github-advanced-security[bot] commented on code in PR #792:
URL: https://github.com/apache/dubbo-go-pixiu/pull/792#discussion_r2488780141


##########
controllers/config/manager/manager.yaml:
##########
@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: controllers
+    app.kubernetes.io/managed-by: kustomize
+  name: system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: controllers
+    app.kubernetes.io/managed-by: kustomize
+spec:
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: controllers
+  replicas: 1
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: controllers
+    spec:
+      # TODO(user): Uncomment the following code to configure the nodeAffinity 
expression
+      # according to the platforms which are supported by your solution.
+      # It is considered best practice to support multiple architectures. You 
can
+      # build your manager image using the makefile target docker-buildx.
+      # affinity:
+      #   nodeAffinity:
+      #     requiredDuringSchedulingIgnoredDuringExecution:
+      #       nodeSelectorTerms:
+      #         - matchExpressions:
+      #           - key: kubernetes.io/arch
+      #             operator: In
+      #             values:
+      #               - amd64
+      #               - arm64
+      #               - ppc64le
+      #               - s390x
+      #           - key: kubernetes.io/os
+      #             operator: In
+      #             values:
+      #               - linux
+      securityContext:
+        # Projects are configured by default to adhere to the "restricted" Pod 
Security Standards.
+        # This ensures that deployments meet the highest security requirements 
for Kubernetes.
+        # For more details, see: 
https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+      - command:
+        - /manager
+        args:
+          - --leader-elect
+          - --health-probe-bind-address=:8081
+        image: controller:latest
+        name: manager
+        ports: []
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        # TODO(user): Configure the resources accordingly based on the project 
requirements.
+        # More info: 
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+        volumeMounts: []
+      volumes: []
+      serviceAccountName: controller-manager
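Review bot: the pod spec sets `serviceAccountName: controller-manager` but leaves `automountServiceAccountToken` at its default, so the account's token is always mounted into the `manager` container and the blast radius of a compromised pod is whatever Role/ClusterRole is bound to that account (the binding is not in this file). If the manager talks to the API server via that binding, keep the mount and confirm the bound role covers only the resources it reconciles; otherwise add `automountServiceAccountToken: false` under `spec.template.spec`. Second point on the same hunk: `image: controller:latest` is a mutable tag, which is acceptable in a kustomize base only if every overlay pins it with an `images:` transformer to a versioned tag or digest; otherwise a restart can pull an image that nobody reviewed. Minor: the `TODO(user)` scaffolding comments for nodeAffinity and `resources` are still in place; either make those decisions for this project or drop the placeholders before merge.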

Review Comment:
   ## Service account permissions should be restricted
   
   Bind this Service Account to RBAC or disable "automountServiceAccountToken". See more on [SonarQube Cloud](https://sonarcloud.io/project/issues?id=apache_dubbo-go-pixiu&issues=AZpNXU3NEaQO1nTTK_1x&open=AZpNXU3NEaQO1nTTK_1x&pullRequest=792).
   
   [Show more details](https://github.com/apache/dubbo-go-pixiu/security/code-scanning/263)



##########
controllers/config/rbac/gatewayproxy_admin_role.yaml:
##########
@@ -0,0 +1,27 @@
+# This rule is not used by the project controllers itself.
+# It is provided to allow the cluster admin to help manage permissions for 
users.
+#
+# Grants full permissions ('*') over pixiu.apache.org.
+# This role is intended for users authorized to modify roles and bindings 
within the cluster,
+# enabling them to delegate specific permissions to other users or groups as 
needed.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: controllers
+    app.kubernetes.io/managed-by: kustomize
+  name: gatewayproxy-admin-role
+rules:
+- apiGroups:
+  - pixiu.apache.org
+  resources:
+  - gatewayproxies
+  verbs:
+  - '*'
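Review bot: `verbs: ['*']` on `gatewayproxies` matches every verb RBAC knows today and any added later (including `deletecollection`), granted cluster-wide to whoever is bound to this ClusterRole, so the role's real scope cannot be read from the file and silently widens over time. The header comment says this is an admin role for delegation rather than something the controllers use, so an explicit list is identical in effect now and stays auditable; replace the wildcard with the verbs actually intended, for example
  verbs:
  - get
  - list
followed by `watch`, `create`, `update`, `patch`, `delete` as needed. Also worth checking: the hunk header advertises 27 added lines but the visible hunk ends at `- '*'`, so confirm nothing (such as a `gatewayproxies/status` rule) was dropped in transit.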

Review Comment:
   ## Wildcards should not be used to define RBAC permissions
   
   Replace this wildcard with a clear list of allowed resources. See more on [SonarQube Cloud](https://sonarcloud.io/project/issues?id=apache_dubbo-go-pixiu&issues=AZpNXU24EaQO1nTTK_1u&open=AZpNXU24EaQO1nTTK_1u&pullRequest=792).
   
   [Show more details](https://github.com/apache/dubbo-go-pixiu/security/code-scanning/262)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

