Start fixing govulncheck job by upgrading makefile modules #640

Merged: SgtCoDFish merged 1 commit into master from fix-govulncheck on Mar 14, 2025
Conversation

SgtCoDFish (Contributor) commented Mar 14, 2025

This is fixed by upstream makefile modules.

I ran:

    make upgrade-klone
    make generate

IMPORTANT: Note that this skips two pod security static checks which came from upstream makefile-modules. I didn't want to fix those in this PR, since that would expand the scope of the PR beyond a makefile-modules bump. We'll need to discuss changing the chart to address those reports soon, but that doesn't block this PR.

See make/verify-pod-security-standards-exceptions.yaml for the skipped checks; without them, the CI would fail:

│──────────│────────────────────────────────│────────────────────────────────────│─────────────────────────────────────────────────────────│────────│────────│
│ ID (19)  │ POLICY                         │ RULE                               │ RESOURCE                                                │ RESULT │ REASON │
│──────────│────────────────────────────────│────────────────────────────────────│─────────────────────────────────────────────────────────│────────│────────│
│ 1        │ disallow-capabilities          │ autogen-adding-capabilities        │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 2        │ disallow-capabilities-strict   │ autogen-require-drop-all           │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 3        │ disallow-capabilities-strict   │ autogen-adding-capabilities-strict │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 4        │ disallow-host-namespaces       │ autogen-host-namespaces            │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 5        │ disallow-host-path             │ autogen-host-path                  │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 6        │ disallow-host-ports            │ autogen-host-ports-none            │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 7        │ disallow-host-process          │ autogen-host-process-containers    │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 8        │ disallow-privilege-escalation  │ autogen-privilege-escalation       │ default/Deployment/venafi-kubernetes-agent-release-name │ Fail   │        │
│ 9        │ disallow-privileged-containers │ autogen-privileged-containers      │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 10       │ disallow-proc-mount            │ autogen-check-proc-mount           │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 11       │ disallow-selinux               │ autogen-selinux-type               │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 12       │ disallow-selinux               │ autogen-selinux-user-role          │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 13       │ require-run-as-non-root-user   │ autogen-run-as-non-root-user       │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 14       │ require-run-as-nonroot         │ autogen-run-as-non-root            │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 15       │ restrict-apparmor-profiles     │ autogen-app-armor                  │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 16       │ restrict-seccomp               │ autogen-check-seccomp              │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 17       │ restrict-seccomp-strict        │ autogen-check-seccomp-strict       │ default/Deployment/venafi-kubernetes-agent-release-name │ Fail   │        │
│ 18       │ restrict-sysctls               │ autogen-check-sysctls              │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│ 19       │ restrict-volume-types          │ autogen-restricted-volumes         │ default/Deployment/venafi-kubernetes-agent-release-name │ Pass   │        │
│──────────│────────────────────────────────│────────────────────────────────────│─────────────────────────────────────────────────────────│────────│────────│

SgtCoDFish force-pushed the fix-govulncheck branch 2 times, most recently from 0c5ddb4 to 9835005 on March 14, 2025 14:25. Commit message:

This also requires skipping some pod security scanners which were added
in upstream makefile-modules and started failing.

It would be best to fix those issues in a separate commit, so it's
easier to roll them back and to facilitate discussion on whether those
changes are safe.

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>
maelvls (Member) left a comment:

Thanks for spending the time fixing this!

@SgtCoDFish SgtCoDFish merged commit b74514d into master Mar 14, 2025
2 checks passed
@SgtCoDFish SgtCoDFish changed the title Fix govulncheck job by pulling more data from git Fix govulncheck job by upgrading makefile modules Mar 14, 2025
maelvls (Member) commented Mar 14, 2025

Thanks for adding the table. I see that we are not complying with two of the policies: disallow-privilege-escalation and restrict-seccomp-strict. Do you need help fixing these?

@SgtCoDFish SgtCoDFish deleted the fix-govulncheck branch March 14, 2025 14:51
SgtCoDFish (Contributor, Author) commented:

> Thanks for adding the table. I see that we are not complying with two of the policies: disallow-privilege-escalation and restrict-seccomp-strict. Do you need help fixing these?

I think they're easy to fix, but I don't have the bandwidth today to ensure that they're safe to change for the agent.

If you know that the agent doesn't require privilege escalation / if we can adhere to the strict seccomp policy, then by all means we should fix that straight away!
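The two policies the table reports as Fail, and which the reply above discusses, are both expressible as a check over the Deployment's pod spec. The following Go program is an added example, not code from this PR or from the venafi-kubernetes-agent project: it implements those two rules over a hand-written subset of the PodSpec types (the JSON field names are assumed to match the Kubernetes API so real manifests deserialize; YAML manifests would be converted to JSON first). The rule semantics are my reading of the Kyverno pod-security "restricted" policies: allowPrivilegeEscalation must be explicitly false on every container, and the effective seccompProfile.type (container-level overriding pod-level) must be RuntimeDefault or Localhost. The three sample specs are constructed to show the unset state that both rules flag, the corrected form, and a container undoing the pod-level seccomp profile.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written subset of the Kubernetes PodSpec, not the real API types.
// Assumption: JSON field names match the API so real manifests deserialize.
type SeccompProfile struct {
	Type string `json:"type"`
}

type SecurityContext struct {
	AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
	SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
}

type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}

type PodSpec struct {
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	InitContainers  []Container      `json:"initContainers,omitempty"`
	Containers      []Container      `json:"containers"`
}

// Finding is one failed rule, named after the POLICY column of the table.
type Finding struct {
	Policy    string
	Container string
	Reason    string
}

// CheckPodSpec applies the two policies that the table reports as Fail.
func CheckPodSpec(spec PodSpec) []Finding {
	var findings []Finding
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for _, c := range all {
		sc := c.SecurityContext

		// disallow-privilege-escalation: the restricted profile requires an
		// explicit allowPrivilegeEscalation: false, so unset also fails.
		if sc == nil || sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			findings = append(findings, Finding{
				Policy: "disallow-privilege-escalation", Container: c.Name,
				Reason: "securityContext.allowPrivilegeEscalation must be explicitly false",
			})
		}

		// restrict-seccomp-strict: a container-level seccompProfile overrides
		// the pod-level one; the effective type must be RuntimeDefault or Localhost.
		typ := ""
		if spec.SecurityContext != nil && spec.SecurityContext.SeccompProfile != nil {
			typ = spec.SecurityContext.SeccompProfile.Type
		}
		if sc != nil && sc.SeccompProfile != nil {
			typ = sc.SeccompProfile.Type
		}
		if typ != "RuntimeDefault" && typ != "Localhost" {
			findings = append(findings, Finding{
				Policy: "restrict-seccomp-strict", Container: c.Name,
				Reason: fmt.Sprintf("effective seccompProfile.type is %q; must be RuntimeDefault or Localhost", typ),
			})
		}
	}
	return findings
}

// CheckJSON parses a pod spec given as JSON and runs both checks.
func CheckJSON(raw string) ([]Finding, error) {
	var spec PodSpec
	if err := json.Unmarshal([]byte(raw), &spec); err != nil {
		return nil, err
	}
	return CheckPodSpec(spec), nil
}

// Constructed sample specs (not taken from the chart).
const WeakPodSpec = `{"containers":[{"name":"agent"}]}`

const HardenedPodSpec = `{
  "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "agent",
    "securityContext": {"allowPrivilegeEscalation": false}}]
}`

const MixedPodSpec = `{
  "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
  "containers": [{"name": "agent",
    "securityContext": {"allowPrivilegeEscalation": false,
                        "seccompProfile": {"type": "Unconfined"}}}]
}`

func main() {
	samples := map[string]string{"weak": WeakPodSpec, "hardened": HardenedPodSpec, "mixed": MixedPodSpec}
	for name, raw := range samples {
		findings, err := CheckJSON(raw)
		if err != nil {
			fmt.Println(name, "parse error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  %-30s %-8s %s\n", f.Policy, f.Container, f.Reason)
		}
	}
}
```

Run with `go run .`; the weak spec yields one finding per policy, the hardened spec none, and the mixed spec only the seccomp finding, which is the case to watch for when a chart sets a pod-level profile and a container template later overrides it.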

@SgtCoDFish SgtCoDFish changed the title Fix govulncheck job by upgrading makefile modules Start fixing govulncheck job by upgrading makefile modules Mar 14, 2025