diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index c90ce4e261..0000000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,134 +0,0 @@
-# TODO the workflow is unnecessary complicated due to some deficiencies in our
-# deployment pipeline as of time of writing. Therefore the push to Aliyun is
-# kind of optional in pull requests so that it does not block the push to the
-# app catalog. This is to have faster iterations when working on a daily basis.
-# Nevertheless we want the image push to Aliyun to be finished before we want to
-# push to the app catalog in case we merge to master or push a tag, which
-# indicates a new release. This is to have a more reliable pipeline, with the
-# caveat that it takes longer and sometimes even breaks. Once the situation got
-# improved we can simplify the circle config again as modified in the pull
-# request linked below.
-#
-# https://github.com/giantswarm/aws-operator/pull/2347
-#
-version: 2.1
-
-orbs:
-  architect: giantswarm/architect@4.29.0
-
-workflows:
-  build:
-    jobs:
-      - architect/go-build:
-        name: go-build
-        binary: aws-operator
-        resource_class: xlarge
-        filters:
-          tags:
-            only: /^v.*/
-
-      # Ensure that for every commit (all branches), and for every new release tag,
-      # an image is pushed to Quay.
-      - architect/push-to-docker:
-        context: architect
-        name: push-to-quay
-        image: "quay.io/giantswarm/aws-operator"
-        username_envar: "QUAY_USERNAME"
-        password_envar: "QUAY_PASSWORD"
-        requires:
-          - go-build
-        filters:
-          tags:
-            only: /^v.*/
-
-      - architect/push-to-docker:
-        context: architect
-        name: push-to-docker
-        image: "docker.io/giantswarm/aws-operator"
-        username_envar: "DOCKER_USERNAME"
-        password_envar: "DOCKER_PASSWORD"
-        requires:
-          - go-build
-        # Needed to trigger job also on git tag.
-        filters:
-          tags:
-            only: /^v.*/
-
-      # Ensure that for every commit to master, and for every new release tag,
-      # an image gets pushed to the Aliyun registry.
- - architect/push-to-docker: - name: push-to-aliyun - image: "giantswarm-registry.cn-shanghai.cr.aliyuncs.com/giantswarm/aws-operator" - username_envar: "ALIYUN_USERNAME" - password_envar: "ALIYUN_PASSWORD" - context: architect - requires: - - go-build - filters: - branches: - only: master - tags: - only: /^v.*/ - - # Allow that for every commit (to a branch other than master), - # and for every new tag that is not a release tag, - # an image _can_ get pushed to the Aliyun registry - # if manually approved. - - hold-push-to-aliyun-pr: - type: approval - context: architect - requires: - - go-build - filters: - branches: - ignore: master - tags: - ignore: /^v.*/ - - architect/push-to-docker: - name: push-to-aliyun-pr - image: "giantswarm-registry.cn-shanghai.cr.aliyuncs.com/giantswarm/aws-operator" - username_envar: "ALIYUN_USERNAME" - password_envar: "ALIYUN_PASSWORD" - context: architect - requires: - - hold-push-to-aliyun-pr - filters: - branches: - ignore: master - tags: - ignore: /.*/ - - # Ensure that for every commit to master and for every - # release tag, there is an app version in the catalog. - - architect/push-to-app-catalog: - name: push-to-app-catalog-master - app_catalog: "control-plane-catalog" - app_catalog_test: "control-plane-test-catalog" - chart: "aws-operator" - context: architect - requires: - - push-to-aliyun - - push-to-quay - - push-to-docker - filters: - branches: - only: master - tags: - only: /^v.*/ - - # Ensure that for every commit (branch other than master) - # there is an app version in the test catalog. - # Note: Making this app usable in china needs manual approval - # of the 'hold-push-to-aliyun-pr' job. - - architect/push-to-app-catalog: - name: push-to-app-catalog-pr - app_catalog: "control-plane-catalog" - app_catalog_test: "control-plane-test-catalog" - chart: "aws-operator" - context: architect - requires: - - push-to-quay - - push-to-docker - filters: - branches: - ignore: master 
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
new file mode 100644
index 0000000000..925c90050a
--- /dev/null
+++ b/.github/pull_request_template.md
@@ -0,0 +1,3 @@
+## Checklist
+
+- [ ] Update changelog in CHANGELOG.md.
diff --git a/.github/workflows/zz_generated.run_ossf_scorecard.yaml b/.github/workflows/zz_generated.run_ossf_scorecard.yaml
new file mode 100644
index 0000000000..43efbeb699
--- /dev/null
+++ b/.github/workflows/zz_generated.run_ossf_scorecard.yaml
@@ -0,0 +1,78 @@ +# DO NOT EDIT. Generated with: +# +# devctl@6.23.3 +# + +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '15 15 15 * *' + push: + branches: [ "main", "master" ] + workflow_dispatch: {} + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif diff --git a/.nancy-ignore b/.nancy-ignore index 6e9cdfa9b6..a3e10a8ec6 100644 --- a/.nancy-ignore +++ b/.nancy-ignore @@ -30,4 +30,15 @@ CVE-2023-25809 CVE-2023-28642 CVE-2023-26125 CVE-2023-29401 -CVE-2023-32731 \ No newline at end of file +CVE-2023-32731 + +CVE-2023-47090 +CVE-2024-21626 +CVE-2023-47108 +CVE-2023-48795 +CVE-2023-39325 +CVE-2023-3978 +CVE-2024-24786 +CVE-2019-25210 +CVE-2024-26147 +CVE-2024-25620 diff --git a/CHANGELOG.md b/CHANGELOG.md index b8ee79e21e..0a61f671fd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added + +- [Bacport] Add global.podSecurityStandards.enforced value for PSS migration. + ## [14.17.1-patch3] - 2023-07-27 ### Changed diff --git a/helm/aws-operator/templates/psp.yaml b/helm/aws-operator/templates/psp.yaml index 942cd2a857..d4d9d0a449 100644 --- a/helm/aws-operator/templates/psp.yaml +++ b/helm/aws-operator/templates/psp.yaml 
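Review bot: The ten CVE suppressions appended to .nancy-ignore carry no justification and no expiry, so nothing will ever prompt anyone to re-evaluate them once the affected modules can be bumped. As far as I recall, at least some of these are fixed upstream by a dependency or toolchain upgrade rather than being unreachable code (CVE-2023-39325 is the Go net/http HTTP/2 rapid-reset fix, CVE-2023-48795 the Terrapin weakness in golang.org/x/crypto, CVE-2024-21626 the runc container-escape), which is the kind of finding a scanner ignore list should not paper over. Nancy's ignore file accepts `#` comments and, to my knowledge, a trailing `until=YYYY-MM-DD` that makes the suppression lapse, so I would write each entry as e.g. `CVE-2023-39325 until=2024-09-01 # net/http HTTP/2 rapid reset; remove once the Go toolchain is bumped` and state the reason per line. A bare list is indistinguishable from "nobody looked".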
@@ -1,3 +1,4 @@ +{{- if not .Values.global.podSecurityStandards.enforced }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: @@ -32,3 +33,4 @@ spec: hostNetwork: false hostIPC: false hostPID: false +{{- end }} diff --git a/helm/aws-operator/templates/rbac.yaml b/helm/aws-operator/templates/rbac.yaml index 93906f480a..a46eff27bd 100644 --- a/helm/aws-operator/templates/rbac.yaml +++ b/helm/aws-operator/templates/rbac.yaml @@ -166,6 +166,7 @@ roleRef: name: {{ include "resource.default.name" . }} apiGroup: rbac.authorization.k8s.io --- +{{- if not .Values.global.podSecurityStandards.enforced }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -196,3 +197,4 @@ roleRef: kind: ClusterRole name: {{ include "resource.psp.name" . }} apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/helm/aws-operator/values.schema.json b/helm/aws-operator/values.schema.json index 1330646d7c..5cf90fe42e 100644 --- a/helm/aws-operator/values.schema.json +++ b/helm/aws-operator/values.schema.json @@ -416,6 +416,19 @@ } } } + }, + "global": { + "type": "object", + "properties": { + "podSecurityStandards": { + "type": "object", + "properties": { + "enforced": { + "type": "boolean" + } + } + } + } } } } diff --git a/helm/aws-operator/values.yaml b/helm/aws-operator/values.yaml index 2338a98619..ef41cc25b8 100644 --- a/helm/aws-operator/values.yaml +++ b/helm/aws-operator/values.yaml @@ -126,3 +126,7 @@ securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault + +global: + podSecurityStandards: + enforced: false
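Review bot: With the default `enforced: false` from values.yaml this template still emits `apiVersion: policy/v1beta1` `kind: PodSecurityPolicy`, an API that Kubernetes removed in 1.25, so on such a cluster the release fails at apply time unless whoever installs it remembers to flip the new value. Because the flag only gates rendering, it would be safer to gate on API availability as well: `{{- if and (not .Values.global.podSecurityStandards.enforced) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`. Note that `helm template` without a live cluster does not report that API, so the capability check should complement the value rather than replace it. The `if` opened in this hunk is closed by the `{{- end }}` added in the second hunk of this file.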
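Review bot: In rbac.yaml the `---` document separator at the start of the hunk stays outside the new `{{- if not .Values.global.podSecurityStandards.enforced }}`, so when the value is true the rendered output ends with a dangling `---` (and the `{{- if` trim eats the newline that followed it). Helm drops empty documents, so this is cosmetic, but moving the separator inside the conditional keeps the manifest clean: `{{- if not .Values.global.podSecurityStandards.enforced }}` followed by `---` and then `apiVersion: rbac.authorization.k8s.io/v1`. Dropping the PSP `use` ClusterRole together with the PSP itself is the right scope; the ClusterRole whose binding sits at the end of this hunk is the only PSP-related RBAC visible here, but the hunk starts mid-file so I cannot confirm there is no other reference to `resource.psp.name`.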
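Review bot: The new `global.podSecurityStandards.enforced: false` in values.yaml has no comment explaining what flipping it does, and from psp.yaml and rbac.yaml in this change the effect is that `true` stops rendering the PodSecurityPolicy and the ClusterRole/ClusterRoleBinding that grant `use` on it. I would put above `global:` the comment `# Set podSecurityStandards.enforced to true once the cluster enforces Pod Security Standards (PSP is removed on Kubernetes >= 1.25); it stops rendering the PodSecurityPolicy and its RBAC.` so the migration intent survives past the changelog entry. One caveat worth stating in that comment: a key under `global` is shared with any parent or sibling chart, so an umbrella chart setting `global.podSecurityStandards` will override this default — presumably intended given the prefix, but it should be explicit.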