
fix: security pipeline issues #700

Merged
merged 14 commits into from
Feb 1, 2023
Conversation

RealAnna
Contributor

@RealAnna RealAnna commented Jan 26, 2023

closes #687
closes #678
closes #628
closes #699
closes #717

Adds cert manager to the security pipeline

Modify security pipeline to run from branch images if triggered manually

Also addresses agreed changes from this run

  • Fix Service Does Not Target Pod
  • Fix Root Container Not Mounted Read-only when applicable (Cert-mgn) ignore for operator
  • Ignore ns quota Pod or Container Without ResourceQuota,
  • Ignore ns quota Pod or Container Without LimitRange
  • Investigate and let the team know what AppArmor is (looks like introduced in beta in v1.4) Missing AppArmor Profile
  • Fix ready-health probes in kube-rbac-proxy, if it has the probes Liveness Probe Is Not Defined && Readiness Probe Is Not Defined
  • Separate issue - digest as part of img Image Without Digest (see Image Without Digest #720)
  • Create a ticket to add imgpullpolicy as Helm flag Image Pull Policy Of The Container Is Not Set To Always ( see Make Image Pull Policy configurable via Helm value #721)
  • Disable limit=request (Container Requests Not Equal To It's Limits)
  • Ignore secret read ServiceAccount Allows Access Secrets
  • Ignore secret read RBAC Roles with Read Secrets Permissions
  • Fix the user id manually - high enough - look into Keptn/Keptn Container Running With Low UID

Run with all fixes available here
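As an added example, not code from this PR or the keptn project: a small stand-alone checker for several of the scanner findings listed above (read-only root filesystem, low UID, liveness/readiness probes, image pull policy, and whether the Service actually targets a declared Pod port), run over a constructed kube-rbac-proxy manifest. The low-UID threshold of 10000 is an assumption; the page does not state the scanner's value.

```python
# Added example (not code from the keptn PR): a minimal checker for some of the
# scanner findings named in the PR description, run over a constructed manifest.
# The low-UID threshold is an assumption; the page does not state the scanner's value.
from typing import Dict, List

LOW_UID_THRESHOLD = 10000  # assumption, not taken from the page

# Constructed sample: a Service and the Deployment it should target, after the fix.
SERVICE = {"kind": "Service", "spec": {
    "selector": {"app": "kube-rbac-proxy"},
    "ports": [{"port": 8443, "targetPort": 8443}]}}
DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {
    "metadata": {"labels": {"app": "kube-rbac-proxy"}},
    "spec": {"containers": [{
        "name": "kube-rbac-proxy",
        "ports": [{"containerPort": 8443}],  # the "added Pod port"
        "securityContext": {"readOnlyRootFilesystem": True, "runAsUser": 65532},
        "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8443}},
    }]}}}}

def check_container(c: Dict) -> List[str]:
    """Return the names of the listed findings that apply to one container spec."""
    findings = []
    sc = c.get("securityContext", {})
    if not sc.get("readOnlyRootFilesystem", False):
        findings.append("Root Container Not Mounted Read-only")
    # A missing runAsUser is treated as root (0), the unsafe default.
    if sc.get("runAsUser", 0) < LOW_UID_THRESHOLD:
        findings.append("Container Running With Low UID")
    if "livenessProbe" not in c:
        findings.append("Liveness Probe Is Not Defined")
    if "readinessProbe" not in c:
        findings.append("Readiness Probe Is Not Defined")
    if c.get("imagePullPolicy") != "Always":
        findings.append("Image Pull Policy Of The Container Is Not Set To Always")
    return findings

def service_targets_pod(svc: Dict, deploy: Dict) -> bool:
    """'Service Does Not Target Pod' check: the selector must match the pod
    labels and every targetPort must be a declared containerPort."""
    tmpl = deploy["spec"]["template"]
    labels = tmpl["metadata"].get("labels", {})
    selector = svc["spec"].get("selector", {})
    if not selector or any(labels.get(k) != v for k, v in selector.items()):
        return False
    exposed = {p["containerPort"] for c in tmpl["spec"]["containers"]
               for p in c.get("ports", [])}
    return all(p.get("targetPort", p["port"]) in exposed
               for p in svc["spec"]["ports"])
```

On the sample, the Service check passes while the container still reports the missing readiness probe and the unset pull policy, matching the two items the PR defers to separate tickets.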

@codecov

codecov bot commented Jan 26, 2023

Codecov Report

Merging #700 (cbaa386) into main (d33af19) will increase coverage by 0.04%.
The diff coverage is 90.90%.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #700      +/-   ##
==========================================
+ Coverage   57.33%   57.38%   +0.04%     
==========================================
  Files          88       89       +1     
  Lines        7001     7011      +10     
==========================================
+ Hits         4014     4023       +9     
- Misses       2821     2822       +1     
  Partials      166      166              
Impacted Files                                            Coverage   Δ
...okcontroller/keptnwebhookcertificate_controller.go     52.00%  <66.66%>  (ø)
operator/controllers/common/providers/common.go          100.00%  <100.00%> (ø)
...ontrollers/lifecycle/keptnevaluation/controller.go     81.28%  <100.00%> (ø)
...lers/lifecycle/keptnworkloadinstance/controller.go     80.99%  <0.00%>   (-0.46%) ⬇️
operator/apis/lifecycle/v1alpha2/common/common.go        100.00%  <0.00%>   (ø)
operator/controllers/common/phasehandler.go               82.08%  <0.00%>   (+0.83%) ⬆️

Flag                 Coverage   Δ
component-tests      53.08%  <100.00%> (-0.43%) ⬇️
keptn-cert-manager   ?
klt-cert-manager     67.50%  <66.66%>  (?)
scheduler            21.17%  <ø>       (ø)

Flags with carried forward coverage won't be shown.

This was linked to issues Jan 27, 2023
@RealAnna RealAnna linked an issue Jan 30, 2023 that may be closed by this pull request
Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>
Signed-off-by: realanna <[email protected]>

fix: add run from branch to security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>

fix: add run from branch to security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>
Signed-off-by: realanna <[email protected]>

fix: security pipeline

Signed-off-by: realanna <[email protected]>
Signed-off-by: realanna <[email protected]>
@RealAnna RealAnna force-pushed the fix/678/sec_scan branch 3 times, most recently from 64c7c91 to 60aeba8 Compare January 30, 2023 18:19
Signed-off-by: realanna <[email protected]>

fix: added Pod port

Signed-off-by: realanna <[email protected]>
@RealAnna RealAnna marked this pull request as ready for review January 31, 2023 08:57
RealAnna and others added 4 commits January 31, 2023 10:12
Co-authored-by: Moritz Wiesinger <[email protected]>
Signed-off-by: RealAnna <[email protected]>
Co-authored-by: Moritz Wiesinger <[email protected]>
Signed-off-by: RealAnna <[email protected]>
Co-authored-by: Moritz Wiesinger <[email protected]>
Signed-off-by: RealAnna <[email protected]>
Signed-off-by: realanna <[email protected]>
@sonarcloud

sonarcloud bot commented Jan 31, 2023

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (A)
Vulnerabilities: 0 (A)
Security Hotspots: 0 (A)
Code Smells: 0 (A)

No Coverage information
0.0% Duplication

@mowies mowies changed the title fix: security pipeline fix: security pipeline issues Feb 1, 2023
@RealAnna RealAnna merged commit ef5a7c5 into main Feb 1, 2023
@RealAnna RealAnna deleted the fix/678/sec_scan branch February 1, 2023 07:33
@keptn-bot keptn-bot mentioned this pull request Feb 1, 2023