Updated README file

2025-05-23 22:26:40 +03:00 · 2025-05-23 22:26:40 +03:00 · 48ada6fa03
commit 48ada6fa03
parent 5f39f381c1
4 changed files with 48 additions and 106 deletions
--- a/README.md
+++ b/README.md
@ -1,52 +1,61 @@
-# Conftest
+# Security as Code for Automated Deployment k3s in Proxmox environment

-[![Go Report Card](https://goreportcard.com/badge/open-policy-agent/opa)](https://goreportcard.com/report/open-policy-agent/conftest) [![Netlify](https://api.netlify.com/api/v1/badges/2d928746-3380-4123-b0eb-1fd74ba390db/deploy-status)](https://app.netlify.com/sites/vibrant-villani-65041c/deploys)
+## 📘 Описание

-Conftest helps you write tests against structured configuration data. Using Conftest you can
-write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code,
-Serverless configs or any other config files.
+Этот проект предоставляет автоматизированный и безопасный способ развертывания кластера [K3s](https://k3s.io/) в среде [Proxmox VE](https://www.proxmox.com/en/proxmox-ve). Используются подходы **Security as Code**, чтобы обеспечить безопасную конфигурацию инфраструктуры на всех этапах — от создания виртуальных машин до установки кластерных компонентов и настройки сетевого взаимодействия.

-Conftest uses the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing
-the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html)
-in the Open Policy Agent documentation.
+## 🔧 Возможности

-Here's a quick example. Save the following as `policy/deployment.rego`:
+* 📦 Полная автоматизация развертывания K3s-кластера
+* 🔐 Реализация лучших практик безопасности (SSH, firewall, user hardening и пр.)
+* 📜 IaC (Infrastructure as Code) с использованием Ansible, Terraform и Bash

-```rego
-package main
+## 📁 Структура проекта

-deny[msg] {
-  input.kind == "Deployment"
-  not input.spec.template.spec.securityContext.runAsNonRoot
-
-  msg := "Containers must not run as root"
-}
-
-deny[msg] {
-  input.kind == "Deployment"
-  not input.spec.selector.matchLabels.app
-
-  msg := "Containers must provide app label for pod selectors"
-}
+```
+├── ansible/                # Ansible playbooks для настройки VM и K3s
+├── terraform/              # Terraform модули для создания VM в Proxmox
+└── README.md
 ```

-Assuming you have a Kubernetes deployment in `deployment.yaml` you can run Conftest like so:
+## ⚙️ Требования

-```console
-$ conftest test deployment.yaml
-FAIL - deployment.yaml - Containers must not run as root
-FAIL - deployment.yaml - Containers must provide app label for pod selectors
+* Proxmox VE 7.x+
+* Terraform 1.0+
+* Ansible 2.10+
+* Bash (Linux/macOS)
+* Доступ к Proxmox через API
+* SSH-ключ для доступа к виртуальным машинам

-2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions
+## 🚀 Установка
+
+1. **Склонируйте репозиторий:**
+
+```bash
+git clone https://git.vadzik-iot.ru/vadzik/sac_project.git
+cd k3s-proxmox-sec
 ```

-Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the [documentation](https://www.conftest.dev/) for [installation instructions](https://www.conftest.dev/install/) and
-more details about the features.
+2. **Настройте переменные окружения и secrets (Terraform/Ansible):**

-## Want to contribute to Conftest?

-* See [DEVELOPMENT.md](DEVELOPMENT.md) to build and test Conftest itself.
-* See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.
+3. **Создайте виртуальные машины через Terraform:**

-For discussions and questions join us on the [Open Policy Agent Slack](https://slack.openpolicyagent.org/)
-in the `#opa-conftest` channel.
+```bash
+cd terraform
+terraform init
+terraform apply
+```
+
+4. **Запустите Ansible-плейбук для настройки K3s и обеспечения безопасности:**
+
+```bash
+cd ../ansible
+ansible-playbook site.yml -i inventory.ini
+```
+
+## 🔐 Безопасность
+
+* Минимизация прав пользователей
+* Только доступ по SSH-ключу (пароли отключены)
+* Проверка хэшей и сертификатов при установке
--- a/terraform/LICENSE
+++ b/terraform/LICENSE
@ -1,15 +0,0 @@
-   Conftest - Write tests against your config files
-
-   Copyright (C) 2019 Gareth Rushgrove
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       https://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
--- a/terraform/README.md
+++ b/terraform/README.md
@ -1,52 +0,0 @@
-# Conftest
-
-[![Go Report Card](https://goreportcard.com/badge/open-policy-agent/opa)](https://goreportcard.com/report/open-policy-agent/conftest) [![Netlify](https://api.netlify.com/api/v1/badges/2d928746-3380-4123-b0eb-1fd74ba390db/deploy-status)](https://app.netlify.com/sites/vibrant-villani-65041c/deploys)
-
-Conftest helps you write tests against structured configuration data. Using Conftest you can
-write tests for your Kubernetes configuration, Tekton pipeline definitions, Terraform code,
-Serverless configs or any other config files.
-
-Conftest uses the Rego language from [Open Policy Agent](https://www.openpolicyagent.org/) for writing
-the assertions. You can read more about Rego in [How do I write policies](https://www.openpolicyagent.org/docs/how-do-i-write-policies.html)
-in the Open Policy Agent documentation.
-
-Here's a quick example. Save the following as `policy/deployment.rego`:
-
-```rego
-package main
-
-deny[msg] {
-  input.kind == "Deployment"
-  not input.spec.template.spec.securityContext.runAsNonRoot
-
-  msg := "Containers must not run as root"
-}
-
-deny[msg] {
-  input.kind == "Deployment"
-  not input.spec.selector.matchLabels.app
-
-  msg := "Containers must provide app label for pod selectors"
-}
-```
-
-Assuming you have a Kubernetes deployment in `deployment.yaml` you can run Conftest like so:
-
-```console
-$ conftest test deployment.yaml
-FAIL - deployment.yaml - Containers must not run as root
-FAIL - deployment.yaml - Containers must provide app label for pod selectors
-
-2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions
-```
-
-Conftest isn't specific to Kubernetes. It will happily let you write tests for any configuration files in a variety of different formats. See the [documentation](https://www.conftest.dev/) for [installation instructions](https://www.conftest.dev/install/) and
-more details about the features.
-
-## Want to contribute to Conftest?
-
-* See [DEVELOPMENT.md](DEVELOPMENT.md) to build and test Conftest itself.
-* See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.
-
-For discussions and questions join us on the [Open Policy Agent Slack](https://slack.openpolicyagent.org/)
-in the `#opa-conftest` channel.
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -17,8 +17,8 @@ resource "proxmox_vm_qemu" "proxmox_vm_master" {
  nameserver = "1.1.1.1 8.8.8.8"
  ipconfig0  = "ip=${var.master_ips[count.index]}/${var.networkrange},gw=${var.gateway}"
  skip_ipv6  = true
-  ciuser     = "root"
-  cipassword = "test_passwd"
+  ciuser     = "debian"
+  cipassword = ""
  sshkeys    = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKXXnm9Hl4fPCt/Xjd/8E5tKY+edtM/BvdMOXpx40oWG iac@proxmox.vadzik-iot.ru"

  # Most cloud-init images require a serial device for their display