* added app armor config

* moved security context config to helpers
* added tests

Author: yairsappir

.circleci/tests/golden/wiz-outpost-lite/multiple-runners-security-context.golden.yaml

@@ -74,7 +74,6 @@ spec:
   template:
     metadata:
       annotations:
-        container.apparmor.security.beta.kubernetes.io/wiz-outpost-lite-remediation-aws-rds-003: unconfined
       labels:
         app.kubernetes.io/name: wiz-outpost-lite
         app.kubernetes.io/instance: release-test

.circleci/tests/golden/wiz-outpost-lite/remediation-special-security-context.golden.yaml

@@ -74,7 +74,6 @@ spec:
   template:
     metadata:
       annotations:
-        container.apparmor.security.beta.kubernetes.io/wiz-outpost-lite-remediation-aws-rds-003: unconfined
       labels:
         app.kubernetes.io/name: wiz-outpost-lite
         app.kubernetes.io/instance: release-test

.circleci/tests/golden/wiz-outpost-lite/remediation.golden.yaml

@@ -0,0 +1,379 @@
+---
+# Source: wiz-outpost-lite/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-vcs-event-triggered
+  namespace: release-helm-namespace
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-event-triggered"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: wiz-outpost-lite/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sa-vcs-scheduled
+  namespace: release-helm-namespace
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-scheduled"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: wiz-outpost-lite/templates/credentials.secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: outpost-lite-agent-creds
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+stringData:
+  clientId: "client-1"
+  clientSecret: "secret-2"
+---
+# Source: wiz-outpost-lite/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: release-test-wiz-outpost-lite-vcs-event-triggered
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-event-triggered"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9090
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-event-triggered"
+---
+# Source: wiz-outpost-lite/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: release-test-wiz-outpost-lite-vcs-scheduled
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-scheduled"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  ports:
+    - port: 9090
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+  selector:
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-scheduled"
+---
+# Source: wiz-outpost-lite/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: release-test-wiz-outpost-lite-vcs-event-triggered
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-event-triggered"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wiz-outpost-lite
+      app.kubernetes.io/instance: release-test
+      wiz.io/runner: "vcs-event-triggered"
+  template:
+    metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/wiz-outpost-lite-vcs-event-triggered: unconfined
+      labels:
+        app.kubernetes.io/name: wiz-outpost-lite
+        app.kubernetes.io/instance: release-test
+        wiz.io/runner: "vcs-event-triggered"
+    spec:
+      serviceAccountName: sa-vcs-event-triggered
+      restartPolicy: Always
+      containers:
+        - name: wiz-outpost-lite-vcs-event-triggered
+          image: "wizio.azurecr.io/outpost-lite-runner-vcs:0.1-latest"
+          command: [ "/entrypoint"]
+          imagePullPolicy: Always
+          env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: K8S_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: K8S_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: OUTPOST
+            value: "1"
+          - name: WIZ_OUTPOST_ID
+            value: "my-outpost-id"
+          - name: WIZ_OUTPOST_RUNNER_ID
+            value: "vcs-event-triggered"
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: outpost-lite-agent-creds
+                key: clientId
+          - name: WIZ_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: outpost-lite-agent-creds
+                key: clientSecret
+          - name: OUTPOST_LITE_RUNNER_REGION
+            value: "partition-1"
+          - name: OUTPOST_LITE_RUNNER_METRICS_PORT
+            value: "9090"
+          - name: OUTPOST_LITE_RUNNER_AUTO_UPDATE
+            value: "1"
+          - name: OUTPOST_LITE_RUNNER_CONCURRENCY
+            value: "4"
+          - name: http_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpProxy"
+                optional: true
+          - name: HTTP_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpProxy"
+                optional: true
+          - name: https_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpsProxy"
+                optional: true
+          - name: HTTPS_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpsProxy"
+                optional: true
+          - name: no_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "noProxyAddress"
+                optional: true
+          - name: NO_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "noProxyAddress"
