fix: security pipeline issues (#700)
Signed-off-by: realanna <anna.reale@dynatrace.com>
Signed-off-by: RealAnna <89971034+RealAnna@users.noreply.github.com>
Co-authored-by: Moritz Wiesinger <moritz.wiesinger@dynatrace.com>
RealAnna and mowies committed Feb 1, 2023
1 parent 6ddbb6d commit ef5a7c5
Showing 21 changed files with 236 additions and 159 deletions.
138 changes: 79 additions & 59 deletions .github/.kubescape/exceptions.json
@@ -1,64 +1,84 @@
[
{
"name": "ignore-cluster-role-can-get-secrets",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": "ServiceAccount",
"name": "klc-controller-manager"
}
{
"name": "ignore-cluster-role-can-get-secrets",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": "ServiceAccount",
"name": "klc-controller-manager"
}
],
"posturePolicies": [
{
"controlID": "C-0015"
}
]
},
{
"name": "ignore-auto-mounting-of-service-account-tokens",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "C-0015"
}
]
},
{
"name": "ignore-auto-mounting-of-service-account-tokens",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
],
"posturePolicies": [
{
"controlID": "C-0034"
}
]
},
{
"name": "ignore-access-container-service-account",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "C-0034"
}
]
},
{
"name": "ignore-access-container-service-account",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
],
"posturePolicies": [
{
"controlID": "C-0053"
}
]
}
]
}
],
"posturePolicies": [
{
"controlID": "C-0053"
}
]
},
{
"name": "ignore-validating-webhook-alert",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "C-0036"
}
]
}
]
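Review bot: The new `ignore-validating-webhook-alert` exception (L142–L159) designates `"kind": ".*"` with no `name` or `namespace` attribute, so control C-0036 is downgraded to alert-only for every validating webhook configuration the scan encounters, not just the one this project ships; the C-0015 exception above shows the narrower pattern, naming a specific ServiceAccount. Scope the designator to the project's own webhook configuration `name` (and `namespace` where applicable) so a validating webhook introduced later still fails the scan. The same `".*"` wildcard on the C-0034 and C-0053 exceptions has the same cluster-wide effect on the token-automount and service-account-access findings, presumably accepted earlier. Because the file is strict JSON there is nowhere to comment the rationale for each exception; recording it in the policy `name` or in the repository's security docs would help the next reviewer judge whether the exception is still warranted.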

8 changes: 7 additions & 1 deletion .github/kics-config.yml
Expand Up @@ -2,12 +2,18 @@ exclude-queries:
# query IDs can be found here: https://docs.kics.io/latest/queries/all-queries/
# The queries below are excluded because they are not relevant or not needed for this project
- 48471392-d4d0-47c0-b135-cdec95eb3eef # Service Account Token Automount Not Disabled
- 48a5beba-e4c0-4584-a2aa-e6894e4cf424 # Pod or Container Without ResourceQuota
- b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 # RBAC Roles with Read Secrets Permissions
- 4a20ebac-1060-4c81-95d1-1f7f620e983b # Pod or Container Without LimitRange
- 056ac60e-fe07-4acc-9b34-8e1d51716ab9 # ServiceAccount Allows Access Secrets
- aee3c7d2-a811-4201-90c7-11c028be9a46 # Container Requests Not Equal To It's Limits
- 8b36775e-183d-4d46-b0f7-96a6f34a723f # Missing AppArmor Profile

exclude-results:
# Similarity IDs can be found in the JSON result file of kics
- 76f0ba03bcaf9f6e0ff8660beaebff55f74f1d89e38b6831c2b7b468a3dc764b # RBAC Roles with Read Secrets Permissions
- f88463cc96ec0165f0c1d83c279ff2658b8a8bd8adb2aaaf79f64a230df88504 # RBAC Roles with Read Secrets Permissions
- c4886e7b8193614214e9626539430632e8d90cb58499932a82c924266c05d118 # RBAC Roles with Read Secrets Permissions
- 00d587d8e63760f6a5d45ede024de5c793cb9e018ba78e4d9e50b8d671f79ba4 # Readiness Probe not configured for kube-rbac-proxy

no-color: false
no-progress: true
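Review bot: The global exclusion of query `b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14` (RBAC Roles with Read Secrets Permissions, L170) and the three `exclude-results` similarity IDs for the same query on L178–L180 overlap; if both survive on the new side, the per-result entries are dead and the global entry silences the check for every Role added in future, so keep only the targeted similarity IDs. The rendered page does not show which of L168–L174 is the single deleted line, hence the hedge. The `00d587d8…` entry on L181 is described as the missing readiness probe for kube-rbac-proxy, yet this same commit adds a readinessProbe to kube-rbac-proxy in klt-cert-manager's manager_auth_proxy_patch.yaml; confirm whether that result still fires (presumably another component's proxy) and drop the entry if it no longer does. Similarity IDs are opaque, so each comment should also name the manifest and resource it covers, e.g. `# RBAC Roles with Read Secrets Permissions — <path>: <Role name>`, otherwise nobody can tell when an exclusion has gone stale.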
33 changes: 25 additions & 8 deletions .github/workflows/security-scans.yml
@@ -1,9 +1,13 @@
name: "Security Scans"
on:
workflow_dispatch:
schedule:
- cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1)

workflow_dispatch:
inputs:
branch:
description: 'Take CI build artifacts from branch (e.g., master, release-x.y.z)'
required: true
default: 'main'
defaults:
run:
shell: bash
Expand All @@ -16,16 +20,29 @@ jobs:
name: "Prepare Security Scans"
runs-on: ubuntu-22.04
steps:
- name: Determine Target Branch
id: determine_branch
run: |
if [[ "${{ github.event.inputs.branch }}" != "" ]]; then
# branch was manually set by user -> probably a workflow_dispatch action
BRANCH=${{ github.event.inputs.branch }}
echo "Using $BRANCH as target branch"
else
BRANCH='main'
fi
echo "BRANCH=$(echo ${BRANCH})" >> $GITHUB_OUTPUT
- name: Find latest successful run ID
id: last_run_id
env:
BRANCH: ${{ steps.determine_branch.outputs.BRANCH }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
RUN_ID=$(\
curl -sL \
-H 'Accept: application/vnd.github.v3+json' \
-H "Authorization: token $GITHUB_TOKEN" \
"api.github.com/repos/${{ github.repository }}/actions/workflows/CI.yaml/runs?branch=main" | \
"api.github.com/repos/${{ github.repository }}/actions/workflows/CI.yaml/runs?branch=$BRANCH" | \
jq '[.workflow_runs[] | select(
(.head_commit != null) and ( .conclusion == "success" )
)][0] | .id')
Expand All @@ -48,17 +65,15 @@ jobs:
with:
name: manifests
path: |
./dist/keptn-lifecycle-operator-manifest/
./dist/scheduler-manifest/
./dist/*-manifest/
./dist/*-manifest-test/
- name: Upload images
uses: actions/upload-artifact@v3
with:
name: images
path: |
./dist/functions-runtime-image.tar/
./dist/keptn-lifecycle-operator-image.tar/
./dist/scheduler-image.tar/
./dist/*-image.tar/
security-scans:
name: "Security Scans"
Expand Down Expand Up @@ -154,6 +169,7 @@ jobs:
- "functions-runtime"
- "keptn-lifecycle-operator"
- "scheduler"
- "klt-cert-manager"
steps:
- name: Download images
id: download_images
Expand All @@ -178,6 +194,7 @@ jobs:
artifact:
- "operator"
- "scheduler"
- "klt-cert-manager"

steps:
- name: Set up Go 1.x
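Review bot: The `branch` input is expanded by `${{ github.event.inputs.branch }}` straight into the shell body on L211 and L213, so a value containing `"` or `$(…)` is executed by the runner instead of being compared as data, and the unquoted assignment on L213 word-splits on spaces; pass the input through `env:` and read it as a shell variable, which also lets `${INPUT_BRANCH:-main}` replace the if/else and the `$(echo …)` on L218. Only users with write access can start a workflow_dispatch run, so exposure is limited, but the same value reaches the API URL on L230 unencoded, where a name containing `&` appends query parameters. Separately, the curl URL on L230 has no scheme, and curl defaults to `http://` for scheme-less URLs, so the request carrying `Authorization: token $GITHUB_TOKEN` is first sent in cleartext before `-L` follows any redirect; write it as `"https://api.github.com/repos/${{ github.repository }}/actions/workflows/CI.yaml/runs?branch=$BRANCH"`. The job these steps belong to continues outside the hunk.
```yaml
      - name: Determine Target Branch
        id: determine_branch
        env:
          # expression expands into an env var, never into shell text
          INPUT_BRANCH: ${{ github.event.inputs.branch }}
        run: |
          BRANCH="${INPUT_BRANCH:-main}"
          echo "Using $BRANCH as target branch"
          echo "BRANCH=$BRANCH" >> "$GITHUB_OUTPUT"
      # … unchanged: "Find latest successful run ID" step, apart from the https:// URL noted above …
```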
2 changes: 1 addition & 1 deletion examples/sample-app/base/manifest.yaml
Expand Up @@ -25,7 +25,7 @@ spec:
terminationGracePeriodSeconds: 5
initContainers:
- name: init-myservice
image: busybox:1.28
image: busybox:1.32.1
command: ['sh', '-c', 'sleep 30']
containers:
- name: server
Expand Up @@ -29,7 +29,7 @@ spec:
terminationGracePeriodSeconds: 5
initContainers:
- name: init-myservice
image: busybox:1.28
image: busybox:1.32.1
command: ['sh', '-c', 'sleep 30']
containers:
- name: server
2 changes: 1 addition & 1 deletion functions-runtime/Dockerfile
@@ -1,4 +1,4 @@
FROM denoland/deno:alpine-1.29.1 AS production
FROM denoland/deno:alpine-1.30.0 AS production

LABEL org.opencontainers.image.source="https://github.com/keptn/lifecycle-toolkit" \
org.opencontainers.image.url="https://keptn.sh" \
91 changes: 53 additions & 38 deletions klt-cert-manager/config/default/manager_auth_proxy_patch.yaml
Expand Up @@ -13,42 +13,57 @@ spec:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- name: kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
livenessProbe:
tcpSocket:
port: 8443
initialDelaySeconds: 5
periodSeconds: 20
readinessProbe:
tcpSocket:
port: 8443
initialDelaySeconds: 5
periodSeconds: 20
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
7 changes: 5 additions & 2 deletions klt-cert-manager/config/manager/manager.yaml
Expand Up @@ -26,8 +26,6 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -41,10 +39,15 @@ spec:
fieldRef:
fieldPath: metadata.namespace
securityContext:
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- "ALL"
runAsUser: 65532
runAsGroup: 65532
livenessProbe:
httpGet:
path: /healthz
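Review bot: Removing `seccompProfile` from the pod-level securityContext (L406–L407) and setting it only on this container (L415–L416) means any container added to the pod later without its own securityContext runs with no seccomp profile, and the pod-level setting is presumably what covered the kube-rbac-proxy sidecar until the auth-proxy patch in this commit gave it an explicit one. Keep `seccompProfile: {type: RuntimeDefault}` under the pod `securityContext` next to `runAsNonRoot: true` as the default, in addition to the container-level copy; the two settings do not conflict, and the container-level one still wins where set. A short comment above the container block, such as `# container-level settings repeat the pod defaults so each container is auditable on its own`, would stop the next reader from "deduplicating" them again. The container spec whose securityContext this is continues outside the hunk.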
