Merge pull request #309 from one-covenant/feat/k3s-automated-security

feat(k3s) Add automated security scanners

Author: epappas

orchestrator/ansible/playbooks/deploy-security.yml

@@ -0,0 +1,177 @@
+---
+# Deploy Security Stack (Trivy + Falco) to K3s Cluster
+# Usage: ansible-playbook -i inventories/production.ini playbooks/deploy-security.yml
+- name: Deploy Security Stack (Trivy + Falco)
+  hosts: k3s_server[0]
+  become: yes
+  gather_facts: yes
+
+  vars:
+    kubeconfig_path: "{{ ansible_env.HOME }}/.kube/k3s-basilica-config"
+    k8s_security_dir: "{{ playbook_dir }}/../../k8s/security"
+    trivy_operator_image: "ghcr.io/aquasecurity/trivy-operator:0.20.0"
+    falco_image: "falcosecurity/falco-no-driver:0.37.0"
+    falcosidekick_image: "falcosecurity/falcosidekick:2.28.0"
+
+  tasks:
+    - name: Verify K3s cluster is healthy
+      command: kubectl --kubeconfig={{ kubeconfig_path }} get nodes
+      register: nodes_status
+      changed_when: false
+      failed_when: "'NotReady' in nodes_status.stdout"
+
+    - name: Display cluster nodes
+      debug:
+        msg: "{{ nodes_status.stdout_lines }}"
+
+    # ===== Trivy Deployment =====
+    - name: Create trivy-system namespace
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/trivy/namespace.yaml"
+
+    - name: Deploy Trivy RBAC
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/trivy/rbac.yaml"
+
+    - name: Deploy Trivy Operator
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/trivy/operator-deployment.yaml"
+
+    - name: Wait for Trivy Operator readiness
+      kubernetes.core.k8s_info:
+        kubeconfig: "{{ kubeconfig_path }}"
+        kind: Deployment
+        namespace: trivy-system
+        name: trivy-operator
+        wait: yes
+        wait_timeout: 300
+        wait_condition:
+          type: Available
+          status: "True"
+
+    - name: Verify Trivy Operator pod status
+      command: >
+        kubectl --kubeconfig={{ kubeconfig_path }}
+        get pods -n trivy-system -l app=trivy-operator -o jsonpath='{.items[0].status.phase}'
+      register: trivy_pod_status
+      changed_when: false
+
+    - name: Display Trivy Operator status
+      debug:
+        msg: "Trivy Operator status: {{ trivy_pod_status.stdout }}"
+
+    # ===== Falco Deployment =====
+    - name: Create falco namespace
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/falco/namespace.yaml"
+
+    - name: Deploy Falco RBAC
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/falco/rbac.yaml"
+
+    - name: Deploy Falco ConfigMap
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/falco/configmap.yaml"
+
+    - name: Deploy Falco GPU security rules
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/falco/rules-gpu.yaml"
+
+    - name: Deploy Falco DaemonSet
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/falco/daemonset.yaml"
+
+    - name: Deploy Falcosidekick
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/falco/falcosidekick-deployment.yaml"
+
+    - name: Wait for Falco DaemonSet rollout
+      command: >
+        kubectl --kubeconfig={{ kubeconfig_path }}
+        rollout status daemonset/falco -n falco --timeout=300s
+      register: falco_rollout
+      changed_when: false
+
+    - name: Verify Falco DaemonSet coverage
+      command: >
+        kubectl --kubeconfig={{ kubeconfig_path }}
+        get daemonset -n falco falco -o jsonpath='{.status.numberReady}/{.status.desiredNumberScheduled}'
+      register: falco_coverage
+      changed_when: false
+
+    - name: Display Falco DaemonSet coverage
+      debug:
+        msg: "Falco coverage: {{ falco_coverage.stdout }} pods ready"
+
+    - name: Wait for Falcosidekick readiness
+      kubernetes.core.k8s_info:
+        kubeconfig: "{{ kubeconfig_path }}"
+        kind: Deployment
+        namespace: falco
+        name: falcosidekick
+        wait: yes
+        wait_timeout: 120
+        wait_condition:
+          type: Available
+          status: "True"
+
+    # ===== Common Resources =====
+    - name: Deploy network policies
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/common/network-policies.yaml"
+
+    - name: Deploy resource quotas
+      kubernetes.core.k8s:
+        kubeconfig: "{{ kubeconfig_path }}"
+        state: present
+        src: "{{ k8s_security_dir }}/common/resource-quotas.yaml"
+
+    # ===== Verification =====
+    - name: Get security stack pods
+      command: >
+        kubectl --kubeconfig={{ kubeconfig_path }}
+        get pods -n {{ item }} -o wide
+      loop:
+        - trivy-system
+        - falco
+      register: security_pods
+      changed_when: false
+
+    - name: Display security stack status
+      debug:
+        msg: "{{ item.stdout_lines }}"
+      loop: "{{ security_pods.results }}"
+      loop_control:
+        label: "{{ item.item }}"
+
+    - name: Summary
+      debug:
+        msg:
+          - "Security stack deployed successfully"
+          - "Trivy Operator: {{ trivy_pod_status.stdout }}"
+          - "Falco DaemonSet: {{ falco_coverage.stdout }} pods"
+          - ""
+          - "Next steps:"
+          - "  1. Monitor VulnerabilityReports: kubectl get vulnerabilityreports -A"
+          - "  2. Check Falco logs: kubectl logs -n falco -l app=falco --tail=50"
+          - "  3. View architecture docs: docs/architecture/TRIVY-FALCO-INTEGRATION.md"

