From cef339fcb5e7a9fa2b86c3d45783d3fda86a84ef Mon Sep 17 00:00:00 2001 From: tallaxes <18728999+tallaxes@users.noreply.github.com> Date: Thu, 5 Sep 2024 01:18:40 +0000 Subject: [PATCH 1/3] fix: harden harden-runner egress policy --- .github/workflows/approval-comment.yaml | 6 +++++- .github/workflows/ci-test.yml | 14 +++++++++++-- .github/workflows/ci.yml | 14 +++++++++++-- .github/workflows/codeql-analysis.yml | 15 ++++++++++++- .github/workflows/deflake.yml | 10 ++++++++- .github/workflows/dependency-review.yml | 9 +++++++- .github/workflows/e2e-matrix.yaml | 7 +++++-- .github/workflows/e2e.yaml | 28 ++++++++++++++++++++++++- .github/workflows/release-trigger.yaml | 8 ++++++- .github/workflows/resolve-args.yaml | 9 ++++++-- .github/workflows/scorecards.yml | 21 ++++++++++++++++++- 11 files changed, 126 insertions(+), 15 deletions(-) diff --git a/.github/workflows/approval-comment.yaml b/.github/workflows/approval-comment.yaml index f8355869e..dcc545d8e 100644 --- a/.github/workflows/approval-comment.yaml +++ b/.github/workflows/approval-comment.yaml @@ -14,7 +14,11 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml index 5dcb0d525..5cdf6ee06 100644 --- a/.github/workflows/ci-test.yml +++ b/.github/workflows/ci-test.yml 
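Review bot: The approval-comment allowlist is `github.com:443` alone, yet a job that reads or posts an approval comment normally does so through `api.github.com:443` (via `gh`, `actions/github-script` or a REST call), and in `block` mode that call now fails instead of being audited; the commenting step is outside the hunk, so confirm which host it uses and add `api.github.com:443` if needed. Note also that with `disable-telemetry: true` blocked connections are presumably no longer reported to the StepSecurity insights view, so a missing endpoint only surfaces as a failing step, which is worth stating next to the policy, e.g. `# block mode with telemetry off: blocked egress shows up only as step failures in the job log`.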
@@ -21,12 +21,22 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + coveralls.io:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + raw.githubusercontent.com:443 + storage.googleapis.com:443 + sum.golang.org:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./.github/actions/install-deps with: - k8sVersion: ${{ matrix.k8sVersion }} + k8sVersion: ${{ matrix.k8sVersion }} - run: K8S_VERSION=${{ matrix.k8sVersion }} make ci-test - name: Send coverage # should only send coverage once https://docs.coveralls.io/parallel-builds diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 088bd73b4..cd8e95a0c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,7 +5,7 @@ on: pull_request: workflow_dispatch: permissions: - contents: read + contents: read jobs: ci: runs-on: ubuntu-latest @@ -13,7 +13,17 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + raw.githubusercontent.com:443 + storage.googleapis.com:443 + sum.golang.org:443 + vuln.go.dev:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./.github/actions/install-deps diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f9674a8a8..ef8ef2af5 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
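Review bot: `storage.googleapis.com:443` and `raw.githubusercontent.com:443` in the ci-test allowlist are multi-tenant hosts, so allowing them by hostname permits a download from any GCS bucket or any public GitHub repository and does not record which artefact the job actually needs. Put the purpose next to each non-obvious entry, as the e2e workflow does for its wildcards, e.g. `# storage.googleapis.com: envtest/kubebuilder assets — TODO confirm`, and make sure whatever install-deps fetches from those hosts is pinned by version and checksum rather than `latest`. Unlike approval-comment, this job leaves sudo enabled; if install-deps does not require it, add `disable-sudo: true` here too. The install-deps action and the test steps are outside the hunk.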
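Review bot: `vuln.go.dev:443` in the ci allowlist is the one entry the sibling ci-test job does not have and is only meaningful for govulncheck, so without a comment such as `# vuln.go.dev: govulncheck vulnerability database` it is likely to be pruned as unused the next time the list is regenerated. The same broad hosts as in ci-test (`storage.googleapis.com`, `raw.githubusercontent.com`) are allowed here and sudo stays enabled; consider `disable-sudo: true` unless install-deps needs it. The steps that issue these requests are outside the hunk.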
@@ -28,7 +28,20 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + dc.services.visualstudio.com:443 + github.com:443 + login.microsoftonline.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + raw.githubusercontent.com:443 + storage.googleapis.com:443 + sum.golang.org:443 + uploads.github.com:443 + vuln.go.dev:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./.github/actions/install-deps diff --git a/.github/workflows/deflake.yml b/.github/workflows/deflake.yml index 54758dfe8..274573f92 100644 --- a/.github/workflows/deflake.yml +++ b/.github/workflows/deflake.yml @@ -16,7 +16,15 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - uses: ./.github/actions/install-deps diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bf2dcfbae..661110cc2 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -19,7 +19,14 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.securityscorecards.dev:443 + github.com:443 - name: 'Checkout Repository' uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 
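Review bot: `dc.services.visualstudio.com:443` (Application Insights ingestion) and `login.microsoftonline.com:443` in the codeql allowlist look like telemetry and Azure sign-in traffic rather than anything the CodeQL analysis needs, and allowlisting a telemetry sink in a blocking policy keeps an exfiltration-capable host open. If they originate from an Azure CLI pulled in by install-deps, prefer `AZURE_CORE_COLLECT_TELEMETRY=false` in the job `env` and drop the Application Insights host; if they are needed, say so inline, e.g. `# dc.services.visualstudio.com: <tool> telemetry — TODO confirm and disable`. install-deps and the analysis steps are outside the hunk.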
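Review bot: The deflake allowlist omits `raw.githubusercontent.com:443`, which the ci and ci-test jobs allow for what appears to be the same `install-deps` action; either deflake's later steps never fetch from there, or the list was derived from a run that did not exercise that path, and in `block` mode such a fetch fails the job. Since three jobs now carry near-identical lists, keep the install-deps endpoints documented in one place (a comment in the composite action, or a reusable snippet) so the lists cannot drift. install-deps and the deflake steps are outside the hunk.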
diff --git a/.github/workflows/e2e-matrix.yaml b/.github/workflows/e2e-matrix.yaml index f8638fc0b..9c2826ce1 100644 --- a/.github/workflows/e2e-matrix.yaml +++ b/.github/workflows/e2e-matrix.yaml @@ -21,7 +21,7 @@ on: permissions: contents: read - + jobs: initialize-generative-params: runs-on: ubuntu-latest @@ -31,7 +31,10 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + disable-sudo: true + egress-policy: block + allowed-endpoints: > - id: generate-e2e-run-hash run: | diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index c2d8c52b6..3ca298610 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -47,7 +47,33 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + *.azmk8s.io:443 + *.azurecr.io:443 + *.data.mcr.microsoft.com:443 + aka.ms:443 + api.github.com:443 + app.aladdin.microsoft.com:443 + auth.docker.io:443 + azcliextensionsync.blob.core.windows.net:443 + clients3.google.com:80 + dc.services.visualstudio.com:443 + distroless.dev:443 + firebaselogging-pa.googleapis.com:443 + gist.githubusercontent.com:443 + github.com:443 + graph.microsoft.com:443 + index.docker.io:443 + login.microsoftonline.com:443 + management.azure.com:443 + mcr.microsoft.com:443 + objects.githubusercontent.com:443 + proxy.golang.org:443 + raw.githubusercontent.com:443 + storage.googleapis.com:443 + sum.golang.org:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: diff --git a/.github/workflows/release-trigger.yaml b/.github/workflows/release-trigger.yaml index 5e9393669..e4430ec82 100644 --- a/.github/workflows/release-trigger.yaml +++ b/.github/workflows/release-trigger.yaml 
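Review bot: `allowed-endpoints: >` with no body in the e2e-matrix job is an empty folded scalar, which harden-runner treats as no endpoints but which reads to a maintainer like an accidental truncation; since `egress-policy: block` with no allowlist already means no egress, the clearer form is to drop the key entirely. With telemetry disabled and nothing allowed the job is fully offline, which is appropriate for a hash-generating step provided `generate-e2e-run-hash` (whose body is outside the hunk) does not call out to anything.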
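Review bot: `*.azurecr.io:443` and `*.azmk8s.io:443` in the e2e allowlist cover every Azure customer's registry and AKS API server, so a compromised step could still push images to, or talk to, an attacker-controlled tenant; if the registries and clusters this job creates follow a naming pattern, narrow the entries to it, and otherwise record why the full wildcard is required. `clients3.google.com:80` is the only plaintext entry and, with `firebaselogging-pa.googleapis.com:443`, appears to be Skaffold update-check/telemetry traffic that can be switched off (`SKAFFOLD_UPDATE_CHECK=false`, `skaffold config set --global collect-metrics false`) rather than allowlisted. `gist.githubusercontent.com:443` and `aka.ms:443` serve content that can change under a stable URL, so whatever is pulled from them should be pinned by revision or checksum in the install step. The steps issuing these requests are outside the hunk.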
@@ -19,7 +19,13 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-telemetry: true + disable-sudo: true + egress-policy: block + allowed-endpoints: > + github.com:443 + registry.npmjs.org:443 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 diff --git a/.github/workflows/resolve-args.yaml b/.github/workflows/resolve-args.yaml index 05c594eee..1bed15aea 100644 --- a/.github/workflows/resolve-args.yaml +++ b/.github/workflows/resolve-args.yaml @@ -7,7 +7,7 @@ on: permissions: contents: read - + jobs: resolve: runs-on: ubuntu-latest @@ -18,7 +18,12 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-sudo: true + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - if: github.event_name == 'workflow_run' diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 3a0ad315a..fe000bd34 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
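Review bot: `registry.npmjs.org:443` in the release-trigger allowlist permits installing any npm package, so the egress policy only helps if the step that uses it installs from a committed lockfile (`npm ci`) rather than `npx <tool>` at a floating version; that step is outside the hunk, so confirm and document it inline, e.g. `# registry.npmjs.org: <tool> installed via npm ci from package-lock.json`. With `disable-sudo: true` the tool must also not rely on a global install path.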
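Review bot: The resolve-args hunk lists `disable-sudo` before `disable-telemetry`, while every other workflow in this patch uses the opposite order; pick one ordering (`disable-telemetry`, `disable-sudo`, `egress-policy`, `allowed-endpoints`) so the blocks can be compared at a glance. The step that follows is gated on `github.event_name == 'workflow_run'` and presumably uses `api.github.com:443` to fetch data from the triggering run; egress blocking does not protect against a tampered artifact from a pull_request run, so that consumer must treat what it downloads as untrusted input. The remainder of that step is outside the hunk.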
@@ -33,7 +33,26 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 with: - egress-policy: audit + disable-sudo: true + disable-telemetry: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + api.securityscorecards.dev:443 + auth.docker.io:443 + bestpractices.coreinfrastructure.org:443 + fulcio.sigstore.dev:443 + github.com:443 + index.docker.io:443 + mcr.microsoft.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + sigstore-tuf-root.storage.googleapis.com:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: "Checkout code" uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 From 0396215482d8a6651a8dc769c93f85e55e178292 Mon Sep 17 00:00:00 2001 From: tallaxes <18728999+tallaxes@users.noreply.github.com> Date: Thu, 5 Sep 2024 22:16:01 +0000 Subject: [PATCH 2/3] doc: add comments --- .github/workflows/e2e-matrix.yaml | 1 + .github/workflows/e2e.yaml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/e2e-matrix.yaml b/.github/workflows/e2e-matrix.yaml index 9c2826ce1..26c47a39c 100644 --- a/.github/workflows/e2e-matrix.yaml +++ b/.github/workflows/e2e-matrix.yaml @@ -34,6 +34,7 @@ jobs: disable-telemetry: true disable-sudo: true egress-policy: block + # no allowed endpoints allowed-endpoints: > - id: generate-e2e-run-hash diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 3ca298610..86fdd5510 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
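Review bot: The scorecards allowlist carries both the old and new Scorecard API hosts (`api.securityscorecards.dev`, `api.scorecard.dev`) and both best-practices hosts (`bestpractices.coreinfrastructure.org`, `www.bestpractices.dev`); that is reasonable during a migration, but each pair should note which one is current so the stale entry gets retired, e.g. `# api.securityscorecards.dev: legacy host, remove once scorecard-action no longer calls it — TODO confirm`. `index.docker.io`/`auth.docker.io` and `mcr.microsoft.com` imply an image pull at run time; the step is outside the hunk, so confirm the image reference is pinned by digest.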
@@ -49,6 +49,9 @@ jobs: with: disable-telemetry: true egress-policy: block + # - wildcards to allow for variation in targeted clusters + # - clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 - confirmed Skaffol + # likely telemetry, likely can be avoided/blocked with/after "skaffold config set --global collect-metrics false" allowed-endpoints: > *.azmk8s.io:443 *.azurecr.io:443 From e033f885fd17095998b5f56752443f2905ee4d43 Mon Sep 17 00:00:00 2001 From: tallaxes <18728999+tallaxes@users.noreply.github.com> Date: Thu, 5 Sep 2024 22:24:40 +0000 Subject: [PATCH 3/3] doc: fix typo --- .github/workflows/e2e.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 86fdd5510..b86d9e93d 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -50,7 +50,7 @@ jobs: disable-telemetry: true egress-policy: block # - wildcards to allow for variation in targeted clusters - # - clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 - confirmed Skaffol + # - clients3.google.com:80 and firebaselogging-pa.googleapis.com:443 - confirmed Skaffold, # likely telemetry, likely can be avoided/blocked with/after "skaffold config set --global collect-metrics false" allowed-endpoints: > *.azmk8s.io:443
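Review bot: The added comment on `clients3.google.com:80` and `firebaselogging-pa.googleapis.com:443` hedges twice ("likely telemetry, likely can be avoided") without recording a decision, so the two entries will stay in the allowlist indefinitely. Make it an actionable item, e.g. `# TODO: disable Skaffold metrics/update check (SKAFFOLD_UPDATE_CHECK=false, skaffold config set --global collect-metrics false) and remove the two entries above`, and mention that `clients3.google.com:80` is the only plaintext endpoint in the list. The allowlist continues past the end of the hunk.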