prometheus-node-exporter-4.34.0", + "jobLabel": "node-exporter", + "pod-template-generation": "1", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus-node-exporter", + "service.istio.io/canonical-revision": "1.8.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-prometheus-node-exporter-wn72h", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "kube-prometheus-stack-prometheus-node-exporter", + "uid": 
"666ae069-d804-49c8-ab5d-34a2ab7a8b12" + } + ], + "resourceVersion": "3210", + "uid": "998565a1-5d93-46a0-af81-74cb6c23086a" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "automountServiceAccountToken": false, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":9100,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "node-exporter" + }, + { + "name": "GOMEMLIMIT", + 
"valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/daemonsets/kube-prometheus-stack-prometheus-node-exporter" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/node-exporter/livez\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1},\"/app-health/node-exporter/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":9100,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, 
+ "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + } + ] + }, + { + "args": [ + "--path.procfs=/host/proc", + "--path.sysfs=/host/sys", + "--path.rootfs=/host/root", + "--path.udev.data=/host/root/run/udev/data", + "--web.listen-address=[$(HOST_IP)]:9100", + "--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)", + "--collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$" + ], + "env": [ + { + "name": "HOST_IP", + "value": "0.0.0.0" + } + ], + "image": "127.0.0.1:31999/prometheus/node-exporter:v1.8.1-zarf-3836483114", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + 
"successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "node-exporter", + "ports": [ + { + "containerPort": 9100, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/node-exporter/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/host/proc", + "name": "proc", + "readOnly": true + }, + { + "mountPath": "/host/sys", + "name": "sys", + "readOnly": true + }, + { + "mountPath": "/host/root", + "mountPropagation": "HostToContainer", + "name": "root", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File" + } + ], + "nodeName": "k3d-uds-server-0", + "nodeSelector": { + 
"kubernetes.io/os": "linux" + }, + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534 + }, + "serviceAccount": "kube-prometheus-stack-prometheus-node-exporter", + "serviceAccountName": "kube-prometheus-stack-prometheus-node-exporter", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + 
"configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "hostPath": { + "path": "/proc", + "type": "" + }, + "name": "proc" + }, + { + "hostPath": { + "path": "/sys", + "type": "" + }, + "name": "sys" + }, + { + "hostPath": { + "path": "/", + "type": "" + }, + "name": "root" + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:41Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:36Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://4406c0f4ff43d6c508b48594bce2dab82d88e5498c587271f507cf546d18ee23", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://98a9836cd7f3996caca67754b18b504e5f686c80cd7b545d157462d3dc012a38", + "image": "127.0.0.1:31999/prometheus/node-exporter:v1.8.1-zarf-3836483114", + "imageID": "127.0.0.1:31999/prometheus/node-exporter@sha256:c13575817446993529a7192d00ec3f3480a3216e93a291dad3ed87bc23887152", + "lastState": {}, + "name": "node-exporter", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": 
"containerd://335d322c7a3b61e89b4d477062315217543c2737ae2c479593d09afa799a25f4", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://335d322c7a3b61e89b4d477062315217543c2737ae2c479593d09afa799a25f4", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.47", + "podIPs": [ + { + "ip": "10.42.0.47" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:36Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "alertmanager", + "kubectl.kubernetes.io/default-logs-container": "alertmanager", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:40Z", + "generateName": "alertmanager-kube-prometheus-stack-alertmanager-", + "labels": { + "alertmanager": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/instance": "kube-prometheus-stack-alertmanager", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "alertmanager", + 
"app.kubernetes.io/version": "0.27.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "alertmanager-kube-prometheus-stack-alertmanager-78f4944b59", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "alertmanager", + "service.istio.io/canonical-revision": "0.27.0", + "statefulset.kubernetes.io/pod-name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "zarf-agent": "patched" + }, + "name": "alertmanager-kube-prometheus-stack-alertmanager-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "alertmanager-kube-prometheus-stack-alertmanager", + "uid": "6a488ae0-5112-4b96-853b-9cd35f6866be" + } + ], + "resourceVersion": "3275", + "uid": "3e5d010a-d2f3-439b-98a4-b869f51951f5" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + 
"resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-web\",\"containerPort\":9093,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"mesh-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "alertmanager,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/alertmanager-kube-prometheus-stack-alertmanager" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/alertmanager/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/alertmanager/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9093,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": 
"127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { 
+ "args": [ + "--config.file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--storage.path=/alertmanager", + "--data.retention=120h", + "--cluster.listen-address=", + "--web.listen-address=:9093", + "--web.external-url=http://kube-prometheus-stack-alertmanager.monitoring:9093", + "--web.route-prefix=/", + "--cluster.label=monitoring/kube-prometheus-stack-alertmanager", + "--cluster.peer=alertmanager-kube-prometheus-stack-alertmanager-0.alertmanager-operated:9094", + "--cluster.reconnect-timeout=5m", + "--web.config.file=/etc/alertmanager/web_config/web-config.yaml" + ], + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + } + ], + "image": "127.0.0.1:31999/prometheus/alertmanager:v0.27.0-zarf-3373367403", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "alertmanager", + "ports": [ + { + "containerPort": 9093, + "name": "http-web", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "mesh-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/alertmanager/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 3, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "requests": { + "memory": "200Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume" + }, + { 
+ "mountPath": "/etc/alertmanager/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/alertmanager", + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "mountPath": "/etc/alertmanager/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9093/-/reload", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": 
"/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "alertmanager-kube-prometheus-stack-alertmanager-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/alertmanager/config/alertmanager.yaml.gz", + "--config-envsubst-file=/etc/alertmanager/config_out/alertmanager.env.yaml", + "--watched-dir=/etc/alertmanager/config" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "-1" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/alertmanager/config", + "name": "config-volume", + "readOnly": true + }, + { + "mountPath": "/etc/alertmanager/config_out", + "name": "config-out" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + 
"15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-48zfn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-alertmanager", + "serviceAccountName": "kube-prometheus-stack-alertmanager", + "subdomain": "alertmanager-operated", + "terminationGracePeriodSeconds": 120, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + 
"defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-generated" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "alertmanager-kube-prometheus-stack-alertmanager-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "alertmanager-kube-prometheus-stack-alertmanager-web-config" + } + }, + { + "emptyDir": {}, + "name": "alertmanager-kube-prometheus-stack-alertmanager-db" + }, + { + "name": "kube-api-access-48zfn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:43Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + 
"status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:40Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3f0de68c04b02ba3cbab300a9bc068d07ee9df5691ad2d844103ad55ba010739", + "image": "127.0.0.1:31999/prometheus/alertmanager:v0.27.0-zarf-3373367403", + "imageID": "127.0.0.1:31999/prometheus/alertmanager@sha256:2fbdd4c66d91e740fe3fd462d8f52fc3d305a5b403bab3a58feb62be237a84fb", + "lastState": {}, + "name": "alertmanager", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:44Z" + } + } + }, + { + "containerID": "containerd://e776e053c29f01987e2f495f590f509c842044d12d107795e364294058afd841", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:44Z" + } + } + }, + { + "containerID": "containerd://946a964dfc5c57b5f9a650d625b04470f2dd95ca3b366b4dfc35d80d20c5ce67", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:43Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c855457cbe7619fd72c332202f6028543bc953c498ef0039f342546d10bc949e", + 
"image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c855457cbe7619fd72c332202f6028543bc953c498ef0039f342546d10bc949e", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:42Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:41Z" + } + } + }, + { + "containerID": "containerd://eb4afdfc9260c7e826760af025c0ee12ada879d9282eec2537cafdd305a6755f", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://eb4afdfc9260c7e826760af025c0ee12ada879d9282eec2537cafdd305a6755f", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:42Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:42Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.49", + "podIPs": [ + { + "ip": "10.42.0.49" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:40Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "kube-state-metrics", + "kubectl.kubernetes.io/default-logs-container": "kube-state-metrics", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:40:36Z", + "generateName": "kube-prometheus-stack-kube-state-metrics-65594f9476-", + "labels": { + "app.kubernetes.io/component": "metrics", + "app.kubernetes.io/instance": "kube-prometheus-stack", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "kube-state-metrics", + "app.kubernetes.io/part-of": "kube-state-metrics", + "app.kubernetes.io/version": "2.12.0", + "helm.sh/chart": "kube-state-metrics-5.19.0", + "pod-template-hash": "65594f9476", + "release": "kube-prometheus-stack", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "kube-state-metrics", + "service.istio.io/canonical-revision": "2.12.0", + "zarf-agent": "patched" + }, + "name": "kube-prometheus-stack-kube-state-metrics-65594f9476-2slwt", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "kube-prometheus-stack-kube-state-metrics-65594f9476", + "uid": "3907c223-9229-433f-b8d5-dbde08ebb417" + } + ], + "resourceVersion": "3283", + "uid": "6ef328fe-f9b7-4096-9d62-428d08d83846" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + 
"valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "kube-state-metrics" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/deployments/kube-prometheus-stack-kube-state-metrics" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": 
"TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/kube-state-metrics/livez\":{\"httpGet\":{\"path\":\"/healthz\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/kube-state-metrics/readyz\":{\"httpGet\":{\"path\":\"/\",\"port\":8080,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": 
"/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + }, + { + "args": [ + "--port=8080", + "--resources=certificatesigningrequests,configmaps,cronjobs,daemonsets,deployments,endpoints,horizontalpodautoscalers,ingresses,jobs,leases,limitranges,mutatingwebhookconfigurations,namespaces,networkpolicies,nodes,persistentvolumeclaims,persistentvolumes,poddisruptionbudgets,pods,replicasets,replicationcontrollers,resourcequotas,secrets,services,statefulsets,storageclasses,validatingwebhookconfigurations,volumeattachments" + ], + "image": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics:v2.12.0-zarf-3970135638", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "kube-state-metrics", + "ports": [ + { + "containerPort": 8080, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/kube-state-metrics/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 5, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": 
"kube-api-access-bhqx5", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bhqx5", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 65534, + "runAsGroup": 65534, + "runAsNonRoot": true, + "runAsUser": 65534, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-kube-state-metrics", + "serviceAccountName": "kube-prometheus-stack-kube-state-metrics", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + 
"tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-bhqx5", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:38Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:37Z", + "status": "True", + "type": "PodScheduled" + } + 
], + "containerStatuses": [ + { + "containerID": "containerd://ec96f7c2c7a98a6357c94d5b2a781a609711f20a43d648da26de81c4c6c2731d", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:38Z" + } + } + }, + { + "containerID": "containerd://7ff7eb875d8cd5356fa58effc23fad66a140ca93993e6cab41d79dae449865cc", + "image": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics:v2.12.0-zarf-3970135638", + "imageID": "127.0.0.1:31999/kube-state-metrics/kube-state-metrics@sha256:0b849c2a1fd2a8e3a8465803c0e0853e063fd89b33ad10847f82152b8f1f7066", + "lastState": {}, + "name": "kube-state-metrics", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:39Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://a6e05bbe29a830534010f6447eb2f86ea4016a7f54e69dff89fe2f43f52c74d7", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://a6e05bbe29a830534010f6447eb2f86ea4016a7f54e69dff89fe2f43f52c74d7", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:37Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:37Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.46", + "podIPs": [ + { + "ip": "10.42.0.46" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:37Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { 
+ "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "prometheus", + "kubectl.kubernetes.io/default-logs-container": "prometheus", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "proxy.istio.io/config": "proxyMetadata:\n OUTPUT_CERTS: /etc/istio-output-certs\n", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "sidecar.istio.io/userVolumeMount": "[{\"name\": \"istio-certs\", \"mountPath\": \"/etc/istio-output-certs\"}]", + "traffic.sidecar.istio.io/includeOutboundIPRanges": "", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:40:40Z", + "generateName": "prometheus-kube-prometheus-stack-prometheus-", + "labels": { + "app": "prometheus", + "app.kubernetes.io/instance": "kube-prometheus-stack-prometheus", + "app.kubernetes.io/managed-by": "prometheus-operator", + "app.kubernetes.io/name": "prometheus", + "app.kubernetes.io/version": "2.52.0", + "apps.kubernetes.io/pod-index": "0", + "controller-revision-hash": "prometheus-kube-prometheus-stack-prometheus-7fdcfb85d6", + "operator.prometheus.io/name": "kube-prometheus-stack-prometheus", + "operator.prometheus.io/shard": "0", + "prometheus": "kube-prometheus-stack-prometheus", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "prometheus", + "service.istio.io/canonical-revision": "2.52.0", + "statefulset.kubernetes.io/pod-name": 
"prometheus-kube-prometheus-stack-prometheus-0", + "zarf-agent": "patched" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-0", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "StatefulSet", + "name": "prometheus-kube-prometheus-stack-prometheus", + "uid": "381a9a1e-c0bf-4ae6-bee6-e45ab1b164dd" + } + ], + "resourceVersion": "3396", + "uid": "ec959d87-ee81-4018-8633-cfbdd070a726" + }, + "spec": { + "automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"proxyMetadata\":{\"OUTPUT_CERTS\":\"/etc/istio-output-certs\"},\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n 
{\"name\":\"http-web\",\"containerPort\":9090,\"protocol\":\"TCP\"}\n ,{\"name\":\"reloader-web\",\"containerPort\":8080,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "prometheus,config-reloader" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/monitoring/statefulsets/prometheus-kube-prometheus-stack-prometheus" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/prometheus/livez\":{\"httpGet\":{\"path\":\"/-/healthy\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/readyz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3},\"/app-health/prometheus/startupz\":{\"httpGet\":{\"path\":\"/-/ready\",\"port\":9090,\"scheme\":\"HTTP\"},\"timeoutSeconds\":3}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": 
"http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/etc/istio-output-certs", + "name": "istio-certs" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "--web.console.templates=/etc/prometheus/consoles", + "--web.console.libraries=/etc/prometheus/console_libraries", + "--config.file=/etc/prometheus/config_out/prometheus.env.yaml", + 
"--web.enable-lifecycle", + "--enable-feature=remote-write-receiver", + "--web.external-url=http://kube-prometheus-stack-prometheus.monitoring:9090", + "--web.route-prefix=/", + "--storage.tsdb.retention.time=10d", + "--storage.tsdb.path=/prometheus", + "--storage.tsdb.wal-compression", + "--web.config.file=/etc/prometheus/web_config/web-config.yaml" + ], + "image": "127.0.0.1:31999/prometheus/prometheus:v2.52.0-zarf-1047855950", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 6, + "httpGet": { + "path": "/app-health/prometheus/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "name": "prometheus", + "ports": [ + { + "containerPort": 9090, + "name": "http-web", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/prometheus/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "300m", + "memory": "2Gi" + }, + "requests": { + "cpu": "100m", + "memory": "512Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "startupProbe": { + "failureThreshold": 60, + "httpGet": { + "path": "/app-health/prometheus/startupz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out", + "readOnly": true + }, + { + "mountPath": "/etc/prometheus/certs", + "name": "tls-assets", + "readOnly": true + }, + { + "mountPath": "/prometheus", + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "subPath": "prometheus-db" + }, + { + "mountPath": 
"/etc/prom-certs/", + "name": "istio-certs" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/etc/prometheus/web_config/web-config.yaml", + "name": "web-config", + "readOnly": true, + "subPath": "web-config.yaml" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "--listen-address=:8080", + "--reload-url=http://127.0.0.1:9090/-/reload", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": 
"prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "hostname": "prometheus-kube-prometheus-stack-prometheus-0", + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "--watch-interval=0", + "--listen-address=:8080", + "--config-file=/etc/prometheus/config/prometheus.yaml.gz", + "--config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml", + "--watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + ], + "command": [ + "/bin/prometheus-config-reloader" + ], + "env": [ + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "SHARD", + "value": "0" + } + ], + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imagePullPolicy": "IfNotPresent", + "name": "init-config-reloader", + "ports": [ + { + "containerPort": 8080, + "name": "reloader-web", + "protocol": "TCP" + } + ], + "resources": { + "limits": { + "cpu": "100m", + "memory": "128Mi" + }, + "requests": { + "cpu": "50m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "readOnlyRootFilesystem": true + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "FallbackToLogsOnError", + "volumeMounts": [ + { + "mountPath": "/etc/prometheus/config", + "name": "config" + }, + { + "mountPath": "/etc/prometheus/config_out", + "name": "config-out" + }, + { + "mountPath": "/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0", + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "mountPath": 
"/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "OUTPUT_CERTS", + "value": "/etc/istio-output-certs" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-zch2v", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 2000, + "runAsGroup": 2000, + "runAsNonRoot": true, + "runAsUser": 1000, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "serviceAccount": "kube-prometheus-stack-prometheus", + "serviceAccountName": "kube-prometheus-stack-prometheus", + "shareProcessNamespace": false, + "subdomain": "prometheus-operated", + "terminationGracePeriodSeconds": 600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": 
"node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "prometheus-kube-prometheus-stack-prometheus-db", + "persistentVolumeClaim": { + "claimName": "prometheus-kube-prometheus-stack-prometheus-db-prometheus-kube-prometheus-stack-prometheus-0" + } + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus" + } + }, + { + "name": "tls-assets", + "projected": { + "defaultMode": 420, + "sources": [ + { + "secret": { + "name": "prometheus-kube-prometheus-stack-prometheus-tls-assets-0" + } + } + ] + } + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "config-out" + }, + { + "configMap": { + "defaultMode": 420, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + "name": "prometheus-kube-prometheus-stack-prometheus-rulefiles-0" + }, + { + "name": "web-config", + "secret": { + "defaultMode": 420, + "secretName": "prometheus-kube-prometheus-stack-prometheus-web-config" + } + }, + { + 
"emptyDir": { + "medium": "Memory" + }, + "name": "istio-certs" + }, + { + "name": "kube-api-access-zch2v", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:00Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:00Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:40:44Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://86023ec56c04e539dbeb150747ffdb73ed4db0e6af05fe19a80ebc03dc698356", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "config-reloader", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:49Z" + } + } + }, + { + "containerID": "containerd://2860f0575865ade2911ba880f45f070844a844b691f491e6bc6adf864983984e", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + 
"ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:47Z" + } + } + }, + { + "containerID": "containerd://ab41954c1d1aed6af64c9107fbc2b3052f5eaea167c56f2a534820225898f315", + "image": "127.0.0.1:31999/prometheus/prometheus:v2.52.0-zarf-1047855950", + "imageID": "127.0.0.1:31999/prometheus/prometheus@sha256:b922bb8c3ddb40066be79e704e22b94513acaada413fd22eb99ea4afe8740b43", + "lastState": {}, + "name": "prometheus", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:40:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://ecad69b5666b61947da072fbe6d161f43fef167201774ce899824141aee820fe", + "image": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader:v0.74.0-zarf-3626352270", + "imageID": "127.0.0.1:31999/prometheus-operator/prometheus-config-reloader@sha256:2f391ccd12088306b68f620ee4c8ad308d82e746e22484a21edbfa1aaff51df5", + "lastState": {}, + "name": "init-config-reloader", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://ecad69b5666b61947da072fbe6d161f43fef167201774ce899824141aee820fe", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:45Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:40:45Z" + } + } + }, + { + "containerID": "containerd://afa5faa7fb1c89b49d309d4ecc89fd93681e6ab9f8ea4b23e1c9762bb11225ff", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://afa5faa7fb1c89b49d309d4ecc89fd93681e6ab9f8ea4b23e1c9762bb11225ff", + "exitCode": 0, + "finishedAt": "2024-06-07T14:40:46Z", + "reason": 
"Completed", + "startedAt": "2024-06-07T14:40:46Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.51", + "podIPs": [ + { + "ip": "10.42.0.51" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:40:44Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/init-configmap": "d2907592400cb73cef987a87115b0c6a17428bfdbda232ddf0de6ea52f3eb571", + "checksum/uds-sso-secret": "", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-controller-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-controller-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.DropAllCapabilities": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:41:09Z", + "generateName": "neuvector-controller-pod-5d7c9d5588-", + "labels": { + "app": "neuvector-controller-pod", + "pod-template-hash": "5d7c9d5588", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-controller-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-controller-pod-5d7c9d5588-nxn6p", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": 
"apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-controller-pod-5d7c9d5588", + "uid": "eb3a14bf-c3f0-4fef-a657-a25c5a712a93" + } + ], + "resourceVersion": "3566", + "uid": "cc4d43f8-aa36-429e-aa94-f827d5cb915c" + }, + "spec": { + "affinity": { + "podAntiAffinity": { + "preferredDuringSchedulingIgnoredDuringExecution": [ + { + "podAffinityTerm": { + "labelSelector": { + "matchExpressions": [ + { + "key": "app", + "operator": "In", + "values": [ + "neuvector-controller-pod" + ] + } + ] + }, + "topologyKey": "kubernetes.io/hostname" + }, + "weight": 100 + } + ] + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" 
+ }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-controller-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-controller-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-controller-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 
15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + }, + { + "name": "CLUSTER_ADVERTISED_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "CLUSTER_BIND_ADDR", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "NO_DEFAULT_ADMIN", + "value": "1" + } + ], + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imagePullPolicy": "IfNotPresent", + "name": "neuvector-controller-pod", + "readinessProbe": { + "exec": { + "command": [ + "cat", + "/tmp/ready" + ] + }, + "failureThreshold": 3, + "initialDelaySeconds": 5, + "periodSeconds": 5, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/config", + "name": 
"config-volume", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q4k2v", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": {}, + "serviceAccount": "controller", + "serviceAccountName": "controller", + "terminationGracePeriodSeconds": 300, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + 
}, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config-volume", + "projected": { + "defaultMode": 420, + "sources": [ + { + "configMap": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-init", + "optional": true + } + }, + { + "secret": { + "name": "neuvector-secret", + "optional": true + } + } + ] + } + }, + { + "name": "kube-api-access-q4k2v", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:12Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:31Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + 
"lastTransitionTime": "2024-06-07T14:41:31Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:09Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://95214988c5f738e7d783d5486867b1262db461e51ac0fe44aa1da7cadb982390", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:12Z" + } + } + }, + { + "containerID": "containerd://bb10636ff8f86e1faed4105e47dc92f9d71192271867421be5edf1763ae697af", + "image": "127.0.0.1:31999/neuvector/controller:5.3.2-zarf-4157091163", + "imageID": "127.0.0.1:31999/neuvector/controller@sha256:c5d6ff1924fdad2b8e4fdb428a7636edd82ea50ef94ab15e9a0c7117fc607d1c", + "lastState": {}, + "name": "neuvector-controller-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:15Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://87c33d4712b6b7fe0fe3a33257677cb8fa1b4898e956e2144044d1909cfc5251", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://87c33d4712b6b7fe0fe3a33257677cb8fa1b4898e956e2144044d1909cfc5251", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:11Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:11Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.55", + 
"podIPs": [ + { + "ip": "10.42.0.55" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:09Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "5e25fa9a618f14d4d9593ca3a824ce003a30a8cbb52327a8e9b818ac547c3cc5", + "checksum/sc-dashboard-provider-config": "593c0a8778b83f11fe80ccb21dfb20bc46705e2be3178df1dc4c89d164c8cd9c", + "checksum/secret": "4b38b5e9fc91844d569e9bebd5496fd9ad287f48dbe68676c670b0a3a12dd139", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "grafana", + "kubectl.kubernetes.io/default-logs-container": "grafana-sc-dashboard", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:41:48Z", + "generateName": "grafana-686487c574-", + "labels": { + "app.kubernetes.io/instance": "grafana", + "app.kubernetes.io/name": "grafana", + "pod-template-hash": "686487c574", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "grafana", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "grafana-686487c574-48lqp", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "grafana-686487c574", + "uid": "33cb3601-ba2a-4f7c-a637-605d9840731d" + } + ], + "resourceVersion": "3736", + "uid": "2b71baf7-7125-4567-a82d-4447558f7672" + }, + "spec": { + 
"automountServiceAccountToken": true, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"grafana\",\"containerPort\":3000,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-tcp\",\"containerPort\":9094,\"protocol\":\"TCP\"}\n ,{\"name\":\"gossip-udp\",\"containerPort\":9094,\"protocol\":\"UDP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "grafana-sc-dashboard,grafana-sc-datasources,grafana" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { 
+ "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "grafana" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/grafana/deployments/grafana" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/grafana/livez\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":30},\"/app-health/grafana/readyz\":{\"httpGet\":{\"path\":\"/api/health\",\"port\":3000,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 
1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_dashboard" + }, + { + "name": "FOLDER", + "value": "/tmp/dashboards" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "NAMESPACE", + "value": "ALL" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/dashboards/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-dashboard", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + 
"terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "METHOD", + "value": "WATCH" + }, + { + "name": "LABEL", + "value": "grafana_datasource" + }, + { + "name": "FOLDER", + "value": "/etc/grafana/provisioning/datasources" + }, + { + "name": "RESOURCE", + "value": "both" + }, + { + "name": "REQ_USERNAME", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "REQ_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": "grafana" + } + } + }, + { + "name": "REQ_URL", + "value": "http://localhost:3000/api/admin/provisioning/datasources/reload" + }, + { + "name": "REQ_METHOD", + "value": "POST" + } + ], + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imagePullPolicy": "IfNotPresent", + "name": "grafana-sc-datasources", + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "POD_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_USER", + "valueFrom": { + "secretKeyRef": { + "key": "admin-user", + "name": "grafana" + } + } + }, + { + "name": "GF_SECURITY_ADMIN_PASSWORD", + "valueFrom": { + "secretKeyRef": { + "key": "admin-password", + "name": 
"grafana" + } + } + }, + { + "name": "GF_PATHS_DATA", + "value": "/var/lib/grafana/" + }, + { + "name": "GF_PATHS_LOGS", + "value": "/var/log/grafana" + }, + { + "name": "GF_PATHS_PLUGINS", + "value": "/var/lib/grafana/plugins" + }, + { + "name": "GF_PATHS_PROVISIONING", + "value": "/etc/grafana/provisioning" + } + ], + "image": "127.0.0.1:31999/grafana/grafana:10.4.2-zarf-855602154", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 10, + "httpGet": { + "path": "/app-health/grafana/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 60, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 30 + }, + "name": "grafana", + "ports": [ + { + "containerPort": 3000, + "name": "grafana", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-tcp", + "protocol": "TCP" + }, + { + "containerPort": 9094, + "name": "gossip-udp", + "protocol": "UDP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/grafana/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "seccompProfile": { + "type": "RuntimeDefault" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/grafana/grafana.ini", + "name": "config", + "subPath": "grafana.ini" + }, + { + "mountPath": "/var/lib/grafana", + "name": "storage" + }, + { + "mountPath": "/tmp/dashboards", + "name": "sc-dashboard-volume" + }, + { + "mountPath": "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml", + "name": "sc-dashboard-provider", + "subPath": "provider.yaml" + }, + { + "mountPath": "/etc/grafana/provisioning/datasources", + "name": "sc-datasources-volume" + }, + { + "mountPath": 
"/etc/secrets/auth_generic_oauth", + "name": "auth-generic-oauth-secret-mount", + "readOnly": true + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-bn7rz", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "fsGroup": 472, + "runAsGroup": 472, + "runAsNonRoot": true, + "runAsUser": 472 + }, + "serviceAccount": "grafana", + "serviceAccountName": "grafana", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": 
"node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana" + }, + "name": "config" + }, + { + "emptyDir": {}, + "name": "storage" + }, + { + "emptyDir": {}, + "name": "sc-dashboard-volume" + }, + { + "configMap": { + "defaultMode": 420, + "name": "grafana-config-dashboards" + }, + "name": "sc-dashboard-provider" + }, + { + "emptyDir": {}, + "name": "sc-datasources-volume" + }, + { + "name": "auth-generic-oauth-secret-mount", + "secret": { + "defaultMode": 288, + "secretName": "sso-client-uds-core-admin-grafana" + } + }, + { + "name": "kube-api-access-bn7rz", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + 
"path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:57Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:07Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:07Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:48Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://8758e045b633cc11094f4c891a56a432b56a6874ab8a15473c68b96b93a7003d", + "image": "127.0.0.1:31999/grafana/grafana:10.4.2-zarf-855602154", + "imageID": "127.0.0.1:31999/grafana/grafana@sha256:173b46f35cdbcb4b137868a5488be265eb0bb8487d959bb970e62171225f202f", + "lastState": {}, + "name": "grafana", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:04Z" + } + } + }, + { + "containerID": "containerd://667eaa618923b71ef9eb723f5b1f5f38b4b60120aa3289e50d1786f318622182", + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imageID": "127.0.0.1:31999/kiwigrid/k8s-sidecar@sha256:b2e05106a897584f31a33dbd9f3efd1a5153f2197d2bd3213d94e23a6f32f725", + "lastState": {}, + "name": "grafana-sc-dashboard", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:59Z" + } + } + }, + { + "containerID": "containerd://5f5ed8e1abe482780cf6ae0cfd2b40af044f5dfdbf1eb9898f3bb9bc67b933bf", + "image": "127.0.0.1:31999/kiwigrid/k8s-sidecar:1.26.1-zarf-4221900739", + "imageID": "127.0.0.1:31999/kiwigrid/k8s-sidecar@sha256:b2e05106a897584f31a33dbd9f3efd1a5153f2197d2bd3213d94e23a6f32f725", + "lastState": {}, + "name": "grafana-sc-datasources", + "ready": true, + "restartCount": 0, + "started": true, + 
"state": { + "running": { + "startedAt": "2024-06-07T14:41:59Z" + } + } + }, + { + "containerID": "containerd://d7d3d74612b6b1b8f2fed8a9cfc29aa12c9d008953225878eafb2601512e6ca9", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:57Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://64084b27ff629f5e4bb83082243539ed0475d0f0ba2dd54dcde057467b6968dc", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://64084b27ff629f5e4bb83082243539ed0475d0f0ba2dd54dcde057467b6968dc", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:57Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:56Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.57", + "podIPs": [ + { + "ip": "10.42.0.57" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:48Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "f0969d09510ef78afd7c2ce0bcab5032fd83dd4fab9b7455113fa6d4d7197026", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "authservice", + "kubectl.kubernetes.io/default-logs-container": "authservice", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": 
"{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generateName": "authservice-5dbcd95947-", + "labels": { + "app.kubernetes.io/instance": "authservice", + "app.kubernetes.io/name": "authservice", + "pod-template-hash": "5dbcd95947", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "authservice", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "authservice-5dbcd95947-p9snb", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "authservice-5dbcd95947", + "uid": "6c0d36a6-4b81-4b40-ac7c-76ab963e2679" + } + ], + "resourceVersion": "3834", + "uid": "eb91bbd4-18ed-4da6-a672-1c61fdbd3a9f" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": 
"SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http\",\"containerPort\":10003,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "authservice" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "authservice" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/authservice/deployments/authservice" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/authservice/livez\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1},\"/app-health/authservice/readyz\":{\"tcpSocket\":{\"port\":10003},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + 
"exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/istio-ecosystem/authservice/authservice:0.5.3-zarf-3409882933", + "imagePullPolicy": "IfNotPresent", + 
"livenessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/livez", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "name": "authservice", + "ports": [ + { + "containerPort": 10003, + "name": "http", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 3, + "httpGet": { + "path": "/app-health/authservice/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/authservice", + "name": "authservice" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": 
[ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-q92n7", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "default", + "serviceAccountName": "default", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "authservice", + "secret": { + "defaultMode": 420, + "secretName": "authservice" + } + }, + { + "name": "kube-api-access-q92n7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": 
"token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:16Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:20Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:20Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:14Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3649352210284b1182b34bac205eba605ff6d74a030fe9d90f1df4b09adf9560", + "image": "127.0.0.1:31999/istio-ecosystem/authservice/authservice:0.5.3-zarf-3409882933", + "imageID": "127.0.0.1:31999/istio-ecosystem/authservice/authservice@sha256:eeb082929ebf22bebd3141f23916694add1e4ab607b2c15ffa30a919998a6528", + "lastState": {}, + "name": "authservice", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:18Z" + } + } + }, + { + "containerID": "containerd://fe10bfd4a4c2b9f92d2e49168ad69df0dcb172c6e46c01bdafb2c08979510d9a", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:42:17Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": 
"containerd://cd30bb943578b69f28539b8a557632663ed71d94565c353a1be25e4d4904bc27", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://cd30bb943578b69f28539b8a557632663ed71d94565c353a1be25e4d4904bc27", + "exitCode": 0, + "finishedAt": "2024-06-07T14:42:15Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:42:15Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.59", + "podIPs": [ + { + "ip": "10.42.0.59" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:42:14Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/secret": "79f899ac6a4a76b043e67e4b17b25dfdf1b899526953bf3015fc1b4e41123ee5", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "velero", + "kubectl.kubernetes.io/default-logs-container": "velero", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-07T14:42:59Z", + "generateName": "velero-5d99fdc5b5-", + "labels": { + "app.kubernetes.io/instance": "velero", + "app.kubernetes.io/managed-by": "Helm", + "app.kubernetes.io/name": "velero", + "helm.sh/chart": "velero-6.6.0", + "name": "velero", + "pod-template-hash": 
"5d99fdc5b5", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "velero", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "velero-5d99fdc5b5-6rk9f", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "velero-5d99fdc5b5", + "uid": "d76f7c15-69e5-4c4c-8607-be0149ea25e0" + } + ], + "resourceVersion": "4167", + "uid": "4748be5d-80a0-4556-bf6b-d327ec8f3008" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n 
{\"name\":\"http-monitoring\",\"containerPort\":8085,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "velero" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "velero" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/velero/deployments/velero" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/velero/livez\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5},\"/app-health/velero/readyz\":{\"httpGet\":{\"path\":\"/metrics\",\"port\":8085,\"scheme\":\"HTTP\"},\"timeoutSeconds\":5}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + 
"securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "args": [ + "server", + "--uploader-type=kopia" + ], + "command": [ + "/velero" + ], + "env": [ + { + "name": "VELERO_SCRATCH_DIR", + "value": "/scratch" + }, + { + "name": "VELERO_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "LD_LIBRARY_PATH", + "value": "/plugins" + }, + { + "name": "AWS_SHARED_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "GOOGLE_APPLICATION_CREDENTIALS", + "value": "/credentials/cloud" + }, + { + "name": "AZURE_CREDENTIALS_FILE", + "value": "/credentials/cloud" + }, + { + "name": "ALIBABA_CLOUD_CREDENTIALS_FILE", + "value": 
"/credentials/cloud" + } + ], + "image": "127.0.0.1:31999/velero/velero:v1.13.2-zarf-726794283", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/livez", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "name": "velero", + "ports": [ + { + "containerPort": 8085, + "name": "http-monitoring", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 5, + "httpGet": { + "path": "/app-health/velero/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 30, + "successThreshold": 1, + "timeoutSeconds": 5 + }, + "resources": { + "limits": { + "cpu": "1", + "memory": "512Mi" + }, + "requests": { + "cpu": "500m", + "memory": "128Mi" + } + }, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/plugins", + "name": "plugins" + }, + { + "mountPath": "/credentials", + "name": "cloud-credentials" + }, + { + "mountPath": "/scratch", + "name": "scratch" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "image": "127.0.0.1:31999/velero/velero-plugin-for-aws:v1.9.2-zarf-3048596433", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-aws", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": 
"/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "image": "127.0.0.1:31999/velero/velero-plugin-for-csi:v0.7.1-zarf-792660929", + "imagePullPolicy": "IfNotPresent", + "name": "velero-plugin-for-csi", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/target", + "name": "plugins" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + }, + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-2gnxr", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "velero-server", + 
"serviceAccountName": "velero-server", + "terminationGracePeriodSeconds": 3600, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "cloud-credentials", + "secret": { + "defaultMode": 420, + "secretName": "velero-bucket-credentials" + } + }, + { + "emptyDir": {}, + "name": "plugins" + }, + { + "emptyDir": {}, + "name": "scratch" + }, + { + "name": "kube-api-access-2gnxr", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + 
}, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:04Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:29Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:43:29Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:42:59Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://3a5b45dc41df6b3431ef268b83129a2e58a9d7e1c6107ad48d8cdcd7e2f80c32", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:43:04Z" + } + } + }, + { + "containerID": "containerd://ef189f589c4bb96baf1e9787c84423f70d56d6eb907e9de21c292d7b372ff97a", + "image": "127.0.0.1:31999/velero/velero:v1.13.2-zarf-726794283", + "imageID": "127.0.0.1:31999/velero/velero@sha256:94c06080c3297fbdfd9877c60fdbfd0e9ee6ff04368dcdfb5343f5fb2d29568a", + "lastState": {}, + "name": "velero", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:43:04Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://44cd80e33ce5c513f01467f04c99358348cfb34d666ee5ff95c5c2c41d3427e1", + "image": "127.0.0.1:31999/velero/velero-plugin-for-aws:v1.9.2-zarf-3048596433", + "imageID": "127.0.0.1:31999/velero/velero-plugin-for-aws@sha256:3c0114ecb87368556cf8415959ceb82e1fca053ca1d049f115a43c2e0e2c3c66", + "lastState": {}, + "name": "velero-plugin-for-aws", + "ready": true, + "restartCount": 0, + "started": false, + 
"state": { + "terminated": { + "containerID": "containerd://44cd80e33ce5c513f01467f04c99358348cfb34d666ee5ff95c5c2c41d3427e1", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:00Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:00Z" + } + } + }, + { + "containerID": "containerd://7315f8c7db9149bf9abd9128ac1c42e46a604f605aacfda4cf71393ec20b2199", + "image": "127.0.0.1:31999/velero/velero-plugin-for-csi:v0.7.1-zarf-792660929", + "imageID": "127.0.0.1:31999/velero/velero-plugin-for-csi@sha256:d9e0d38f3d46596d293f118269f2e08da5e14cbc3c10f1bb612035938bec674d", + "lastState": {}, + "name": "velero-plugin-for-csi", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7315f8c7db9149bf9abd9128ac1c42e46a604f605aacfda4cf71393ec20b2199", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:02Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:02Z" + } + } + }, + { + "containerID": "containerd://0af4e7f30ecd4098890b50dc1cb0e624d63d64e0b492393c2ea3c63c16d24b2c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://0af4e7f30ecd4098890b50dc1cb0e624d63d64e0b492393c2ea3c63c16d24b2c", + "exitCode": 0, + "finishedAt": "2024-06-07T14:43:03Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:43:03Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.61", + "podIPs": [ + { + "ip": "10.42.0.61" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-07T14:42:59Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + 
"kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-08T11:31:45Z", + "generateName": "neuvector-updater-pod-28630080-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "69a3dfd3-1798-4541-abaf-9fd045080de1", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28630080", + "controller-uid": "69a3dfd3-1798-4541-abaf-9fd045080de1", + "job-name": "neuvector-updater-pod-28630080", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28630080-nk5f5", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28630080", + "uid": "69a3dfd3-1798-4541-abaf-9fd045080de1" + } + ], + "resourceVersion": "39926", + "uid": "f3c05205-e1b8-43a5-95dd-cd1b1c02bc0a" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, 
+ { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": 
"TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + 
"name": "kube-api-access-htlkn", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + 
"terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-htlkn", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-htlkn", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + 
{ + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:47Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-08T11:31:45Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://d9347e9017d5617a7de62560cf88ef083c8ada121d990de1f018f99bd14679ca", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://d9347e9017d5617a7de62560cf88ef083c8ada121d990de1f018f99bd14679ca", + "exitCode": 0, + "finishedAt": "2024-06-08T11:48:39Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:47Z" + } + } + }, + { + "containerID": "containerd://ee6790449c2b5e20ed19274f3a62702d326fa3121e4647bb09e09417591b9178", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { 
+ "terminated": { + "containerID": "containerd://ee6790449c2b5e20ed19274f3a62702d326fa3121e4647bb09e09417591b9178", + "exitCode": 0, + "finishedAt": "2024-06-08T11:31:48Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:48Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://29f61aa06527ee52396a19aa736ddc72af53e22473846388985dffc5150f7072", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://29f61aa06527ee52396a19aa736ddc72af53e22473846388985dffc5150f7072", + "exitCode": 0, + "finishedAt": "2024-06-08T11:31:46Z", + "reason": "Completed", + "startedAt": "2024-06-08T11:31:46Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.63", + "podIPs": [ + { + "ip": "10.42.0.63" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-08T11:31:45Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + 
"uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-10T00:55:32Z", + "generateName": "neuvector-updater-pod-28632960-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28632960", + "controller-uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d", + "job-name": "neuvector-updater-pod-28632960", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28632960-srlcm", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28632960", + "uid": "8373aa55-0ea9-49f1-b9b8-97bdded4f35d" + } + ], + "resourceVersion": "86760", + "uid": "1986d29e-0aae-4950-ad47-f0aafa4731da" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + 
"valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + 
"cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": 
"neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-lk4bq", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + 
"operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-lk4bq", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:33Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + 
"lastTransitionTime": "2024-06-10T00:55:32Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T00:55:32Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://bf16d1f44e578b7dc9799c600d907aa1ba6cd8da18ad9160441b047f0565e15a", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bf16d1f44e578b7dc9799c600d907aa1ba6cd8da18ad9160441b047f0565e15a", + "exitCode": 0, + "finishedAt": "2024-06-10T01:00:14Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:33Z" + } + } + }, + { + "containerID": "containerd://c633a58176a56e81c28a3f6dd89df85c7510f30d83e31aeb49dea202542f67e7", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://c633a58176a56e81c28a3f6dd89df85c7510f30d83e31aeb49dea202542f67e7", + "exitCode": 0, + "finishedAt": "2024-06-10T00:55:34Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:34Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://b22e1a4cc3028ccab180463eb23d8e5bb60b95fbb89be72c0c9cc56b90b69197", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + 
"name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://b22e1a4cc3028ccab180463eb23d8e5bb60b95fbb89be72c0c9cc56b90b69197", + "exitCode": 0, + "finishedAt": "2024-06-10T00:55:33Z", + "reason": "Completed", + "startedAt": "2024-06-10T00:55:32Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.67", + "podIPs": [ + { + "ip": "10.42.0.67" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-10T00:55:32Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "checksum/config": "a54b4b978607806a73c1e79d416367816e4d9407c7f1cffa13519cfc40a654fc", + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "promtail", + "kubectl.kubernetes.io/default-logs-container": "promtail", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded", + "uds-core.pepr.dev/uds-core-policies.DisallowPrivileged": "exempted", + "uds-core.pepr.dev/uds-core-policies.RequireNonRootUser": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictHostPathWrite": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictSELinuxType": "exempted", + "uds-core.pepr.dev/uds-core-policies.RestrictVolumeTypes": "exempted" + }, + "creationTimestamp": "2024-06-07T14:41:06Z", + "generateName": "promtail-", + "labels": { + "app.kubernetes.io/instance": "promtail", + "app.kubernetes.io/name": "promtail", + "controller-revision-hash": "7fdf7b776f", + "pod-template-generation": "1", + 
"security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "promtail", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "promtail-zkfwh", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "DaemonSet", + "name": "promtail", + "uid": "a2aecb14-ea43-49fd-86c3-d8d5e196c826" + } + ], + "resourceVersion": "87037", + "uid": "5db68d80-533b-4d72-a5ea-560a3363b9af" + }, + "spec": { + "affinity": { + "nodeAffinity": { + "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchFields": [ + { + "key": "metadata.name", + "operator": "In", + "values": [ + "k3d-uds-server-0" + ] + } + ] + } + ] + } + } + }, + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": 
"{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n {\"name\":\"http-metrics\",\"containerPort\":3101,\"protocol\":\"TCP\"}\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "promtail" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "promtail" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/promtail/daemonsets/promtail" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + }, + { + "name": "ISTIO_KUBE_APP_PROBERS", + "value": "{\"/app-health/promtail/readyz\":{\"httpGet\":{\"path\":\"/ready\",\"port\":3101,\"scheme\":\"HTTP\"},\"timeoutSeconds\":1}}" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + 
"cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + }, + { + "args": [ + "-config.file=/etc/promtail/promtail.yaml", + "-config.expand-env=true" + ], + "env": [ + { + "name": "HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "NODE_HOSTNAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + } + ], + "image": "127.0.0.1:31999/grafana/promtail:2.9.6-zarf-1225602080", + "imagePullPolicy": "IfNotPresent", + "name": "promtail", + "ports": [ + { + "containerPort": 3101, + "name": "http-metrics", + "protocol": "TCP" + } + ], + "readinessProbe": { + 
"failureThreshold": 5, + "httpGet": { + "path": "/app-health/promtail/readyz", + "port": 15020, + "scheme": "HTTP" + }, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 1 + }, + "resources": { + "limits": { + "cpu": "500m", + "memory": "750Mi" + }, + "requests": { + "cpu": "100m", + "memory": "256Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsUser": 0, + "seLinuxOptions": { + "type": "spc_t" + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/etc/promtail", + "name": "config" + }, + { + "mountPath": "/run/promtail", + "name": "run" + }, + { + "mountPath": "/var/lib/docker/containers", + "name": "containers", + "readOnly": true + }, + { + "mountPath": "/var/log/pods", + "name": "pods", + "readOnly": true + }, + { + "mountPath": "/var/log", + "name": "varlog", + "readOnly": true + }, + { + "mountPath": "/etc/machine-id", + "name": "machine-id", + "readOnly": true, + "subPath": "machine-id" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + 
"allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-scgmx", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 0, + "runAsUser": 0 + }, + "serviceAccount": "promtail", + "serviceAccountName": "promtail", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/master", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node-role.kubernetes.io/control-plane", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists" + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/disk-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/memory-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/pid-pressure", + "operator": "Exists" + }, + { + "effect": "NoSchedule", + "key": "node.kubernetes.io/unschedulable", + "operator": "Exists" + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + 
"downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "config", + "secret": { + "defaultMode": 420, + "secretName": "promtail" + } + }, + { + "hostPath": { + "path": "/run/promtail", + "type": "" + }, + "name": "run" + }, + { + "hostPath": { + "path": "/var/lib/docker/containers", + "type": "" + }, + "name": "containers" + }, + { + "hostPath": { + "path": "/var/log/pods", + "type": "" + }, + "name": "pods" + }, + { + "hostPath": { + "path": "/var/log", + "type": "" + }, + "name": "varlog" + }, + { + "hostPath": { + "path": "/etc", + "type": "" + }, + "name": "machine-id" + }, + { + "name": "kube-api-access-scgmx", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:07Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-10T01:06:08Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": 
"2024-06-10T01:06:08Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-07T14:41:06Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://1dc041a71a446c38cdc81140347809723b69c991cf5411cc1d16ffc8d9bf2841", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:07Z" + } + } + }, + { + "containerID": "containerd://f9860f638119e65159c9d69c8388948029967b934bdc418639cac5c8cddd27f7", + "image": "127.0.0.1:31999/grafana/promtail:2.9.6-zarf-1225602080", + "imageID": "127.0.0.1:31999/grafana/promtail@sha256:1b407c081c4da6e32489b21aa2972b1621f4daf10c94e8404d1cd90517f3750e", + "lastState": {}, + "name": "promtail", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-07T14:41:18Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://96b2c6ab5ca922aaf00fc6921ae36994ef2051c744f180fbd1420a2e744add7c", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://96b2c6ab5ca922aaf00fc6921ae36994ef2051c744f180fbd1420a2e744add7c", + "exitCode": 0, + "finishedAt": "2024-06-07T14:41:06Z", + "reason": "Completed", + "startedAt": "2024-06-07T14:41:06Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.54", + "podIPs": [ + { + "ip": "10.42.0.54" + } + ], 
+ "qosClass": "Burstable", + "startTime": "2024-06-07T14:41:06Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:47Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-rf24r", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138526", + "uid": "1ba0dcf8-45d3-4393-92b1-00817ec2493b" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": 
"PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + 
"value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": 
"/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-98vks", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": 
"Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-98vks", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + 
"lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:47Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:50Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:50Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:47Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://647e5e933b75f3e70c893a63f96d513cd0b623445dc5d429939d1354fb03cc94", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:47Z" + } + } + }, + { + "containerID": "containerd://5c51efbb71dc083324abfc457ce7eed5c0cbe57af2cd09fcfe169e2d99a58736", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:49Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://c326c54f411815f5683dfd974c736f517b0e87592c961bdf5ae25d4b339df2c5", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": 
"containerd://c326c54f411815f5683dfd974c736f517b0e87592c961bdf5ae25d4b339df2c5", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:47Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.72", + "podIPs": [ + { + "ip": "10.42.0.72" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:47Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-updater-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-updater-pod", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\",\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:44Z", + "generateName": "neuvector-updater-pod-28634400-", + "labels": { + "app": "neuvector-updater-pod", + "batch.kubernetes.io/controller-uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4", + "batch.kubernetes.io/job-name": "neuvector-updater-pod-28634400", + "controller-uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4", + "job-name": "neuvector-updater-pod-28634400", + "release": "core", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-updater-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-updater-pod-28634400-v9nc8", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": 
"batch/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "Job", + "name": "neuvector-updater-pod-28634400", + "uid": "5d3ea4c8-1beb-4807-8370-1ea6cd8580a4" + } + ], + "resourceVersion": "138550", + "uid": "62475b5a-c8be-4be5-8060-b70fc86461d6" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-updater-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + 
"name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-updater-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/batch/v1/namespaces/neuvector/cronjobs/neuvector-updater-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + 
"name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + }, + { + "command": [ + "/bin/sh", + "-c", + "/usr/bin/curl -kv -X PATCH -H \"Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)\" -H \"Content-Type:application/strategic-merge-patch+json\" -d '{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"'`date +%Y-%m-%dT%H:%M:%S%z`'\"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod'" + ], + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imagePullPolicy": "Always", + "name": "neuvector-updater-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": 
"127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-ddtp7", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Never", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "updater", + "serviceAccountName": "updater", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": 
"annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-ddtp7", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:45Z", + "reason": "PodCompleted", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "reason": "PodCompleted", + "status": "False", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "reason": "PodCompleted", + "status": "False", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:44Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://31cd2632709a932190127d542486373c4e430c0283272027ce62d87da1d15297", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": 
"containerd://31cd2632709a932190127d542486373c4e430c0283272027ce62d87da1d15297", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:45Z" + } + } + }, + { + "containerID": "containerd://7bbe44f88ba5d60455901cf3d72b062febd747ea00d8f86eaa09e0e319609564", + "image": "127.0.0.1:31999/neuvector/updater:latest-zarf-2735231738", + "imageID": "127.0.0.1:31999/neuvector/updater@sha256:60a8546b96ae2e702dcdac424db81566ebe28e2e2fc1449bf188dda0cad6aee3", + "lastState": {}, + "name": "neuvector-updater-pod", + "ready": false, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://7bbe44f88ba5d60455901cf3d72b062febd747ea00d8f86eaa09e0e319609564", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:47Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:46Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://0f86c6046ed396b80875c078e48cabbc9f1f62c26d60915837af8abb12cecb42", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://0f86c6046ed396b80875c078e48cabbc9f1f62c26d60915837af8abb12cecb42", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:45Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:45Z" + } + } + } + ], + "phase": "Succeeded", + "podIP": "10.42.0.71", + "podIPs": [ + { + "ip": "10.42.0.71" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:44Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + 
"kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:51Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-cwktq", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138586", + "uid": "5b0b8948-e33f-4297-8925-1a61c7291ccc" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + "--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": 
"POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": "kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + 
"command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + "name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": 
"127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-fhcbk", + "readOnly": true + } + ] + } + ], + "nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + 
"terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-fhcbk", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:53Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + 
"type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:51Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://798c5d64425e4e8b2c7ccc7c62261c243f0c8aadef350586b990f1613a75fb99", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:54Z" + } + } + }, + { + "containerID": "containerd://70ae20d4a72d5e82acaec8f9578e2848b7caa87bb655cfa7a354bcb9d4761075", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:25:56Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://bdf5ff10ecc5803860394337c1292e6ecf70697237c475d45f3709f9be182c22", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://bdf5ff10ecc5803860394337c1292e6ecf70697237c475d45f3709f9be182c22", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:53Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:53Z" + } + } + } + ], + 
"phase": "Running", + "podIP": "10.42.0.73", + "podIPs": [ + { + "ip": "10.42.0.73" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:51Z" + } + }, + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "annotations": { + "istio.io/rev": "default", + "kubectl.kubernetes.io/default-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/default-logs-container": "neuvector-scanner-pod", + "kubectl.kubernetes.io/restartedAt": "2024-06-11T07:25:47+0000", + "prometheus.io/path": "/stats/prometheus", + "prometheus.io/port": "15020", + "prometheus.io/scrape": "true", + "sidecar.istio.io/status": "{\"initContainers\":[\"istio-init\"],\"containers\":[\"istio-proxy\"],\"volumes\":[\"workload-socket\",\"credential-socket\",\"workload-certs\",\"istio-envoy\",\"istio-data\",\"istio-podinfo\",\"istio-token\",\"istiod-ca-cert\"],\"imagePullSecrets\":null,\"revision\":\"default\"}", + "uds-core.pepr.dev/mutated": "[\"require-non-root-user\",\"drop-all-capabilities\"]", + "uds-core.pepr.dev/uds-core-policies": "succeeded" + }, + "creationTimestamp": "2024-06-11T07:25:58Z", + "generateName": "neuvector-scanner-pod-b5d7d59f-", + "labels": { + "app": "neuvector-scanner-pod", + "pod-template-hash": "b5d7d59f", + "security.istio.io/tlsMode": "istio", + "service.istio.io/canonical-name": "neuvector-scanner-pod", + "service.istio.io/canonical-revision": "latest", + "zarf-agent": "patched" + }, + "name": "neuvector-scanner-pod-b5d7d59f-2ql2b", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "apps/v1", + "blockOwnerDeletion": true, + "controller": true, + "kind": "ReplicaSet", + "name": "neuvector-scanner-pod-b5d7d59f", + "uid": "b7559932-31e0-471e-91c0-f91c55c4e223" + } + ], + "resourceVersion": "138639", + "uid": "bb6e8ac5-e279-4a60-b8be-48fad5c09ad0" + }, + "spec": { + "containers": [ + { + "args": [ + "proxy", + "sidecar", + "--domain", + "$(POD_NAMESPACE).svc.cluster.local", + "--proxyLogLevel=warning", + 
"--proxyComponentLogLevel=misc:error", + "--log_output_level=default:info" + ], + "env": [ + { + "name": "PILOT_CERT_PROVIDER", + "value": "istiod" + }, + { + "name": "CA_ADDR", + "value": "istiod.istio-system.svc:15012" + }, + { + "name": "POD_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.name" + } + } + }, + { + "name": "POD_NAMESPACE", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.namespace" + } + } + }, + { + "name": "INSTANCE_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.podIP" + } + } + }, + { + "name": "SERVICE_ACCOUNT", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.serviceAccountName" + } + } + }, + { + "name": "HOST_IP", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "status.hostIP" + } + } + }, + { + "name": "ISTIO_CPU_LIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "PROXY_CONFIG", + "value": "{\"gatewayTopology\":{\"forwardClientCertDetails\":\"SANITIZE\"},\"holdApplicationUntilProxyStarts\":true}\n" + }, + { + "name": "ISTIO_META_POD_PORTS", + "value": "[\n]" + }, + { + "name": "ISTIO_META_APP_CONTAINERS", + "value": "neuvector-scanner-pod" + }, + { + "name": "GOMEMLIMIT", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.memory" + } + } + }, + { + "name": "GOMAXPROCS", + "valueFrom": { + "resourceFieldRef": { + "divisor": "0", + "resource": "limits.cpu" + } + } + }, + { + "name": "ISTIO_META_CLUSTER_ID", + "value": "Kubernetes" + }, + { + "name": "ISTIO_META_NODE_NAME", + "valueFrom": { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "spec.nodeName" + } + } + }, + { + "name": "ISTIO_META_INTERCEPTION_MODE", + "value": "REDIRECT" + }, + { + "name": "ISTIO_META_WORKLOAD_NAME", + "value": "neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_OWNER", + "value": 
"kubernetes://apis/apps/v1/namespaces/neuvector/deployments/neuvector-scanner-pod" + }, + { + "name": "ISTIO_META_MESH_ID", + "value": "cluster.local" + }, + { + "name": "TRUST_DOMAIN", + "value": "cluster.local" + } + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "lifecycle": { + "postStart": { + "exec": { + "command": [ + "pilot-agent", + "wait" + ] + } + } + }, + "name": "istio-proxy", + "ports": [ + { + "containerPort": 15090, + "name": "http-envoy-prom", + "protocol": "TCP" + } + ], + "readinessProbe": { + "failureThreshold": 4, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 15, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsGroup": 1337, + "runAsNonRoot": true, + "runAsUser": 1337 + }, + "startupProbe": { + "failureThreshold": 600, + "httpGet": { + "path": "/healthz/ready", + "port": 15021, + "scheme": "HTTP" + }, + "periodSeconds": 1, + "successThreshold": 1, + "timeoutSeconds": 3 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/workload-spiffe-uds", + "name": "workload-socket" + }, + { + "mountPath": "/var/run/secrets/credential-uds", + "name": "credential-socket" + }, + { + "mountPath": "/var/run/secrets/workload-spiffe-credentials", + "name": "workload-certs" + }, + { + "mountPath": "/var/run/secrets/istio", + "name": "istiod-ca-cert" + }, + { + "mountPath": "/var/lib/istio/data", + "name": "istio-data" + }, + { + "mountPath": "/etc/istio/proxy", + "name": "istio-envoy" + }, + { + "mountPath": "/var/run/secrets/tokens", + 
"name": "istio-token" + }, + { + "mountPath": "/etc/istio/pod", + "name": "istio-podinfo" + }, + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + }, + { + "env": [ + { + "name": "CLUSTER_JOIN_ADDR", + "value": "neuvector-svc-controller.neuvector" + } + ], + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imagePullPolicy": "Always", + "name": "neuvector-scanner-pod", + "resources": {}, + "securityContext": { + "capabilities": { + "drop": [ + "ALL" + ] + } + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + } + ], + "dnsPolicy": "ClusterFirst", + "enableServiceLinks": true, + "imagePullSecrets": [ + { + "name": "private-registry" + } + ], + "initContainers": [ + { + "args": [ + "istio-iptables", + "-p", + "15001", + "-z", + "15006", + "-u", + "1337", + "-m", + "REDIRECT", + "-i", + "*", + "-x", + "", + "-b", + "*", + "-d", + "15090,15021,15020", + "--log_output_level=default:info" + ], + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imagePullPolicy": "IfNotPresent", + "name": "istio-init", + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ], + "drop": [ + "ALL" + ] + }, + "privileged": false, + "readOnlyRootFilesystem": false, + "runAsGroup": 0, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePath": "/dev/termination-log", + "terminationMessagePolicy": "File", + "volumeMounts": [ + { + "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount", + "name": "kube-api-access-8fdrp", + "readOnly": true + } + ] + } + ], + 
"nodeName": "k3d-uds-server-0", + "preemptionPolicy": "PreemptLowerPriority", + "priority": 0, + "restartPolicy": "Always", + "schedulerName": "default-scheduler", + "securityContext": { + "runAsGroup": 1000, + "runAsNonRoot": true, + "runAsUser": 1000 + }, + "serviceAccount": "scanner", + "serviceAccountName": "scanner", + "terminationGracePeriodSeconds": 30, + "tolerations": [ + { + "effect": "NoExecute", + "key": "node.kubernetes.io/not-ready", + "operator": "Exists", + "tolerationSeconds": 300 + }, + { + "effect": "NoExecute", + "key": "node.kubernetes.io/unreachable", + "operator": "Exists", + "tolerationSeconds": 300 + } + ], + "volumes": [ + { + "emptyDir": {}, + "name": "workload-socket" + }, + { + "emptyDir": {}, + "name": "credential-socket" + }, + { + "emptyDir": {}, + "name": "workload-certs" + }, + { + "emptyDir": { + "medium": "Memory" + }, + "name": "istio-envoy" + }, + { + "emptyDir": {}, + "name": "istio-data" + }, + { + "downwardAPI": { + "defaultMode": 420, + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.labels" + }, + "path": "labels" + }, + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": "metadata.annotations" + }, + "path": "annotations" + } + ] + }, + "name": "istio-podinfo" + }, + { + "name": "istio-token", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "audience": "istio-ca", + "expirationSeconds": 43200, + "path": "istio-token" + } + } + ] + } + }, + { + "configMap": { + "defaultMode": 420, + "name": "istio-ca-root-cert" + }, + "name": "istiod-ca-cert" + }, + { + "name": "kube-api-access-8fdrp", + "projected": { + "defaultMode": 420, + "sources": [ + { + "serviceAccountToken": { + "expirationSeconds": 3607, + "path": "token" + } + }, + { + "configMap": { + "items": [ + { + "key": "ca.crt", + "path": "ca.crt" + } + ], + "name": "kube-root-ca.crt" + } + }, + { + "downwardAPI": { + "items": [ + { + "fieldRef": { + "apiVersion": "v1", + "fieldPath": 
"metadata.namespace" + }, + "path": "namespace" + } + ] + } + } + ] + } + } + ] + }, + "status": { + "conditions": [ + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:00Z", + "status": "True", + "type": "Initialized" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:05Z", + "status": "True", + "type": "Ready" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:26:05Z", + "status": "True", + "type": "ContainersReady" + }, + { + "lastProbeTime": null, + "lastTransitionTime": "2024-06-11T07:25:58Z", + "status": "True", + "type": "PodScheduled" + } + ], + "containerStatuses": [ + { + "containerID": "containerd://122a7872b5f34d96da8607e4020dfd7a80c98d44150dcae36e6cbc40f98a5b2d", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": "istio-proxy", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:26:00Z" + } + } + }, + { + "containerID": "containerd://be1e0c4652b178c5bab2265deb3118f095837420337b411619f5cb87e78e67d1", + "image": "127.0.0.1:31999/neuvector/scanner:latest-zarf-3299389045", + "imageID": "127.0.0.1:31999/neuvector/scanner@sha256:bd2056b7d73208d0a24ac464cee5cdc37e8fa8428df76b0b2f61f9530863cbd0", + "lastState": {}, + "name": "neuvector-scanner-pod", + "ready": true, + "restartCount": 0, + "started": true, + "state": { + "running": { + "startedAt": "2024-06-11T07:26:03Z" + } + } + } + ], + "hostIP": "172.19.0.3", + "initContainerStatuses": [ + { + "containerID": "containerd://8a954c6decc8bd6157607955078629f0d43b2629c89efd24900b5d317b92d547", + "image": "127.0.0.1:31999/istio/proxyv2:1.22.1-distroless-zarf-2656446571", + "imageID": "127.0.0.1:31999/istio/proxyv2@sha256:e6b5a980e618feb51144fe2056fb385946f63bbaabe845adb6862b756df9f23c", + "lastState": {}, + "name": 
"istio-init", + "ready": true, + "restartCount": 0, + "started": false, + "state": { + "terminated": { + "containerID": "containerd://8a954c6decc8bd6157607955078629f0d43b2629c89efd24900b5d317b92d547", + "exitCode": 0, + "finishedAt": "2024-06-11T07:25:59Z", + "reason": "Completed", + "startedAt": "2024-06-11T07:25:59Z" + } + } + } + ], + "phase": "Running", + "podIP": "10.42.0.74", + "podIPs": [ + { + "ip": "10.42.0.74" + } + ], + "qosClass": "Burstable", + "startTime": "2024-06-11T07:25:58Z" + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/prometheus-annotations-validation/tests.yaml b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml new file mode 100644 index 000000000..561af468c --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: grafana-pods-missing-annotations + validation: validation.yaml + resources: resources.json + permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations["prometheus.io/scrape"] = false else . end)' + expected-validation: false diff --git a/compliance/validations/istio/prometheus-annotations-validation/validation.yaml b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml new file mode 100644 index 000000000..7ef265e52 --- /dev/null +++ b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml 
@@ -0,0 +1,60 @@
+metadata:
+ name: istio-prometheus-annotations-validation
+ uuid: f345c359-3208-46fb-9348-959bd628301e
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: pods
+ resource-rule:
+ resource: pods
+ version: v1
+ namespaces: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Check for required Istio and Prometheus annotations
+ validate if {
+ has_prometheus_annotation.result
+ }
+
+ msg = has_prometheus_annotation.msg
+ msg_exempted_namespaces = concat(", ", exempt_namespaces)
+
+ # Check for prometheus annotations in pod spec
+ no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)]
+
+ has_prometheus_annotation = {"result": true, "msg": msg} if {
+ count(no_annotation) == 0
+ msg := "All pods have correct prometheus annotations."
+ } else = {"result": false, "msg": msg} if {
+ msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)])
+ }
+
+ contains_annotation(pod) if {
+ annotations := pod.metadata.annotations
+ annotations["prometheus.io/scrape"] == "true"
+ annotations["prometheus.io/path"] != ""
+ annotations["prometheus.io/port"] == "15020"
+ }
+
+ # Exemptions
+ exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"}
+
+ is_exempt(pod) if {
+ pod.metadata.namespace in exempt_namespaces
+ }
+
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
+ - validate.msg_exempted_namespaces
diff --git a/compliance/validations/istio/rbac-enforcement-check/README.md b/compliance/validations/istio/rbac-enforcement-check/README.md
new file mode 100644
index 000000000..22103df95
--- /dev/null
+++ b/compliance/validations/istio/rbac-enforcement-check/README.md
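Review bot: `contains_annotation` pins `prometheus.io/port` to `"15020"` (the Istio agent's merged-metrics port) but only requires `prometheus.io/path` to be non-empty, so a pod annotated with port 15020 and an unrelated path still passes. If the intent is to confirm scraping goes through the sidecar's merged endpoint, pin the path the same way, `annotations["prometheus.io/path"] == "/stats/prometheus"`, which is the value the injected pods in resources.json carry. The exemption set also hard-codes `uds-dev-stack`, which looks like a development-only namespace; a short comment above `exempt_namespaces` stating why each namespace is exempt would help whoever reviews this control later. Note that the preceding tests.yaml hunk never exercises `is_exempt`, so a case that strips the annotations from a pod in an exempt namespace and still expects `expected-validation: true` would pin that path, provided the fixture contains such a pod.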
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-rbac-enforcement-check
+
+**INPUT** - This validation collects AuthorizationPolicy resources from all namespaces in the Kubernetes cluster.
+
+**POLICY** - This policy checks that Istio RBAC is enforced by ensuring that AuthorizationPolicy resources are present in the cluster.
+
+**NOTES** - Ensure that the AuthorizationPolicy resources are correctly specified in the policy. The policy will fail if no AuthorizationPolicy resources are found.
\ No newline at end of file
diff --git a/compliance/validations/istio/rbac-enforcement-check/resources.json b/compliance/validations/istio/rbac-enforcement-check/resources.json
new file mode 100644
index 000000000..999d1ea81
--- /dev/null
+++ b/compliance/validations/istio/rbac-enforcement-check/resources.json
@@ -0,0 +1,177 @@ +{ + "authorizationPolicies": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:02Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1656", + "uid": "cda7ec8f-f7b7-4873-a1e2-5c6ec722f7e4" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3764", + "uid": "de7038cb-62fc-449e-b846-abab3432e39e" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + 
"protect": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "authservice", + "namespace": "istio-system", + "resourceVersion": "3767", + "uid": "5ca626af-4cd3-4652-90d5-3ab8b0d5d72c" + }, + "spec": { + "action": "CUSTOM", + "provider": { + "name": "authservice" + }, + "rules": [ + { + "when": [ + { + "key": "request.headers[authorization]", + "notValues": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/rbac-enforcement-check/tests.yaml b/compliance/validations/istio/rbac-enforcement-check/tests.yaml new file mode 100644 index 000000000..f12f79fae --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-authorization-policies + validation: validation.yaml + resources: resources.json + permutation: ".authorizationPolicies = []" + expected-validation: false diff --git a/compliance/validations/istio/rbac-enforcement-check/validation.yaml b/compliance/validations/istio/rbac-enforcement-check/validation.yaml new file mode 100644 index 000000000..866ded2ab --- /dev/null +++ b/compliance/validations/istio/rbac-enforcement-check/validation.yaml 
@@ -0,0 +1,42 @@
+metadata:
+ name: istio-rbac-enforcement-check
+ uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: authorizationPolicies
+ resource-rule:
+ group: security.istio.io
+ resource: authorizationpolicies
+ version: v1beta1
+ namespaces: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default values
+ default validate := false
+ default msg := "Istio RBAC not enforced: No authorization policies found."
+
+ # Evaluation for Istio Authorization Policies
+ validate if {
+ count(all_auth_policies) > 0
+ }
+
+ # Get all authorization policies
+ all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) |
+ authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" }
+
+ msg = "Istio RBAC enforced" if {
+ validate
+ }
+ msg_all_auth_policies = concat(", ", all_auth_policies)
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
+ - validate.msg_all_auth_policies
diff --git a/compliance/validations/istio/rbac-for-approved-personnel/README.md b/compliance/validations/istio/rbac-for-approved-personnel/README.md
new file mode 100644
index 000000000..e287175b1
--- /dev/null
+++ b/compliance/validations/istio/rbac-for-approved-personnel/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - istio-rbac-for-approved-personnel-PLACEHOLDER
+
+**INPUT** - This validation currently does not collect any resources.
+
+**POLICY** - This policy is a placeholder for checking RBAC for approved personnel.
+
+**NOTES** - The policy needs to be updated to include the necessary resources and logic to check for RBAC for approved personnel.
\ No newline at end of file
diff --git a/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml
new file mode 100644
index 000000000..5c3ee4d90
--- /dev/null
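Review bot: `validate` passes as soon as `count(all_auth_policies) > 0`, so a single namespace-scoped policy anywhere in the cluster (the fixture's `keycloak` DENY rule on its own would do) is reported as "Istio RBAC enforced" while every other workload may have no AuthorizationPolicy at all. If the control is meant to evidence mesh-wide enforcement, consider requiring a policy in the Istio root namespace (`istio-system` in the fixture) or, at minimum, a comment on the rule such as `# Presence check only: at least one AuthorizationPolicy exists somewhere in the cluster` so the limitation is recorded next to the logic. The `authPolicy.kind == "AuthorizationPolicy"` filter in the set comprehension is redundant given the resource rule already selects only `authorizationpolicies`, and dropping it shortens the rule without changing results.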
+++ b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml
@@ -0,0 +1,14 @@
+metadata:
+ name: istio-rbac-for-approved-personnel-PLACEHOLDER
+ uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources: []
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ default validate := false
diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md
new file mode 100644
index 000000000..60bd209cd
--- /dev/null
+++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/README.md
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - request-authenication-and-auth-policies-configured
+
+**INPUT** - This validation collects RequestAuthentication and AuthorizationPolicy resources from all namespaces in the Kubernetes cluster.
+
+**POLICY** - This policy checks that both RequestAuthentication and AuthorizationPolicy resources are configured correctly in the cluster.
+
+**NOTES** - Ensure that the RequestAuthentication and AuthorizationPolicy resources are correctly specified in the policy. The policy will fail if any of these resources are missing or improperly configured.
\ No newline at end of file
diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json
new file mode 100644
index 000000000..2f862bcb6
--- /dev/null
+++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/resources.json
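Review bot: This placeholder omits the `import rego.v1` line and the `output:` block (`output.validation: validate.validate`) that every other validation in this commit declares, so it depends on whatever default output path Lula applies; declaring both explicitly keeps the file consistent with its siblings and avoids a silent change if that default ever moves. The rule is fail-closed by construction (`default validate := false` with `resources: []`), which is the right behaviour for an unimplemented control, but nothing in the file says so. A comment above the rule, e.g. `# Placeholder: always evaluates false until resources and logic are added`, would make the PLACEHOLDER suffix self-explanatory when the file is read on its own.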
@@ -0,0 +1,212 @@ +{ + "authorizationPolicy": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "keycloak", + "meta.helm.sh/release-namespace": "keycloak" + }, + "creationTimestamp": "2024-06-07T14:37:02Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "keycloak-block-admin-access-from-public-gateway", + "namespace": "keycloak", + "resourceVersion": "1656", + "uid": "cda7ec8f-f7b7-4873-a1e2-5c6ec722f7e4" + }, + "spec": { + "action": "DENY", + "rules": [ + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/admin*", + "/realms/master*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "istio-admin-gateway", + "monitoring" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/metrics*" + ] + } + } + ] + }, + { + "from": [ + { + "source": { + "notNamespaces": [ + "pepr-system" + ] + } + } + ], + "to": [ + { + "operation": { + "paths": [ + "/realms/uds/clients-registrations/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "app.kubernetes.io/instance": "keycloak", + "app.kubernetes.io/name": "keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authz", + "namespace": "istio-system", + "resourceVersion": "3764", + "uid": "de7038cb-62fc-449e-b846-abab3432e39e" + }, + "spec": { + "rules": [ + { + "from": [ + { + "source": { + "requestPrincipals": [ + "https://login.uds.dev/auth/realms/doug/*" + ] + } + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": 
"keycloak" + } + } + } + }, + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "AuthorizationPolicy", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:13Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "authservice", + "namespace": "istio-system", + "resourceVersion": "3767", + "uid": "5ca626af-4cd3-4652-90d5-3ab8b0d5d72c" + }, + "spec": { + "action": "CUSTOM", + "provider": { + "name": "authservice" + }, + "rules": [ + { + "when": [ + { + "key": "request.headers[authorization]", + "notValues": [ + "*" + ] + } + ] + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ], + "requestAuthentication": [ + { + "apiVersion": "security.istio.io/v1beta1", + "kind": "RequestAuthentication", + "metadata": { + "annotations": { + "meta.helm.sh/release-name": "authservice", + "meta.helm.sh/release-namespace": "authservice" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "app.kubernetes.io/managed-by": "Helm" + }, + "name": "jwt-authn", + "namespace": "istio-system", + "resourceVersion": "3773", + "uid": "108e0c7d-15d5-429e-ab45-a8a0eda7aee0" + }, + "spec": { + "jwtRules": [ + { + "forwardOriginalToken": true, + "issuer": "https://login.uds.dev/auth/realms/doug", + "jwksUri": "https://login.uds.dev/auth/realms/doug/protocol/openid-connect/certs" + } + ], + "selector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml new file mode 100644 index 000000000..ba762915f --- /dev/null 
+++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/tests.yaml
@@ -0,0 +1,25 @@
+pass:
+ - test: default
+ validation: validation.yaml
+ resources: resources.json
+ expected-validation: true
+ - test: remove-jwt-rules
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.requestAuthentication[0].spec.jwtRules)"
+ expected-validation: false
+ - test: remove-auth-rules
+ validation: validation.yaml
+ resources: resources.json
+ permutation: "del(.authorizationPolicy[0].spec.rules)"
+ expected-validation: false
+ - test: remove-authorization-policies
+ validation: validation.yaml
+ resources: resources.json
+ permutation: ".authorizationPolicy = []"
+ expected-validation: false
+ - test: remove-request-authentications
+ validation: validation.yaml
+ resources: resources.json
+ permutation: ".requestAuthentication = []"
+ expected-validation: false
diff --git a/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml
new file mode 100644
index 000000000..acf733019
--- /dev/null
+++ b/compliance/validations/istio/request-authentication-and-auth-policies-configured-DEPRECATED/validation.yaml
@@ -0,0 +1,86 @@
+metadata:
+ name: request-authenication-and-auth-policies-configured
+ uuid: 3e217577-930e-4469-a999-1a5704b5cecb
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: requestAuthentication
+ resource-rule:
+ group: security.istio.io
+ resource: requestauthentications
+ namespaces: []
+ version: v1beta1
+ - name: authorizationPolicy
+ resource-rule:
+ group: security.istio.io
+ resource: authorizationpolicies
+ namespaces: []
+ version: v1beta1
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+
+ # Default policy result
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Validate both RequestAuthentication and AuthorizationPolicy are configured
+ validate {
+ authorization_policies_exist_and_configured.result
+ request_authentications_exist_and_configured.result
+ }
+
+ msg = concat(" ", [authorization_policies_exist_and_configured.msg, request_authentications_exist_and_configured.msg])
+
+ # Check AuthorizationPolicies exist and are configured
+ bad_auth_policies := {sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) |
+ authPolicy := input.authorizationPolicy[_]
+ authPolicy.kind == "AuthorizationPolicy"
+ authorization_policy_not_configured(authPolicy)
+ }
+
+ authorization_policy_not_configured(ap) {
+ # Check for missing or improperly configured rules
+ not ap.spec.rules
+ }
+
+ authorization_policies_exist_and_configured = {"result": true, "msg": msg} {
+ count(input.authorizationPolicy) > 0
+ count(bad_auth_policies) == 0
+ msg := "All AuthorizationPolicies properly configured."
+ } else = {"result": false, "msg": msg} {
+ count(input.authorizationPolicy) == 0
+ msg := "No AuthorizationPolicies found."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Some AuthorizationPolicies not properly configured: %v.", [concat(", ", bad_auth_policies)])
+ }
+
+ # Check RequestAuthentications exist and are configured
+ bad_request_authentications := {sprintf("%s/%s", [ra.metadata.namespace, ra.metadata.name]) |
+ ra := input.requestAuthentication[_]
+ ra.kind == "RequestAuthentication"
+ request_authentication_not_configured(ra)
+ }
+
+ request_authentication_not_configured(ra) {
+ # Check for missing or improperly configured JWT rules
+ not ra.spec.jwtRules
+ }
+
+ request_authentications_exist_and_configured = {"result": true, "msg": msg} {
+ count(input.requestAuthentication) > 0
+ count(bad_request_authentications) == 0
+ msg := "All RequestAuthentications properly configured."
+ } else = {"result": false, "msg": msg} {
+ count(input.requestAuthentication) == 0
+ msg := "No RequestAuthentications found."
+ } else = {"result": false, "msg": msg} {
+ msg := sprintf("Some RequestAuthentications not properly configured: %v.", [concat(", ", bad_request_authentications)])
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
diff --git a/compliance/validations/istio/secure-communication-with-istiod/README.md b/compliance/validations/istio/secure-communication-with-istiod/README.md
new file mode 100644
index 000000000..6d2ea4b5b
--- /dev/null
+++ b/compliance/validations/istio/secure-communication-with-istiod/README.md
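Review bot: This Rego is written in v0 syntax — `validate {`, `authorization_policy_not_configured(ap) {` and the `else = {...} {` rule heads — with no `import rego.v1`, while the other validations added in this commit use `import rego.v1` with `if`; once the evaluator picks up OPA's v1 defaults this file will presumably stop parsing, and the five cases in its tests.yaml would then error rather than exercise the logic. Since the directory is marked DEPRECATED, either port the heads (`validate if {`, `... = {...} if {`, `} else := {...} if {`) or say in the README that the file is retained for history and is not evaluated. The helper `authorization_policy_not_configured(ap)` only catches an absent `spec.rules`; a policy with `rules: []` is a defined value, so `not ap.spec.rules` does not flag it, which may be intended since Istio treats an ALLOW policy with no rules as deny-all, but the comment `# Check for missing or improperly configured rules` overstates what is checked and should read `# Flags only a missing spec.rules; an empty rules list is accepted`. The same applies to `request_authentication_not_configured(ra)` and its `jwtRules` comment.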
@@ -0,0 +1,9 @@
+# README.md
+
+**NAME** - secure-communication-with-istiod
+
+**INPUT** - This validation collects NetworkPolicy resources from all namespaces in the Kubernetes cluster.
+
+**POLICY** - This policy checks that NetworkPolicies are correctly configured for istiod egress in the required namespaces. Specifically, it verifies that the NetworkPolicies have the expected port (15012) and protocol (TCP) for istiod egress. It also ensures that these configurations are present in the required namespaces and not in any improper namespaces.
+
+**NOTES** - The required namespaces for the NetworkPolicies are: "authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "promtail", "velero".
diff --git a/compliance/validations/istio/secure-communication-with-istiod/resources.json b/compliance/validations/istio/secure-communication-with-istiod/resources.json
new file mode 100644
index 000000000..6c5ea9b1c
--- /dev/null
+++ b/compliance/validations/istio/secure-communication-with-istiod/resources.json
@@ -0,0 +1,4751 @@ +{ + "networkPolicies": [ + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-dns-lookup-via-coredns", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1525", + "uid": "9b55a9ee-3344-4c53-86f5-99d89fc02d6e" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-istiod-communication", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1526", + "uid": "9103ec43-cfb8-4d13-b30f-43f8b35c4169" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], 
+ "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-ingress-sidecar-monitoring", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1527", + "uid": "a266a52b-fd6a-4578-8a04-6bd9d4aa8f1e" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-metrics-server-anywhere", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1528", + "uid": "046927d4-7346-454d-9c54-94b92977a398" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ], + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": 
[ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-ingress-metrics-server-anywhere", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "1530", + "uid": "84aaea33-0b7a-4e1f-9aa3-93a893c51e11" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-dns-lookup-via-coredns", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1671", + "uid": "946dd3b8-bc7c-4acf-87de-353322dcb705" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": 
"networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-istiod-communication", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1678", + "uid": "df03af54-f57b-4cbc-898f-03dbc2dc3890" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-sidecar-monitoring", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1682", + "uid": "bb3b9dcc-a1df-441f-ab8c-53de750d30c2" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + 
"kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "UDS Operator" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-uds-operator", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1683", + "uid": "58948be1-896c-4177-bbad-5e02b89ee0b4" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "pepr-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "pepr-uds-core-watcher" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Keycloak backchannel access" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-backchannel-access", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1684", + "uid": "1789f83a-6b30-49f3-9b6c-e20858481dd7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] 
+ } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "OCSP Lookup" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-egress-ocsp-lookup", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1685", + "uid": "fba85bc8-5dfe-41c2-8436-fadf59f59dda" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 443, + "protocol": "TCP" + }, + { + "port": 80, + "protocol": "TCP" + } + ], + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "keycloak Istio tenant gateway" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-istio-tenant-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1686", + "uid": "10aed744-db64-4daa-868e-b1a44bfcb66a" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-tenant-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "tenant-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": 
{ + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "keycloak Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-keycloak-istio-admin-gateway", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1687", + "uid": "f414ac16-c301-4472-8b6c-60e3382fd6f3" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "http,keycloak Metrics" + }, + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "allow-keycloak-ingress-http-keycloak-metrics", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "1688", + "uid": "a165fcc5-7b63-4f67-a0f5-f214493a3387" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + 
"matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "keycloak" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-dns-lookup-via-coredns", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1916", + "uid": "004eea79-71b9-45d5-9ceb-ea57acfb6e27" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-istiod-communication", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1917", + "uid": "e7bfd8ab-f0a9-405f-8bbc-a3745c108e93" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + 
"namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-sidecar-monitoring", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1918", + "uid": "ba445407-9e39-4d6e-b29f-93403e58b867" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Webhook" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-webhook", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1925", + "uid": "bb131aa5-77bd-4298-92ae-07bada798e1e" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] 
+ } + } + ], + "ports": [ + { + "port": 30443, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-tempo", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1926", + "uid": "f7dbab02-de2d-4cf2-8396-e1b1a83df964" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "neuvector-manager-pod Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-neuvector-manager-pod-istio-admin-gateway", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "1927", + "uid": "39be918e-aff5-4ab4-845a-2c091eda94ce" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } 
+ }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 8443, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-manager-pod" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-dns-lookup-via-coredns", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2386", + "uid": "d901089d-7fd0-43f2-86d5-a70e5ddb6e4d" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-istiod-communication", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2387", + "uid": "88590deb-8725-479a-ac63-145ee3b783d6" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { 
+ "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-sidecar-monitoring", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2388", + "uid": "2bbd00b4-fbae-4686-ba70-8e75ca8b6136" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Grafana Log Queries" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-grafana-log-queries", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2391", + "uid": "7af2c554-1698-4f34-a9a0-1017a65d2e82" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "grafana" + } + } + }, + { + "podSelector": { + "matchLabels": { + 
"app.kubernetes.io/name": "grafana" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-prometheus-metrics", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2392", + "uid": "b40f0657-bc46-4d03-941c-45b7e2458b47" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3100, + "protocol": "TCP" + }, + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Promtail Log Storage" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-promtail-log-storage", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2394", + "uid": "c035b1ed-16c1-4a53-81a6-df94e2ac3248" + }, + "spec": { + "ingress": [ + { + "from": [ + { + 
"namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "promtail" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + } + } + ], + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-tempo", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "2396", + "uid": "55eb91b4-d223-4051-8ee0-1120bc0f10b3" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-dns-lookup-via-coredns", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2868", + "uid": "43efd06f-7785-4053-987d-95452545e42c" + }, + "spec": 
{ + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-istiod-communication", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2869", + "uid": "ac0cc2fa-39c4-4c6e-8c1a-b0caa96ec828" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-sidecar-monitoring", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2870", + "uid": 
"96c427b0-8b40-447c-ab8e-e0a3f9f71923" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Webhook" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-webhook", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2879", + "uid": "0f1fcef1-99d8-4fcf-ab3b-3319fd613463" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ], + "ports": [ + { + "port": 10250, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Grafana Metrics Queries" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-grafana-metrics-queries", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": 
"2881", + "uid": "5b2b669b-42ab-4a0d-aa89-254a545d7bd9" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "grafana" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + } + } + ], + "ports": [ + { + "port": 9090, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-tempo", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "2882", + "uid": "f56b6b6d-cbf3-446c-b9fd-d03aa2e27bf0" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-dns-lookup-via-coredns", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": 
"1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3427", + "uid": "ae38b310-a500-4199-b5e8-eaa05e50af83" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-istiod-communication", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3428", + "uid": "2f64b3ec-29db-4ccc-ae2b-da45c01b31bb" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-sidecar-monitoring", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": 
"1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3429", + "uid": "b3101049-323d-45e9-91b4-a542f645821b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-prometheus-metrics", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3430", + "uid": "52c0d085-bc1d-4577-a861-97a9727c790b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3101, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-tempo", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" 
+ } + ], + "resourceVersion": "3432", + "uid": "f9704a6a-2a83-4c90-86b8-f543e38839dd" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Write Logs to Loki" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-write-logs-to-loki", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3433", + "uid": "e5ecbbc4-7e90-4819-ab97-f078244785ce" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 8080, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "loki" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "promtail Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-ingress-promtail-metrics", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": 
"1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "3434", + "uid": "757f4a86-51b9-4057-b7c6-c5e1fbd8d32a" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3101, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "promtail" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-dns-lookup-via-coredns", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3601", + "uid": "5be3c893-cf9d-4e2e-9fc3-c5d10933908f" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-istiod-communication", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": 
"Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3602", + "uid": "07968bea-ab81-4e17-a9cd-bbde317776c6" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-sidecar-monitoring", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3603", + "uid": "dd2336fa-2119-4a58-a3b4-4f9c0dfe71b8" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo Datasource" + }, + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-tempo-datasource", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": 
"eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3604", + "uid": "f4f5a07e-01cd-4d77-8ec2-3338bb5c4590" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ], + "ports": [ + { + "port": 9090, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Tempo" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-tempo", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3606", + "uid": "79d52a98-23a9-4b19-8270-e1e7679d0275" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 9411, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "tempo" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "tempo" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "grafana Istio admin gateway" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-grafana-istio-admin-gateway", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", 
+ "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3608", + "uid": "f5b474c3-d943-4bae-a77a-72b225fe7f61" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-admin-gateway" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "admin-ingressgateway" + } + } + } + ], + "ports": [ + { + "port": 3000, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "grafana Metrics" + }, + "creationTimestamp": "2024-06-07T14:41:44Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-ingress-grafana-metrics", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "3615", + "uid": "24a89a49-4261-4df3-ada8-1f70511b7a9b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 3000, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": 
"allow-authservice-egress-dns-lookup-via-coredns", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3779", + "uid": "18a6dadf-f1e3-4466-add1-0d852b8ff529" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-istiod-communication", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3782", + "uid": "e922febc-a442-415c-83e8-ce53b653ba44" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": 
"allow-authservice-ingress-sidecar-monitoring", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3783", + "uid": "1f7a1385-b33c-4cdb-b165-912471696796" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Protected Apps" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-protected-apps", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "3787", + "uid": "7334e55f-45b2-47f4-bdec-2b7a53177f97" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": {} + }, + { + "podSelector": { + "matchLabels": { + "protect": "keycloak" + } + } + } + ], + "ports": [ + { + "port": 10003, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "authservice" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "DNS lookup via CoreDNS" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": 
"allow-velero-egress-dns-lookup-via-coredns", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3897", + "uid": "3a9fda9e-59ca-432d-9f2a-3775443cf964" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 53, + "protocol": "UDP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "kube-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "k8s-app": "kube-dns" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Istiod communication" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-istiod-communication", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3898", + "uid": "7315782c-a390-42ea-9c52-7e4f28e3c15c" + }, + "spec": { + "egress": [ + { + "ports": [ + { + "port": 15012, + "protocol": "TCP" + } + ], + "to": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "istio-system" + } + } + }, + { + "podSelector": { + "matchLabels": { + "istio": "pilot" + } + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Sidecar monitoring" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-ingress-sidecar-monitoring", + 
"namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3899", + "uid": "1a5f853e-518d-4b4f-bd79-89e7fa52332b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 15020, + "protocol": "TCP" + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Prometheus Metrics" + }, + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 1, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-ingress-prometheus-metrics", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "3905", + "uid": "642b650d-daee-46c9-98b3-0732e1cfb2b7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "namespaceSelector": { + "matchLabels": { + "kubernetes.io/metadata.name": "monitoring" + } + } + }, + { + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + } + } + ], + "ports": [ + { + "port": 8085, + "protocol": "TCP" + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "velero" + } + }, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:34Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "deny-metrics-server-default", + "namespace": "metrics-server", + "ownerReferences": [ 
+ { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "174925", + "uid": "ddd12bef-6fdc-4a5f-a14a-f2241377233e" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:36:35Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "metrics-server" + }, + "name": "allow-metrics-server-egress-metrics-server-kubeapi", + "namespace": "metrics-server", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "metrics-server", + "uid": "be44af9c-845b-41b4-9b4b-3aa9899d3076" + } + ], + "resourceVersion": "174926", + "uid": "9acffae9-2899-45c7-9845-ec14d72661c9" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "metrics-server" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:37:03Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "keycloak" + }, + "name": "deny-keycloak-default", + "namespace": "keycloak", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "keycloak", + "uid": "828c2d2a-07e2-4976-a1c3-318e7161d9c2" + } + ], + "resourceVersion": "174929", + "uid": "59140c79-d6b1-41f7-8539-e470a94caa25" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, 
+ "labels": { + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "deny-loki-default", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174956", + "uid": "eb6a63fe-cd8b-4720-9dba-e3ae07e91c93" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-ingress-all-pods-intranamespace", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174957", + "uid": "cdcbaf50-75d3-4991-b739-c7bc07fe8b9b" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-all-pods-intranamespace", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174959", + "uid": "36077323-34b7-4a3c-9f15-907acfb3a22e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + 
"creationTimestamp": "2024-06-07T14:38:49Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "loki" + }, + "name": "allow-loki-egress-loki-anywhere", + "namespace": "loki", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "loki", + "uid": "e7e59ebe-6388-4233-872e-94065e29b3c4" + } + ], + "resourceVersion": "174960", + "uid": "aa29c669-9f41-4ead-9d04-ef643a4dfc65" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "loki" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "deny-prometheus-stack-default", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174963", + "uid": "347b1bee-7524-4837-9fa6-dba07cfe586d" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-ingress-all-pods-intranamespace", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174964", + "uid": 
"7777a5fa-8aad-4a8d-ad6c-0ecb4c75e83d" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-all-pods-intranamespace", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174965", + "uid": "fb903f70-76fc-436b-9e93-43e7608fee4e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-operator-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174966", + "uid": "671f5b00-ac45-4814-a922-0390dcaaaedf" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-operator" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": 
"2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-prometheus-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174967", + "uid": "3cb1b9bd-6ba0-4c2b-ab71-2aafa3292366" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "prometheus" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-state-metrics-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174968", + "uid": "e2b32f01-9cf0-42ab-8682-531e3832a14f" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "kube-state-metrics" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": 
"allow-prometheus-stack-egress-kube-prometheus-stack-admission-create-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174969", + "uid": "5aa261c9-7e7f-4635-8c2f-6bd5e4c146f3" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-admission-create" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-kube-prometheus-stack-admission-patch-kubeapi", + "namespace": "monitoring", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174970", + "uid": "ef7e2fc4-ce21-424a-bfab-0c5f6f73005e" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "kube-prometheus-stack-admission-patch" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "Metrics Scraping" + }, + "creationTimestamp": "2024-06-07T14:40:25Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "prometheus-stack" + }, + "name": "allow-prometheus-stack-egress-metrics-scraping", + "namespace": "monitoring", + 
"ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "prometheus-stack", + "uid": "ff51ba04-5590-4945-8ec5-1965bdbcdb76" + } + ], + "resourceVersion": "174971", + "uid": "8cd1ad66-b953-4656-8f28-ccd27505424a" + }, + "spec": { + "egress": [ + { + "to": [ + { + "namespaceSelector": {} + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "prometheus" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "deny-promtail-default", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "174975", + "uid": "8574f041-8228-4288-a54c-e577703e7130" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:05Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "promtail" + }, + "name": "allow-promtail-egress-all-pods-kubeapi", + "namespace": "promtail", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "promtail", + "uid": "1e35a512-9c9c-47a8-877e-272d87932866" + } + ], + "resourceVersion": "174976", + "uid": "2887cd8d-acdf-4c98-b5c3-c7759d2cf770" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + 
"creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "deny-authservice-default", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174989", + "uid": "df70aa97-b5a9-47c8-bb9e-4280549525ac" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-ingress-all-pods-intranamespace", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174990", + "uid": "28d4089f-be25-4c88-bb45-f45f39d44382" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-all-pods-intranamespace", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174991", + "uid": "df4fcfe9-6685-424e-9e26-cc82c6a87b06" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + 
"podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "annotations": { + "uds/description": "SSO Provider" + }, + "creationTimestamp": "2024-06-07T14:42:14Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "authservice" + }, + "name": "allow-authservice-egress-sso-provider", + "namespace": "authservice", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "authservice", + "uid": "046a178c-e731-44d8-a487-e424f8034789" + } + ], + "resourceVersion": "174992", + "uid": "4afdf83f-9eef-489c-81b1-7757e0e50f5d" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "deny-velero-default", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174995", + "uid": "54a38b70-38b9-41f1-b6c4-1d12a2c9723d" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-velero-anywhere", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": 
"acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174996", + "uid": "0cfec493-e5a0-4cd1-b7b1-89bb302a9d9b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "velero" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:42:39Z", + "generation": 2, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "velero" + }, + "name": "allow-velero-egress-velero-upgrade-crds-kubeapi", + "namespace": "velero", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "velero", + "uid": "acf82b1d-57d0-47ce-8880-e54543180a04" + } + ], + "resourceVersion": "174997", + "uid": "ac8647b6-053b-428b-a131-e091c3fc4af5" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "batch.kubernetes.io/job-name": "velero-upgrade-crds" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "deny-neuvector-default", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176365", + "uid": "e76d1965-d0c9-41df-8e13-b662157680cc" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + 
"metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-ingress-all-pods-intranamespace", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176366", + "uid": "1a5a1afd-d18c-4bdf-aaa1-71000047dfc7" + }, + "spec": { + "ingress": [ + { + "from": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Ingress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "IntraNamespace", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-all-pods-intranamespace", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176367", + "uid": "810c1d2e-76a7-4313-9694-983eee61aaae" + }, + "spec": { + "egress": [ + { + "to": [ + { + "podSelector": {} + } + ] + } + ], + "podSelector": {}, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-controller-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176368", + "uid": 
"0c813cba-4a96-475b-8034-5b98078de1b2" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-controller-pod-anywhere", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176369", + "uid": "e5155b3d-542d-4093-8eba-cfa7ab19421b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-controller-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-updater-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176370", + "uid": "7b5cc5bf-f7c5-4116-927b-69abb95da536" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { 
+ "app": "neuvector-updater-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:38:19Z", + "generation": 74, + "labels": { + "uds/generated": "KubeAPI", + "uds/generation": "1", + "uds/package": "neuvector" + }, + "name": "allow-neuvector-egress-neuvector-enforcer-pod-kubeapi", + "namespace": "neuvector", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "neuvector", + "uid": "91b75744-bd1b-497b-8875-2a258d8b23cc" + } + ], + "resourceVersion": "176371", + "uid": "6e0b20e1-921a-491e-a2df-ceae75737076" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "172.19.0.3/32" + } + }, + { + "ipBlock": { + "cidr": "10.43.0.1/32" + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app": "neuvector-enforcer-pod" + } + }, + "policyTypes": [ + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 71, + "labels": { + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "deny-grafana-default", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": "Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "176431", + "uid": "fc4c1fb4-9469-4c34-bd5e-23ba883a50e8" + }, + "spec": { + "podSelector": {}, + "policyTypes": [ + "Ingress", + "Egress" + ] + } + }, + { + "apiVersion": "networking.k8s.io/v1", + "kind": "NetworkPolicy", + "metadata": { + "creationTimestamp": "2024-06-07T14:41:43Z", + "generation": 71, + "labels": { + "uds/generated": "Anywhere", + "uds/generation": "1", + "uds/package": "grafana" + }, + "name": "allow-grafana-egress-grafana-anywhere", + "namespace": "grafana", + "ownerReferences": [ + { + "apiVersion": "uds.dev/v1alpha1", + "kind": 
"Package", + "name": "grafana", + "uid": "eb4ad385-6506-4881-99b3-b133f70c83ec" + } + ], + "resourceVersion": "176432", + "uid": "2dc9ff63-bd48-4121-839c-bf221476f59b" + }, + "spec": { + "egress": [ + { + "to": [ + { + "ipBlock": { + "cidr": "0.0.0.0/0", + "except": [ + "169.254.169.254/32" + ] + } + } + ] + } + ], + "podSelector": { + "matchLabels": { + "app.kubernetes.io/name": "grafana" + } + }, + "policyTypes": [ + "Egress" + ] + } + } + ] +} \ No newline at end of file diff --git a/compliance/validations/istio/secure-communication-with-istiod/tests.yaml b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml new file mode 100644 index 000000000..2948c4bed --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/tests.yaml 
@@ -0,0 +1,25 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: true + - test: remove-istio-egress-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress) |= map(select(.to | any(.podSelector | select(.matchLabels.istio != "pilot"))))' + expected-validation: false + - test: change-egress-port-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress[].ports[] | select(.port == 15012) | .port) |= 1000' + expected-validation: false + - test: change-egress-protocol-on-metrics-server + validation: validation.yaml + resources: resources.json + permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress[].ports[] | select(.port == 15012) | .protocol) |= "HTTP"' + expected-validation: false + - test: add-disallowed-egress-to-istiod + validation: validation.yaml + resources: resources.json + permutation: '.networkPolicies += [{"kind": "NetworkPolicy", "metadata": {"name": "istiod-egress", "namespace": "not-allowed-netpol"}, "spec": {"egress": [{"ports": [{"port": 15012, "protocol": "TCP"}], "to": [{"podSelector": {"matchLabels": {"istio": "pilot"}}}]}]}}]' + expected-validation: false diff --git a/compliance/validations/istio/secure-communication-with-istiod/validation.yaml b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml new file mode 100644 index 000000000..dd2360545 --- /dev/null +++ b/compliance/validations/istio/secure-communication-with-istiod/validation.yaml 
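Review bot: None of the negative cases covers a policy in which the `istio: pilot` peer and the `15012/TCP` port end up in different egress rules — every permutation mutates fields inside the existing rule — yet a rule carrying `ports` without `to` allows that port to any destination, so this is the weakening most worth pinning. A case along the lines of `permutation: '(.networkPolicies[] | select(.metadata.name == "allow-metrics-server-egress-istiod-communication") | .spec.egress) |= [{"to": .[0].to}, {"ports": .[0].ports}]'` with `expected-validation: false` would do it, assuming the fixture policy has a single egress rule holding both fields (the fixture is not visible in this hunk). The `add-disallowed-egress-to-istiod` case also builds its peer from a bare `podSelector`; in a real NetworkPolicy a peer without `namespaceSelector` only selects pods in the policy's own namespace, so mirroring the shape the real istiod policies use would make that test exercise a realistic peer.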
@@ -0,0 +1,67 @@ +metadata: + name: secure-communication-with-istiod + uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 +domain: + type: kubernetes + kubernetes-spec: + resources: + - name: networkPolicies + resource-rule: + group: networking.k8s.io + resource: networkpolicies + namespaces: [] + version: v1 +provider: + type: opa + opa-spec: + rego: | + package validate + import rego.v1 + + # Default values + default validate := false + default msg := "Not evaluated" + + # Expected values + expected_istiod_port := 15012 + expected_istiod_protocol := "TCP" + required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero", "uds-runtime"} + + # Validate NetworkPolicy for Istiod in required namespaces + validate if { + check_netpol_config_correct.result + } + + msg = check_netpol_config_correct.msg + msg_expected_istiod = sprintf("Expected Istiod port: %v, protocol: %v.", [expected_istiod_port, expected_istiod_protocol]) + msg_required_namespaces = concat(", ", required_namespaces) + + check_netpol_config_correct = {"result": true, "msg": msg} if { + required_namespaces == correct_istiod_namespaces + msg := "NetworkPolicies correctly configured for istiod in required namespaces." 
+ } else = {"result": false, "msg": msg} if { + count(required_namespaces-correct_istiod_namespaces) > 0 + msg := sprintf("NetworkPolicies not correctly configured for istiod egress in namespaces: %v.", [concat(", ", (required_namespaces-correct_istiod_namespaces))]) + } else = {"result": false, "msg": msg} if { + count(correct_istiod_namespaces-required_namespaces) > 0 + msg := sprintf("NetworkPolicies configured for istiod egress in improper namespaces: %v.", [concat(", ", (correct_istiod_namespaces-required_namespaces))]) + } + + # Helper to find correct NetworkPolicies + correct_istiod_policies = {policy | + policy := input.networkPolicies[_] + policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" + policy.spec.egress[_].ports[_].port == expected_istiod_port + policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol + } + + # Helper to extract namespaces of correct NetworkPolicies + correct_istiod_namespaces = {policy.metadata.namespace | + policy := correct_istiod_policies[_] + } + output: + validation: validate.validate + observations: + - validate.msg + - validate.msg_expected_istiod + - validate.msg_required_namespaces diff --git a/compliance/validations/istio/tls-origination-at-egress/README.md b/compliance/validations/istio/tls-origination-at-egress/README.md new file mode 100644 index 000000000..c2b65a62e --- /dev/null +++ b/compliance/validations/istio/tls-origination-at-egress/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - tls-origination-at-egress-PLACEHOLDER + +**INPUT** - This validation currently does not collect any resources. + +**POLICY** - This policy is a placeholder for checking TLS origination at egress. + +**NOTES** - The policy needs to be updated to include the necessary resources and logic to check for TLS origination at egress. \ No newline at end of file 
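Review bot: In `correct_istiod_policies` each `[_]` is an independent iterator, so the `istio: pilot` peer, the `15012` port and the `TCP` protocol may each be satisfied by a different egress rule or a different `ports` entry — a policy with one rule to istiod on an arbitrary port and a second rule exposing `15012/TCP` to some other peer would be counted as correctly configured. Bind one rule and one port entry so all three conditions are evaluated against the same objects. Separately, the match only inspects `podSelector`; a NetworkPolicy peer with a bare `podSelector` selects pods in the policy's own namespace, so if the real policies reach istiod via a `namespaceSelector` for `istio-system` that part of the rule is not being verified here — confirm against the fixture, which is not visible in this hunk.
```yaml
      # … unchanged: metadata, domain, expected values, check_netpol_config_correct …

      # Helper to find correct NetworkPolicies: peer, port and protocol must all
      # belong to the same egress rule and the same ports entry
      correct_istiod_policies = {policy |
        policy := input.networkPolicies[_]
        rule := policy.spec.egress[_]
        rule.to[_].podSelector.matchLabels["istio"] == "pilot"
        port := rule.ports[_]
        port.port == expected_istiod_port
        port.protocol == expected_istiod_protocol
      }

      # … unchanged: correct_istiod_namespaces, output …
```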
diff --git a/compliance/validations/istio/tls-origination-at-egress/validation.yaml b/compliance/validations/istio/tls-origination-at-egress/validation.yaml new file mode 100644 index 000000000..65e6d7ca0 --- /dev/null +++ b/compliance/validations/istio/tls-origination-at-egress/validation.yaml @@ -0,0 +1,17 @@ +metadata: + name: tls-origination-at-egress-PLACEHOLDER + uuid: 8be1601e-5870-4573-ab4f-c1c199944815 +domain: + type: kubernetes + kubernetes-spec: + resources: [] +provider: + type: opa + opa-spec: + rego: | + package validate + + default validate := false + + # How to prove TLS origination is configured at egress + # DestinationRule? diff --git a/compliance/validations/istio/tracing-logging-support/README.md b/compliance/validations/istio/tracing-logging-support/README.md new file mode 100644 index 000000000..e1cb56f8d --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/README.md @@ -0,0 +1,9 @@ +# README.md + +**NAME** - istio-tracing-logging-support + +**INPUT** - This validation collects the "istioConfig" configmap from the "istio-system" namespace. + +**POLICY** - This policy checks that tracing logging is supported in the Istio configuration, specifically by verifying that the "defaultConfig.tracing" is not null and "zipkin.address" field is not empty. + +**NOTES** - Ensure that the Istio ConfigMap is correctly specified in the policy. The policy will fail if tracing logging is not supported in the Istio configuration. \ No newline at end of file diff --git a/compliance/validations/istio/tracing-logging-support/resources.json b/compliance/validations/istio/tracing-logging-support/resources.json new file mode 100644 index 000000000..40e61987a --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/resources.json 
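Review bot: The placeholder evaluates to `default validate := false` against `resources: []`, so any assessment that includes it will record a failing finding for TLS origination regardless of cluster state; that may be intended, but it is not stated in the rego itself. A comment in the block such as `# PLACEHOLDER: intentionally fails until resources and logic are defined` would keep the outcome from being mistaken for a real finding, and the sibling validations' `import rego.v1` and `output:` section could be added now so the file is consistent when the logic lands. The `# DestinationRule?` question is probably the right starting point; a `tests.yaml` with a `default` case expecting `false` would also make the intended outcome explicit.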
@@ -0,0 +1,23 @@ +{ + "istioConfig": { + "accessLogFile": "/dev/stdout", + "defaultConfig": { + "discoveryAddress": "istiod.istio-system.svc:15012", + "gatewayTopology": { + "forwardClientCertDetails": "SANITIZE" + }, + "holdApplicationUntilProxyStarts": true + }, + "defaultProviders": { + "metrics": [ + "prometheus" + ] + }, + "enablePrometheusMerge": true, + "pathNormalization": { + "normalization": "MERGE_SLASHES" + }, + "rootNamespace": "istio-system", + "trustDomain": "cluster.local" + } +} \ No newline at end of file diff --git a/compliance/validations/istio/tracing-logging-support/tests.yaml b/compliance/validations/istio/tracing-logging-support/tests.yaml new file mode 100644 index 000000000..d3afbb1bd --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/tests.yaml @@ -0,0 +1,10 @@ +pass: + - test: default + validation: validation.yaml + resources: resources.json + expected-validation: false + - test: add-tracing + validation: validation.yaml + resources: resources.json + permutation: '(.istioConfig.defaultConfig.tracing.zipkin.address) |= "zipkin.istio-system.svc.cluster.local:9411"' + expected-validation: true diff --git a/compliance/validations/istio/tracing-logging-support/validation.yaml b/compliance/validations/istio/tracing-logging-support/validation.yaml new file mode 100644 index 000000000..610ea8f30 --- /dev/null +++ b/compliance/validations/istio/tracing-logging-support/validation.yaml 
@@ -0,0 +1,45 @@
+metadata:
+ name: istio-tracing-logging-support
+ uuid: f346b797-be35-40a8-a93a-585db6fd56ec
+domain:
+ type: kubernetes
+ kubernetes-spec:
+ resources:
+ - name: istioConfig
+ resource-rule:
+ resource: configmaps
+ namespaces:
+ - istio-system
+ version: v1
+ name: istio
+ field:
+ jsonpath: .data.mesh
+ type: yaml
+provider:
+ type: opa
+ opa-spec:
+ rego: |
+ package validate
+ import rego.v1
+
+ # Default policy result
+ default validate := false
+ default msg := "Not evaluated"
+
+ # Validate Istio configuration for event logging support
+ validate if {
+ check_tracing_enabled.result
+ }
+ msg = check_tracing_enabled.msg
+
+ check_tracing_enabled = { "result": true, "msg": msg } if {
+ input.istioConfig.defaultConfig.tracing != null
+ input.istioConfig.defaultConfig.tracing.zipkin.address != ""
+ msg := "Tracing logging supported."
+ } else = { "result": false, "msg": msg } if {
+ msg := "Tracing logging not supported."
+ }
+ output:
+ validation: validate.validate
+ observations:
+ - validate.msg
diff --git a/src/istio/oscal-component.yaml b/src/istio/oscal-component.yaml
index 6829f34b9..8cb61f754 100644
--- a/src/istio/oscal-component.yaml
+++ b/src/istio/oscal-component.yaml
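Review bot: The rego in check_tracing_enabled recognizes tracing only through `input.istioConfig.defaultConfig.tracing.zipkin.address`, so a mesh whose traces go to a different `defaultConfig.tracing` backend, or that is wired through `meshConfig.extensionProviders`, is reported as "Tracing logging not supported." even though tracing is active; in an assessment that reads as a false not-satisfied finding rather than a scoping limit. If widening the check is out of scope for this decomposition, the limitation should at least be stated next to the rule, e.g. `# Scope: only Zipkin-style tracing under defaultConfig.tracing is recognized; other tracing providers currently evaluate as unsupported.`, and mirrored in the README's NOTES. The comment above `validate` says "event logging support" while the rule and messages are about tracing; aligning the wording avoids confusion with the separate check-istio-logging-all-traffic validation.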
@@ -2,1394 +2,328 @@ # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial component-definition: - back-matter: - resources: - - rlinks: - - href: https://github.com/istio/istio/ - title: Istio Operator - uuid: 60826461-D279-468C-9E4B-614FAC44A306 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioMeshConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Logging not enabled or configured" - - # Check if Istio's Mesh Configuration has logging enabled - validate { - logging_enabled.result - } - - msg = logging_enabled.msg - - logging_enabled = {"result": true, "msg": msg} { - # Check for access log file output to stdout - input.istioMeshConfig.accessLogFile == "/dev/stdout" - msg := "Istio is logging all traffic" - } else = {"result": false, "msg": msg} { - msg := "Istio is not logging all traffic" - } - type: opa - title: check-istio-logging-all-traffic - uuid: 90738c86-6315-450a-ac69-cc50eb4859cc - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - import 
future.keywords.in - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Check for required Istio and Prometheus annotations - validate { - has_prometheus_annotation.result - } - msg = has_prometheus_annotation.msg - - # Check for prometheus annotations in pod spec - no_annotation = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not contains_annotation(pod); not is_exempt(pod)] - - has_prometheus_annotation = {"result": true, "msg": msg} { - count(no_annotation) == 0 - msg := "All pods have correct prometheus annotations." - } else = {"result": false, "msg": msg} { - msg := sprintf("Prometheus annotations not found in pods: %s.", [concat(", ", no_annotation)]) - } - - contains_annotation(pod) { - annotations := pod.metadata.annotations - annotations["prometheus.io/scrape"] == "true" - annotations["prometheus.io/path"] != "" - annotations["prometheus.io/port"] == "15020" - } - - # Exemptions - exempt_namespaces = {"kube-system", "istio-system", "uds-dev-stack", "zarf"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - is_exempt(pod) { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: istio-prometheus-annotations-validation - uuid: f345c359-3208-46fb-9348-959bd628301e - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: pods - resource-rule: - group: "" - name: "" - namespaces: [] - resource: pods - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempt_namespaces_msg - validation: validate.validate - rego: | - package validate - import rego.v1 - - # Default policy result - default validate := false - default msg := "Not evaluated" - - exempt_namespaces := {"kube-system", "istio-system", 
"uds-dev-stack", "zarf", "istio-admin-gateway", "istio-tenant-gateway", "istio-passthrough-gateway"} - exempt_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempt_namespaces)]) - - validate if { - has_istio_sidecar.result - } - msg = has_istio_sidecar.msg - - # Check for sidecar and init containers in pod spec - no_sidecar = [sprintf("%s/%s", [pod.metadata.namespace, pod.metadata.name]) | pod := input.pods[_]; not has_sidecar(pod); not is_exempt(pod)] - - has_istio_sidecar = {"result": true, "msg": msg} if { - count(no_sidecar) == 0 - msg := "All pods have Istio sidecar proxy." - } else = {"result": false, "msg": msg} if { - msg := sprintf("Istio sidecar proxy not found in pods: %s.", [concat(", ", no_sidecar)]) - } - - has_sidecar(pod) if { - status := pod.metadata.annotations["sidecar.istio.io/status"] - containers := json.unmarshal(status).containers - initContainers := json.unmarshal(status).initContainers - - has_container_name(pod.spec.containers, containers) - has_container_name(pod.spec.initContainers, initContainers) - } else = false - - has_container_name(containers, names) if { - container := containers[_] - container.name in names - } - - is_exempt(pod) if { - pod.metadata.namespace in exempt_namespaces - } - type: opa - title: all-pods-istio-injected - uuid: 1761ac07-80dd-47d2-947e-09f67943b986 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: adminGateway - resource-rule: - group: networking.istio.io - name: admin-gateway - namespaces: - - istio-admin-gateway - resource: gateways - version: v1beta1 - - description: "" - name: virtualServices - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: virtualservices - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - provider: - opa-spec: - output: - observations: - - validate.msg - 
validation: validate.validate - rego: | - package validate - - # Expected admin gateway details - expected_gateway := "admin-gateway" - expected_gateway_namespace := "istio-admin-gateway" - expected_ns_name := sprintf("%s/%s", [expected_gateway_namespace, expected_gateway]) - - # Default policy result - default validate = false - default admin_gw_exists = false - default admin_vs_match = false - default msg = "Not evaluated" - - validate { - result_admin_gw_exixts.result - result_admin_vs_match.result - } - - msg = concat(" ", [result_admin_gw_exixts.msg, result_admin_vs_match.msg]) - - result_admin_gw_exixts = {"result": true, "msg": msg} { - input.adminGateway.kind == "Gateway" - input.adminGateway.metadata.name == expected_gateway - input.adminGateway.metadata.namespace == expected_gateway_namespace - msg := "Admin gateway exists." - } else = {"result": false, "msg": msg} { - msg := "Admin gateway does not exist." - } - - result_admin_vs_match = {"result": true, "msg": msg}{ - count(admin_vs-admin_vs_using_gateway) == 0 - count(all_vs_using_gateway-admin_vs_using_gateway) == 0 - msg := "Admin virtual services are using admin gateway." - } else = {"result": false, "msg": msg} { - msg := sprintf("Mismatch of admin virtual services using gateway. Admin VS not using GW: %s. 
Non-Admin VS using gateway: %s.", [concat(", ", admin_vs-admin_vs_using_gateway), concat(", ", all_vs_using_gateway-admin_vs_using_gateway)]) - } - - # Count admin virtual services - admin_vs := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin")} - - # Count admin VirtualServices correctly using the admin gateway (given by vs name containing "admin") - admin_vs_using_gateway := {adminVs.metadata.name | adminVs := input.virtualServices[_]; adminVs.kind == "VirtualService"; contains(adminVs.metadata.name, "admin"); adminVs.spec.gateways[_] == expected_ns_name} - - # Count all VirtualServices using the admin gateway - all_vs_using_gateway := {vs.metadata.name | vs := input.virtualServices[_]; vs.kind == "VirtualService"; vs.spec.gateways[_] == expected_ns_name} - type: opa - title: check-istio-admin-gateway-and-usage - uuid: c6c9daf1-4196-406d-8679-312c0512ab2e - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Validate Istio configuration for metrics logging support - validate { - check_metrics_enabled.result - } - msg = check_metrics_enabled.msg - - check_metrics_enabled = { "result": false, "msg": msg } { - input.istioConfig.enablePrometheusMerge == false - msg := "Metrics logging not supported." - } else = { "result": true, "msg": msg } { - msg := "Metrics logging supported." 
- } - type: opa - title: istio-metrics-logging-configured - uuid: 70d99754-2918-400c-ac9a-319f874fff90 - - description: | - lula-version: "" - metadata: - name: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - provider: - opa-spec: - rego: | - package validate - validate := false - - # Check on destination rule, outlier detection? - # -> Doesn't appear that UDS is configured to create destination rules. - type: opa - title: communications-terminated-after-inactivity-PLACEHOLDER - uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622 - - description: | - lula-version: "" - metadata: - name: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - provider: - opa-spec: - rego: | - package validate - default validate := false - # How to prove TLS origination is configured at egress - # DestinationRule? - type: opa - title: tls-origination-at-egress-PLACEHOLDER - uuid: 8be1601e-5870-4573-ab4f-c1c199944815 - - description: | - lula-version: "" - metadata: - name: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - title: fips-evaluation-PLACEHOLDER - uuid: 73434890-2751-4894-b7b2-7e583b4a8977 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicy - resource-rule: - group: security.istio.io - name: keycloak-block-admin-access-from-public-gateway - namespaces: - - keycloak - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-enforces-authorized-keycloak-access - uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - import rego.v1 - - # Default policy result - default validate := false - default msg := "Not evaluated" - - # Validate both AuthorizationPolicy restricts access to Keycloak admin - validate if { - 
check_auth_policy_for_keycloak_admin_access.result - } - - msg = check_auth_policy_for_keycloak_admin_access.msg - - check_auth_policy_for_keycloak_admin_access = {"result": true, "msg": msg} if { - input.authorizationPolicy.kind == "AuthorizationPolicy" - valid_auth_policy(input.authorizationPolicy) - msg := "AuthorizationPolicy restricts access to Keycloak admin." - } else = {"result": false, "msg": msg} if { - msg := "AuthorizationPolicy does not restrict access to Keycloak admin." - } - - # Define the rule for denying access - expected_keycloak_admin_denial_rule := { - "from": [ - { - "source": { - "notNamespaces": ["istio-admin-gateway"] - } - } - ], - "to": [ - { - "operation": { - "ports": ["8080"], - "paths": ["/admin*", "/realms/master*"] - } - } - ] - } - - # Validate that the authorization policy contains the expected first rule - valid_auth_policy(ap) if { - ap.spec.action == "DENY" - rules := ap.spec.rules - - # Ensure the expected rule is present in the input policy - some i - rules[i] == expected_keycloak_admin_denial_rule - } - type: opa - title: istio-enforces-authorized-keycloak-access - uuid: fbd877c8-d6b6-4d88-8685-2c4aaaab02a1 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioConfig - resource-rule: - field: - base64: false - jsonpath: .data.mesh - type: yaml - group: "" - name: istio - namespaces: - - istio-system - resource: configmaps - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: istio-tracing-logging-support - uuid: f346b797-be35-40a8-a93a-585db6fd56ec - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Not evaluated" - - # Validate Istio configuration for event logging support - validate { - check_tracing_enabled.result - } - msg = check_tracing_enabled.msg - - check_tracing_enabled = { "result": 
true, "msg": msg } { - input.istioConfig.defaultConfig.tracing != null - input.istioConfig.defaultConfig.tracing.zipkin.address != "" - msg := "Tracing logging supported." - } else = { "result": false, "msg": msg } { - msg := "Tracing logging not supported." - } - type: opa - title: istio-tracing-logging-support - uuid: f346b797-be35-40a8-a93a-585db6fd56ec - - description: | - lula-version: "" - metadata: - name: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - title: egress-gateway-exists-and-configured-PLACEHOLDER - uuid: ecdb90c7-971a-4442-8f29-a8b0f6076bc9 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: networkPolicies - resource-rule: - group: networking.k8s.io - name: "" - namespaces: [] - resource: networkpolicies - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - provider: - opa-spec: - output: - observations: - - validate.msg_correct - - validate.msg_incorrect - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg_correct = "Not evaluated" - default msg_incorrect = "Not evaluated" - - # Expected values - expected_istiod_port := 15012 - expected_istiod_protocol := "TCP" - required_namespaces := {"authservice", "grafana", "keycloak", "loki", "metrics-server", "monitoring", "neuvector", "vector", "velero"} - - # Validate NetworkPolicy for Istiod in required namespaces - validate { - count(required_namespaces - correct_istiod_namespaces) == 0 - } - - msg_correct = sprintf("NetworkPolicies correctly configured for istiod in namespaces: %v.", [concat(", ", correct_istiod_namespaces)]) - msg_incorrect = msg { - missing_namespace := required_namespaces - correct_istiod_namespaces - count(missing_namespace) > 0 - msg := sprintf("NetworkPolicies not correctly configured for istiod 
in namespaces: %v.", [concat(", ", missing_namespace)]) - } else = "No incorrect istiod NetworkPolicies found." - - # Helper to find correct NetworkPolicies - correct_istiod_policies = {policy | - policy := input.networkPolicies[_] - policy.spec.egress[_].to[_].podSelector.matchLabels["istio"] == "pilot" - policy.spec.egress[_].ports[_].port == expected_istiod_port - policy.spec.egress[_].ports[_].protocol == expected_istiod_protocol - } - - # Helper to extract namespaces of correct NetworkPolicies - correct_istiod_namespaces = {policy.metadata.namespace | - policy := correct_istiod_policies[_] - } - type: opa - title: secure-communication-with-istiod - uuid: 570e2dc7-e6c2-4ad5-8ea3-f07974f59747 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: peerAuths - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: peerauthentications - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - provider: - opa-spec: - output: - observations: - - validate.msg - validation: validate.validate - rego: | - package validate - - import future.keywords.every - - # Default policy result - default validate = false - default all_strict = false - default msg = "Not evaluated" - - validate { - result_all_strict.result - } - - msg = concat(" ", [result_all_strict.msg]) - - # Rego policy logic to evaluate if all PeerAuthentications have mtls mode set to STRICT - result_all_strict = {"result": true, "msg": msg} { - every peerAuthentication in input.peerAuths { - mode := peerAuthentication.spec.mtls.mode - mode == "STRICT" - } - msg := "All PeerAuthentications have mtls mode set to STRICT." - } else = {"result": false, "msg": msg} { - msg := "Not all PeerAuthentications have mtls mode set to STRICT." 
- } - type: opa - title: enforce-mtls-strict - uuid: ca49ac97-487a-446a-a0b7-92b20e2c83cb - - description: | - lula-version: "" - metadata: - name: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - title: authorized-traffic-egress-PLACEHOLDER - uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: namespaces - resource-rule: - group: "" - name: "" - namespaces: [] - resource: namespaces - version: v1 - type: kubernetes - lula-version: "" - metadata: - name: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.exempted_namespaces_msg - validation: validate.validate - rego: | - package validate - import future.keywords.every - import future.keywords.in - - default validate = false - default msg = "Not evaluated" - - # Validation - validate { - check_non_istio_injected_namespaces.result - } - msg = check_non_istio_injected_namespaces.msg - exempted_namespaces_msg = sprintf("Exempted Namespaces: %s", [concat(", ", exempted_namespaces)]) - - # List of exempted namespaces - exempted_namespaces := {"istio-system", "kube-system", "default", "istio-admin-gateway", - "istio-passthrough-gateway", "istio-tenant-gateway", "kube-node-lease", "kube-public", "uds-crds", - "uds-dev-stack", "uds-policy-exemptions", "zarf"} - - # Collect non-Istio-injected namespaces - non_istio_injected_namespaces := {ns.metadata.name | - ns := input.namespaces[_] - ns.kind == "Namespace" - not ns.metadata.labels["istio-injection"] == "enabled" - not ns.metadata.name in exempted_namespaces - } - - # Check no non-Istio-injected namespaces - check_non_istio_injected_namespaces = { "result": true, "msg": "All namespaces are Istio-injected" } { - count(non_istio_injected_namespaces) == 0 - } else = { "result": false, "msg": msg } { - msg := sprintf("Non-Istio-injected 
namespaces: %v", [non_istio_injected_namespaces]) - } - type: opa - title: all-namespaces-istio-injected - uuid: 0da39859-a91a-4ca6-bd8b-9b117689188f - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_existing_gateways - - validate.msg_allowed_gateways - validation: validate.validate - rego: | - package validate - import rego.v1 - - # default values - default validate := false - default msg := "Not evaluated" - - validate if { - check_expected_gw.result - check_all_gw_found.result - } - - msg := concat(" ", [check_expected_gw.msg, check_all_gw_found.msg]) - msg_existing_gateways := concat(", ", gateways) - msg_allowed_gateways := concat(", ", allowed) - - # Check if only allowed gateways are in the system - allowed := {"admin", "tenant", "passthrough"} - gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]} - allowed_gateways := {sprintf("%s/%s", [gw.metadata.namespace, gw.metadata.name]) | gw := input.gateways[_]; gw_in_list(gw, allowed)} - actual_allowed := {s | g := gateways[_]; s := allowed[_]; contains(g, s)} - - check_expected_gw = {"result": true, "msg": msg} if { - gateways == allowed_gateways - msg := "Only allowed gateways found." 
- } else = {"result": false, "msg": msg} if { - msg := sprintf("Some disallowed gateways found: %v.", [gateways-allowed_gateways]) - } - - gw_in_list(gw, allowed) if { - contains(gw.metadata.name, allowed[_]) - } - - # Check if the entire set contains all required gateways - check_all_gw_found = {"result": true, "msg": msg} if { - actual_allowed == allowed - msg := "All gateway types found." - } else = {"result": false, "msg": msg} if { - msg := sprintf("Gateway type(s) missing: %v.", [allowed - actual_allowed]) - } - type: opa - title: gateway-configuration-check - uuid: b0a8f21e-b12f-47ea-a967-2f4a3ec69e44 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: authorizationPolicies - resource-rule: - group: security.istio.io - name: "" - namespaces: [] - resource: authorizationpolicies - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_authPolicies - validation: validate.validate - rego: | - package validate - - # Default policy result - default validate = false - default msg = "Istio RBAC not enforced" - - # Evaluation for Istio Authorization Policies - validate { - count(all_auth_policies) > 0 - } - - # Get all authorization policies - all_auth_policies := { sprintf("%s/%s", [authPolicy.metadata.namespace, authPolicy.metadata.name]) | - authPolicy := input.authorizationPolicies[_]; authPolicy.kind == "AuthorizationPolicy" } - - msg = "Istio RBAC enforced" { - validate - } - msg_authPolicies = sprintf("Authorization Policies: %v", [concat(", ", all_auth_policies)]) - type: opa - title: istio-rbac-enforcement-check - uuid: 7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28 - - description: | - lula-version: "" - metadata: - name: istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - title: 
istio-rbac-for-approved-personnel-PLACEHOLDER - uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b - - description: | - lula-version: "" - metadata: - name: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - provider: - opa-spec: - rego: | - package validate - default validate := false - # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY) - # Possibly would need a ServiceEntry(?) - # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services) - type: opa - title: external-traffic-managed-PLACEHOLDER - uuid: 19faf69a-de74-4b78-a628-64a9f244ae13 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: istioddeployment - resource-rule: - group: apps - name: istiod - namespaces: - - istio-system - resource: deployments - version: v1 - - description: "" - name: istiodhpa - resource-rule: - group: autoscaling - name: istiod - namespaces: - - istio-system - resource: horizontalpodautoscalers - version: v2 - type: kubernetes - lula-version: "" - metadata: - name: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - provider: - opa-spec: - output: - observations: - - istiohealth.deployment_message - - istiohealth.hpa_message - validation: istiohealth.is_istio_healthy - rego: | - package istiohealth - - default is_istio_healthy = false - default deployment_message = "Deployment status not evaluated" - default hpa_message = "HPA status not evaluated" - - # Check if the Istio Deployment is healthy - is_istio_healthy { - count(input.istioddeployment.status.conditions) > 0 - all_deployment_conditions_are_true - input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas - } - - all_deployment_conditions_are_true { - # Ensure every condition in the array has a status that is not "False" - all_true = {c | c := input.istioddeployment.status.conditions[_]; c.status != "False"} - 
count(all_true) == count(input.istioddeployment.status.conditions) - } - - deployment_message = msg { - all_deployment_conditions_are_true - msg := "All deployment conditions are true." - } else = msg { - msg := "One or more deployment conditions are false." - } - - hpa_message = msg { - input.istiodhpa.status.currentReplicas >= input.istiodhpa.spec.minReplicas - msg := "HPA has sufficient replicas." - } else = msg { - msg := "HPA does not have sufficient replicas." - } - type: opa - title: istio-health-check - uuid: 67456ae8-4505-4c93-b341-d977d90cb125 - - description: | - domain: - kubernetes-spec: - create-resources: null - resources: - - description: "" - name: gateways - resource-rule: - group: networking.istio.io - name: "" - namespaces: [] - resource: gateways - version: v1beta1 - type: kubernetes - lula-version: "" - metadata: - name: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed - provider: - opa-spec: - output: - observations: - - validate.msg - - validate.msg_exempt - validation: validate.validate - rego: | - package validate - import future.keywords.every - - default validate = false - default msg = "Not evaluated" - - # Validation - validate { - check_gateways_allowed.result - } - msg := check_gateways_allowed.msg - msg_exempt := sprintf("Exempted Gateways: %s", [concat(", ", exempt_gateways)]) - - # Collect gateways that do not encrypt ingress traffic - gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) | - gateway := input.gateways[_]; - not allowed_gateway(gateway) - } - - check_gateways_allowed = {"result": true, "msg": "All gateways encrypt ingress traffic"} { - count(gateways_disallowed) == 0 - } else = {"result": false, "msg": msg} { - msg := sprintf("Some gateways do not encrypt ingress traffic: %s", [concat(", ", gateways_disallowed)]) - } - - # Check allowed gateway - allowed_gateway(gateway) { - every server in gateway.spec.servers { - allowed_server(server) - } - } - - 
exempt_gateways := {"istio-passthrough-gateway/passthrough-gateway"} - allowed_gateway(gateway) { - sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) in exempt_gateways - # *Unchecked condition that exempted gateway is only used by virtual services that route https traffic - # Find all virtual services that use this gateway - # Check that vs has https scheme - } - - # Check allowed server spec in gateway - allowed_server(server) { - server.port.protocol == "HTTP" - server.tls.httpsRedirect == true - } - - allowed_server(server) { - server.port.protocol == "HTTPS" - server.tls.mode in {"SIMPLE", "OPTIONAL_MUTUAL"} - } - type: opa - title: ingress-traffic-encrypted - uuid: fd071676-6b92-4e1c-a4f0-4c8d2bd55aed components: - control-implementations: - - description: Controls implemented by Istio and authservice that are inherited by applications + - description: Control Implementation Description implemented-requirements: - - control-id: ac-4 - description: |- - # Control Implementation - Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. + - control-id: ac-14 + description: Istio implements with service to service and provides authorization policies that require authentication to access any non-public features. 
links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" - rel: lula - text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/authorized-keycloak-access/validation.yaml rel: lula - text: All pods are istio injected with proxyv2 sidecar - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" - rel: lula - text: Check ingress traffic is encrypted - remarks: "# Control Description Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content." - uuid: 9e158525-96bd-4d4f-a674-7e3eab9aea7a - - control-id: ac-4.4 - description: |- - # Control Implementation - All encrypted HTTPS connections are terminated at the Istio ingress gateway. + text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway + remarks: | + ASSESSMENT-OBJECTIVE: + AC-14a. [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified; + AC-14b. 
+ AC-14b.[01] user actions not requiring identification or authentication are documented in the security plan for the system; + AC-14b.[02] a rationale for user actions not requiring identification or authentication is provided in the security plan for the system. + uuid: 41c51dc3-7db1-4717-b071-83e57897f478 + - control-id: ac-4 + description: Istio encrypts all in-mesh communication at runtime using FIPS verified mTLS in addition to ingress and egress gateways for controlling communication. links: - - href: "#67456ae8-4505-4c93-b341-d977d90cb125" + - href: file:../../compliance/validations/istio/healthcheck/validation.yaml rel: lula text: Check that Istio is healthy - - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb" + - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml rel: lula text: Check that Istio is enforcing mtls STRICT - - href: "#1761ac07-80dd-47d2-947e-09f67943b986" + - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml rel: lula text: All pods are istio injected with proxyv2 sidecar - - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed" + - href: file:../../compliance/validations/istio/ingress-traffic-encrypted/validation.yaml rel: lula text: Check ingress traffic is encrypted - remarks: "# Control Description The information system prevents encrypted information from bypassing content-checking mechanisms by decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; Assignment: organization-defined procedure or method." - uuid: c3e13abc-3c19-4f08-a2f8-40fcbef5daa7 + remarks: |- + ASSESSMENT-OBJECTIVE: + approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. 
+ uuid: 210f730b-7fed-42dd-99b4-42466951b080
- control-id: ac-4.21
- description: |-
- # Control Implementation
- Istio is configured to use ingress and egress gateways to provide logical flow separation.
+ description: Istio is configured to use ingress and egress gateways to provide logical flow separation.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#0da39859-a91a-4ca6-bd8b-9b117689188f"
+ - href: file:../../compliance/validations/istio/all-namespaces-istio-injected/validation.yaml
rel: lula
text: Check namespaces are istio injected
- - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e"
+ - href: file:../../compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml
rel: lula
text: Check that Istio is configured with an admin gateway and admin services use it
- - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44"
+ - href: file:../../compliance/validations/istio/gateway-configuration-check/validation.yaml
rel: lula
text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway.
- remarks: "Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]."
- uuid: 6e32feb5-ce43-465f-9422-e3ef3276bf5d
- - control-id: ac-6.3
- description: |-
- # Control Implementation
- Configured with an "admin" gateway to restrict access to applications that only need administrative access.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e"
- rel: lula
- text: Check that Istio is configured with an admin gateway and admin services use it
- remarks: "Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system."
- uuid: 0081f95a-3233-4e07-a6cd-95cb1905c318
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ AC-04(21)[01] information flows are separated logically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations];
+ AC-04(21)[02] information flows are separated physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations].
+ uuid: ee9e5fae-1c95-46c7-9265-dc0035e2bb05
- control-id: ac-6.9
- description: |-
- # Control Implementation
- Istio produces logs for all traffic in the information system.
+ description: Istio produces logs for all traffic in the information system.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#90738c86-6315-450a-ac69-cc50eb4859cc"
+ - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml
rel: lula
text: Check that Istio is logging all traffic which could contain privileged function calls
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml
rel: lula
text: All pods are istio injected with proxyv2 sidecar
- remarks: Log the execution of privileged functions.
- uuid: 6d8a6c80-2844-4bfd-bc9d-0f5a71e5c979
- - control-id: ac-14
- description: |-
- # Control Implementation
- Istio implements with service to service and provides authorization policies that require authentication to access any non-public features.
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ the execution of privileged functions is logged.
+ uuid: c6d9abd2-0136-468a-908d-181d9bd51962
+ - control-id: au-12
+ description: Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1"
+ - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml
rel: lula
- text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway
- remarks: 'a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication."'
- uuid: c8c03abd-244d-4813-a966-3feece1bad6a
+ text: Check that Istio is logging all traffic which could contain audit events
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ AU-12a. audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by [Assignment: organization-defined system components];
+ AU-12b. [Assignment: organization-defined personnel or roles] is/are allowed to select the event types that are to be logged by specific components of the system;
+ AU-12c.
audit records for the event types defined in AU-02_ODP[02] that include the audit record content defined in AU-03 are generated.
+ uuid: 87f99f34-6980-49e1-91cf-c0264fa3407c
- control-id: au-2
- description: |-
- # Control Implementation
- Istio logs all Istio event logs within the system's mesh network.
+ description: Istio logs all Istio event logs within the system's mesh network.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#90738c86-6315-450a-ac69-cc50eb4859cc"
+ - href: file:../../compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml
rel: lula
text: Check that Istio is logging all traffic which could contain audit events
- remarks: "a. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging]; b. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type]; d. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e. Review and update the event types selected for logging [Assignment: organization-defined frequency]."
- uuid: 88f300a6-aa21-41b4-919d-29ef3e4381bb
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ AU-02a. [Assignment: organization-defined event types] that the system is capable of logging are identified in support of the audit logging function;
+ AU-02b.
the event logging function is coordinated with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
+ AU-02c.
+ AU-02c.[01] [Assignment: organization-defined event types (subset of AU-02_ODP[01])] are specified for logging within the system;
+ AU-02c.[02] the specified event types are logged within the system [Assignment: organization-defined frequency or situation];
+ AU-02d. a rationale is provided for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents;
+ AU-02e. the event types selected for logging are reviewed and updated [Assignment: organization-defined frequency].
+ uuid: b3ed3dba-3164-4785-98db-ef22c96c7c62
- control-id: au-3
- description: |-
- # Control Implementation
- Istio logs all Istio event logs within the system's mesh network.
+ description: Istio logs all Istio event logs within the system's mesh network.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#f346b797-be35-40a8-a93a-585db6fd56ec"
+ - href: file:../../compliance/validations/istio/tracing-logging-support/validation.yaml
rel: lula
text: Check that Istio is configured to provide tracing data
- remarks: "Ensure that audit records contain information that establishes the following: a. What type of event occurred; b. When the event occurred; c. Where the event occurred; d. Source of the event; e. Outcome of the event; and f. Identity of any individuals, subjects, or objects/entities associated with the event."
- uuid: 52756a01-6f5c-49b1-8a6b-972b74a01da4
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ AU-03a. audit records contain information that establishes what type of event occurred;
+ AU-03b. audit records contain information that establishes when the event occurred;
+ AU-03c.
audit records contain information that establishes where the event occurred;
+ AU-03d. audit records contain information that establishes the source of the event;
+ AU-03e. audit records contain information that establishes the outcome of the event;
+ AU-03f. audit records contain information that establishes the identity of any individuals, subjects, or objects/entities associated with the event.
+ uuid: 79dee0b0-5848-4b1e-826b-a2e4ec567b90
- control-id: au-3.1
- description: |-
- # Control Implementation
- Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections.
+ description: Istio has been configured to implement event logging within our environment. This includes capturing metrics related to the duration of sessions, connections, transactions, or activities. Specifically, Istio's telemetry features are utilized to capture these metrics, which provide valuable data that can be used to infer the duration of sessions or connections.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#70d99754-2918-400c-ac9a-319f874fff90"
+ - href: file:../../compliance/validations/istio/metrics-logging-configured/validation.yaml
rel: lula
text: Check that Istio is configured to provide metrics data
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml
rel: lula
text: All pods are istio injected with proxyv2 sidecar
- - href: "#f345c359-3208-46fb-9348-959bd628301e"
+ - href: file:../../compliance/validations/istio/prometheus-annotations-validation/validation.yaml
rel: lula
text: Check that pods running sidecar have the correct annotations for prometheus metrics scrape
- remarks: "Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. AU-3 (1) [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands]"
- uuid: 16cc258e-d907-47bb-97d9-4e92677cf075
- - control-id: au-12
- description: |-
- # Control Implementation
- Istio provides audit record generation capabilities for a variety of event types, including session, connection, transaction, or activity durations, and the number of bytes received and sent.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#90738c86-6315-450a-ac69-cc50eb4859cc"
- rel: lula
- text: Check that Istio is logging all traffic which could contain audit events
- remarks: "a.
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components]; b. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and c. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3."
- uuid: 8f645835-6538-4327-a7aa-453b398f5ef4
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ generated audit records contain the following [Assignment: organization-defined additional information].
+ uuid: b855fff0-5f57-4ea0-b9a7-52973e81784d
- control-id: cm-5
- description: |-
- # Control Implementation
- Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system.
+ description: Istio enforces logical access restrictions associated with changes to the system. Istio's Role-Based Access Control (RBAC) features are used to define and enforce access controls, ensuring that only approved personnel can make changes to the system.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#7b045b2a-106f-4c8c-85d9-ae3d7a8e0e28"
+ - href: file:../../compliance/validations/istio/rbac-enforcement-check/validation.yaml
rel: lula
text: Check that Istio is enforcing RBAC
- - href: "#9b361d7b-4e07-40db-8b86-3854ed499a4b"
+ - href: file:../../compliance/validations/istio/rbac-for-approved-personnel/validation.yaml
rel: lula
text: Check that particular RBAC is ensuring only approved personnel can make changes to the system [PLACEHOLDER]
- remarks: Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
- uuid: 32e53a18-4b64-4a24-935c-11cbac2c62be
- - control-id: sc-3
- description: |-
- # Control Implementation
- Namespaces, Istio gateways, and network policies collectively by providing resource isolation, secure traffic routing, and network segmentation to prevent unauthorized and unintended information transfer.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#c6c9daf1-4196-406d-8679-312c0512ab2e"
- rel: lula
- text: Check that Istio is configured with an admin gateway and admin services use it
- - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44"
- rel: lula
- text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway.
- remarks: Isolate security functions from nonsecurity functions.
- uuid: 9e2894a3-2452-4f7a-b8a5-f72b89b23c87
- - control-id: sc-4
- description: |-
- # Control Implementation
- Istio enforces outbound traffic goes through an Egress Gateway with a Network Policy.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#7455f86d-b79c-4226-9ce3-f3fb7d9348c8"
- rel: lula
- text: Network Policies are in place to ensure that only authorized traffic is allowed to egress the cluster [PLACEHOLDER]
- - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9"
- rel: lula
- text: Egress Gateway exists and is configured [PLACEHOLDER]
- remarks: Prevent unauthorized and unintended information transfer via shared system resources.
- uuid: 86bc4fb7-f91b-4f2c-b914-65427951018c
- - control-id: sc-7.4
- description: |-
- # Control Implementation
- Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information. It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#570e2dc7-e6c2-4ad5-8ea3-f07974f59747"
- rel: lula
- text: Resources in namespaces can securely communicate with Istio control plane via network policies
- - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1"
- rel: lula
- text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway
- - href: "#b0a8f21e-b12f-47ea-a967-2f4a3ec69e44"
- rel: lula
- text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway.
- remarks: "(a) Implement a managed interface for each external telecommunication service; (b) Establish a traffic flow policy for each managed interface; (c) Protect the confidentiality and integrity of the information being transmitted across each interface; (d) Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need; (e) Review exceptions to the traffic flow policy [Assignment: organization-defined frequency] and remove exceptions that are no longer supported by an explicit mission or business need; (f) Prevent unauthorized exchange of control plane traffic with external networks; (g) Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and (h) Filter unauthorized control plane traffic from external networks."
- uuid: 85df9e6c-3d94-4c60-9a20-8c481831f1e0
- - control-id: sc-7.8
- description: |-
- # Control Implementation
- is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway.
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ CM-05[01] physical access restrictions associated with changes to the system are defined and documented;
+ CM-05[02] physical access restrictions associated with changes to the system are approved;
+ CM-05[03] physical access restrictions associated with changes to the system are enforced;
+ CM-05[04] logical access restrictions associated with changes to the system are defined and documented;
+ CM-05[05] logical access restrictions associated with changes to the system are approved;
+ CM-05[06] logical access restrictions associated with changes to the system are enforced.
+ uuid: 80a456cf-c642-4b02-a0fb-18b416e90481
+ - control-id: sc-10
+ description: Istio is configured to manage network connections associated with specific communication sessions.
It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#ecdb90c7-971a-4442-8f29-a8b0f6076bc9"
+ - href: file:../../compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml
rel: lula
- text: Egress Gateway exists and is configured [PLACEHOLDER]
- - href: "#19faf69a-de74-4b78-a628-64a9f244ae13"
- rel: lula
- text: Check that external traffic is managed [PLACEHOLDER]
- remarks: "Route [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces."
- uuid: 4b930af3-ae84-43ff-b751-448fe1c2eec8
- - control-id: sc-7.20
- description: |-
- # Control Implementation
- Istio is configured to dynamically isolate certain internal system components when necessary. This is achieved through Istio's network policies, which allow us to partition or separate system components
+ text: Istio terminates communication sessions after inactivity [PLACEHOLDER]
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ the network connection associated with a communication session is terminated at the end of the session or after [Assignment: organization-defined time period] of inactivity.
+ uuid: ad919a09-d186-4edd-9234-ead04f959fff
+ - control-id: sc-13
+ description: Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
+ - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml
rel: lula
text: Check that Istio is enforcing mtls STRICT
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ - href: file:../../compliance/validations/istio/ingress-traffic-encrypted/validation.yaml
rel: lula
- text: All pods are istio injected with proxyv2 sidecar
- remarks: "Provide the capability to dynamically isolate [Assignment: organization-defined system components] from other system components."
- uuid: 30b49a3e-ad38-441d-8c07-5a9018848a02
- - control-id: sc-7.21
- description: |-
- # Control Implementation
- Istio is configured to isolate system components that perform different mission or business functions. This is achieved through Istio's network policies and mutual TLS, which allow us to control information flows and provide enhanced protection.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
+ text: Istio is encrypting ingress traffic
+ - href: file:../../compliance/validations/istio/tls-origination-at-egress/validation.yaml
rel: lula
- text: Check that Istio is enforcing mtls STRICT
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ text: Istio is providing TLS origination at egress [PLACEHOLDER]
+ - href: file:../../compliance/validations/istio/fips-evaluation/validation.yaml
rel: lula
- text: All pods are istio injected with proxyv2 sidecar
- remarks: "Employ boundary protection mechanisms to isolate [Assignment: organization-defined system components] supporting [Assignment: organization-defined missions and/or business functions]."
- uuid: c9a1e9bc-3caa-44ce-a300-ecd722487987
- - control-id: sc-8
- description: |-
- # Control Implementation
- Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
+ text: System is using FIPS-compliant Istio distribution [PLACEHOLDER]
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ SC-13a. [Assignment: organization-defined cryptographic uses] are identified;
+ SC-13b. [Assignment: organization-defined types of cryptography] for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.
+ uuid: 675c0823-8e94-4910-9f61-5266d7e7b38c
+ - control-id: sc-23
+ description: Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
+ - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml
rel: lula
text: Check that Istio is enforcing mtls STRICT
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
- rel: lula
- text: All pods are istio injected with proxyv2 sidecar
- remarks: "Protect the [Selection (one or more): confidentiality; integrity] of transmitted information."
- uuid: 7548b4ee-e4a3-4e3c-a34b-95eccad45f92
- - control-id: sc-8.1
- description: |-
- # Control Implementation
- Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks.
This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ the authenticity of communication sessions is protected.
+ uuid: dac01dde-3bdf-4e70-9d4d-4081c88de380
+ - control-id: sc-39
+ description: Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
- rel: lula
- text: Check that Istio is enforcing mtls STRICT
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml
rel: lula
text: All pods are istio injected with proxyv2 sidecar
- remarks: "Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission."
- uuid: 69415B92-0490-4A14-9E0F-E1EE61951F9C
- - control-id: sc-8.2
- description: |-
- # Control Implementation
- Istio implements with global configuration.
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ a separate execution domain is maintained for each executing system process.
+ uuid: 0e72ca49-e9cb-4a74-8701-6f81091197b6
+ - control-id: sc-7.4
+ description: Istio is configured to provide managed interfaces for external telecommunication services, establish traffic flow policies, and protect the confidentiality and integrity of transmitted information.
It also prevents unauthorized exchange of control plane traffic and filters unauthorized control plane traffic.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
- rel: lula
- text: Check that Istio is enforcing mtls STRICT to ensure integrity of information sent/received
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ - href: file:../../compliance/validations/istio/secure-communication-with-istiod/validation.yaml
rel: lula
- text: All pods are istio injected with proxyv2 sidecar
- - href: "#fbd877c8-d6b6-4d88-8685-2c4aaaab02a1"
+ text: Resources in namespaces can securely communicate with Istio control plane via network policies
+ - href: file:../../compliance/validations/istio/authorized-keycloak-access/validation.yaml
rel: lula
text: Validates that Istio is used to authorize access to Keycloak admin console only from admin gateway
- remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
- uuid: c158b75a-cefc-4794-b124-f1e56ff5646d
- - control-id: sc-10
- description: |-
- # Control Implementation
- Istio is configured to manage network connections associated with specific communication sessions. It can be set up to automatically terminate these connections after periods of inactivity, providing an additional layer of security.
+ - href: file:../../compliance/validations/istio/gateway-configuration-check/validation.yaml
+ rel: lula
+ text: Validates that Istio Gateways are available and expected VirtualServices using each Gateway.
+ remarks: |
+ ASSESSMENT-OBJECTIVE:
+ SC-07(04)(a) a managed interface is implemented for each external telecommunication service;
+ SC-07(04)(b) a traffic flow policy is established for each managed interface;
+ SC-07(04)(c)
+ SC-07(04)(c)[01] the confidentiality of the information being transmitted across each interface is protected;
+ SC-07(04)(c)[02] the integrity of the information being transmitted across each interface is protected;
+ SC-07(04)(d) each exception to the traffic flow policy is documented with a supporting mission or business need and duration of that need;
+ SC-07(04)(e)
+ SC-07(04)(e)[01] exceptions to the traffic flow policy are reviewed [Assignment: organization-defined frequency];
+ SC-07(04)(e)[02] exceptions to the traffic flow policy that are no longer supported by an explicit mission or business need are removed;
+ SC-07(04)(f) unauthorized exchanges of control plan traffic with external networks are prevented;
+ SC-07(04)(g) information is published to enable remote networks to detect unauthorized control plane traffic from internal networks;
+ SC-07(04)(h) unauthorized control plane traffic is filtered from external networks.
+ uuid: a5bac410-d674-431d-b5fc-2f904842c29c
+ - control-id: sc-7.8
+ description: Istio is configured to route internal communications traffic to external networks through authenticated proxy servers at managed interfaces, using its Egress Gateway.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#663f5e92-6db4-4042-8b5a-eba3ebe5a622"
+ - href: file:../../compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml
rel: lula
- text: Istio terminates communication sessions after inactivity [PLACEHOLDER]
- remarks: "Maintain the [Selection (one or more): confidentiality; integrity] of information during preparation for transmission and during reception."
- uuid: 169c9ad3-0a6c-46ee-80cd-cd8cef5eca5c
- - control-id: sc-13
- description: |-
- # Control Implementation
- Istio provides FIPS encryption in transit for all applications in the mesh, TLS termination at ingress, and TLS origination at egress.
+ text: Egress Gateway exists and is configured [PLACEHOLDER]
+ - href: file:../../compliance/validations/istio/external-traffic-managed/validation.yaml
+ rel: lula
+ text: Check that external traffic is managed [PLACEHOLDER]
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ [Assignment: organization-defined internal communications traffic] is routed to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces.
+ uuid: 3f409103-880e-4180-81e7-54f85a6143ae
+ - control-id: sc-8
+ description: Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks. This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
rel: lula
text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
+ - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml
rel: lula
text: Check that Istio is enforcing mtls STRICT
- - href: "#fd071676-6b92-4e1c-a4f0-4c8d2bd55aed"
- rel: lula
- text: Istio is encrypting ingress traffic
- - href: "#8be1601e-5870-4573-ab4f-c1c199944815"
- rel: lula
- text: Istio is providing TLS origination at egress [PLACEHOLDER]
- - href: "#73434890-2751-4894-b7b2-7e583b4a8977"
+ - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml
rel: lula
- text: System is using FIPS-compliant Istio distribution [PLACEHOLDER]
- remarks: 'a. Determine the [Assignment: organization-defined cryptographic uses]; and b. Implement the following types of cryptography required for each specified cryptographic use: [Assignment: organization-defined types of cryptography for each specified cryptographic use]."'
- uuid: 2bf5c525-af5f-4b8b-8349-3f6a91e0aab9
- - control-id: sc-23
- description: |-
- # Control Implementation
- Istio is configured to protect session authenticity, establishing confidence in the ongoing identities of other parties and the validity of transmitted information. This is achieved through Istio's mutual TLS, which ensures secure communication.
+ text: All pods are istio injected with proxyv2 sidecar
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ the [Selection: (one-or-more) organization-defined confidentiality; integrity] of transmitted information is/are protected.
+ uuid: e97a451e-44c7-4240-a7a7-adaadd26f01c
+ - control-id: sc-8.1
+ description: Istio is configured to protect the confidentiality and integrity of transmitted information across both internal and external networks.
This is achieved through Istio's mutual TLS, which encrypts service-to-service communication, ensuring that data in transit is not exposed to the possibility of interception and modification.
 links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
+ - href: file:../../compliance/validations/istio/healthcheck/validation.yaml
 rel: lula
 text: Check that Istio is healthy
- - href: "#ca49ac97-487a-446a-a0b7-92b20e2c83cb"
+ - href: file:../../compliance/validations/istio/enforce-mtls-strict/validation.yaml
 rel: lula
 text: Check that Istio is enforcing mtls STRICT
- remarks: "Protect the [Selection (one or more): confidentiality; integrity] of the following information at rest: [Assignment: organization-defined information at rest]. SC-28 Guidance: The organization supports the capability to use cryptographic mechanisms to protect information at rest. SC-28 Guidance: When leveraging encryption from underlying IaaS/PaaS: While some IaaS/PaaS services provide encryption by default, many require encryption to be configured, and enabled by the customer. The CSP has the responsibility to verify encryption is properly configured. SC-28 Guidance: Note that this enhancement requires the use of cryptography in accordance with SC-13."
- uuid: 625bfdc1-0b20-45f3-919b-91afbac77799
- - control-id: sc-39
- description: |-
- # Control Implementation
- Istio is configured to maintain separate execution domains for each executing process. This is achieved through Istio's sidecar proxy design, where each service in the mesh has its own dedicated sidecar proxy to handle its inbound and outbound traffic. This ensures that communication between processes is controlled and one process cannot modify the executing code of another process.
- links:
- - href: "#67456ae8-4505-4c93-b341-d977d90cb125"
- rel: lula
- text: Check that Istio is healthy
- - href: "#1761ac07-80dd-47d2-947e-09f67943b986"
+ - href: file:../../compliance/validations/istio/all-pods-istio-injected/validation.yaml
 rel: lula
 text: All pods are istio injected with proxyv2 sidecar
- remarks: Maintain a separate execution domain for each executing system process.
- source: https://raw.githubusercontent.com/GSA/fedramp-automation/93ca0e20ff5e54fc04140613476fba80f08e3c7d/dist/content/rev5/baselines/json/FedRAMP_rev5_HIGH-baseline-resolved-profile_catalog.json
- uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
+ remarks: |-
+ ASSESSMENT-OBJECTIVE:
+ cryptographic mechanisms are implemented to [Selection: (one-or-more) organization-defined prevent unauthorized disclosure of information; detect changes to information] during transmission.
+ uuid: f3b38f79-9bf7-4024-a1b2-00befd67fda7
 props:
+ - name: generation
+ ns: https://docs.lula.dev/oscal/ns
+ value: lula generate component --catalog-source https://raw.githubusercontent.com/GSA/fedramp-automation/refs/tags/fedramp-2.0.0-oscal-1.0.4/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json --component 'Istio' --requirements ac-4,ac-4.21,ac-6.9,ac-14,au-2,au-3,au-3.1,au-12,cm-5,sc-7.4,sc-7.8,sc-8,sc-8.1,sc-10,sc-13,sc-23,sc-39 --remarks assessment-objective --framework il4
 - name: framework
 ns: https://docs.lula.dev/oscal/ns
 value: il4
- description: |
- Istio Service Mesh
- purpose: Istio Service Mesh
- responsible-roles:
- - party-uuids:
- - f3cf70f8-ba44-4e55-9ea3-389ef24847d3
- role-id: provider
- title: Istio Controlplane
+ source: https://raw.githubusercontent.com/GSA/fedramp-automation/refs/tags/fedramp-2.0.0-oscal-1.0.4/dist/content/rev5/baselines/json/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json
+ uuid: d2afb4c4-2cd8-5305-a6cc-d1bc7b388d0c
+ description: Component Description
+ title: Istio
 type: software
- uuid: 81f6ec5d-9b8d-408f-8477-f8a04f493690
+ uuid: 3fad668e-7751-44e6-b1be-4fe773971370
 metadata:
- last-modified: 2024-07-16T02:47:14.949557671Z
+ last-modified: 2024-09-17T20:24:07.548382887Z
 oscal-version: 1.1.2
 parties:
 - links:
@@ -1397,7 +331,9 @@ component-definition:
 rel: website
 name: Unicorn Delivery Service
 type: organization
- uuid: f3cf70f8-ba44-4e55-9ea3-389ef24847d3
- title: Istio Controlplane
- version: "20240614"
- uuid: 7e3269fc-fe33-49c9-be88-6c868e21aae1
+ uuid: bf31d461-82af-529a-8bdf-09aa488e5b7e
+ published: 2024-09-03T21:02:56.440962532Z
+ remarks: Lula Generated Component Definition
+ title: Istio
+ version: 0.0.1
+ uuid: b0395313-5d50-4c64-b0e7-43014a47ead9