orchestrator/k8s/security/common/network-policies.yaml

@@ -0,0 +1,177 @@
+---
+# Ingress policy for Trivy Operator
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: trivy-operator-ingress
+  namespace: trivy-system
+spec:
+  podSelector:
+    matchLabels:
+      app: trivy-operator
+  policyTypes:
+    - Ingress
+  ingress:
+    # Prometheus scraping from basilica-system
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: basilica-system
+      ports:
+        - protocol: TCP
+          port: 8080
+    # Health checks from kubelet
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 9090
+---
+# Egress policy for Trivy Operator
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: trivy-operator-egress
+  namespace: trivy-system
+spec:
+  podSelector:
+    matchLabels:
+      app: trivy-operator
+  policyTypes:
+    - Egress
+  egress:
+    # K8s API server access
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 6443
+    # DNS
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # Container registries (HTTPS)
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+---
+# Ingress policy for Falco DaemonSet (Prometheus scraping)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: falco-ingress
+  namespace: falco
+spec:
+  podSelector:
+    matchLabels:
+      app: falco
+  policyTypes:
+    - Ingress
+  ingress:
+    # Prometheus scraping from basilica-system
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: basilica-system
+      ports:
+        - protocol: TCP
+          port: 8765
+    # Health checks from kubelet
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+      ports:
+        - protocol: TCP
+          port: 8765
+---
+# Egress policy for Falco DaemonSet
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: falco-egress
+  namespace: falco
+spec:
+  podSelector:
+    matchLabels:
+      app: falco
+  policyTypes:
+    - Egress
+  egress:
+    # K8s API server access
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 6443
+    # DNS
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # Falcosidekick communication
+    - to:
+        - podSelector:
+            matchLabels:
+              app: falcosidekick
+      ports:
+        - protocol: TCP
+          port: 2801
+---
+# Network policies for Falcosidekick
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: falcosidekick-egress
+  namespace: falco
+spec:
+  podSelector:
+    matchLabels:
+      app: falcosidekick
+  policyTypes:
+    - Egress
+    - Ingress
+  ingress:
+    # Allow inbound from Falco pods
+    - from:
+        - podSelector:
+            matchLabels:
+              app: falco
+      ports:
+        - protocol: TCP
+          port: 2801
+  egress:
+    # DNS
+    - to: []
+      ports:
+        - protocol: UDP
+          port: 53
+        - protocol: TCP
+          port: 53
+    # External observability (Loki, Prometheus)
+    - to: []
+      ports:
+        - protocol: TCP
+          port: 443
+        - protocol: TCP
+          port: 3100
+        - protocol: TCP
+          port: 9090
+    # Basilica API webhook
+    - to:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: basilica-system
+      ports:
+        - protocol: TCP
+          port: 8080