From 840d4e18735ff4179a55e1006f1bcbdd94687648 Mon Sep 17 00:00:00 2001 From: fhochleitner Date: Wed, 15 Nov 2023 10:04:17 +0100 Subject: [PATCH 1/6] fixes #20 RBAC collector removes labels from labels configMap retain labels and annotations on rbac-configmap by patching the resource instead of using update Signed-off-by: fhochleitner --- util/util.go | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/util/util.go b/util/util.go index a41a028..33df169 100644 --- a/util/util.go +++ b/util/util.go @@ -2,10 +2,13 @@ package util import ( "context" + "fmt" + "gopkg.in/yaml.v3" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + "strings" - yaml "gopkg.in/yaml.v3" v1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" ) @@ -15,7 +18,19 @@ func WriteConfigmap(clientset *kubernetes.Clientset, permission map[string]map[s if err != nil { return err } + data := strings.Replace(string(permissions), "\n", "\\n", -1) + patch := []byte(fmt.Sprintf(`{"data":{"labels.yaml": "%s"}}`, data)) + _, err = clientset.CoreV1().ConfigMaps(c.CMNamespace).Patch(context.Background(), c.CMName, types.MergePatchType, patch, metav1.PatchOptions{}) + if err != nil { + if errors.IsNotFound(err) { + return createConfigMap(clientset, err, c, permissions) + } + } + return nil +} + +func createConfigMap(clientset *kubernetes.Clientset, err error, c Config, permissions []byte) error { cm := v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: c.CMName, @@ -27,19 +42,12 @@ func WriteConfigmap(clientset *kubernetes.Clientset, permission map[string]map[s }, BinaryData: nil, } - - _, err = clientset.CoreV1().ConfigMaps(c.CMNamespace).Update(context.Background(), &cm, metav1.UpdateOptions{}) + _, err = clientset.CoreV1().ConfigMaps(c.CMNamespace).Create(context.Background(), &cm, metav1.CreateOptions{}) if err != nil { - if errors.IsNotFound(err) { - _, err = clientset.CoreV1().ConfigMaps(c.CMNamespace).Create(context.Background(), &cm, metav1.CreateOptions{}) - if err != nil { - return err - } - return nil - } return err } return nil + return err } func MapsEqual(m1, m2 map[string]map[string]bool) bool { From 159039bcc02927393e95e631add32d1269a81b63 Mon Sep 17 00:00:00 2001 From: fhochleitner Date: Wed, 15 Nov 2023 10:27:53 +0100 Subject: [PATCH 2/6] cleanup after copy&paste errors --- util/util.go | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/util/util.go b/util/util.go index 33df169..92d7667 100644 --- a/util/util.go +++ b/util/util.go @@ -24,13 +24,13 @@ func WriteConfigmap(clientset *kubernetes.Clientset, permission map[string]map[s _, err = clientset.CoreV1().ConfigMaps(c.CMNamespace).Patch(context.Background(), c.CMName, types.MergePatchType, patch, metav1.PatchOptions{}) if err != nil { if errors.IsNotFound(err) { - return createConfigMap(clientset, err, c, permissions) + return createConfigMap(clientset, c, permissions) } } return nil } -func createConfigMap(clientset *kubernetes.Clientset, err error, c Config, permissions []byte) error { +func createConfigMap(clientset *kubernetes.Clientset, c Config, permissions []byte) error { cm := v1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ Name: c.CMName, @@ -42,12 +42,11 @@ func createConfigMap(clientset *kubernetes.Clientset, err error, c Config, permi }, BinaryData: nil, } - _, err = clientset.CoreV1().ConfigMaps(c.CMNamespace).Create(context.Background(), &cm, metav1.CreateOptions{}) + _, err := clientset.CoreV1().ConfigMaps(c.CMNamespace).Create(context.Background(), &cm, metav1.CreateOptions{}) if err != nil { return err } return nil - return err } func MapsEqual(m1, m2 map[string]map[string]bool) bool { From c03d26827fcee8c24e68ecb6fb336578215c8d7f Mon Sep 17 00:00:00 2001 From: fhochleitner Date: Wed, 15 Nov 2023 10:31:40 +0100 Subject: [PATCH 3/6] fix failing security vulnerability scan step Signed-off-by: fhochleitner --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e0db298..ac41d2d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,7 +40,7 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH, MEDIUM, LOW' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' exit-code: '1' - name: Upload Trivy scan results to GitHub Security tab From 1e2f0d7c18408e2220ec0e8d5d3549913271225e Mon Sep 17 00:00:00 2001 From: fhochleitner Date: Wed, 15 Nov 2023 10:37:10 +0100 Subject: [PATCH 4/6] disable exit code in code-scan due to bug in upstream --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ac41d2d..68ebc3c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,7 +41,7 @@ jobs: format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH,MEDIUM,LOW' - exit-code: '1' +# exit-code: '1' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From aa926315927d3ea05716ea687a4c6d920878d5e2 Mon Sep 17 00:00:00 2001 From: fhochleitner Date: Wed, 15 Nov 2023 10:47:15 +0100 Subject: [PATCH 5/6] second invocation of trivy with sarif bug --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 68ebc3c..a6c4f82 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -150,8 +150,7 @@ jobs: input: 'multena-rbac-collector-oci' format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH, MEDIUM, LOW' - exit-code: '1' + severity: 'CRITICAL,HIGH,MEDIUM,LOW' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 From 6e5a850013159729c1cf8fa0c38572fb98f3f66a Mon Sep 17 00:00:00 2001 From: fhochleitner Date: Wed, 15 Nov 2023 10:54:01 +0100 Subject: [PATCH 6/6] ... --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a6c4f82..2360809 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,7 +40,7 @@ jobs: ignore-unfixed: true format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' + severity: 'CRITICAL,HIGH' # exit-code: '1' - name: Upload Trivy scan results to GitHub Security tab @@ -150,7 +150,7 @@ jobs: input: 'multena-rbac-collector-oci' format: 'sarif' output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH,MEDIUM,LOW' + severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2