+                optional: true
+          - name: SSL_CERT_DIR
+            value: "/usr/local/share/ca-certificates/:/certificates/"
+          ports:
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          resources:
+            limits:
+              memory: 4396M
+            requests:
+              memory: 1024M
+          securityContext:
+            capabilities:
+              add:
+              - SYS_ADMIN
+            privileged: true
+            seLinuxOptions:
+              type: spc_t
+          volumeMounts:
+            - mountPath: /var/wiz
+              name: working-dir
+            - mountPath: /usr/local/share/ca-certificates/
+              name: ca-certificate
+              readOnly: true
+      terminationGracePeriodSeconds: 300
+      volumes:
+        - name: working-dir
+          emptyDir: {}
+        - name: ca-certificate
+          secret:
+            defaultMode: 420
+            secretName: "wiz-http-proxy-configuration"
+            items:
+              - key: caCertificate
+                path: root.crt
+            optional: true
+---
+# Source: wiz-outpost-lite/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: release-test-wiz-outpost-lite-vcs-scheduled
+  labels:
+    helm.sh/chart: "GOLDEN_STATIC_VALUE"
+    app.kubernetes.io/name: wiz-outpost-lite
+    app.kubernetes.io/instance: release-test
+    wiz.io/runner: "vcs-scheduled"
+    app.kubernetes.io/version: "0.1.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: wiz-outpost-lite
+      app.kubernetes.io/instance: release-test
+      wiz.io/runner: "vcs-scheduled"
+  template:
+    metadata:
+      annotations:
+        container.apparmor.security.beta.kubernetes.io/wiz-outpost-lite-vcs-scheduled: unconfined
+      labels:
+        app.kubernetes.io/name: wiz-outpost-lite
+        app.kubernetes.io/instance: release-test
+        wiz.io/runner: "vcs-scheduled"
+    spec:
+      serviceAccountName: sa-vcs-scheduled
+      restartPolicy: Always
+      containers:
+        - name: wiz-outpost-lite-vcs-scheduled
+          image: "wizio.azurecr.io/outpost-lite-runner-vcs:0.1-latest"
+          command: [ "/entrypoint"]
+          imagePullPolicy: Always
+          env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: K8S_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: K8S_POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: OUTPOST
+            value: "1"
+          - name: WIZ_OUTPOST_ID
+            value: "my-outpost-id"
+          - name: WIZ_OUTPOST_RUNNER_ID
+            value: "vcs-scheduled"
+          - name: WIZ_CLIENT_ID
+            valueFrom:
+              secretKeyRef:
+                name: outpost-lite-agent-creds
+                key: clientId
+          - name: WIZ_CLIENT_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: outpost-lite-agent-creds
+                key: clientSecret
+          - name: OUTPOST_LITE_RUNNER_REGION
+            value: "partition-1"
+          - name: OUTPOST_LITE_RUNNER_METRICS_PORT
+            value: "9090"
+          - name: OUTPOST_LITE_RUNNER_AUTO_UPDATE
+            value: "1"
+          - name: http_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpProxy"
+                optional: true
+          - name: HTTP_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpProxy"
+                optional: true
+          - name: https_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpsProxy"
+                optional: true
+          - name: HTTPS_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "httpsProxy"
+                optional: true
+          - name: no_proxy
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "noProxyAddress"
+                optional: true
+          - name: NO_PROXY
+            valueFrom:
+              secretKeyRef:
+                name: "wiz-http-proxy-configuration"
+                key: "noProxyAddress"
+                optional: true
+          - name: SSL_CERT_DIR
+            value: "/usr/local/share/ca-certificates/:/certificates/"
+          ports:
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          resources:
+            limits:
+              memory: 4396M
+            requests:
+              memory: 1024M
+          securityContext:
+            capabilities:
+              add:
+              - SYS_ADMIN
+            privileged: true
+            seLinuxOptions:
+              type: spc_t
+          volumeMounts:
+            - mountPath: /var/wiz
+              name: working-dir
+            - mountPath: /usr/local/share/ca-certificates/
+              name: ca-certificate
+              readOnly: true
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: working-dir
+          emptyDir: {}
+        - name: ca-certificate
+          secret:
+            defaultMode: 420
+            secretName: "wiz-http-proxy-configuration"
+            items:
+              - key: caCertificate
+                path: root.crt
+            optional: true