Sisyphus repository
Last updated: 1 October 2023 | SRPMs: 18631 | Visits: 37877068
ALT Linux repositories
S:1.0.8-alt1

Group :: Development/Other
RPM: podsec


%define u7s_admin_usr u7s-admin
%define u7s_admin_grp u7s-admin
%define kubernetes_grp kube
%define _libexecdir %_prefix/libexec
%define nagiosdir %_prefix/lib/nagios
%define nagios_plugdir %nagiosdir/plugins
%define u7s_admin_homedir %_localstatedir/%u7s_admin_usr

Name: podsec
Version: 1.0.2
Release: alt1

Summary: Set of scripts for Podman Security
License: GPLv2+
Group: Development/Other
Url: https://github.com/alt-cloud/podsec
BuildArch: noarch

Source: %name-%version.tar

BuildRequires(pre): rpm-macros-systemd
Requires: podman >= 4.4.2
Requires: shadow-submap >= 4.5
Requires: nginx >= 1.22.1
Requires: docker-registry >= 2.8.1
Requires: pinentry-common
Requires: jq
Requires: yq
Requires: skopeo >= 1.9.1
Requires: wget
Requires: coreutils
Requires: conntrack-tools
Requires: findutils
Requires: iproute2
Requires: iptables
Requires: openssh-server
Requires: curl

%description
This package contains utilities for:
- setting the most secure container application access policies
 (directory /etc/containers/)
- installation of a registry and a web server for access to image signatures
- creating a user with rights to create docker images, signing them and
 placing them in the registry
- creating users with rights to run containers in rootless mode
- downloading docker images from the oci archive, placing them
 on the local system, signing and placing them on the registry

%package k8s
Summary: Set of scripts for Kubernetes Security
Group: Development/Other
Requires: podsec >= 0.3.1
Requires: kubernetes-kubeadm >= 1.26.3-alt2
Requires: kubernetes-kubelet >= 1.26.3-alt2
Requires: kubernetes-crio >= 1.26.3-alt2
Requires: kubernetes-master >= 1.26.3-alt2
Requires: kubernetes-node >= 1.26.3-alt2
Requires: kubernetes-client >= 1.26.3-alt2
Requires: cri-o >= 1.26.2
Requires: cri-tools >= 1.22.0
Requires: etcd >= 3.4.15
Requires: flannel >= 0.19.2
Requires: cni-plugin-flannel >= 1.1.2
Requires: rootlesskit >= 1.1.0
Requires: slirp4netns >= 1.1.12
Requires: crun >= 1.8.1
Requires: systemd-container
%filter_from_requires /\/etc\/kubernetes\/kubelet/d


%description k8s
This package contains utilities for:
- cluster node configurations

%package k8s-rbac
Summary: Set of scripts for Kubernetes RBAC
Group: Development/Other
Requires: kubernetes-client >= 1.26.3-alt2
Requires: podsec >= %EVR


%description k8s-rbac
This package contains utilities for:
- creating RBAC users
- generation of certificates and configuration files for users
- generating cluster and usual roles and binding them to users

%package inotify
Summary: Set of scripts for security monitoring
Group: Development/Other
Requires: inotify-tools
Requires: podsec >= %EVR
Requires: openssh-server
Requires: mailx
Requires: trivy
Requires: vixie-cron

%description inotify
A set of scripts for security monitoring by crontabs or
called from the nagios server side via check_ssh plugin
to monitor and identify security threats

%package dev
Summary: Set of scripts for podsec developers
Group: Development/Other
Requires: podsec >= %EVR

%description dev
A set of scripts for developers

%prep
%setup

%build
%make_build

%install
%makeinstall_std

%pre
groupadd -r -f podman >/dev/null 2>&1 ||:
groupadd -r -f podman_dev >/dev/null 2>&1 ||:


%pre k8s
groupadd -r -f %u7s_admin_grp >/dev/null 2>&1 ||:
useradd -r -m -g %u7s_admin_grp -d %u7s_admin_homedir -G %kubernetes_grp,systemd-journal,podman,fuse \
   -c 'usernet user account' %u7s_admin_usr >/dev/null 2>&1 ||:

%post inotify
%post_systemd podsec-inotify-check-containers.service
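%post_systemd podsec-inotify-check-kubeapi.service
# Append each shipped crontab fragment to root's crontab unless it is already
# referenced there. Stop if the directory is missing, so the loop never runs
# over the files of whatever the current directory happens to be.
cd %_sysconfdir/podsec/crontabs/ || exit 0
rootcrontab="%_var/spool/cron/root"
if [ ! -f "$rootcrontab" ]; then touch "$rootcrontab"; fi
for crontab in *
do
 # Skip the literal '*' left by an empty directory and anything that is not a regular file
 [ -f "$crontab" ] || continue
 # Match the file name as a fixed string, not as a regular expression
 if grep -qF -- "$crontab" "$rootcrontab" ; then :;
 else
   cat "$crontab" >> "$rootcrontab"
 fi
done
chmod 600 "$rootcrontab"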

%preun inotify
%preun_systemd podsec-inotify-check-containers.service
%preun_systemd podsec-inotify-check-kubeapi.service

%post k8s
%post_systemd  u7s.service

%preun k8s
%preun_systemd u7s.service

%files
%_bindir/podsec*
%exclude %_bindir/podsec-save-oci
%exclude %_bindir/podsec-u7s-*
%exclude %_bindir/podsec-k8s-*
%exclude %_bindir/podsec-inotify-*
%_mandir/man?/podsec*
%exclude %_mandir/man?/podsec-k8s-*
%exclude %_mandir/man?/podsec-u7s-*
%exclude %_mandir/man?/podsec-save-oci*
%exclude %_mandir/man?/podsec-inotify-*
%dir %_sysconfdir/podsec
%dir %_libexecdir/podsec
%dir %attr(0755,root,root) %_localstatedir/podsec

%files k8s
%dir %_sysconfdir/podsec/u7s
%config(noreplace) %_sysconfdir/podsec/u7s/*
%config(noreplace) %_sysconfdir/kubernetes/manifests/*
%config(noreplace) %_sysconfdir/kubernetes/audit/*
%_unitdir/user@.service.d/*
%_libexecdir/podsec/u7s
%_localstatedir/podsec/u7s/*
%_modules_loaddir/u7s.conf
%_bindir/podsec-k8s-*
%_bindir/podsec-u7s-*
%exclude %_bindir/podsec-k8s-rbac-*
%exclude %_bindir/podsec-k8s-save-oci
%_mandir/man?/podsec-k8s-*
%exclude %_mandir/man?/podsec-k8s-save-oci*
%_mandir/man?/podsec-u7s-*
%exclude %_mandir/man?/podsec-k8s-rbac-*
%_unitdir/u7s.service
%_userunitdir/*
%dir %attr(0750,%u7s_admin_usr,%u7s_admin_grp) %_sysconfdir/kubernetes/audit/
%dir %attr(0750,%u7s_admin_usr,%u7s_admin_grp) %u7s_admin_homedir
%dir %attr(0750,%u7s_admin_usr,%u7s_admin_grp) %_localstatedir/podsec/u7s
%dir %attr(0750,%u7s_admin_usr,%u7s_admin_grp) %_localstatedir/podsec/u7s/etcd
%config(noreplace) %attr(0640,%u7s_admin_usr,%u7s_admin_grp) %u7s_admin_homedir/.bashrc

%files k8s-rbac
%_bindir/podsec-k8s-rbac-*
%_mandir/man?/podsec-k8s-rbac-*

%files inotify
%nagios_plugdir/podsec-inotify-*
%_bindir/podsec-inotify-*
%_mandir/man?/podsec-inotify-*
%_unitdir/podsec-inotify-*
%exclude %_unitdir/u7s.service
%_sysconfdir/podsec/crontabs/*

%files dev
%_bindir/podsec-save-oci
%_bindir/podsec-k8s-save-oci
%_mandir/man?/podsec-k8s-save-oci*
%_mandir/man?/podsec-save-oci*

%changelog

You can see all the changes here

 