From 94b2b1baca20f06923d77fdaa4343765698bcf12 Mon Sep 17 00:00:00 2001 From: Christian Bianchi Date: Mon, 6 May 2024 13:00:23 +0200 Subject: [PATCH] [Backport] Add global.podSecurityStandards.enforced value for PSS migration. --- .nancy-ignore | 25 +++++++++++++++++++++++++ CHANGELOG.md | 4 ++++ helm/app-operator/templates/psp.yaml | 2 +- helm/app-operator/templates/rbac.yaml | 2 ++ helm/app-operator/values.schema.json | 13 +++++++++++++ helm/app-operator/values.yaml | 4 ++++ pkg/project/project.go | 4 ++-- 7 files changed, 51 insertions(+), 3 deletions(-) diff --git a/.nancy-ignore b/.nancy-ignore index 3c9c4734a..5092be361 100644 --- a/.nancy-ignore +++ b/.nancy-ignore @@ -29,3 +29,28 @@ CVE-2023-25165 until=2023-11-30 # pkg:golang/k8s.io/apiserver@v0.26.1 CVE-2020-8561 until=2023-11-30 + +CVE-2023-29401 +CVE-2022-29153 +CVE-2022-29153 +CVE-2021-41803 +CVE-2022-24687 +CVE-2021-23772 +CVE-2024-0406 +CVE-2020-26892 +CVE-2021-3127 +CVE-2023-47090 +CVE-2024-21626 +CVE-2023-28642 +CVE-2023-27561 +CVE-2023-25809 +CVE-2023-47108 +CVE-2023-48795 +CVE-2023-39325 +CVE-2023-3978 +CVE-2024-24786 +CVE-2019-25210 +CVE-2024-26147 +CVE-2024-25620 +CVE-2023-25165 +CVE-2020-8561 diff --git a/CHANGELOG.md b/CHANGELOG.md index ffca6bc22..c33f5c7e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project's packages adheres to [Semantic Versioning](http://semver.org/s ## [Unreleased] +### Added + +- [Backport] Add global.podSecurityStandards.enforced value for PSS migration. + ## [6.8.1] - 2023-09-14 ### Fixed diff --git a/helm/app-operator/templates/psp.yaml b/helm/app-operator/templates/psp.yaml index 6759499bd..d58aea04e 100644 --- a/helm/app-operator/templates/psp.yaml +++ b/helm/app-operator/templates/psp.yaml @@ -1,4 +1,4 @@ -{{- if .Capabilities.APIVersions.Has "policy/v1beta1" }} +{{- if not (((.Values.global).podSecurityStandards).enforced) }} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: 
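Review bot: The 24 CVE identifiers appended to .nancy-ignore carry no `until=` date, unlike every earlier entry visible in the hunk (`CVE-2020-8561 until=2023-11-30`), so they suppress the scanner findings indefinitely rather than for a review window. Presumably this was done to get the backport branch's CI green after the November 2023 expiries lapsed, but an open-ended ignore list hides any future assessment of whether the pinned dependencies are still reachable. Each new line should follow the existing convention of a `# pkg:` comment naming the module and an expiry, e.g. `CVE-2024-21626 until=2024-08-01`. `CVE-2022-29153` appears twice in the added block; one copy can be dropped.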
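Review bot: Replacing `.Capabilities.APIVersions.Has "policy/v1beta1"` with the values flag drops the only check that the target cluster still serves the PodSecurityPolicy API; with the new default `enforced: false` the template now renders a `policy/v1beta1` PodSecurityPolicy unconditionally, so an install on a cluster where that API has been removed fails unless the operator remembers to flip the flag. The two conditions are not alternatives, so keep both and make the default fail-safe: `{{- if and (not (((.Values.global).podSecurityStandards).enforced)) (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`. If the capability check was dropped on purpose because the chart is rendered without cluster access (e.g. `helm template`), state that in a comment above the guard so the next reader does not reinstate it. The PodSecurityPolicy body continues past the end of the hunk.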
diff --git a/helm/app-operator/templates/rbac.yaml b/helm/app-operator/templates/rbac.yaml
index 2b0d472b8..cce3cfb05 100644
--- a/helm/app-operator/templates/rbac.yaml
+++ b/helm/app-operator/templates/rbac.yaml
@@ -224,6 +224,7 @@ roleRef:
 name: {{ include "resource.default.name" . }}-catalog
 apiGroup: rbac.authorization.k8s.io
 ---
+{{- if not (((.Values.global).podSecurityStandards).enforced) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -254,3 +255,4 @@ roleRef:
 kind: ClusterRole
 name: {{ include "resource.psp.name" . }}
 apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/helm/app-operator/values.schema.json b/helm/app-operator/values.schema.json
index fa677061e..e1efae734 100644
--- a/helm/app-operator/values.schema.json
+++ b/helm/app-operator/values.schema.json
@@ -86,6 +86,19 @@
 }
 }
 },
+ "global": {
+ "type": "object",
+ "properties": {
+ "podSecurityStandards": {
+ "type": "object",
+ "properties": {
+ "enforced": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ },
 "groupID": {
 "type": "integer"
 },
diff --git a/helm/app-operator/values.yaml b/helm/app-operator/values.yaml
index 409d2169a..cd2975d36 100644
--- a/helm/app-operator/values.yaml
+++ b/helm/app-operator/values.yaml
@@ -93,3 +93,7 @@ serviceMonitor:
 interval: "60s"
 # -- (duration) Prometheus scrape timeout.
 scrapeTimeout: "45s"
+
+global:
+ podSecurityStandards:
+ enforced: false
diff --git a/pkg/project/project.go b/pkg/project/project.go
index a362ed0b4..e3dea72c9 100644
--- a/pkg/project/project.go
+++ b/pkg/project/project.go
@@ -5,7 +5,7 @@ var (
 gitSHA = "n/a"
 name = "app-operator"
 source = "https://github.com/giantswarm/app-operator"
- version = "6.8.1"
+ //version = "6.8.1"
 )
 
 func Description() string {
@@ -31,5 +31,5 @@ func Source() string {
 }
 
 func Version() string {
- return version
+ return "6.8.1"
 }
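Review bot: The new `{{- if not (((.Values.global).podSecurityStandards).enforced) }}` gates the PSP ClusterRole and its binding without saying why, and its matching `{{- end }}` sits in a separate hunk some thirty lines later, so a reader of this file meets an unexplained condition around a security-relevant RBAC grant. Add a template comment on the line above the guard: `{{/* PSP ClusterRole and binding are only needed while PodSecurityPolicy admission is active; skipped once global.podSecurityStandards.enforced is true. */}}`. Note also that the `---` on the line before the guard is emitted even when the block is skipped, which appears to leave an empty trailing document; Helm tolerates that, but moving the separator inside the `if` keeps the rendered output tidy.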
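Review bot: The schema types `global.podSecurityStandards.enforced` as a boolean but does not set `"additionalProperties": false` on the `podSecurityStandards` object, so a misspelled key such as `enforce: true` passes validation and the nil-safe lookup used in the templates silently falls back to rendering the PodSecurityPolicy. Because this flag decides whether a security control is emitted, a typo should fail `helm install` rather than be ignored; add `"additionalProperties": false` beside `"properties"` in the `podSecurityStandards` object, unless the rest of the schema (not visible here) deliberately allows unknown keys. A `"description"` on `enforced` stating when to set it true would also help, since the schema is the only place that documents the value.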
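Review bot: `global.podSecurityStandards.enforced: false` is added without the `# --` helm-docs comment that the neighbouring values carry (`# -- (duration) Prometheus scrape timeout.`), so the generated README will not explain what the flag does or when to flip it. Add above `enforced`: `# -- (bool) Set to true once the cluster enforces Pod Security Standards; the chart then stops rendering its PodSecurityPolicy and the PSP ClusterRole/binding.` A note that the default keeps the legacy PSP path active is worth a sentence too, since leaving it false on a PSS-only cluster is the likely misconfiguration.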
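Review bot: `return "6.8.1"` hard-codes the version in the function body while the earlier hunk leaves the declaration behind as the commented-out line `//version = "6.8.1"`, so the literal now lives away from `gitSHA`, `name` and `source` and a dead line sits in the `var` block. If the release build injects the version with `-ldflags "-X .../pkg/project.version=..."` (not visible in this diff), returning a literal also silently disables that override. Prefer keeping `version = "6.8.1"` in the `var` block and `return version` here, so there is one place to update; if the variable really must go for this backport branch, delete it outright and record the reason in a comment rather than leaving commented-out code.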