From ceff7a09a4ad41bb3b91369e73d93e67d7a78e28 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Fri, 21 Feb 2025 10:48:23 -0500 Subject: kube/alrest: harden against upcoming docker hub changes Signed-off-by: Xe Iaso --- kube/alrest/gitea/cfg/anubis/botPolicies.json | 64 ++++++++++++++++++++++ kube/alrest/minio/deployment.yaml | 2 +- kube/alrest/pocket-id/deployment.yaml | 2 +- kube/alrest/registry/deployment.yaml | 1 - .../pull-through/dockerhub/deployment.yaml | 1 - 5 files changed, 66 insertions(+), 4 deletions(-) create mode 100644 kube/alrest/gitea/cfg/anubis/botPolicies.json diff --git a/kube/alrest/gitea/cfg/anubis/botPolicies.json b/kube/alrest/gitea/cfg/anubis/botPolicies.json new file mode 100644 index 0000000..8ca88e1 --- /dev/null +++ b/kube/alrest/gitea/cfg/anubis/botPolicies.json 
@@ -0,0 +1,64 @@ +{ + "bots": [ + { + "name": "amazonbot", + "user_agent_regex": "Amazonbot", + "action": "DENY" + }, + { + "name": "googlebot", + "user_agent_regex": "\\+http\\:\\/\\/www\\.google\\.com/bot\\.html", + "action": "ALLOW" + }, + { + "name": "bingbot", + "user_agent_regex": "\\+http\\:\\/\\/www\\.bing\\.com/bingbot\\.htm", + "action": "ALLOW" + }, + { + "name": "us-artificial-intelligence-scraper", + "user_agent_regex": "\\+https\\:\\/\\/github\\.com\\/US-Artificial-Intelligence\\/scraper", + "action": "DENY" + }, + { + "name": "well-known", + "path_regex": "^/.well-known/.*$", + "action": "ALLOW" + }, + { + "name": "favicon", + "path_regex": "^/favicon.ico$", + "action": "ALLOW" + }, + { + "name": "robots-txt", + "path_regex": "^/robots.txt$", + "action": "ALLOW" + }, + { + "name": "rss-readers", + "path_regex": ".*\\.(rss|xml|atom|json)$", + "action": "ALLOW" + }, + { + "name": "lightpanda", + "user_agent_regex": "^Lightpanda/.*$", + "action": "DENY" + }, + { + "name": "headless-chrome", + "user_agent_regex": "HeadlessChrome", + "action": "DENY" + }, + { + "name": "headless-chromium", + "user_agent_regex": "HeadlessChromium", + "action": "DENY" + }, + { + "name": "generic-browser", + "user_agent_regex": "Mozilla", + "action": "CHALLENGE" + } + ] +} \ No newline at end of file diff --git a/kube/alrest/minio/deployment.yaml b/kube/alrest/minio/deployment.yaml index 356bc35..738ca78 100644 --- a/kube/alrest/minio/deployment.yaml +++ b/kube/alrest/minio/deployment.yaml @@ -27,7 +27,7 @@ spec: volumeMounts: - name: data mountPath: /data - image: minio/minio:latest + image: quay.io/minio/minio:latest imagePullPolicy: Always args: - server diff --git a/kube/alrest/pocket-id/deployment.yaml b/kube/alrest/pocket-id/deployment.yaml index 3051834..5c77bb1 100644 --- a/kube/alrest/pocket-id/deployment.yaml +++ b/kube/alrest/pocket-id/deployment.yaml 
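Review bot: The `rss-readers` rule allows any path ending in `.rss`, `.xml`, `.atom` or `.json` with no challenge. As this policy sits under `gitea/cfg` and presumably fronts Gitea, it would also match repository file views and raw URLs whose file name has one of those extensions. Narrowing it to the feed extensions, `"path_regex": ".*\\.(rss|atom)$"`, and adding `xml`/`json` back only for a specific anchored endpoint would keep feed readers working without opening file browsing to unchallenged clients. The `googlebot` and `bingbot` ALLOW rules match on the User-Agent string alone, which the client controls, so any request carrying that string skips the challenge; if the policy format offers a source-address condition, pair it with these rules, otherwise consider `CHALLENGE`. Smaller point: the dots in `^/favicon.ico$`, `^/robots.txt$` and `^/.well-known/.*$` are unescaped and match any character, so `"^/favicon\\.ico$"` and the like are the exact forms.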
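Review bot: The new reference `quay.io/minio/minio:latest` still combines a mutable tag with `imagePullPolicy: Always`, so every pod restart runs whatever the registry currently serves under `latest`; changing registries does not alter that. Pinning to a release tag or, better, a digest, e.g. `image: quay.io/minio/minio:<RELEASE_TAG>@sha256:<DIGEST>` (placeholders), makes the deployed build reproducible and lets the pull policy drop to `IfNotPresent`. The same concern applies to `registry:2` in the two registry deployments later in this patch. It is a floating tag on an unqualified name, which typically resolves to Docker Hub, and with `imagePullPolicy` removed Kubernetes defaults to `IfNotPresent` for a non-`latest` tag, so nodes may keep different cached builds. The container spec continues outside the hunk.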
@@ -20,7 +20,7 @@ spec: claimName: pocket-id containers: - name: main - image: ghcr.io/pocket-id/pocket-id:v0.33.0 + image: ghcr.io/pocket-id/pocket-id:v0.35.0 imagePullPolicy: IfNotPresent securityContext: runAsUser: 1000 diff --git a/kube/alrest/registry/deployment.yaml b/kube/alrest/registry/deployment.yaml index 34dd3a8..1b0ef2d 100644 --- a/kube/alrest/registry/deployment.yaml +++ b/kube/alrest/registry/deployment.yaml @@ -30,7 +30,6 @@ spec: containers: - name: registry image: registry:2 - imagePullPolicy: "Always" resources: limits: cpu: "500m" diff --git a/kube/alrest/registry/pull-through/dockerhub/deployment.yaml b/kube/alrest/registry/pull-through/dockerhub/deployment.yaml index 4b475d3..3096bb4 100644 --- a/kube/alrest/registry/pull-through/dockerhub/deployment.yaml +++ b/kube/alrest/registry/pull-through/dockerhub/deployment.yaml @@ -30,7 +30,6 @@ spec: containers: - name: registry image: registry:2 - imagePullPolicy: "Always" resources: limits: cpu: "500m" -- cgit v1.2.3