changing dockerfile imge to non root user

Signed-off-by: Shreyas220 <[email protected]>

handling error

Signed-off-by: Shreyas220 <[email protected]>

somethign

Signed-off-by: Shreyas220 <[email protected]>

somethign

Signed-off-by: Shreyas220 <[email protected]>

somethign

Signed-off-by: Shreyas220 <[email protected]>

testing

Signed-off-by: Shreyas220 <[email protected]>

testing

Signed-off-by: Shreyas220 <[email protected]>

testing

Signed-off-by: Shreyas220 <[email protected]>

testing

Signed-off-by: Shreyas220 <[email protected]>

testing

Signed-off-by: Shreyas220 <[email protected]>

.github/workflows/ginko.yml

@@ -10,6 +10,8 @@ jobs:
   build:
     name: Auto-testing Framework
     runs-on: ubuntu-latest
+    env:
+      RUNTIME: containerd
 
     steps:
       - uses: actions/checkout@v3
@@ -33,7 +35,16 @@ jobs:
           /bin/bash ./install_k3s.sh
  
       - name: Build Docker image
-        run: docker build -t kubearmor/sidekick:latest .
+        run: |
+          docker build -t kubearmor/sidekick:test .
+          sleep 5
+
+      - name: k3s thing 
+        run : sudo systemctl cat k3s
+
+      - name: save docker image
+        run: |
+          docker save kubearmor/sidekick:test | sudo k3s ctr images import -
 
       - name: Add Helm Repository 
         run: |
@@ -72,10 +83,10 @@ jobs:
           kubectl apply -f ./tests/policy.yaml
           kubectl get pods -A
 
-      - name: Install deimos using Helm
+      - name: Install sidekick using Helm
         run: |
-          helm install deimos ./helm/deimos/ --set config.syslog.host=syslog-server-service.default.svc.cluster.local --set config.syslog.port=514 --set config.syslog.format=cef --set config.syslog.protocol=udp --set config.policyreport.enabled=true -n kube-system
-          sleep 10
+          helm install sidekick ./helm/sidekick/ --set image.repository=kubearmor/sidekick --set image.tag=test --set config.syslog.host=syslog-server-service.default.svc.cluster.local --set config.syslog.port=514 --set config.syslog.format=cef --set config.syslog.protocol=udp --set config.policyreport.enabled=true -n kube-system
+          sleep 15
           kubectl get pods -A
 
       - name: Test Sidekick using Ginkgo

.github/workflows/push-main.yml

@@ -26,5 +26,4 @@ jobs:
           context: .
           file: ./Dockerfile
           push: true
-          tags: kubearmor/sidekick:latest
-
+          tags: kubearmor/sidekick:latest

Dockerfile

@@ -1,13 +1,47 @@
-FROM golang:1.20
+# FROM golang:1.20
+
+# WORKDIR /app
+
+# COPY go.mod ./
+# COPY go.sum ./
+# RUN go mod download
+
+# COPY . ./
+
+# RUN go build -o sidekick .
+
+# ENTRYPOINT ["./sidekick"]
+# Build stage
+
+FROM golang:1.20 AS build-stage
 
 WORKDIR /app
 
+# Copy go module files and download dependencies
 COPY go.mod ./
 COPY go.sum ./
 RUN go mod download
 
+# Copy the source code and build the application
 COPY . ./
+RUN CGO_ENABLED=0 go build -o sidekick .
 
-RUN go build -o sidekick .
+# Final stage
+FROM alpine:3.17 AS final-stage
+
+# Add ca-certificates for SSL/TLS communication
+RUN apk add --update --no-cache ca-certificates
+
+# Correcting the path here
+COPY --from=build-stage /app/sidekick /app/sidekick
+
+# Create user for added security
+RUN addgroup -S sidekick && adduser -u 1234 -S sidekick -G sidekick
+
+# Switch to the new user
+USER 1234
+
+WORKDIR /app
 
-ENTRYPOINT ["./sidekick"]
+# Set the entrypoint to the binary
+ENTRYPOINT ["./sidekick"]

helm/deimos/Chart.yaml → helm/sidekick/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-name: deimos
+name: sidekick
 description: A Helm chart for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.

helm/deimos/templates/NOTES.txt → helm/sidekick/templates/NOTES.txt

@@ -6,16 +6,16 @@
   {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "deimos.fullname" . }})
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "sidekick.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "deimos.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "deimos.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "sidekick.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "sidekick.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
   echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
-  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "deimos.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "sidekick.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT

helm/deimos/templates/_helpers.tpl → helm/sidekick/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "deimos.name" -}}
+{{- define "sidekick.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "deimos.fullname" -}}
+{{- define "sidekick.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "deimos.chart" -}}
+{{- define "sidekick.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "deimos.labels" -}}
-helm.sh/chart: {{ include "deimos.chart" . }}
-{{ include "deimos.selectorLabels" . }}
+{{- define "sidekick.labels" -}}
+helm.sh/chart: {{ include "sidekick.chart" . }}
+{{ include "sidekick.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "deimos.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "deimos.name" . }}
+{{- define "sidekick.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "sidekick.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "deimos.serviceAccountName" -}}
+{{- define "sidekick.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "deimos.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "sidekick.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

