Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: security pipeline issues #700

Merged
merged 14 commits into from
Feb 1, 2023
Merged
138 changes: 79 additions & 59 deletions .github/.kubescape/exceptions.json
Original file line number Diff line number Diff line change
@@ -1,64 +1,84 @@
[
{
"name": "ignore-cluster-role-can-get-secrets",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": "ServiceAccount",
"name": "klc-controller-manager"
}
{
"name": "ignore-cluster-role-can-get-secrets",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": "ServiceAccount",
"name": "klc-controller-manager"
}
],
"posturePolicies": [
{
"controlID": "C-0015"
}
]
},
{
"name": "ignore-auto-mounting-of-service-account-tokens",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "C-0015"
}
]
},
{
"name": "ignore-auto-mounting-of-service-account-tokens",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
],
"posturePolicies": [
{
"controlID": "C-0034"
}
]
},
{
"name": "ignore-access-container-service-account",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "C-0034"
}
]
},
{
"name": "ignore-access-container-service-account",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
],
"posturePolicies": [
{
"controlID": "C-0053"
}
]
}
]
}
],
"posturePolicies": [
{
"controlID": "C-0053"
}
]
},
{
"name": "ignore-validating-webhook-alert",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": ".*"
}
}
],
"posturePolicies": [
{
"controlID": "C-0036"
}
]
}
]

8 changes: 7 additions & 1 deletion .github/kics-config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,12 +2,18 @@ exclude-queries:
# query IDs can be found here: https://docs.kics.io/latest/queries/all-queries/
# The queries below are excluded because they are not relevant or not needed for this project
- 48471392-d4d0-47c0-b135-cdec95eb3eef # Service Account Token Automount Not Disabled
- 48a5beba-e4c0-4584-a2aa-e6894e4cf424 # Pod or Container Without ResourceQuota
- b7bca5c4-1dab-4c2c-8cbe-3050b9d59b14 # RBAC Roles with Read Secrets Permissions
- 4a20ebac-1060-4c81-95d1-1f7f620e983b # Pod or Container Without LimitRange
- 056ac60e-fe07-4acc-9b34-8e1d51716ab9 # ServiceAccount Allows Access Secrets
- aee3c7d2-a811-4201-90c7-11c028be9a46 # Container Requests Not Equal To It's Limits
- 8b36775e-183d-4d46-b0f7-96a6f34a723f # Missing AppArmor Profile

exclude-results:
# Similarity IDs can be found in the JSON result file of kics
- 76f0ba03bcaf9f6e0ff8660beaebff55f74f1d89e38b6831c2b7b468a3dc764b # RBAC Roles with Read Secrets Permissions
- f88463cc96ec0165f0c1d83c279ff2658b8a8bd8adb2aaaf79f64a230df88504 # RBAC Roles with Read Secrets Permissions
- c4886e7b8193614214e9626539430632e8d90cb58499932a82c924266c05d118 # RBAC Roles with Read Secrets Permissions
- 00d587d8e63760f6a5d45ede024de5c793cb9e018ba78e4d9e50b8d671f79ba4 # Readiness Probe not configured for kube-rbac-proxy

no-color: false
no-progress: true
Expand Down
34 changes: 26 additions & 8 deletions .github/workflows/security-scans.yml
Original file line number Diff line number Diff line change
@@ -1,9 +1,14 @@
name: "Security Scans"
on:
workflow_dispatch:
schedule:
- cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1)
- cron: '0 3 * * 1' # run tests at 1 AM (UTC), every monday (1) # run integration tests only when triggered manually
RealAnna marked this conversation as resolved.
Show resolved Hide resolved

workflow_dispatch:
inputs:
branch:
description: 'Take CI build artifacts from branch (e.g., master, release-x.y.z)'
required: true
default: 'master'
RealAnna marked this conversation as resolved.
Show resolved Hide resolved
defaults:
run:
shell: bash
Expand All @@ -16,16 +21,29 @@ jobs:
name: "Prepare Security Scans"
runs-on: ubuntu-22.04
steps:
- name: Determine Target Branch for Integration Tests
RealAnna marked this conversation as resolved.
Show resolved Hide resolved
id: determine_branch
run: |
if [[ "${{ github.event.inputs.branch }}" != "" ]]; then
# branch was manually set by user -> probably a workflow_dispatch action
BRANCH=${{ github.event.inputs.branch }}
echo "Using $BRANCH as target branch for integration tests"
RealAnna marked this conversation as resolved.
Show resolved Hide resolved
else
BRANCH='main'
fi
echo "BRANCH=$(echo ${BRANCH})" >> $GITHUB_OUTPUT

