Gate #57
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidhadas The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Codecov Report

```
@@           Coverage Diff           @@
##             main      #57   +/-   ##
==========================================
+ Coverage   79.03%   81.13%   +2.10%
==========================================
  Files          32       35       +3
  Lines        2599     2931     +332
==========================================
+ Hits         2054     2378     +324
  Misses        433      433
- Partials      112      120       +8
```
/retest all
@davidhadas: The
/test all

/hold

/unhold
utils "knative.dev/security-guard/pkg/guard-utils" | ||
) | ||
|
||
const plugVersion string = "0.0.1" |
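Review bot: `plugVersion` is declared as a `const`, so it cannot be overridden at build time: the Go linker's `-X` flag only rewrites package-level string variables. If the version is to be injected with `go build -ldflags="-X ..."` as the thread below discusses, change the declaration to `var plugVersion = "0.0.1"`, with the literal serving only as the default for local builds.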
ideally we could pick this dynamically rather than having to hardcode (and have to remember to update on each release)... pretty sure we do this elsewhere in knative, let me find an example...
It seems for executables there is a way to do that using ldflags, from outside, during the build of a new release:

go build -ldflags="-X 'main.Version=v1.0.0'"

I don't know for packages, or if it makes sense.
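An added example (not code from this PR or from security-guard) of how the ldflags approach discussed above fits together with Go's own embedded build metadata, so the version need not be hard-coded. `Version`, `resolveVersion` and `PlugVersion` are hypothetical names; the `runtime/debug` calls and the `-X` behaviour are standard Go (the `Settings` field needs Go 1.18+).

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// Version is the hypothetical build-time hook. It must be a var, not a const:
// the linker's -X flag only rewrites initialised string variables, e.g.
//   go build -ldflags="-X 'main.Version=v1.0.0'"
var Version = ""

// resolveVersion picks the version to report, in order of preference:
// the -X injected value, then the main module version Go records when the
// binary is built from a tagged module, then the VCS revision embedded by
// `go build` (marked as a dev build), and finally "unknown".
// info is a parameter so the logic can be exercised with constructed data.
func resolveVersion(ldflagsVersion string, info *debug.BuildInfo) string {
	if v := strings.TrimSpace(ldflagsVersion); v != "" {
		return v
	}
	if info == nil {
		return "unknown"
	}
	if mv := info.Main.Version; mv != "" && mv != "(devel)" {
		return mv
	}
	for _, s := range info.Settings {
		if s.Key == "vcs.revision" && s.Value != "" {
			rev := s.Value
			if len(rev) > 12 {
				rev = rev[:12] // short hash is enough to identify the build
			}
			return "dev+" + rev
		}
	}
	return "unknown"
}

// PlugVersion is what the plug would log or expose at startup.
func PlugVersion() string {
	info, _ := debug.ReadBuildInfo() // info is nil for non-module builds
	return resolveVersion(Version, info)
}

func main() {
	fmt.Println("plug version:", PlugVersion())
}
```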
Think I was thinking of a combination of knative/pkg#2548 and knative-extensions/kn-plugin-quickstart#327
Still wonder if there's a better way to get this info (maybe similar to what we do in serving to add the version as a label), but it isn't blocking
Are the various "Log entries created from user input" warnings something we should address?
config/deploy-queue-proxy.yaml
@@ -0,0 +1,27 @@ | |||
# Copyright 2019 The Knative Authors |
Need to double-check that this doesn't overwrite the existing config-deployment... might be better to just have the setup-guard-service script patch the existing configmap with the current QP image...
I tested by adding a `test: boom` parameter to config-deployment. This parameter remains when doing `ko apply -Rf ./config` in security-guard while the image changes; note that the `_example` is removed after such a change.

After `ko apply -Rf config/core` at serving:

```yaml
data:
  _example: |-
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
    # This block is not actually functional configuration,
    ...
    # NOTE THAT THIS IS AN EXPERIMENTAL / ALPHA FEATURE
  concurrency-state-endpoint: ""
  queueSidecarImage: us.icr.io/knat/queue-39be6f1d08a095bd076a71d288d295b6@sha256:086b8a7d8bc2104672609a1918274f2e4b075076f52c0fbbc4c3f044b64eb5fe
  test: boom
```

After `ko apply -Rf ./config` at security-guard:

```yaml
data:
  queue-sidecar-image: us.icr.io/knat/queue-958f2fa0da7e00e1e412a537ecf9d1cc@sha256:021e6438111346ea5d5aff064d6c3ad2cea6c3a92cc7e7708f644f8a1fc34a1e
  test: boom
```
This seems like a false positive - the data is sanitized in place, maybe this is why the alert is issued.

They aren't being triggered anymore after the most recent commits
Co-authored-by: Paul Schweigert <[email protected]>
/lgtm
This PR finalizes the guard-gate