diff --git a/config/jobs/kubernetes/wg-k8s-infra/trusted/sig-security-trusted.yaml b/config/jobs/kubernetes/wg-k8s-infra/trusted/sig-security-trusted.yaml
new file mode 100644
index 000000000000..3f4c0d6772da
--- /dev/null
+++ b/config/jobs/kubernetes/wg-k8s-infra/trusted/sig-security-trusted.yaml
@@ -0,0 +1,57 @@
+periodics:
+# Periodic CI job for running snyk scans against k/k master
+# - It installs snyk CLI and requires 'snyk-token' secret available
+# in test infra with key name 'SNYK_TOKEN'. This secret is used to
+# populate env var 'SNYK_TOKEN', required for snyk CLI auth.
+# - Licenses and few false positive deps (eg version '0.0.0') are
+# filtered from the snyk scan results.
+- name: ci-kubernetes-snyk-master
+ interval: 6h
+ cluster: k8s-infra-prow-build-trusted
+ decorate: true
+ extra_refs:
+ - org: kubernetes
+ repo: kubernetes
+ base_ref: master
+ path_alias: k8s.io/kubernetes
+ spec:
+ containers:
+ - image: golang
+ envFrom:
+ - secretRef:
+ # secret key should be defined as SNYK_TOKEN
+ name: snyk-token
+ command:
+ - /bin/bash
+ args:
+ - -c
+ - |
+ set -euo pipefail
+ apt update && apt -y install jq
+ wget -q -O /usr/local/bin/snyk https://github.com/snyk/snyk/releases/download/v1.605.0/snyk-linux && chmod +x /usr/local/bin/snyk
+ mkdir -p "${ARTIFACTS}"
+ if [ -z "${SNYK_TOKEN}" ]; then
+ echo "SNYK_TOKEN env var is not set, required for snyk scan"
+ exit 1
+ fi
+ echo "Running snyk scan .."
+ EXIT_CODE=0
+ RESULT_UNFILTERED=$(snyk test --json) || EXIT_CODE=$?
+ if [ $EXIT_CODE -gt 1 ]; then
+ echo "Failed to run snyk scan with exit code $EXIT_CODE . Error message: $RESULT_UNFILTERED"
+ exit 1
+ fi
+ RESULT=$(echo $RESULT_UNFILTERED | jq \
+ '{vulnerabilities: .vulnerabilities | map(select((.type != "license") and (.version != "0.0.0"))) | select(length > 0) }')
+ if [[ ${RESULT} ]]; then
+ echo "Vulnerability filtering failed"
+ exit 1
+ else
+ echo "Scan completed"
+ fi
+ annotations:
+ testgrid-create-test-group: "true"
+ testgrid-alert-email: kubernetes-security-tooling-private@googlegroups.com
+ testgrid-num-failures-to-alert: '1'
+ testgrid-dashboards: sig-security-snyk-scan
+ description: Run snyk scan on k/k master periodically
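Review bot: The `wget -q -O /usr/local/bin/snyk https://github.com/snyk/snyk/releases/download/v1.605.0/snyk-linux && chmod +x` step fetches an executable at job run time and runs it in the `k8s-infra-prow-build-trusted` cluster with the `snyk-token` secret in its environment, but only pins a version tag and never verifies the binary; a replaced or tampered release asset would run with that token, so the download should be checked against a recorded sha256 (or the CLI baked into an image) before execution, as in the excerpt below. Under `set -euo pipefail` the later guard `if [ -z "${SNYK_TOKEN}" ]` aborts with an "unbound variable" error before its own message is printed when the variable is absent; `"${SNYK_TOKEN:-}"` keeps the intended diagnostic. The final branch treats a non-empty `RESULT` as `Vulnerability filtering failed`, yet the jq filter only yields output when vulnerabilities remain after filtering, so the message misstates the failure and the filtered JSON is never written to the `${ARTIFACTS}` directory that `mkdir -p` prepares; consider `echo "Vulnerabilities found after filtering"` and saving `${RESULT}` there for the TestGrid alert recipients. `echo $RESULT_UNFILTERED | jq` should also quote the variable to avoid word splitting and glob expansion of the JSON.
```yaml
      - |
        set -euo pipefail
        # … unchanged: apt install of jq …
        SNYK_VERSION="v1.605.0"
        SNYK_SHA256="<SHA256_OF_SNYK_LINUX_ASSET>"  # placeholder: record the digest of the pinned release asset
        wget -q -O /usr/local/bin/snyk "https://github.com/snyk/snyk/releases/download/${SNYK_VERSION}/snyk-linux"
        echo "${SNYK_SHA256}  /usr/local/bin/snyk" | sha256sum -c -
        chmod +x /usr/local/bin/snyk
        # … unchanged: artifacts dir, token check, scan and jq filtering …
```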
diff --git a/config/jobs/kubernetes/wg-k8s-infra/trusted/wg-k8s-infra-apps.sh b/config/jobs/kubernetes/wg-k8s-infra/trusted/wg-k8s-infra-apps.sh
new file mode 100755
index 000000000000..325c74334bad
--- /dev/null
+++ b/config/jobs/kubernetes/wg-k8s-infra/trusted/wg-k8s-infra-apps.sh
@@ -0,0 +1,80 @@ +#!/usr/bin/env bash +# Copyright 2021 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# generates wg-k8s-infra app deployment job configs + +set -o errexit +set -o nounset +set -o pipefail + +SCRIPT_DIR=$(dirname "${BASH_SOURCE[0]}") + +readonly OUTPUT="${SCRIPT_DIR}/wg-k8s-infra-apps.yaml" +# list of subdirs in kubernetes/k8s.io/apps +readonly APPS=( + gcsweb + k8s-io + kubernetes-external-secrets + node-perf-dash + perfdash + prow + publishing-bot + sippy + slack-infra + triageparty-release +) + +cat >"${OUTPUT}" <>"${OUTPUT}" < 0) }') - if [[ ${RESULT} ]]; then - echo "Vulnerability filtering failed" - exit 1 - else - echo "Scan completed" - fi - annotations: - testgrid-create-test-group: "true" - testgrid-alert-email: kubernetes-security-tooling-private@googlegroups.com - testgrid-num-failures-to-alert: '1' - testgrid-dashboards: sig-security-snyk-scan - description: Run snyk scan on k/k master periodically - -postsubmits: - kubernetes/k8s.io: - - name: post-k8sio-groups - cluster: k8s-infra-prow-build-trusted - decorate: true - max_concurrency: 1 - run_if_changed: '^groups/' - branches: - - ^main$ - annotations: - testgrid-create-test-group: 'true' - testgrid-dashboards: wg-k8s-infra-k8sio - testgrid-alert-email: k8s-infra-alerts@kubernetes.io - testgrid-num-failures-to-alert: '1' - rerun_auth_config: - github_team_slugs: - - org: kubernetes - slug: wg-k8s-infra-leads - - org: kubernetes - slug: k8s-infra-group-admins - 
spec: - serviceAccountName: gsuite-groups-manager - containers: - - image: gcr.io/k8s-staging-infra-tools/k8s-infra:latest - command: - - make - args: - - -C - - groups - - run - - -- - - --confirm - - name: post-k8sio-dns-update - cluster: k8s-infra-prow-build-trusted - decorate: true - max_concurrency: 1 - run_if_changed: "^dns/zone-configs/" - branches: - - ^main$ - annotations: - testgrid-create-test-group: 'true' - testgrid-dashboards: wg-k8s-infra-k8sio - testgrid-alert-email: k8s-infra-alerts@kubernetes.io - testgrid-num-failures-to-alert: '1' - rerun_auth_config: - github_team_slugs: - - org: kubernetes - slug: wg-k8s-infra-leads - spec: - serviceAccountName: k8s-infra-dns-updater - containers: - - image: us.gcr.io/k8s-artifacts-prod/infra-tools/octodns:v20200616-67ce585 - command: - - bash - args: - - -c - - "cd dns && make push-local" - - name: post-k8sio-deploy-prow-build-resources - cluster: k8s-infra-prow-build-trusted - decorate: true - max_concurrency: 1 - run_if_changed: "^infra/gcp/clusters/projects/k8s-infra-prow-build/" - branches: - - ^main$ - annotations: - testgrid-create-test-group: 'true' - testgrid-dashboards: wg-k8s-infra-k8sio - testgrid-alert-email: k8s-infra-alerts@kubernetes.io - testgrid-num-failures-to-alert: '1' - rerun_auth_config: - github_team_slugs: - - org: kubernetes - slug: wg-k8s-infra-leads - - org: kubernetes - slug: test-infra-admins - spec: - serviceAccountName: prow-deployer - containers: - - image: gcr.io/k8s-staging-infra-tools/k8s-infra:latest - command: - - ./infra/gcp/clusters/projects/k8s-infra-prow-build/deploy.sh - - name: post-k8sio-deploy-prow-build-trusted-resources - cluster: k8s-infra-prow-build-trusted - decorate: true - max_concurrency: 1 - run_if_changed: "^infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/" - branches: - - ^main$ - annotations: - testgrid-create-test-group: 'true' - testgrid-dashboards: wg-k8s-infra-k8sio - testgrid-alert-email: k8s-infra-alerts@kubernetes.io - 
testgrid-num-failures-to-alert: '1' - rerun_auth_config: - github_team_slugs: - - org: kubernetes - slug: wg-k8s-infra-leads - - org: kubernetes - slug: test-infra-admins - spec: - serviceAccountName: prow-deployer - containers: - - image: gcr.io/k8s-staging-infra-tools/k8s-infra:latest - command: - - ./infra/gcp/clusters/projects/k8s-infra-prow-build-trusted/deploy.sh diff --git a/config/testgrids/kubernetes/wg-k8s-infa/config.yaml b/config/testgrids/kubernetes/wg-k8s-infa/config.yaml index 07fe6e80b8a2..c212d36325d9 100644 --- a/config/testgrids/kubernetes/wg-k8s-infa/config.yaml +++ b/config/testgrids/kubernetes/wg-k8s-infa/config.yaml @@ -3,11 +3,17 @@ dashboard_groups: - name: wg-k8s-infra dashboard_names: + - wg-k8s-infra-apps - wg-k8s-infra-canaries - wg-k8s-infra-gcb + - wg-k8s-infra-groups - wg-k8s-infra-k8sio + - wg-k8s-infra-prow dashboards: +- name: wg-k8s-infra-apps - name: wg-k8s-infra-canaries - name: wg-k8s-infra-gcb -- name: wg-k8s-infra-k8sio \ No newline at end of file +- name: wg-k8s-infra-groups +- name: wg-k8s-infra-k8sio +- name: wg-k8s-infra-prow diff --git a/config/tests/jobs/jobs_test.go b/config/tests/jobs/jobs_test.go index 9696b1ec9024..7829d9420c31 100644 --- a/config/tests/jobs/jobs_test.go +++ b/config/tests/jobs/jobs_test.go @@ -327,7 +327,7 @@ func TestK8sInfraTrusted(t *testing.T) { for _, pre := range c.AllStaticPresubmits(nil) { if pre.Cluster == trusted { jobsToFix++ - errs = append(errs, fmt.Errorf("%s: presubmits may not run in cluster: %s", pre.Name, trusted)) + errs = append(errs, fmt.Errorf("%s: presubmits may not run in trusted cluster: %s", pre.Name, trusted)) } }