From 8848ba8e6c98dccc74d445e11e5fce6836fc8aae Mon Sep 17 00:00:00 2001
From: jonny
Date: Tue, 22 Oct 2024 17:33:23 +0100
Subject: [PATCH 1/2] fix: correct pod security context block indentation

---
 snyk-monitor/templates/deployment.yaml | 26 +++++++++++++-------------
 test/integration/kubernetes.spec.ts | 9 +++++++++
 test/setup/deployers/helm.ts | 1 +
 3 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/snyk-monitor/templates/deployment.yaml b/snyk-monitor/templates/deployment.yaml
index 25e257756..ff639dacb 100644
--- a/snyk-monitor/templates/deployment.yaml
+++ b/snyk-monitor/templates/deployment.yaml
@@ -33,19 +33,19 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
- {{- with .Values.podSecurityContext }}
- securityContext:
- {{- $fsGroupOverride := dict }}
- {{- if hasKey $.Values.securityContext "fsGroup" }}
- {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
- {{- end }}
- {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
- {{- else }}
- {{- if .Values.securityContext.fsGroup }}
- securityContext:
- fsGroup: {{ int .Values.securityContext.fsGroup }}
- {{- end }}
- {{- end }}
+ {{- with .Values.podSecurityContext }}
+ securityContext:
+ {{- $fsGroupOverride := dict }}
+ {{- if hasKey $.Values.securityContext "fsGroup" }}
+ {{- $fsGroupOverride = dict "fsGroup" (int $.Values.securityContext.fsGroup) }}
+ {{- end }}
+ {{- merge $fsGroupOverride . | toYaml | nindent 8 }}
+ {{- else }}
+ {{- if .Values.securityContext.fsGroup }}
+ securityContext:
+ fsGroup: {{ int .Values.securityContext.fsGroup }}
+ {{- end }}
+ {{- end }}
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/test/integration/kubernetes.spec.ts b/test/integration/kubernetes.spec.ts
index 0ffc09c96..e91af5d0a 100644
--- a/test/integration/kubernetes.spec.ts
+++ b/test/integration/kubernetes.spec.ts
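Review bot: The two branches of the re-indented block disagree on how `securityContext.fsGroup` is detected: the `with` branch uses `hasKey $.Values.securityContext "fsGroup"`, so an explicitly configured `fsGroup: 0` is honoured, while the `else` branch uses the truthiness test `{{- if .Values.securityContext.fsGroup }}`, which silently drops a `0`; `{{- if hasKey .Values.securityContext "fsGroup" }}` in the `else` branch would make the two paths consistent. The precedence implied by `merge $fsGroupOverride .` is not obvious to a reader and deserves a template comment above the `with` line, e.g. `{{- /* securityContext.fsGroup wins over podSecurityContext.fsGroup: sprig merge gives priority to its first argument */ -}}`. `hasKey` is applied to `$.Values.securityContext` directly, so a values override that sets `securityContext` to null presumably fails at render time instead of falling through to the `else` branch — worth confirming in the chart tests if that override is meant to be supported. The enclosing Deployment `spec:` starts outside the hunk.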
@@ -776,6 +776,15 @@ test('snyk-monitor secure configuration is as expected', async () => {
 namespace,
 );
 const deployment = response.body;
+ expect(deployment.spec?.template.spec).toEqual(
+ expect.objectContaining({
+ securityContext: {
+ fsGroup: 65534,
+ fsGroupChangePolicy: 'Always',
+ },
+ }),
+ );
+
 expect(deployment.spec?.template?.spec?.containers?.[0]).toEqual(
 expect.objectContaining({
 securityContext: {
diff --git a/test/setup/deployers/helm.ts b/test/setup/deployers/helm.ts
index 6b65065b6..dccf0f742 100644
--- a/test/setup/deployers/helm.ts
+++ b/test/setup/deployers/helm.ts
@@ -39,6 +39,7 @@ async function deployKubernetesMonitor(
 '--set rbac.serviceAccount.annotations."foo"="bar" ' +
 '--set volumes.projected.serviceAccountToken=true ' +
 '--set securityContext.fsGroup=65534 ' +
+ '--set podSecurityContext.fsGroupChangePolicy="Always" ' +
 '--set skopeo.compression.level=1 ' +
 '--set workers.count=5 ' +
 '--set sysdig.enabled=true ',

From 96c1d40cf23569444944346a0d0bd9408612d571 Mon Sep 17 00:00:00 2001
From: jonny
Date: Wed, 23 Oct 2024 10:17:29 +0100
Subject: [PATCH 2/2] chore: temporarily ingore transitive vuln

---
 .snyk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.snyk b/.snyk
index f0e80b9c4..e79dc8fd6 100644
--- a/.snyk
+++ b/.snyk
@@ -14,4 +14,10 @@ ignore:
 Waiting for a patch: https://security.snyk.io/vuln/SNYK-JS-MICROMATCH-6838728
 expires: 2024-12-19T12:00:00.000Z
 created: 2024-05-16T12:00:00.000Z
+ SNYK-JS-JSONPATHPLUS-7945884:
+ - '*':
+ reason: >-
+ Waiting for transient dependency to update
+ expires: 2024-12-19T12:00:00.000Z
+ created: 2024-10-23T12:00:00.000Z
 patch: {}
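Review bot: The new pod-level `securityContext` assertion only proves the indentation fix because the helm deployer in this same series passes `--set podSecurityContext.fsGroupChangePolicy="Always"`, which is what makes the template's `with .Values.podSecurityContext` branch render; nothing in the test records that coupling, so trimming the helm flags later would silently turn this into a test of the `else` branch. Suggest `// fsGroupChangePolicy is set explicitly by the helm deployer; seeing it under spec.template.spec proves the pod-level securityContext block rendered at pod level, not under the container` above the added `expect`. The optional chaining is also inconsistent with the expectation that follows: `deployment.spec?.template.spec` versus `deployment.spec?.template?.spec?.containers?.[0]`; `deployment.spec?.template?.spec` would match. The enclosing test callback starts and ends outside the hunk.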
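Review bot: The added flag quotes a value that needs no quoting, `--set podSecurityContext.fsGroupChangePolicy="Always" `, and whether those literal double quotes are stripped or end up inside the chart value depends on how the command string is executed (through a shell or via a direct exec), which this hunk does not show. `'--set podSecurityContext.fsGroupChangePolicy=Always ' +` gives the same value either way and matches the unquoted style of the neighbouring `securityContext.fsGroup=65534` flag. The `annotations."foo"="bar"` line above needs its quotes because of the dotted key, so it is not the precedent here. deployKubernetesMonitor starts and ends outside the hunk.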
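Review bot: The new ignore's reason, `Waiting for transient dependency to update`, names neither the direct dependency that pulls in the affected package nor the advisory, unlike the `SNYK-JS-MICROMATCH-6838728` entry above it which links its vuln page, so whoever revisits this before the `2024-12-19` expiry has nothing concrete to check against. Suggest keeping `reason: >-` and following it with a line that names the direct dependency and links the advisory in the same `https://security.snyk.io/vuln/...` form as the micromatch entry. The word `transient` should be `transitive`, as in the commit subject. The `'*'` path wildcard follows the existing entry's style but suppresses the finding on every dependency path; scoping it to the actual path would keep the exception as narrow as the reason justifies.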