UNCLASSIFIED - NO CUI

Snippets Groups Projects

Currently supported Big Bang Version is 2.50

Merged Justen Mehl requested to merge harden-automounttoken-argo into master 1 year ago

General MR

Summary

Closes #1827

This MR leverages the mutating Kyverno policy named update-automountserviceaccounttokens to harden all ServiceAccounts in the argocd namespace/package, and to place Pod exceptions where applicable (depending if the application truly needs access to the K8s API).

Justification for Pod exceptions are placed in comments alongside the code.

Manual testing according to the packages' DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality. Pipeline tests are passing.

Edited 1 year ago by Justen Mehl

Activity

Justen Mehl changed milestone to %2.16.0 1 year ago

changed milestone to %2.16.0
Justen Mehl added argocd kindenhancement priority7 statusdoing labels 1 year ago

added argocd kindenhancement priority7 statusdoing labels
Justen Mehl assigned to @justen.mehl 1 year ago

assigned to @justen.mehl
Justen Mehl changed the description 1 year ago

changed the description
Justen Mehl added 7 commits 1 year ago
added 7 commits

362321cf...c16f6411 - 6 commits from branch master

55f95c41 - harden argo

Compare with previous version
Justen Mehl added 1 commit 1 year ago
added 1 commit

8837c5aa - harden default SA

Compare with previous version
Justen Mehl added 1 commit 1 year ago
added 1 commit

587a7c1f - fix SA typo

Compare with previous version
Justen Mehl changed title from Draft: Harden automounttoken argo to Draft: Mitigate automountServiceAccountToken findings in Argo 1 year ago

changed title from Draft: Harden automounttoken argo to Draft: Mitigate automountServiceAccountToken findings in Argo
Justen Mehl mentioned in merge request big-bang/product/packages/argocd!190 (merged) 1 year ago

mentioned in merge request big-bang/product/packages/argocd!190 (merged)
Justen Mehl added 13 commits 1 year ago
added 13 commits

587a7c1f...a25971dc - 10 commits from branch master

d14d6039 - harden argo

6dbb9b16 - harden default SA

b55d3a2e - fix SA typo

Compare with previous version
Toggle commit list
Justen Mehl marked this merge request as ready 1 year ago

marked this merge request as ready
Justen Mehl added statusreview label and removed statusdoing label 1 year ago

added statusreview label and removed statusdoing label
bigbang bot requested review from @michaelmartin, @ryan.j.garcia, @ryan.thompson.44, and @chris.oconnell 1 year ago

requested review from @michaelmartin, @ryan.j.garcia, @ryan.thompson.44, and @chris.oconnell
bigbang bot @bb8-bot · 1 year ago

Developer

@rgsjustins @andrewshoell : You have been tagged in this merge request for the purpose of conducting secondary review.
Christopher O'Connell @chris.oconnell · 1 year ago

Owner

Resolved 1 year ago by Justen Mehl

Any thoughts on using a wildcard in the service account names? I feel like this will break anytime an arcod upstream service account name changes, or if a new SA is added we won't be tracking that

Last reply by Justen Mehl 1 year ago
Justen Mehl added 18 commits 1 year ago
added 18 commits

b55d3a2e...a2b29c76 - 16 commits from branch master

0bdb9f94 - harden argo

15b99875 - fix SA typo

Compare with previous version
Justen Mehl added statusdoing label and removed statusreview label 1 year ago

added statusdoing label and removed statusreview label
Justen Mehl marked this merge request as draft 1 year ago

marked this merge request as draft
bigbang bot changed milestone to %2.17.0 1 year ago

changed milestone to %2.17.0
Justen Mehl removed review request for @ryan.j.garcia, @ryan.thompson.44, @michaelmartin, and @chris.oconnell 1 year ago

removed review request for @ryan.j.garcia, @ryan.thompson.44, @michaelmartin, and @chris.oconnell

Please register or sign in to reply

UNCLASSIFIED - NO CUI