From deedb4de1d454ebc395e570c59044a6e9fa5a298 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 12:27:40 -0500 Subject: [PATCH 01/10] fix: use github advanced security for codeQL --- .github/workflows/codeql.yml | 78 ------------------------------------ 1 file changed, 78 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 684546e..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: ["main"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["main"] - schedule: - - cron: "0 0 * * 1" - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["go"] - # CodeQL supports [ $supported-codeql-languages ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Harden Runner - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: Checkout repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6 - with: - category: "/language:${{matrix.language}}" From cc31941d0d4f7d915e97b102e8abb90ca3ffb610 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 12:49:48 -0500 Subject: [PATCH 02/10] fix: add token to scorecards action --- .github/workflows/scorecards.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 9f54570..98a12f7 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -10,7 +10,7 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: '20 7 * * 2' + - cron: "20 7 * * 2" push: branches: ["main"] @@ -40,6 +40,13 @@ jobs: with: persist-credentials: false + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 + with: + app-id: ${{ vars.DOCKER_READ_APP_ID }} + private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }} + - name: "Run analysis" uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: 
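Review bot: The `Generate GitHub App Token` step added before `Run analysis` requests an installation token without a `repositories:` filter, so the token is valid for every repository the app is installed on, whereas the same step in the workflow.yaml commits of this series narrows it with `repositories: "attest,attest-external-data-provider"`. Adding a `repositories:` line here that names only this repository (presumably `attest-external-data-provider`, judging by the image built in workflow.yaml) keeps the `repo_token` set in the next hunk to the scope the scorecard job actually needs. Reading `app-id` from `vars` is appropriate, since the App ID is not a secret, and the private key correctly comes from `secrets`.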
@@ -49,7 +56,7 @@ jobs: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} + repo_token: ${{ steps.app-token.outputs.token }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From 2e2b9b5df95e6cf2d9ce9654a25f34a7ef54f2a0 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 12:50:26 -0500 Subject: [PATCH 03/10] fix: add token to build_test --- .github/workflows/workflow.yaml | 28 ++++++++++++++++++---- test/bats/test.bats | 42 ++++++++++++++++----------------- 2 files changed, 44 insertions(+), 26 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 7b67dc1..76222db 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -28,10 +28,18 @@ jobs: with: egress-policy: audit - - name: Set up Go 1.19 + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 + with: + app-id: ${{ vars.DOCKER_READ_APP_ID }} + private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }} + repositories: "attest,attest-external-data-provider" + + - name: Set up Go 1.22 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.19 + go-version: 1.22 - name: Check out code into the Go module directory uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 @@ -40,7 +48,8 @@ jobs: - name: golangci-lint uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 with: - version: v1.50.0 + version: v1.59 + github-token: ${{ steps.app-token.outputs.token }} helm_build_test: name: "[Helm] Build and Test" 
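Review bot: The comment block kept above the new `repo_token: ${{ steps.app-token.outputs.token }}` still instructs the reader to create a PAT and links the PAT authentication docs, which no longer describes what this value is. Replace it with a one-liner such as `# repo_token: installation token from the app-token step above; needed for the Branch-Protection check`. Whether scorecard-action accepts a GitHub App installation token here rather than a PAT is not visible from the diff; its README documents a PAT, so confirm against the action's documentation before relying on the Branch-Protection result.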
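Review bot: `go-version: 1.22` is an unquoted plain scalar, so YAML parses it as a float; it happens to round-trip for 1.22, but a later bump to `1.20` or `1.30` would silently become `1.2`/`1.3`. Quote it, `go-version: "1.22"`, both here and in the matching `helm_build_test` hunk below. The token step is also placed before `actions/checkout` in this job but after it in `helm_build_test`; keeping one order in both jobs makes them easier to compare.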
@@ -54,14 +63,22 @@ jobs: with: egress-policy: audit - - name: Set up Go 1.19 + - name: Set up Go 1.22 uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: - go-version: 1.19 + go-version: 1.22 - name: Check out code into the Go module directory uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Generate GitHub App Token + id: app-token + uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1 + with: + app-id: ${{ vars.DOCKER_READ_APP_ID }} + private-key: ${{ secrets.DOCKER_READ_APP_PRIVATE_KEY }} + repositories: "attest,attest-external-data-provider" + - name: Bootstrap e2e env: KIND_VERSION: 0.17.0 @@ -91,6 +108,7 @@ jobs: - name: Build and install attest-external-data-provider run: | ./scripts/generate-tls-cert.sh + export GITHUB_TOKEN=${{ steps.app-token.outputs.token }} make docker-buildx kind-load-image helm install attest-provider charts/external-data-provider \ --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \ diff --git a/test/bats/test.bats b/test/bats/test.bats index a83cf85..d5fb168 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats 
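Review bot: `export GITHUB_TOKEN=${{ steps.app-token.outputs.token }}` interpolates the expression into the shell script text; the conventional form is to bind it on the step with `env:` / `GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}` and drop the export line, so the step body stays static and the value is never part of the rendered script. What `make docker-buildx` does with `GITHUB_TOKEN` is not visible here; if the Makefile forwards it as a `--build-arg`, the token is recorded in the image's layer history and a BuildKit `--secret` mount would be the safer channel — worth confirming. The `run:` block continues outside the hunk.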
@@ -19,33 +19,33 @@ teardown_file() { wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l control-plane=audit-controller" } -@test "external-data-provider is running" { - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=external-data-provider" +@test "attest-provider is running" { + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=attest-provider" } -@test "external data validation" { - run kubectl apply -f validation/external-data-provider-constraint-template.yaml +@test "attest validation" { + run kubectl apply -f validation/attest-constraint-template.yaml assert_success - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sexternaldatavalidation" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced constrainttemplate k8sattestexternaldata" - run kubectl apply -f validation/external-data-provider-constraint.yaml + run kubectl apply -f validation/attest-constraint.yaml assert_success - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sexternaldatavalidation deny-images-with-invalid-suffix" + wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sattestexternaldata deny-images-that-fail-policy" - run kubectl run nginx --image=error_nginx --dry-run=server - # should deny pod admission if the image name has an "error_" prefix + run kubectl run nginx --image=nginx --dry-run=server + # should deny pod admission if the image doesn't pass policy assert_failure - assert_match 'error_nginx' "${output}" - assert_match 'error_nginx_invalid' "${output}" + assert_match 'admit: false' "${output}" } -@test "external data mutation" { - run kubectl apply -f mutation/external-data-provider-mutation.yaml - assert_success - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 
"mutator_enforced Assign append-valid-suffix-to-image" - - run kubectl run nginx --image=nginx --dry-run=server --output json - assert_success - # should mutate the image field by appending "_valid" suffix - assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})" -} +# TODO: write mutating webhook policy +#@test "attest mutation" { +# run kubectl apply -f mutation/external-data-provider-mutation.yaml +# assert_success +# wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "mutator_enforced Assign append-valid-suffix-to-image" +# +# run kubectl run nginx --image=nginx --dry-run=server --output json +# assert_success +# # should mutate the image field by appending "_valid" suffix +# assert_match "nginx_valid" "$(jq -r '.spec.containers[0].image' <<< ${output})" +#} From 9edce85a6236761894d262424d104798470e5f28 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 13:05:03 -0500 Subject: [PATCH 04/10] fix: lint private mod --- .github/workflows/workflow.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 76222db..bee3075 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -44,12 +44,17 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + - name: Download dependencies + run: | + export GOPRIVATE="github.com/docker/attest" + git config --global "url.https://x-access-token:${{ steps.app-token.outputs.token }}@github.com.insteadof" "https://github.com" + go mod download + # source: https://github.com/golangci/golangci-lint-action - name: golangci-lint uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 with: version: v1.59 - github-token: ${{ steps.app-token.outputs.token }} helm_build_test: name: "[Helm] Build and Test" From d240ef21e236d89ea2a321a1b7e3b0dcbbfd6b53 Mon Sep 17 00:00:00 2001 
From: mrjoelkamp Date: Mon, 10 Jun 2024 13:15:53 -0500 Subject: [PATCH 05/10] fix: linting error --- main.go | 1 - 1 file changed, 1 deletion(-) diff --git a/main.go b/main.go index 6813cef..c51664d 100644 --- a/main.go +++ b/main.go @@ -16,7 +16,6 @@ import ( ) const ( - // timeout = 15 * time.Second defaultPort = 8090 certName = "tls.crt" From 67cad270a2e491a732c224430cc3c31fa0026322 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 13:54:21 -0500 Subject: [PATCH 06/10] fix: e2e namespace --- .github/workflows/workflow.yaml | 1 + test/bats/test.bats | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index bee3075..01c7d0e 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -122,4 +122,5 @@ jobs: - name: Run e2e run: | + export GATEKEEPER_NAMESPACE=security bats -t test/bats/test.bats diff --git a/test/bats/test.bats b/test/bats/test.bats index d5fb168..178adf3 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -8,7 +8,7 @@ GATEKEEPER_NAMESPACE=${GATEKEEPER_NAMESPACE:-gatekeeper-system} teardown_file() { kubectl delete -f validation/ - kubectl delete -f mutation/ + #kubectl delete -f mutation/ } @test "gatekeeper-controller-manager is running" { @@ -32,7 +32,8 @@ teardown_file() { assert_success wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "constraint_enforced k8sattestexternaldata deny-images-that-fail-policy" - run kubectl run nginx --image=nginx --dry-run=server + run kubectl create ns test + run kubectl run nginx --image=nginx -n test --dry-run=server # should deny pod admission if the image doesn't pass policy assert_failure assert_match 'admit: false' "${output}" From 9797d27a1844d319039320989b20b3905e40daf9 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 14:31:44 -0500 Subject: [PATCH 07/10] fix: fail closed --- .github/workflows/workflow.yaml | 3 +++ 1 file changed, 3 insertions(+) 
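Review bot: `run kubectl create ns test` has no `assert_success` after it, so a failure to create the namespace is silent; the following `kubectl run ... -n test` then fails with a namespace error, `assert_failure` passes, and only the `admit: false` match reports the problem, which obscures the real cause. Add `assert_success` after the create. `teardown_file` (first hunk of this patch) also does not remove the namespace, so a rerun against the same cluster fails on the existing namespace; `kubectl delete ns test --ignore-not-found` there closes that.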
diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 01c7d0e..02456fc 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -104,6 +104,9 @@ jobs: helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper \ --version ${GATEKEEPER_VERSION} \ + --set postInstall.probeWebhook.httpTimeout=300 \ + --set postInstall.probeWebhook.waitTimeout=300 \ + --set validatingWebhookFailurePolicy=Fail \ --set enableExternalData=true \ --name-template=gatekeeper \ --namespace security \ From 9b1325a0e4672c06930d7732011137e99a6f1624 Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 14:48:31 -0500 Subject: [PATCH 08/10] fix: update dependencies --- .github/workflows/workflow.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 02456fc..c5e1fd6 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -86,8 +86,8 @@ jobs: - name: Bootstrap e2e env: - KIND_VERSION: 0.17.0 - BATS_VERSION: 1.8.2 + KIND_VERSION: 0.23.0 + BATS_VERSION: 1.11.0 run: | mkdir -p $GITHUB_WORKSPACE/bin echo "${GITHUB_WORKSPACE}/bin" >> $GITHUB_PATH @@ -96,7 +96,7 @@ jobs: - name: Create a kind cluster and install Gatekeeper env: - GATEKEEPER_VERSION: 3.11.0 + GATEKEEPER_VERSION: 3.16.3 KUBERNETES_VERSION: 1.26.0 run: | kind create cluster --image kindest/node:v${KUBERNETES_VERSION} --name gatekeeper From cc8881eea178b9193bcd8afa1e7fda74c325f4db Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 15:11:20 -0500 Subject: [PATCH 09/10] fix: postInstall error --- .github/workflows/workflow.yaml | 5 +++-- test/bats/test.bats | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index c5e1fd6..fed2908 100644 --- a/.github/workflows/workflow.yaml 
+++ b/.github/workflows/workflow.yaml @@ -104,9 +104,10 @@ jobs: helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper \ --version ${GATEKEEPER_VERSION} \ - --set postInstall.probeWebhook.httpTimeout=300 \ - --set postInstall.probeWebhook.waitTimeout=300 \ + --set postInstall.probeWebhook.enabled=false \ + --set postInstall.labelNamespace.enabled=false \ --set validatingWebhookFailurePolicy=Fail \ + --set validatingWebhookTimeoutSeconds=15 \ --set enableExternalData=true \ --name-template=gatekeeper \ --namespace security \ diff --git a/test/bats/test.bats b/test/bats/test.bats index 178adf3..683e3f3 100644 --- a/test/bats/test.bats +++ b/test/bats/test.bats @@ -21,6 +21,7 @@ teardown_file() { @test "attest-provider is running" { wait_for_process ${WAIT_TIME} ${SLEEP_TIME} "kubectl -n ${GATEKEEPER_NAMESPACE} wait --for=condition=Ready --timeout=60s pod -l run=attest-provider" + sleep 5 # we need a readiness probe https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes } @test "attest validation" { From f13e25469957acbf5cca0ffca95f680a4aad532a Mon Sep 17 00:00:00 2001 From: mrjoelkamp Date: Mon, 10 Jun 2024 15:41:57 -0500 Subject: [PATCH 10/10] fix: webhook ignore and use postInstall probe --- .github/workflows/workflow.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index fed2908..cb42b33 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml 
@@ -104,9 +104,6 @@ jobs: helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper \ --version ${GATEKEEPER_VERSION} \ - --set postInstall.probeWebhook.enabled=false \ - --set postInstall.labelNamespace.enabled=false \ - --set validatingWebhookFailurePolicy=Fail \ --set validatingWebhookTimeoutSeconds=15 \ --set enableExternalData=true \ --name-template=gatekeeper \
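Review bot: Dropping `--set validatingWebhookFailurePolicy=Fail` leaves Gatekeeper's validating webhook at the chart default, `Ignore`, so in the e2e cluster a provider that is slow or unreachable within the 15s `validatingWebhookTimeoutSeconds` admits the pod instead of rejecting it; the bats `assert_failure` would then fail loudly, but the configuration under test no longer matches a fail-closed deployment. The subject suggests the change was made so the post-install probe could complete; recording that beside the command, `# failurePolicy left at chart default (Ignore) so the postInstall probeWebhook can complete; tests assume the provider is ready`, keeps the decision visible to the next maintainer. The `run:` block this command belongs to starts outside the hunk.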