chore: fixed false positive security errors (#9411)

Signed-off-by: odubajDT <ondrej.dubaj@dynatrace.com>
keptn · Jan 10, 2023 · dbb9986 · dbb9986
1 parent 74f793f
commit dbb9986
Show file tree

Hide file tree

Showing 14 changed files with 99 additions and 2 deletions.
diff --git a/.github/.kubescape/controls-inputs.json b/.github/.kubescape/controls-inputs.json
@@ -3,7 +3,8 @@
     "ecr.*amazonaws.com",
     ".*.gcr.io",
     ".*azurecr.io",
-    "docker.io"
+    "docker.io",
+    "docker.keptn.sh"
   ],
   "max_critical_vulnerabilities": [
     "5"
@@ -59,7 +60,9 @@
     "_key_",
     "_secret_"
   ],
-  "sensitiveValuesAllowed": [],
+  "sensitiveValuesAllowed": [
+    "secret-service:8080"
+  ],
   "servicesNames": [
     "nifi-service",
     "argo-server",

diff --git a/.github/.kubescape/exceptions.json b/.github/.kubescape/exceptions.json
@@ -14,5 +14,87 @@
         }
       }
     ]
+  },
+  {
+    "name": "auto-map-service-account",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "ServiceAccount",
+          "name": "keptn-nats"
+        }
+      },
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "Deployment",
+          "name": "keptn-mongo"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0034"
+        }
+    ]
+  },
+  {
+    "name": "ingress-egress-blocked",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "Deployment"
+        }
+      },
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "StatefulSet"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0030"
+        }
+    ]
+  },
+  {
+    "name": "immutable-container-filesystem",
+    "policyType": "postureExceptionPolicy",
+    "actions": [
+      "alertOnly"
+    ],
+    "resources": [
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "Deployment",
+          "name": "api-gateway-nginx"
+        }
+      },
+      {
+        "designatorType": "Attributes",
+        "attributes": {
+          "kind": "Deployment",
+          "name": "keptn-mongo"
+        }
+      }
+    ],
+    "posturePolicies": [
+        {
+            "controlID": "C-0017"
+        }
+    ]
   }
 ]
diff --git a/installer/manifests/keptn/templates/api-gateway-nginx.yaml b/installer/manifests/keptn/templates/api-gateway-nginx.yaml
@@ -366,6 +366,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: api-gateway-nginx
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: api-gateway-nginx
 spec:

diff --git a/installer/manifests/keptn/templates/api-service.yaml b/installer/manifests/keptn/templates/api-service.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: api-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: api-service
 spec:

diff --git a/installer/manifests/keptn/templates/approval-service.yaml b/installer/manifests/keptn/templates/approval-service.yaml
@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: approval-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: approval-service
 spec:

diff --git a/installer/manifests/keptn/templates/bridge.yaml b/installer/manifests/keptn/templates/bridge.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: bridge
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: bridge
 spec:

diff --git a/installer/manifests/keptn/templates/lighthouse-service.yaml b/installer/manifests/keptn/templates/lighthouse-service.yaml
@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: lighthouse-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: lighthouse-service
 spec:

diff --git a/installer/manifests/keptn/templates/mongodb-datastore.yaml b/installer/manifests/keptn/templates/mongodb-datastore.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: mongodb-datastore
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: mongodb-datastore
 spec:

diff --git a/installer/manifests/keptn/templates/remediation-service.yaml b/installer/manifests/keptn/templates/remediation-service.yaml
@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: remediation-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: remediation-service
 spec:

diff --git a/installer/manifests/keptn/templates/resource-service.yaml b/installer/manifests/keptn/templates/resource-service.yaml
@@ -18,6 +18,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: resource-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: resource-service
 spec:

diff --git a/installer/manifests/keptn/templates/secret-service.yaml b/installer/manifests/keptn/templates/secret-service.yaml
@@ -32,6 +32,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: secret-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: secret-service
 spec:

diff --git a/installer/manifests/keptn/templates/shipyard-controller.yaml b/installer/manifests/keptn/templates/shipyard-controller.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: shipyard-controller
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: shipyard-controller
 spec:

diff --git a/installer/manifests/keptn/templates/statistics-service.yaml b/installer/manifests/keptn/templates/statistics-service.yaml
@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: statistics-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: statistics-service
 spec:

diff --git a/installer/manifests/keptn/templates/webhook-service.yaml b/installer/manifests/keptn/templates/webhook-service.yaml
@@ -4,6 +4,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: webhook-service
+  namespace: {{ .Release.Namespace }}
   labels: {{- include "keptn.common.labels.standard" . | nindent 4 }}
     app.kubernetes.io/name: webhook-service
 spec: