#1894 Remove unused functions and k8s permissions
The initial set of kubernetes permissions for the role in the helm
template was adapted from the kubernetes AutoDiscovery, which is based
on kubebuilder. The AWS Cloud AutoDiscovery manually connects to
kubernetes and uses far fewer API permissions than the kubernetes
AutoDiscovery. If future features need more permissions, they can be
added back.

Signed-off-by: Lukas Fischer <lukas.fischer@iteratec.com>
Lukas Fischer committed Oct 20, 2023
1 parent 965c2d0 commit b6ba7cd
Showing 3 changed files with 0 additions and 210 deletions.
13 changes: 0 additions & 13 deletions auto-discovery/cloud-aws/pkg/kubernetes/kubernetes.go
@@ -17,7 +17,6 @@ import (
apierrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/cli-runtime/pkg/genericclioptions"
"sigs.k8s.io/controller-runtime/pkg/client"
@@ -185,18 +184,6 @@ func (r *CloudScanReconciler) handleDeleteRequest(ctx context.Context, req Reque
return err
}

func (r *CloudScanReconciler) getScheduledScan(ctx context.Context, name string) (*executionv1.ScheduledScan, error) {
scheduledScan := &executionv1.ScheduledScan{}
err := r.Client.Get(ctx, types.NamespacedName{Name: name, Namespace: r.Config.Kubernetes.Namespace}, scheduledScan)
return scheduledScan, err
}

func (r *CloudScanReconciler) listScheduledScans(ctx context.Context) (*executionv1.ScheduledScanList, error) {
var scheduledscans executionv1.ScheduledScanList
err := r.Client.List(ctx, &scheduledscans, client.InNamespace(r.Config.Kubernetes.Namespace))
return &scheduledscans, err
}

func (r *CloudScanReconciler) createScheduledScan(ctx context.Context, scheduledScan *executionv1.ScheduledScan) (*executionv1.ScheduledScan, error) {
scheduledScan.ObjectMeta.Namespace = r.Config.Kubernetes.Namespace
err := r.Client.Create(ctx, scheduledScan)
41 changes: 0 additions & 41 deletions auto-discovery/cloud-aws/templates/rbac/role.yaml
@@ -8,51 +8,10 @@ kind: Role
metadata:
name: auto-discovery-cloud-aws
rules:
- apiGroups:
- execution.securecodebox.io
resources:
- scantypes
verbs:
- get
- list
- watch
- apiGroups:
- execution.securecodebox.io
resources:
- scheduledscans
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- execution.securecodebox.io/status
resources:
- scheduledscans
verbs:
- get
- patch
- update
- apiGroups:
- execution.securecodebox.io
resources:
- scans
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- execution.securecodebox.io/status
resources:
- scans
verbs:
- get
- patch
- update
@@ -5,54 +5,13 @@ matches the snapshot:
metadata:
name: auto-discovery-cloud-aws
rules:
- apiGroups:
- execution.securecodebox.io
resources:
- scantypes
verbs:
- get
- list
- watch
- apiGroups:
- execution.securecodebox.io
resources:
- scheduledscans
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- execution.securecodebox.io/status
resources:
- scheduledscans
verbs:
- get
- patch
- update
- apiGroups:
- execution.securecodebox.io
resources:
- scans
verbs:
- create
- get
- list
- patch
- update
- watch
- delete
- apiGroups:
- execution.securecodebox.io/status
resources:
- scans
verbs:
- get
- patch
- update
2: |
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
@@ -72,118 +31,3 @@ matches the snapshot:
kind: ServiceAccount
metadata:
name: auto-discovery-cloud-aws
4: |
apiVersion: v1
data:
auto-discovery-cloud-aws.yaml: |
{
"aws": {
"queueUrl": "",
"region": ""
},
"kubernetes": {
"namespace": "",
"scanConfigs": [
{
"annotations": {},
"hookSelector": {},
"labels": {},
"name": "trivy",
"parameters": [
"{{ .ImageID }}"
],
"repeatInterval": "168h",
"scanType": "trivy-image"
},
{
"annotations": {},
"hookSelector": {},
"labels": {},
"name": "trivy-sbom",
"parameters": [
"{{ .ImageID }}"
],
"repeatInterval": "168h",
"scanType": "trivy-sbom-image"
}
]
}
}
kind: ConfigMap
metadata:
name: auto-discovery-cloud-aws
5: |
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
control-plane: auto-discovery-cloud-aws
name: auto-discovery-cloud-aws
spec:
replicas: 1
selector:
matchLabels:
control-plane: auto-discovery-cloud-aws
template:
metadata:
labels:
control-plane: auto-discovery-cloud-aws
spec:
containers:
- args:
- --config
- /etc/securecodebox/auto-discovery-cloud-aws.yaml
command:
- /service
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: aws-access-key-id
name: aws-credentials
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: aws-secret-access-key
name: aws-credentials
optional: true
- name: AWS_SESSION_TOKEN
valueFrom:
secretKeyRef:
key: aws-session-token
name: aws-credentials
optional: true
image: securecodebox/auto-discovery-cloud-aws:0.0.0
imagePullPolicy: IfNotPresent
name: auto-discovery-cloud-aws
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 100m
memory: 20Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
volumeMounts:
- mountPath: /etc/securecodebox/auto-discovery-cloud-aws.yaml
name: config
readOnly: true
subPath: auto-discovery-cloud-aws.yaml
imagePullSecrets:
- name: foo
securityContext:
fsGroup: 1234
serviceAccountName: auto-discovery-cloud-aws
terminationGracePeriodSeconds: 10
volumes:
- configMap:
name: auto-discovery-cloud-aws
name: config
