Add support for injecting tolerations to sonobuoy pod (#1976)

* Bump golangci-lint to v1.54.2 We upgraded golang lang 1.20 -> 1.21 by commit 9a64023. But according to [2], go1.21 is officially supported since golangci-lint v1.54.1. So, this PR upgrades golangci-lint to v1.54.2. Signed-off-by: Masashi Honma <masashi.honma@gmail.com> * Bump golang version for build to 1.21.11 According to trivy, golang 1.21.4 has trailing vulnerabilities. We upgrade it to 1.21.11 to fix the vulnerabilities. $ trivy image masap20220915/sonobuoy:amd64-v0.57 2024-07-01T09:50:21+09:00 INFO Vulnerability scanning is enabled 2024-07-01T09:50:21+09:00 INFO Secret scanning is enabled 2024-07-01T09:50:21+09:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2024-07-01T09:50:21+09:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection 2024-07-01T09:50:24+09:00 INFO Detected OS family="debian" version="12.5" 2024-07-01T09:50:24+09:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=3 2024-07-01T09:50:24+09:00 INFO Number of language-specific files num=1 2024-07-01T09:50:24+09:00 INFO [gobinary] Detecting vulnerabilities... masap20220915/sonobuoy:amd64-v0.57 (debian 12.5) Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) sonobuoy (gobinary) Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 7, HIGH: 1, CRITICAL: 1) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2024-24790 │ CRITICAL │ fixed │ 1.21.4 │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │ │ │ │ │ │ │ │ IPv4-mapped IPv6 addresses │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24790 │ │ ├────────────────┼──────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45288 │ HIGH │ │ │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │ │ │ │ │ │ │ │ CONTINUATION frames causes DoS │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45288 │ │ ├────────────────┼──────────┤ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-39326 │ MEDIUM │ │ │ 1.20.12, 1.21.5 │ golang: net/http/internal: Denial of Service (DoS) via │ │ │ │ │ │ │ │ Resource Consumption via HTTP requests... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39326 │ │ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45289 │ │ │ │ 1.21.8, 1.22.1 │ golang: net/http/cookiejar: incorrect forwarding of │ │ │ │ │ │ │ │ sensitive headers and cookies on HTTP redirect... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45289 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-45290 │ │ │ │ │ golang: net/http: memory exhaustion in │ │ │ │ │ │ │ │ Request.ParseMultipartForm │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-45290 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-24783 │ │ │ │ │ golang: crypto/x509: Verify panics on certificates with an │ │ │ │ │ │ │ │ unknown public key algorithm... │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24783 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-24784 │ │ │ │ │ golang: net/mail: comments in display names are incorrectly │ │ │ │ │ │ │ │ handled │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24784 │ │ ├────────────────┤ │ │ │ ├──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-24785 │ │ │ │ │ golang: html/template: errors returned from MarshalJSON │ │ │ │ │ │ │ │ methods may break template escaping │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24785 │ │ ├────────────────┤ │ │ ├─────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2024-24789 │ │ │ │ 1.21.11, 1.22.4 │ golang: archive/zip: Incorrect handling of certain ZIP files │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24789 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘ Signed-off-by: Masashi Honma <masashi.honma@gmail.com> * Fix Windows build ERROR: failed to solve: failed to compute cache key: mount callback failed on /tmp/containerd-mount1917080101: link /tmp/containerd-mount1917080101/Windows/INF/basicrender.inf /tmp/containerd-mount1917080101/Windows/System32/DriverStore/FileRepository/basicrender.inf_amd64_efdc64af60c69a6d/basicrender.inf: no such file or directory Error: Process completed with exit code 1. According to [1], we need to use ltsc2022 as a tag. [1] microsoft/Windows-Containers#493 Signed-off-by: Masashi Honma <masashi.honma@gmail.com> * Add support for injecting tolerations to sonobuoy pod Resolves #1973. We can inject some tolerations to sonobuoy aggregator pod by adding trailing description into sonobuoy config json. { "AggregatorTolerations": [ { "effect": "NoSchedule", "key": "key1", "operator": "Equal", "value": "value1" }, { "effect": "NoSchedule", "key": "key2", "operator": "Equal", "value": "value2" } ] } Signed-off-by: Masashi Honma <masashi.honma@gmail.com> * Bump golang version for build to 1.21.12 To fix trailing warning. Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0) ┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────┐ │ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │ ├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────┤ │ stdlib │ CVE-2024-24791 │ MEDIUM │ fixed │ 1.21.11 │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue │ │ │ │ │ │ │ │ handling in net/http │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-24791 │ └─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────┘ Signed-off-by: Masashi Honma <masashi.honma@gmail.com> --------- Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
vmware-tanzu · Jul 29, 2024 · 9c04b0b · 9c04b0b
1 parent ed6c190
commit 9c04b0b
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 17 deletions.
diff --git a/.github/workflows/ci-lint.yaml b/.github/workflows/ci-lint.yaml
@@ -8,7 +8,7 @@ jobs:
       - name: golangci-lint run
         uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.52.2
+          version: v1.54.2
           skip-pkg-cache: true
           skip-build-cache: true
           args: --timeout=5m0s -v
@@ -26,7 +26,7 @@ jobs:
       - uses: actions/checkout@v3
       - uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: go mod tidy
         run: |
           ./scripts/ci/check_go_modules.sh

diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -182,7 +182,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v3
         with:

diff --git a/pkg/client/gen.go b/pkg/client/gen.go
@@ -410,6 +410,38 @@ func generateAggregatorAndService(w io.Writer, cfg *GenConfig) error {
 	if len(cfg.Config.CustomAnnotations) > 0 {
 		p.ObjectMeta.Annotations = cfg.Config.CustomAnnotations
 	}
+	if len(cfg.Config.AggregatorTolerations) > 0 {
+		for _, t := range cfg.Config.AggregatorTolerations {
+			var toleration corev1.Toleration
+			if val, exists := t["key"]; exists {
+				toleration.Key = val
+			}
+			if val, exists := t["value"]; exists {
+				toleration.Value = val
+			}
+			if val, exists := t["effect"]; exists {
+				if val == "NoSchedule" {
+					toleration.Effect = corev1.TaintEffectNoSchedule
+				} else if val == "NoExecute" {
+					toleration.Effect = corev1.TaintEffectNoExecute
+				} else if val == "PreferNoSchedule" {
+					toleration.Effect = corev1.TaintEffectPreferNoSchedule
+				} else {
+					return errors.New("Invalid effect: " + val)
+				}
+			}
+			if val, exists := t["operator"]; exists {
+				if val == "Equal" {
+					toleration.Operator = corev1.TolerationOpEqual
+				} else if val == "Exists" {
+					toleration.Operator = corev1.TolerationOpExists
+				} else {
+					return errors.New("Invalid operator: " + val)
+				}
+			}
+			p.Spec.Tolerations = append(p.Spec.Tolerations, toleration)
+		}
+	}
 
 	switch cfg.Config.SecurityContextMode {
 	case "none":

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -147,16 +147,17 @@ type Config struct {
 	///////////////////////////////////////////////
 	// Sonobuoy configuration
 	///////////////////////////////////////////////
-	WorkerImage              string            `json:"WorkerImage" mapstructure:"WorkerImage"`
-	ImagePullPolicy          string            `json:"ImagePullPolicy" mapstructure:"ImagePullPolicy"`
-	ForceImagePullPolicy     bool              `json:"ForceImagePullPolicy,omitempty" mapstructure:"ForceImagePullPolicy"`
-	ImagePullSecrets         string            `json:"ImagePullSecrets" mapstructure:"ImagePullSecrets"`
-	CustomAnnotations        map[string]string `json:"CustomAnnotations,omitempty" mapstructure:"CustomAnnotations"`
-	AggregatorPermissions    string            `json:"AggregatorPermissions" mapstructure:"AggregatorPermissions"`
-	ServiceAccountName       string            `json:"ServiceAccountName" mapstructure:"ServiceAccountName"`
-	ExistingServiceAccount   bool              `json:"ExistingServiceAccount,omitempty" mapstructure:"ExistingServiceAccount,omitempty"`
-	E2EDockerConfigFile      string            `json:"E2EDockerConfigFile,omitempty" mapstructure:"E2EDockerConfigFile,omitempty"`
-	NamespacePSAEnforceLevel string            `json:"NamespacePSAEnforceLevel,omitempty" mapstructure:"NamespacePSAEnforceLevel,omitempty"`
+	WorkerImage              string              `json:"WorkerImage" mapstructure:"WorkerImage"`
+	ImagePullPolicy          string              `json:"ImagePullPolicy" mapstructure:"ImagePullPolicy"`
+	ForceImagePullPolicy     bool                `json:"ForceImagePullPolicy,omitempty" mapstructure:"ForceImagePullPolicy"`
+	ImagePullSecrets         string              `json:"ImagePullSecrets" mapstructure:"ImagePullSecrets"`
+	CustomAnnotations        map[string]string   `json:"CustomAnnotations,omitempty" mapstructure:"CustomAnnotations"`
+	AggregatorPermissions    string              `json:"AggregatorPermissions" mapstructure:"AggregatorPermissions"`
+	AggregatorTolerations    []map[string]string `json:"AggregatorTolerations,omitempty" mapstructure:"AggregatorTolerations"`
+	ServiceAccountName       string              `json:"ServiceAccountName" mapstructure:"ServiceAccountName"`
+	ExistingServiceAccount   bool                `json:"ExistingServiceAccount,omitempty" mapstructure:"ExistingServiceAccount,omitempty"`
+	E2EDockerConfigFile      string              `json:"E2EDockerConfigFile,omitempty" mapstructure:"E2EDockerConfigFile,omitempty"`
+	NamespacePSAEnforceLevel string              `json:"NamespacePSAEnforceLevel,omitempty" mapstructure:"NamespacePSAEnforceLevel,omitempty"`
 
 	// ProgressUpdatesPort is the port on which the Sonobuoy worker will listen for status updates from its plugin.
 	ProgressUpdatesPort string `json:"ProgressUpdatesPort,omitempty" mapstructure:"ProgressUpdatesPort"`

diff --git a/scripts/build_funcs.sh b/scripts/build_funcs.sh
@@ -13,7 +13,7 @@ LINUX_ARCH=(amd64 arm64 ppc64le s390x)
 
 # Currently only under a single arch, can iterate over these and still assume arch value.
 WIN_ARCH=amd64
-WINVERSIONS=("1809" "1903" "1909" "2004" "20H2")
+WINVERSIONS=("ltsc2022")
 
 # Not used for pushing images, just for local building on other GOOS. Defaults to
 # grabbing from the local go env but can be set manually to avoid that requirement.
@@ -28,14 +28,14 @@ IMAGE_BRANCH=$(git rev-parse --abbrev-ref HEAD | sed 's/\///g')
 GIT_REF_LONG=$(git rev-parse --verify HEAD)
 
 BUILDMNT=/go/src/$GOTARGET
-BUILD_IMAGE=golang:1.21.4
+BUILD_IMAGE=golang:1.21.12
 AMD_IMAGE=gcr.io/distroless/static:nonroot
 ARM_IMAGE=gcr.io/distroless/static:nonroot-arm64
 PPC64LE_IMAGE=gcr.io/distroless/static:nonroot-ppc64le
 S390X_IMAGE=gcr.io/distroless/static:nonroot-s390x
 WIN_AMD64_BASEIMAGE=mcr.microsoft.com/windows/nanoserver
 TEST_IMAGE=testimage:v0.1
-LINT_IMAGE=golangci/golangci-lint:v1.52.2
+LINT_IMAGE=golangci/golangci-lint:v1.54.2
 KIND_CLUSTER=kind
 
 SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]:-$0}"; )" &> /dev/null && pwd 2> /dev/null; )"

diff --git a/test/integration/testImage/Dockerfile b/test/integration/testImage/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.21.4 AS base
+FROM golang:1.21.12 AS base
 WORKDIR /src
 
 # Handle the go modules first to take advantage of Docker cache.