Updated README file

2025-05-23 22:26:40 +03:00 · 2025-05-23 22:26:40 +03:00 · 48ada6fa03
commit 48ada6fa03
parent 5f39f381c1
4 changed files with 48 additions and 106 deletions
--- a/README.md
+++ b/README.md
@ -1,52 +1,61 @@
-# Conftest
+# Security as Code for Automated Deployment k3s in Proxmox environment
-[![Go Report Card](https://goreportcard.com/badge/open-policy-agent/opa)](https://goreportcard.com/report/open-policy-agent/conftest) [![Netlify](https://api.netlify.com/api/v1/badges/2d928746-3380-4123-b0eb-1fd74ba390db/deploy-status)](https://app.netlify.com/sites/vibrant-villani-65041c/deploys)
+## 📘 Описание
-Conftest helps you write tests against structured configuration data. Using Conftest you can
+Этот проект предоставляет автоматизированный и безопасный способ развертывания кластера [K3s](https://k3s.io/) в среде [Proxmox VE](https://www.proxmox.com/en/proxmox-ve). Используются подходы **Security as Code**, чтобы обеспечить безопасную конфигурацию инфраструктуры на всех этапах — от создания виртуальных машин до установки кластерных компонентов и настройки сетевого взаимодействия.
 write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code,
 Serverless configs or any other config files.
-Conftest uses the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing
+## 🔧 Возможности
 the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html)
 in the Open Policy Agent documentation.
-Here's a quick example. Save the following as `policy/deployment.rego`:
+* 📦 Полная автоматизация развертывания K3s-кластера
 * 🔐 Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.)
 * 📜 IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash
-```rego
+## 📁 Структура проекта
 package main
-deny[msg] {
+```
-  input.kind == "Deployment"
+├── ansible/                # Ansible playbooks для настройки VM и K3s
-  not input.spec.template.spec.securityContext.runAsNonRoot
+├── terraform/              # Terraform модули для создания VM в Proxmox
-
+└── README.md
  msg := "Containers must not run as root"
 }
 deny[msg] {
  input.kind == "Deployment"
  not input.spec.selector.matchLabels.app
  msg := "Containers must provide app label for pod selectors"
 }
 ```
-Assuming you have a Kubernetes deployment in `deployment.yaml` you can run Conftest like so:
+## ⚙️ Требования
-```console
+* Proxmox VE 7.x+
-$ conftest test deployment.yaml
+* Terraform 1.0+
-FAIL - deployment.yaml - Containers must not run as root
+* Ansible 2.10+
-FAIL - deployment.yaml - Containers must provide app label for pod selectors
+* Bash (Linux/macOS)
 * Доступ к Proxmox через API
 * SSH-ключ для доступа к виртуальным машинам
-2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions
+## 🚀 Установка
 1. **Склонируйте репозиторий:**
 ```bash
 git clone https://git.vadzik-iot.ru/vadzik/sac_project.git
 cd k3s-proxmox-sec
 ```
-Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the [documentation](https://www.conftest.dev/) for [installation instructions](https://www.conftest.dev/install/) and
+2. **Настройте переменные окружения и secrets (Terraform/Ansible):**
 more details about the features.
 ## Want to contribute to Conftest?
-* See [DEVELOPMENT.md](DEVELOPMENT.md) to build and test Conftest itself.
+3. **Создайте виртуальные машины через Terraform:**
 * See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.
-For discussions and questions join us on the [Open Policy Agent Slack](https://slack.openpolicyagent.org/)
+```bash
-in the `#opa-conftest` channel.
+cd terraform
 terraform init
 terraform apply
 ```
 4. **Запустите Ansible-плейбук для настройки K3s и обеспечения безопасности:**
 ```bash
 cd ../ansible
 ansible-playbook site.yml -i inventory.ini
 ```
 ## 🔐 Безопасность
 * Минимизация прав пользователей
 * Только доступ по SSH-ключу (пароли отключены)
 * Проверка хэшей и сертификатов при установке
--- a/terraform/LICENSE
+++ b/terraform/LICENSE
@ -1,15 +0,0 @@
   Conftest - Write tests against your config files
   Copyright (C) 2019 Gareth Rushgrove
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
       https://www.apache.org/licenses/LICENSE-2.0
   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
--- a/terraform/README.md
+++ b/terraform/README.md
@ -1,52 +0,0 @@
 # Conftest
 [![Go Report Card](https://goreportcard.com/badge/open-policy-agent/opa)](https://goreportcard.com/report/open-policy-agent/conftest) [![Netlify](https://api.netlify.com/api/v1/badges/2d928746-3380-4123-b0eb-1fd74ba390db/deploy-status)](https://app.netlify.com/sites/vibrant-villani-65041c/deploys)
 Conftest helps you write tests against structured configuration data. Using Conftest you can
 write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code,
 Serverless configs or any other config files.
 Conftest uses the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing
 the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html)
 in the Open Policy Agent documentation.
 Here's a quick example. Save the following as `policy/deployment.rego`:
 ```rego
 package main
 deny[msg] {
  input.kind == "Deployment"
  not input.spec.template.spec.securityContext.runAsNonRoot
  msg := "Containers must not run as root"
 }
 deny[msg] {
  input.kind == "Deployment"
  not input.spec.selector.matchLabels.app
  msg := "Containers must provide app label for pod selectors"
 }
 ```
 Assuming you have a Kubernetes deployment in `deployment.yaml` you can run Conftest like so:
 ```console
 $ conftest test deployment.yaml
 FAIL - deployment.yaml - Containers must not run as root
 FAIL - deployment.yaml - Containers must provide app label for pod selectors
 2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions
 ```
 Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the [documentation](https://www.conftest.dev/) for [installation instructions](https://www.conftest.dev/install/) and
 more details about the features.
 ## Want to contribute to Conftest?
 * See [DEVELOPMENT.md](DEVELOPMENT.md) to build and test Conftest itself.
 * See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.
 For discussions and questions join us on the [Open Policy Agent Slack](https://slack.openpolicyagent.org/)
 in the `#opa-conftest` channel.
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -17,8 +17,8 @@ resource "proxmox_vm_qemu" "proxmox_vm_master" {
  nameserver = "1.1.1.1 8.8.8.8"
  ipconfig0  = "ip=${var.master_ips[count.index]}/${var.networkrange},gw=${var.gateway}"
  skip_ipv6  = true
-  ciuser     = "root"
+  ciuser     = "debian"
-  cipassword = "test_passwd"
+  cipassword = ""
  sshkeys    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXXnm9Hl4fPCt/Xjd/8E5tKY+edtM/BvdMOXpx40oWG iac@proxmox.vadzik-iot.ru"
  # Most cloud-init images require a serial device for their display