Add support for injecting tolerations to sonobuoy pod (#1976)
* Bump golangci-lint to v1.54.2

We upgraded golang 1.20 -> 1.21 by commit
9a64023. But according to [2], go1.21 is
officially supported since golangci-lint v1.54.1. So, this PR upgrades
golangci-lint to v1.54.2.

Signed-off-by: Masashi Honma <[email protected]>

* Bump golang version for build to 1.21.11

According to trivy, golang 1.21.4 has trailing vulnerabilities. We upgrade it
to 1.21.11 to fix the vulnerabilities.

$ trivy image masap20220915/sonobuoy:amd64-v0.57
2024-07-01T09:50:21+09:00	INFO	Vulnerability scanning is enabled
2024-07-01T09:50:21+09:00	INFO	Secret scanning is enabled
2024-07-01T09:50:21+09:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-01T09:50:21+09:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-07-01T09:50:24+09:00	INFO	Detected OS	family="debian" version="12.5"
2024-07-01T09:50:24+09:00	INFO	[debian] Detecting vulnerabilities...	os_version="12" pkg_num=3
2024-07-01T09:50:24+09:00	INFO	Number of language-specific files	num=1
2024-07-01T09:50:24+09:00	INFO	[gobinary] Detecting vulnerabilities...

masap20220915/sonobuoy:amd64-v0.57 (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

sonobuoy (gobinary)

Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.4            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for   │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of           │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-39326 │ MEDIUM   │        │                   │ 1.20.12, 1.21.5 │ golang: net/http/internal: Denial of Service (DoS) via       │
│         │                │          │        │                   │                 │ Resource Consumption via HTTP requests...                    │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-39326                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45289 │          │        │                   │ 1.21.8, 1.22.1  │ golang: net/http/cookiejar: incorrect forwarding of          │
│         │                │          │        │                   │                 │ sensitive headers and cookies on HTTP redirect...            │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45289                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45290 │          │        │                   │                 │ golang: net/http: memory exhaustion in                       │
│         │                │          │        │                   │                 │ Request.ParseMultipartForm                                   │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45290                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24783 │          │        │                   │                 │ golang: crypto/x509: Verify panics on certificates with an   │
│         │                │          │        │                   │                 │ unknown public key algorithm...                              │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24783                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24784 │          │        │                   │                 │ golang: net/mail: comments in display names are incorrectly  │
│         │                │          │        │                   │                 │ handled                                                      │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24784                   │
│         ├────────────────┤          │        │                   │                 ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24785 │          │        │                   │                 │ golang: html/template: errors returned from MarshalJSON      │
│         │                │          │        │                   │                 │ methods may break template escaping                          │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24785                   │
│         ├────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24789 │          │        │                   │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

Signed-off-by: Masashi Honma <[email protected]>

* Fix Windows build

ERROR: failed to solve: failed to compute cache key: mount callback failed on /tmp/containerd-mount1917080101: link /tmp/containerd-mount1917080101/Windows/INF/basicrender.inf /tmp/containerd-mount1917080101/Windows/System32/DriverStore/FileRepository/basicrender.inf_amd64_efdc64af60c69a6d/basicrender.inf: no such file or directory
Error: Process completed with exit code 1.

According to [1], we need to use ltsc2022 as a tag.

[1] microsoft/Windows-Containers#493

Signed-off-by: Masashi Honma <[email protected]>

* Add support for injecting tolerations to sonobuoy pod

Resolves #1973.

We can inject tolerations into the sonobuoy aggregator pod by adding the trailing
description to the sonobuoy config json.

{
  "AggregatorTolerations": [
    {
      "effect": "NoSchedule",
      "key": "key1",
      "operator": "Equal",
      "value": "value1"
    },
    {
      "effect": "NoSchedule",
      "key": "key2",
      "operator": "Equal",
      "value": "value2"
    }
  ]
}

Signed-off-by: Masashi Honma <[email protected]>

* Bump golang version for build to 1.21.12

To fix the trailing warning.

Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                          Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24791 │ MEDIUM   │ fixed  │ 1.21.11           │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue │
│         │                │          │        │                   │                 │ handling in net/http                                     │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791               │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────┘

Signed-off-by: Masashi Honma <[email protected]>

---------

Signed-off-by: Masashi Honma <[email protected]>
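A pre-flight check for the `AggregatorTolerations` block described in the commit message above, added here as an example and not part of Sonobuoy: it mirrors the key names and enum values that pkg/client/gen.go accepts and additionally flags combinations the Kubernetes API server would reject. The sample config and the `check_tolerations` function are constructed for this example.

```python
import json

# Accepted values mirror what pkg/client/gen.go maps onto the corev1 constants.
VALID_EFFECTS = {"NoSchedule", "NoExecute", "PreferNoSchedule"}
VALID_OPERATORS = {"Equal", "Exists"}
KNOWN_KEYS = {"key", "value", "effect", "operator"}

# Constructed sample config: two well-formed entries followed by entries the
# loader would reject, the API server would reject, or that it silently misreads.
SAMPLE_CONFIG = """{
  "AggregatorTolerations": [
    {"effect": "NoSchedule", "key": "key1", "operator": "Equal", "value": "value1"},
    {"key": "dedicated", "operator": "Exists", "effect": "NoExecute"},
    {"key": "key2", "operator": "Exists", "value": "oops"},
    {"Key": "typo", "operator": "Equal", "value": "v"},
    {"operator": "Exists"}
  ]
}"""


def check_tolerations(config_json):
    """Return (index, message) findings for the AggregatorTolerations list."""
    findings = []
    cfg = json.loads(config_json)
    for i, t in enumerate(cfg.get("AggregatorTolerations", [])):
        if not isinstance(t, dict) or not all(isinstance(v, str) for v in t.values()):
            findings.append((i, "entry must be an object with string values"))
            continue
        unknown = sorted(set(t) - KNOWN_KEYS)
        if unknown:  # gen.go reads only the four known keys; others are dropped
            findings.append((i, f"ignored keys (check spelling/case): {unknown}"))
        effect = t.get("effect", "")
        if effect and effect not in VALID_EFFECTS:
            findings.append((i, f"invalid effect {effect!r}"))
        op = t.get("operator") or "Equal"  # Kubernetes treats an empty operator as Equal
        if op not in VALID_OPERATORS:
            findings.append((i, f"invalid operator {op!r}"))
        elif op == "Exists" and t.get("value"):
            findings.append((i, "value must be empty when operator is Exists"))
        elif op == "Exists" and not t.get("key"):
            findings.append((i, "empty key with Exists tolerates every taint; confirm intended"))
        elif op == "Equal" and not t.get("key"):
            findings.append((i, "operator must be Exists when key is empty"))
    return findings


if __name__ == "__main__":
    for idx, msg in check_tolerations(SAMPLE_CONFIG):
        print(f"AggregatorTolerations[{idx}]: {msg}")
```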
masap authored Jul 29, 2024
1 parent ed6c190 commit 9c04b0b
Showing 6 changed files with 50 additions and 17 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/ci-lint.yaml
Expand Up @@ -8,7 +8,7 @@ jobs:
- name: golangci-lint run
uses: golangci/golangci-lint-action@v3
with:
version: v1.52.2
version: v1.54.2
skip-pkg-cache: true
skip-build-cache: true
args: --timeout=5m0s -v
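Review bot: the linter version now lives in two places that must move together (`version: v1.54.2` here and `LINT_IMAGE=golangci/golangci-lint:v1.54.2` in scripts/build_funcs.sh), and the old v1.52.2 pin had already drifted from the Go version for the same reason. Consider sourcing both from one file, and since the point of this change is a toolchain pin, pin `golangci/golangci-lint-action@v3` to a commit SHA rather than a mutable tag.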
Expand All @@ -26,7 +26,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: 1.21
- name: go mod tidy
run: |
./scripts/ci/check_go_modules.sh
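Review bot: `go-version: 1.21` is an unquoted YAML scalar that resolves to the latest 1.21.x patch at run time, so this job does not build with the exact golang:1.21.12 that scripts/build_funcs.sh pins. Use `go-version-file: go.mod` (or a quoted `'1.21.12'`) so the lint job, the build image and the module agree; quoting also avoids the YAML float problem where a value such as 1.20 is read as 1.2.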
2 changes: 1 addition & 1 deletion .github/workflows/ci-test.yaml
Expand Up @@ -182,7 +182,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
go-version: 1.21
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3
with:
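Review bot: this is the release job (GoReleaser), so the patch level matters more here than in the lint job: the commit message bumps the build image to 1.21.12 specifically to pick up stdlib CVE fixes, but `go-version: 1.21` lets setup-go choose the patch release, so released binaries can be built with a different stdlib than the container image. Pin the patch (quoted) or use `go-version-file: go.mod` so the release artifacts provably contain the fixed stdlib.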
32 changes: 32 additions & 0 deletions pkg/client/gen.go
Expand Up @@ -410,6 +410,38 @@ func generateAggregatorAndService(w io.Writer, cfg *GenConfig) error {
if len(cfg.Config.CustomAnnotations) > 0 {
p.ObjectMeta.Annotations = cfg.Config.CustomAnnotations
}
if len(cfg.Config.AggregatorTolerations) > 0 {
for _, t := range cfg.Config.AggregatorTolerations {
var toleration corev1.Toleration
if val, exists := t["key"]; exists {
toleration.Key = val
}
if val, exists := t["value"]; exists {
toleration.Value = val
}
if val, exists := t["effect"]; exists {
if val == "NoSchedule" {
toleration.Effect = corev1.TaintEffectNoSchedule
} else if val == "NoExecute" {
toleration.Effect = corev1.TaintEffectNoExecute
} else if val == "PreferNoSchedule" {
toleration.Effect = corev1.TaintEffectPreferNoSchedule
} else {
return errors.New("Invalid effect: " + val)
}
}
if val, exists := t["operator"]; exists {
if val == "Equal" {
toleration.Operator = corev1.TolerationOpEqual
} else if val == "Exists" {
toleration.Operator = corev1.TolerationOpExists
} else {
return errors.New("Invalid operator: " + val)
}
}
p.Spec.Tolerations = append(p.Spec.Tolerations, toleration)
}
}

switch cfg.Config.SecurityContextMode {
case "none":
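Review bot: declaring `AggregatorTolerations` as `[]map[string]string` forces this hand-written mapping and loses validation: `tolerationSeconds` (an int64 that Kubernetes only allows together with `NoExecute`) cannot be expressed at all, a misspelled or differently-cased key such as `Key` is silently dropped, and a `value` is accepted alongside `operator: Exists` even though the API server rejects that combination. The JSON keys in the commit message (`key`, `operator`, `value`, `effect`) are exactly the json tags of `corev1.Toleration`, so declaring the field as `[]corev1.Toleration` and writing `p.Spec.Tolerations = append(p.Spec.Tolerations, cfg.Config.AggregatorTolerations...)` keeps the config format and gets the typed enums and `tolerationSeconds` for free. If the map form is kept, reject unknown keys, and prefer `fmt.Errorf("invalid effect %q", val)` over the capitalised `errors.New("Invalid effect: " + val)`, which stylecheck ST1005 flags when that linter is enabled.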
21 changes: 11 additions & 10 deletions pkg/config/config.go
Expand Up @@ -147,16 +147,17 @@ type Config struct {
///////////////////////////////////////////////
// Sonobuoy configuration
///////////////////////////////////////////////
WorkerImage string `json:"WorkerImage" mapstructure:"WorkerImage"`
ImagePullPolicy string `json:"ImagePullPolicy" mapstructure:"ImagePullPolicy"`
ForceImagePullPolicy bool `json:"ForceImagePullPolicy,omitempty" mapstructure:"ForceImagePullPolicy"`
ImagePullSecrets string `json:"ImagePullSecrets" mapstructure:"ImagePullSecrets"`
CustomAnnotations map[string]string `json:"CustomAnnotations,omitempty" mapstructure:"CustomAnnotations"`
AggregatorPermissions string `json:"AggregatorPermissions" mapstructure:"AggregatorPermissions"`
ServiceAccountName string `json:"ServiceAccountName" mapstructure:"ServiceAccountName"`
ExistingServiceAccount bool `json:"ExistingServiceAccount,omitempty" mapstructure:"ExistingServiceAccount,omitempty"`
E2EDockerConfigFile string `json:"E2EDockerConfigFile,omitempty" mapstructure:"E2EDockerConfigFile,omitempty"`
NamespacePSAEnforceLevel string `json:"NamespacePSAEnforceLevel,omitempty" mapstructure:"NamespacePSAEnforceLevel,omitempty"`
WorkerImage string `json:"WorkerImage" mapstructure:"WorkerImage"`
ImagePullPolicy string `json:"ImagePullPolicy" mapstructure:"ImagePullPolicy"`
ForceImagePullPolicy bool `json:"ForceImagePullPolicy,omitempty" mapstructure:"ForceImagePullPolicy"`
ImagePullSecrets string `json:"ImagePullSecrets" mapstructure:"ImagePullSecrets"`
CustomAnnotations map[string]string `json:"CustomAnnotations,omitempty" mapstructure:"CustomAnnotations"`
AggregatorPermissions string `json:"AggregatorPermissions" mapstructure:"AggregatorPermissions"`
AggregatorTolerations []map[string]string `json:"AggregatorTolerations,omitempty" mapstructure:"AggregatorTolerations"`
ServiceAccountName string `json:"ServiceAccountName" mapstructure:"ServiceAccountName"`
ExistingServiceAccount bool `json:"ExistingServiceAccount,omitempty" mapstructure:"ExistingServiceAccount,omitempty"`
E2EDockerConfigFile string `json:"E2EDockerConfigFile,omitempty" mapstructure:"E2EDockerConfigFile,omitempty"`
NamespacePSAEnforceLevel string `json:"NamespacePSAEnforceLevel,omitempty" mapstructure:"NamespacePSAEnforceLevel,omitempty"`

// ProgressUpdatesPort is the port on which the Sonobuoy worker will listen for status updates from its plugin.
ProgressUpdatesPort string `json:"ProgressUpdatesPort,omitempty" mapstructure:"ProgressUpdatesPort"`
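Review bot: the new `AggregatorTolerations` field has no doc comment, unlike `ProgressUpdatesPort` just below, so the commit message is the only place a user can learn the accepted keys and values (`effect`: NoSchedule, NoExecute, PreferNoSchedule; `operator`: Equal, Exists). Add a comment stating them, and note that the tag is `omitempty` on json but not on mapstructure, which matches `CustomAnnotations` but not `ExistingServiceAccount`; pick one convention. The surrounding ten lines change only because gofmt realigned the struct, which is fine but worth knowing when reading the 21-line hunk for a one-field addition.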
6 changes: 3 additions & 3 deletions scripts/build_funcs.sh
Expand Up @@ -13,7 +13,7 @@ LINUX_ARCH=(amd64 arm64 ppc64le s390x)

# Currently only under a single arch, can iterate over these and still assume arch value.
WIN_ARCH=amd64
WINVERSIONS=("1809" "1903" "1909" "2004" "20H2")
WINVERSIONS=("ltsc2022")

# Not used for pushing images, just for local building on other GOOS. Defaults to
# grabbing from the local go env but can be set manually to avoid that requirement.
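Review bot: collapsing `WINVERSIONS` from five entries to `("ltsc2022")` is a user-visible change the hunk does not document: Windows nodes on 1809/1903/1909/2004/20H2 no longer get a matching worker image, since nanoserver base images are tied to the host OS version. Call this out in the release notes and in the comment above the line, and reference the microsoft/Windows-Containers#493 rationale from the commit message there so the next reader does not try to add the old tags back.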
Expand All @@ -28,14 +28,14 @@ IMAGE_BRANCH=$(git rev-parse --abbrev-ref HEAD | sed 's/\///g')
GIT_REF_LONG=$(git rev-parse --verify HEAD)

BUILDMNT=/go/src/$GOTARGET
BUILD_IMAGE=golang:1.21.4
BUILD_IMAGE=golang:1.21.12
AMD_IMAGE=gcr.io/distroless/static:nonroot
ARM_IMAGE=gcr.io/distroless/static:nonroot-arm64
PPC64LE_IMAGE=gcr.io/distroless/static:nonroot-ppc64le
S390X_IMAGE=gcr.io/distroless/static:nonroot-s390x
WIN_AMD64_BASEIMAGE=mcr.microsoft.com/windows/nanoserver
TEST_IMAGE=testimage:v0.1
LINT_IMAGE=golangci/golangci-lint:v1.52.2
LINT_IMAGE=golangci/golangci-lint:v1.54.2
KIND_CLUSTER=kind

SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]:-$0}"; )" &> /dev/null && pwd 2> /dev/null; )"
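Review bot: the motivation for `BUILD_IMAGE=golang:1.21.12` and `LINT_IMAGE=golangci/golangci-lint:v1.54.2` is CVE remediation, but a tag is mutable, so the image trivy scanned and the image the next build pulls are not guaranteed to be the same. Pin both as `image:tag@sha256:<digest>` (placeholder; take the digest from `docker buildx imagetools inspect`) so the remediation is reproducible.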
2 changes: 1 addition & 1 deletion test/integration/testImage/Dockerfile
Expand Up @@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM golang:1.21.4 AS base
FROM golang:1.21.12 AS base
WORKDIR /src

# Handle the go modules first to take advantage of Docker cache.
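Review bot: `FROM golang:1.21.12 AS base` duplicates `BUILD_IMAGE` in scripts/build_funcs.sh, and this commit already had to touch both; an `ARG GO_IMAGE=golang:1.21.12` above the `FROM ${GO_IMAGE} AS base` line, with the value passed from build_funcs.sh, keeps the test image on the same toolchain as the release build and makes the next patch bump a one-place change.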