- name: Find latest successful run ID
id: last_run_id
env:
BRANCH: ${{ steps.determine_branch.outputs.BRANCH }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
RUN_ID=$(\
curl -sL \
-H 'Accept: application/vnd.github.v3+json' \
-H "Authorization: token $GITHUB_TOKEN" \
"api.github.com/repos/${{ github.repository }}/actions/workflows/CI.yaml/runs?branch=main" | \
"api.github.com/repos/${{ github.repository }}/actions/workflows/CI.yaml/runs?branch=$BRANCH" | \
jq '[.workflow_runs[] | select(
(.head_commit != null) and ( .conclusion == "success" )
)][0] | .id')
Expand All @@ -48,17 +66,15 @@ jobs:
with:
name: manifests
path: |
./dist/keptn-lifecycle-operator-manifest/
./dist/scheduler-manifest/
./dist/*-manifest/
./dist/*-manifest-test/

- name: Upload images
uses: actions/upload-artifact@v3
with:
name: images
path: |
./dist/functions-runtime-image.tar/
./dist/keptn-lifecycle-operator-image.tar/
./dist/scheduler-image.tar/
./dist/*-image.tar/

security-scans:
name: "Security Scans"
Expand Down Expand Up @@ -154,6 +170,7 @@ jobs:
- "functions-runtime"
- "keptn-lifecycle-operator"
- "scheduler"
- "klt-cert-manager"
steps:
- name: Download images
id: download_images
Expand All @@ -178,6 +195,7 @@ jobs:
artifact:
- "operator"
- "scheduler"
- "klt-cert-manager"

steps:
- name: Set up Go 1.x
Expand Down
2 changes: 1 addition & 1 deletion examples/sample-app/base/manifest.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ spec:
terminationGracePeriodSeconds: 5
initContainers:
- name: init-myservice
image: busybox:1.28
image: busybox:1.32.1
command: ['sh', '-c', 'sleep 30']
containers:
- name: server
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ spec:
terminationGracePeriodSeconds: 5
initContainers:
- name: init-myservice
image: busybox:1.28
image: busybox:1.32.1
command: ['sh', '-c', 'sleep 30']
containers:
- name: server
Expand Down
2 changes: 1 addition & 1 deletion functions-runtime/Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM denoland/deno:alpine-1.29.1 AS production
FROM denoland/deno:alpine-1.30.0 AS production

LABEL org.opencontainers.image.source="https://github.com/keptn/lifecycle-toolkit" \
org.opencontainers.image.url="https://keptn.sh" \
Expand Down
91 changes: 53 additions & 38 deletions klt-cert-manager/config/default/manager_auth_proxy_patch.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,42 +13,57 @@ spec:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
containers:
- name: kube-rbac-proxy
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- name: kube-rbac-proxy
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- "ALL"
image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
args:
- "--secure-listen-address=0.0.0.0:8443"
- "--upstream=http://127.0.0.1:8080/"
- "--logtostderr=true"
- "--v=0"
ports:
- containerPort: 8443
protocol: TCP
name: https
resources:
limits:
cpu: 500m
memory: 128Mi
requests:
cpu: 5m
memory: 64Mi
livenessProbe:
tcpSocket:
port: 8443
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
tcpSocket:
port: 8443
initialDelaySeconds: 15
RealAnna marked this conversation as resolved.
Show resolved Hide resolved
periodSeconds: 20
- name: manager
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
7 changes: 5 additions & 2 deletions klt-cert-manager/config/manager/manager.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,6 @@ spec:
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- command:
- /manager
Expand All @@ -41,10 +39,15 @@ spec:
fieldRef:
fieldPath: metadata.namespace
securityContext:
seccompProfile:
type: RuntimeDefault
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- "ALL"
runAsUser: 65532
runAsGroup: 65532
livenessProbe:
httpGet:
path: /healthz
Expand Down
Loading