From 4db14258a82abfd525a0f26868e7c775af132f86 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 21 Feb 2024 14:18:24 +0800
Subject: [PATCH 1/4] fix: add missing helm hook annotations to test objects

Previously the test role and rolebinding were being installed unconditionally. With this change they are only installed when running helm test and then removed.

Having the role and rolebinding installed unconditionally would mean that any serviceaccount (including the default) would be able to view service objects in the lagoon-logging namespace. This is an unnecessary elevation of privilege, but these service objects do not contain anything sensitive.
---
 .../templates/tests/cdn-service-annotations.yaml | 7 +++++++
 charts/lagoon-logging/templates/tests/test-connection.yaml | 1 +
 2 files changed, 8 insertions(+)

diff --git a/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml b/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml
index 2cdfc553..b8300b5c 100644
--- a/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml
+++ b/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml
@@ -3,6 +3,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: service-reader
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["services"]
@@ -12,6 +15,9 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: read-services
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 subjects:
 - kind: Group
   name: system:serviceaccounts # all serviceaccounts
@@ -29,6 +35,7 @@ metadata:
   {{- include "lagoon-logging.logsDispatcher.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   containers:
   - name: kubectl
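Review bot: The delete policy added on the Role in the first hunk (and the identical policy on the RoleBinding in the second hunk) does not cover a failed test run: `hook-succeeded` only fires when the test pod succeeds, and as far as I can tell from Helm 3's hook runner the `hook-failed` policy is consulted only for the hook that actually failed, so a failing `helm test` leaves the Role and the `system:serviceaccounts` RoleBinding in the namespace until the next run's `before-hook-creation` pass replaces them. That is the same unconditional grant this commit removes, just for the window between a failed test and the next one. It is worth recording next to the annotations so operators know what to check after a failed test: `# NOTE: if the test pod fails this object is not removed until the next helm test (before-hook-creation)`. Both RBAC documents begin above their hunks, so the `apiVersion` lines are not visible here.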
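Review bot: The RoleBinding in the second hunk still binds the `system:serviceaccounts` group, so for the duration of the test hook every serviceaccount in the release namespace, not only the test pod, can read Service objects; the new annotations shorten the window but do not narrow the grantee. If the test pod runs under its own serviceaccount (its `serviceAccountName` is not visible in this patch), binding that account directly is the least-privilege form: `- kind: ServiceAccount` / `  name: <test-pod-serviceaccount>` in place of the Group subject. If the group subject is needed on purpose, a comment saying why would spare the next reader the same question.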
diff --git a/charts/lagoon-logging/templates/tests/test-connection.yaml b/charts/lagoon-logging/templates/tests/test-connection.yaml
index f22e9440..d91456f8 100644
--- a/charts/lagoon-logging/templates/tests/test-connection.yaml
+++ b/charts/lagoon-logging/templates/tests/test-connection.yaml
@@ -6,6 +6,7 @@ metadata:
   {{- include "lagoon-logging.logsDispatcher.labels" . | nindent 4 }}
   annotations:
     "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
   containers:
   - name: nc

From 5bbf46c60587558e0441e6647c07550f41fa7732 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 21 Feb 2024 14:25:07 +0800
Subject: [PATCH 2/4] chore: bump lagoon-logging chart version

---
 charts/lagoon-logging/Chart.yaml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/charts/lagoon-logging/Chart.yaml b/charts/lagoon-logging/Chart.yaml
index b05b58eb..ad549cde 100644
--- a/charts/lagoon-logging/Chart.yaml
+++ b/charts/lagoon-logging/Chart.yaml
@@ -19,7 +19,7 @@ type: application
 # time you make changes to the chart and its templates, including the app
 # version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.81.0
+version: 0.81.1
 
 dependencies:
 - name: logging-operator
@@ -31,6 +31,16 @@ dependencies:
 # It should be started afresh for each release
 # Valid supported kinds are added, changed, deprecated, removed, fixed and security
 annotations:
+  artifacthub.io/containsSecurityUpdates: "true"
   artifacthub.io/changes: |
-    - kind: added
-      description: support for annotations on the CDN service
+    - kind: security
+      description: >
+        Previously the test role and rolebinding were being installed
+        unconditionally. With this change they are only installed when running
+        helm test and then removed.
+
+        Having the role and rolebinding installed unconditionally would mean
+        that any serviceaccount (including the default) would be able to view
+        service objects in the lagoon-logging namespace. This is an unnecessary
+        elevation of privilege, but these service objects do not contain
+        anything sensitive.

From 9d53479fc452eebbf529513a5cec411f9d91a86a Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Wed, 21 Feb 2024 16:54:18 +0800
Subject: [PATCH 3/4] chore: reduce artifacthub changelog entry to one line

---
 charts/lagoon-logging/Chart.yaml | 11 +---------
 1 file changed, 1 insertion(+), 10 deletions(-)

diff --git a/charts/lagoon-logging/Chart.yaml b/charts/lagoon-logging/Chart.yaml
index ad549cde..1072bdf3 100644
--- a/charts/lagoon-logging/Chart.yaml
+++ b/charts/lagoon-logging/Chart.yaml
@@ -34,13 +34,4 @@ annotations:
   artifacthub.io/containsSecurityUpdates: "true"
   artifacthub.io/changes: |
     - kind: security
-      description: >
-        Previously the test role and rolebinding were being installed
-        unconditionally. With this change they are only installed when running
-        helm test and then removed.
-
-        Having the role and rolebinding installed unconditionally would mean
-        that any serviceaccount (including the default) would be able to view
-        service objects in the lagoon-logging namespace. This is an unnecessary
-        elevation of privilege, but these service objects do not contain
-        anything sensitive.
+      description: avoid test role and rolebinding being wrongly installed

From fda8f2802da3952cc4921b17a48bcf9d5c52c440 Mon Sep 17 00:00:00 2001
From: Scott Leggett
Date: Thu, 22 Feb 2024 09:48:12 +0800
Subject: [PATCH 4/4] chore: ensure test objects are installed in the correct order

---
 .../templates/tests/cdn-service-annotations.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml b/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml
index b8300b5c..9bbfa400 100644
--- a/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml
+++ b/charts/lagoon-logging/templates/tests/cdn-service-annotations.yaml
@@ -6,6 +6,7 @@ metadata:
   annotations:
     "helm.sh/hook": test
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-2"
 rules:
 - apiGroups: [""] # "" indicates the core API group
   resources: ["services"]
@@ -18,6 +19,7 @@ metadata:
   annotations:
     "helm.sh/hook": test
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-1"
 subjects:
 - kind: Group
   name: system:serviceaccounts # all serviceaccounts
@@ -36,6 +38,7 @@ metadata:
   annotations:
     "helm.sh/hook": test
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "0"
 spec:
   containers:
   - name: kubectl
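Review bot: The three `helm.sh/hook-weight` values added in the last three hunks are bare numbers with nothing explaining the ordering they encode, and each sits in a different document of the same template, so a reader of any one document cannot see the intent without locating the other two. A one-line comment next to each would fix that, e.g. `# hook-weight: Role (-2) -> RoleBinding (-1) -> test Pod (0); lower weights are created first`. Quoting the weights as strings is the right call, since the annotation value is a string and an unquoted `0` would be retyped by some YAML tooling. Each of the three documents starts above its hunk.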