Snyk fixes (#91)

Element84 · Aug 21, 2023 · 04d0124 · 04d0124
1 parent c1ee2cd
commit 04d0124
Show file tree

Hide file tree

Showing 14 changed files with 74 additions and 101 deletions.
diff --git a/.github/workflows/snyk-scan.yml b/.github/workflows/snyk-scan.yml
@@ -21,17 +21,27 @@ jobs:
     steps:
       - uses: actions/checkout@master
 
+      - name: Install Helm Dependencies
+        id: helm_dependencies
+        run: |
+          for dir in $(ls -d charts/*/); do
+              helm dep up $dir
+          done
+
       - name: Render Helm Templates
         id: helm_template_rendering
         run: |
-          helm template charts/swoop-api --output-dir ./output
+          for dir in $(ls -d charts/*/); do
+              helm template $dir -f $dir/values.yaml --output-dir ./output
+          done
 
       - name: Snyk IaC report vulnerabilities
         uses: snyk/actions/iac@master
         continue-on-error: true # To make sure that SARIF upload gets called
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
+          file: ./output
           args: --sarif-file-output=snyk.sarif
 
         # Push the Snyk Code results into GitHub Code Scanning tab

diff --git a/charts/local-path-provisioner/templates/clusterrole.yaml b/charts/local-path-provisioner/templates/clusterrole.yaml
@@ -1,8 +1,15 @@
 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: Role
+{{- else }}
 kind: ClusterRole
+{{- end }}
 metadata:
   name: {{ include "local-path-provisioner.fullname" . }}
+  {{- if .Values.singleNamespace }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
   labels:
 {{ include "local-path-provisioner.labels" . | indent 4 }}
 rules:
@@ -11,7 +18,7 @@ rules:
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["endpoints", "persistentvolumes", "pods"]
-  verbs: ["*"]
+  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
 - apiGroups: [""]
   resources: ["events"]
   verbs: ["create", "patch"]

diff --git a/charts/local-path-provisioner/templates/clusterrolebinding.yaml b/charts/local-path-provisioner/templates/clusterrolebinding.yaml
@@ -1,13 +1,20 @@
 {{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.singleNamespace }}
+kind: RoleBinding
+{{ else }}
 kind: ClusterRoleBinding
+{{- end }}
 metadata:
   name: {{ include "local-path-provisioner.fullname" . }}
+  {{- if .Values.singleNamespace }}
+  namespace: {{ .Release.Namespace | quote }}
+  {{- end }}
   labels:
 {{ include "local-path-provisioner.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: {{ template "local-path-provisioner.fullname" . }}
 subjects:
   - kind: ServiceAccount

diff --git a/charts/local-path-provisioner/values.yaml b/charts/local-path-provisioner/values.yaml
@@ -23,6 +23,11 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+# -- Restrict local provisioner to operate only in a single namespace (the namespace of the
+# Helm release) by apply Roles and RoleBindings instead of the Cluster
+# Use it in clusters with strict access policy.
+singleNamespace: true
+
 ## For creating the StorageClass automatically:
 storageClass:
   create: true

diff --git a/charts/minio/Chart.yaml b/charts/minio/Chart.yaml
@@ -7,8 +7,8 @@ keywords:
   - minio
 sources:
 home:
-dependencies:
-- name: local-path-provisioner
-  condition: local-path-provisioner.enabled
-  version: "0.0.25"
-  repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
+# dependencies:
+# - name: local-path-provisioner
+#   condition: local-path-provisioner.enabled
+#   version: "0.0.25"
+#   repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
diff --git a/charts/minio/values.yaml b/charts/minio/values.yaml
@@ -7,6 +7,7 @@ fullnameOverride: ""
 
 local-path-provisioner:
   enabled: true
+  singleNamespace: true
   storageClass:
     provisionerName: filmdrop.io/local-minio-path-provisioner
     name: local-path-class-minio

diff --git a/charts/postgres/Chart.yaml b/charts/postgres/Chart.yaml
@@ -7,8 +7,8 @@ keywords:
   - postgres
 sources:
 home:
-dependencies:
-- name: local-path-provisioner
-  condition: local-path-provisioner.enabled
-  version: "0.0.25"
-  repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
+# dependencies:
+# - name: local-path-provisioner
+#   condition: local-path-provisioner.enabled
+#   version: "0.0.25"
+#   repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
diff --git a/charts/postgres/values.yaml b/charts/postgres/values.yaml
@@ -7,6 +7,7 @@ fullnameOverride: ""
 
 local-path-provisioner:
   enabled: true
+  singleNamespace: true
   storageClass:
     provisionerName: filmdrop.io/local-postgres-path-provisioner
     name: local-path-class-postgres