helm/deimos/templates/clusterrole-binding-rbac.yaml → helm/sidekick/templates/clusterrole-binding-rbac.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: deimos-clusterRoleBinding
+  name: sidekick-clusterRoleBinding
 subjects:
 - kind: ServiceAccount
-  name: deimos-serviceaccount
+  name: sidekick-serviceaccount
   namespace: {{.Release.Namespace}}
 roleRef:
   kind: ClusterRole
-  name: deimos
+  name: sidekick
   apiGroup: rbac.authorization.k8s.io

helm/deimos/templates/deployment.yaml → helm/sidekick/templates/deployment.yaml

@@ -2,20 +2,20 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: deimos-deployment
+  name: sidekick-deployment
 spec:
   selector:
     matchLabels:
-      kubearmor-app: deimos
+      kubearmor-app: sidekick
   template:
     metadata:
       labels:
-        kubearmor-app: deimos
+        kubearmor-app: sidekick
     spec:
-      serviceAccountName: deimos-serviceaccount
+      serviceAccountName: sidekick-serviceaccount
       containers:
-      - name: deimos-container
+      - name: sidekick-container
         image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
         envFrom:
         - secretRef:
-            name: deimos-secret
+            name: sidekick-secret

helm/deimos/templates/secrets.yaml → helm/sidekick/templates/secrets.yaml

@@ -1,10 +1,10 @@
 {{- if eq .Values.config.existingSecret "" }}
-{{- $fullName := include "deimos.fullname" . -}}
+{{- $fullName := include "sidekick.fullname" . -}}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: deimos-secret
+  name: sidekick-secret
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/instance: {{ .Release.Name }}

helm/deimos/templates/service.yaml → helm/sidekick/templates/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: deimos
+  name: sidekick
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["pods","pods/log"]

helm/deimos/templates/serviceaccount.yaml → helm/sidekick/templates/serviceaccount.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   namespace: {{ .Release.Namespace }}
-  name: deimos-serviceaccount
+  name: sidekick-serviceaccount

helm/sidekick/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "sidekick.fullname" . }}-test-connection"
+  labels:
+    {{- include "sidekick.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "sidekick.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

helm/deimos/values.yaml → helm/sidekick/values.yaml

@@ -13,15 +13,15 @@ extraVolumeMounts:
 extraVolumes:
   - name: my-secret-volume
     secret:
-      secretName: deimos-secret
+      secretName: sidekick-secret
 
 image:
   # -- The image registry to pull from
   registry: docker.io
   # -- The image repository to pull from
-  repository: gladium08/deimos
+  repository: kubearmor/sidekick
   # -- The image tag to pull
-  tag: new110
+  tag: latest
   # -- The image pull policy
   pullPolicy: Always
 
@@ -174,7 +174,7 @@ config:
   alertmanager:
     # -- AlertManager <http://host:port>, if not `empty`, AlertManager is *enabled*
     hostport: ""
-    # -- alertmanager endpoint on which deimos posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"`
+    # -- alertmanager endpoint on which sidekick posts alerts, choice is: `"/api/v1/alerts" or "/api/v2/alerts" , default is "/api/v1/alerts"`
     endpoint: "/api/v1/alerts"
     # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""`
     minimumpriority: ""
@@ -290,7 +290,7 @@ config:
     checkcert: true
 
   aws:
-    # -- AWS IAM role ARN for deimos service account to associate with (optionnal if you use EC2 Instance Profile)
+    # -- AWS IAM role ARN for sidekick service account to associate with (optionnal if you use EC2 Instance Profile)
     rolearn: ""
     # -- External id for the role to assume (optional if you use EC2 Instance Profile)
     externalid: ""
@@ -305,7 +305,7 @@ config:
     cloudwatchlogs:
       # -- AWS CloudWatch Logs Group name, if not empty, CloudWatch Logs output is *enabled*
       loggroup: ""
-      # -- AWS CloudWatch Logs Stream name, if empty, deimos will try to create a log stream
+      # -- AWS CloudWatch Logs Stream name, if empty, sidekick will try to create a log stream
       logstream: ""
       # -- minimum priority of event to use this output, order is `emergency\|alert\|critical\|error\|warning\|notice\|informational\|debug or ""`
       minimumpriority: ""
@@ -702,7 +702,7 @@ config:
   policyreport:
     # -- if true; policyreport output is *enabled*
     enabled: false
-    # -- Kubeconfig file to use (only if deimos is running outside the cluster)
+    # -- Kubeconfig file to use (only if sidekick is running outside the cluster)
     kubeconfig: "~/.kube/config"
     # -- the max number of events that can be in a policyreport
     maxevents: 1000
@@ -896,7 +896,7 @@ ingress:
   #    hosts:
   #      - chart-example.local
 
-# -- The resources for deimos pods
+# -- The resources for sidekick pods
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little