diff --git a/charts/stac-fastapi/Chart.yaml b/charts/stac-fastapi/Chart.yaml
@@ -6,8 +6,8 @@ appVersion: "0.1.0"
 keywords:
   - stac-fastapi
 home:
-dependencies:
-- name: local-path-provisioner
-  condition: local-path-provisioner.enabled
-  version: "0.0.25"
-  repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
+# dependencies:
+# - name: local-path-provisioner
+#   condition: local-path-provisioner.enabled
+#   version: "0.0.25"
+#   repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
diff --git a/charts/stac-fastapi/values.yaml b/charts/stac-fastapi/values.yaml
@@ -7,6 +7,7 @@ fullnameOverride: ""
 
 local-path-provisioner:
   enabled: true
+  singleNamespace: true
   storageClass:
     provisionerName: filmdrop.io/local-pgstac-path-provisioner
     name: local-path-class-pgstac

diff --git a/charts/swoop-bundle/Chart.yaml b/charts/swoop-bundle/Chart.yaml
@@ -16,10 +16,10 @@ dependencies:
   condition: swoop-api.enabled
   version: "0.1.0"
   repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
-- name: swoop-caboose
-  condition: swoop-caboose.enabled
-  version: "0.1.0"
-  repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
+# - name: swoop-caboose
+#   condition: swoop-caboose.enabled
+#   version: "0.1.0"
+#   repository: "https://element84.github.io/filmdrop-k8s-helm-charts/"
 # - name: swoop-conductor
 #   condition: swoop-caboose.enabled
 #   version: "0.1.0"

diff --git a/charts/swoop-bundle/values.yaml b/charts/swoop-bundle/values.yaml
@@ -171,7 +171,7 @@ swoop-caboose:
     # Helm release) by apply Roles and RoleBindings instead of the Cluster
     # equivalents, and start workflow-controller with the --namespaced flag. Use it
     # in clusters with strict access policy.
-    singleNamespace: false
+    singleNamespace: true
 
     workflow:
       # -- Deprecated; use controller.workflowNamespaces instead.
@@ -522,7 +522,7 @@ swoop-caboose:
 
     server:
       # -- Deploy the Argo Server
-      enabled: true
+      enabled: false
       # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
       ## only updates base url of resources on client side,
       ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix

diff --git a/charts/swoop-caboose/templates/argo-workflows-crds.yaml b/charts/swoop-caboose/templates/argo-workflows-crds.yaml
@@ -24,11 +24,12 @@
 {{- end -}}
 {{- if or $argoWorkflowsEnabled $crdsInstall }}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+Kind: Role
 metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
   name: argo-aggregate-to-admin
+  namespace: {{ .Release.Namespace | quote }}
 rules:
 - apiGroups:
   - argoproj.io
@@ -58,11 +59,12 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+Kind: Role
 metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: argo-aggregate-to-edit
+  namespace: {{ .Release.Namespace | quote }}
 rules:
 - apiGroups:
   - argoproj.io
@@ -90,11 +92,12 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+Kind: Role
 metadata:
   labels:
     rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: argo-aggregate-to-view
+  namespace: {{ .Release.Namespace | quote }}
 rules:
 - apiGroups:
   - argoproj.io
@@ -117,9 +120,10 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+Kind: Role
 metadata:
-  name: argo-cluster-role
+  name: argo-workflows-role
+  namespace: {{ .Release.Namespace | quote }}
 rules:
 - apiGroups:
   - ""
@@ -223,72 +227,6 @@ rules:
   - delete
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: argo-server-cluster-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - watch
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - argoproj.io
-  resources:
-  - eventsources
-  - sensors
-  - workflows
-  - workfloweventbindings
-  - workflowtemplates
-  - cronworkflows
-  - clusterworkflowtemplates
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argo-binding
@@ -303,13 +241,14 @@ subjects:
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+Kind: RoleBinding
 metadata:
-  name: argo-binding
+  name: argo-workflows-binding
+  namespace: {{ .Release.Namespace | quote }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: argo-cluster-role
+  Kind: Role
+  name: argo-workflows-role
 subjects:
 - kind: ServiceAccount
   name: {{ $migrationServiceAccount }}
@@ -331,6 +270,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ $migrationServiceAccount }}-migration-reader
+  namespace: {{ .Release.Namespace | quote }}
 rules:
   - apiGroups: ["batch","extensions"]
     resources: ["jobs"]
@@ -340,6 +280,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ $migrationServiceAccount }}-migration-reader
+  namespace: {{ .Release.Namespace | quote }}
 subjects:
 - kind: ServiceAccount
   name: {{ $migrationServiceAccount }}

diff --git a/charts/swoop-caboose/values.yaml b/charts/swoop-caboose/values.yaml
@@ -115,7 +115,7 @@ argo-workflows:
   # Helm release) by apply Roles and RoleBindings instead of the Cluster
   # equivalents, and start workflow-controller with the --namespaced flag. Use it
   # in clusters with strict access policy.
-  singleNamespace: false
+  singleNamespace: true
 
   workflow:
     # -- Deprecated; use controller.workflowNamespaces instead.
@@ -466,7 +466,7 @@ argo-workflows:
 
   server:
     # -- Deploy the Argo Server
-    enabled: true
+    enabled: false
     # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
     ## only updates base url of resources on client side,
     ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix