Skip to content

deps: Update deps to fix kyverno critical vulnerability #516

deps: Update deps to fix kyverno critical vulnerability

deps: Update deps to fix kyverno critical vulnerability #516

Workflow file for this run

# SPDX-License-Identifier: Apache-2.0
# Copyright 2023 Authors of Nimbus
name: PR checks
on:
pull_request:
types: [ opened, reopened, synchronize, ready_for_review ]
paths-ignore:
- '**.md'
- '**.sh'
- 'docs/**'
- 'LICENSE'
permissions: read-all
jobs:
files-changed:
name: Detect what files changed
runs-on: ubuntu-latest
timeout-minutes: 5
outputs:
nimbus: ${{ steps.filter.outputs.nimbus}}
adapters: ${{ steps.filter.outputs.adapters }}
tests: ${{ steps.filter.outputs.tests }}
steps:
- uses: actions/checkout@v4
- uses: dorny/paths-filter@v3.0.2
id: filter
with:
filters: |
nimbus:
- 'api/**'
- 'cmd/**'
- 'internal/**'
- 'pkg/processor/**'
- 'Dockerfile'
- 'Makefile'
- 'go.mod'
adapters:
- 'pkg/adapter/**'
tests:
- 'tests/**'
license:
name: License
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
- name: Check License Header
uses: apache/skywalking-eyes@3ea9df11bb3a5a85665377d1fd10c02edecf2c40
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
static-checks:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }}
name: Static checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup go
uses: actions/setup-go@v5
with:
go-version: '1.22'
- name: go fmt
run: make fmt
- name: Lint
id: lint
uses: golangci/golangci-lint-action@v6
with:
version: v1.54
args: --deadline=30m --out-format=line-number
skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
go-sec:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' }}
runs-on: ubuntu-latest
permissions:
security-events: write
env:
GO111MODULE: on
steps:
- name: Checkout Source
uses: actions/checkout@v4
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
# we let the report trigger content trigger a failure using the GitHub Security features.
args: '-no-fail -fmt sarif -out results.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
build-nimbus-image:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' }}
name: Build Nimbus Operator image
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Build image
run: make docker-build
- name: Scan image
uses: anchore/scan-action@v4
with:
image: '5gsec/nimbus:latest'
severity-cutoff: critical
output-format: sarif
build-adapters-image:
needs: files-changed
if: ${{ needs.files-changed.outputs.adapters == 'true' }}
strategy:
matrix:
adapters: [ "nimbus-kubearmor", "nimbus-netpol", "nimbus-kyverno", "nimbus-k8tls" ]
name: Build ${{ matrix.adapters }} adapter's image
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Build image
working-directory: ./pkg/adapter/${{ matrix.adapters }}
run: make docker-build
- name: Scan image
uses: anchore/scan-action@v4
with:
image: '5gsec/${{ matrix.adapters }}:latest'
severity-cutoff: critical
output-format: sarif
integration-tests:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.tests == 'true' }}
name: Integration-Test
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1
with:
cluster_name: testing
- name: Build image and load in the kind cluster
run: |
make docker-build
kind load docker-image 5gsec/nimbus:latest --name=testing
- name: Install Nimbus
working-directory: ./deployments/nimbus
run: |
helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
--set image.pullPolicy=Never \
--set autoDeploy.kubearmor=false \
--set autoDeploy.kyverno=false \
--set autoDeploy.netpol=false
- name: Wait for Nimbus to start
run: |
kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
kubectl get pods -n nimbus
- name: Run Tests
run: make integration-test
e2e-tests:
needs: files-changed
if: ${{ needs.files-changed.outputs.nimbus == 'true' || needs.files-changed.outputs.adapters == 'true' || needs.files-changed.outputs.tests == 'true'}}
name: E2E-Test
runs-on: ubuntu-latest
steps:
- name: Checkout source code
uses: actions/checkout@v4
- name: Install helm
id: helm
uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create k8s Kind Cluster
uses: helm/kind-action@v1
with:
cluster_name: testing
- name: Build nimbus image and load in the kind cluster
run: |
make docker-build
kind load docker-image 5gsec/nimbus:latest --name=testing
- name: Build nimbus-netpol image and load in the kind cluster
working-directory: ./pkg/adapter/nimbus-netpol
run: |
make docker-build
kind load docker-image 5gsec/nimbus-netpol:latest --name=testing
- name: Build nimbus-kubearmor image and load in the kind cluster
working-directory: ./pkg/adapter/nimbus-kubearmor
run: |
make docker-build
kind load docker-image 5gsec/nimbus-kubearmor:latest --name=testing
- name: Build nimbus-kyverno image and load in the kind cluster
working-directory: ./pkg/adapter/nimbus-kyverno
run: |
make docker-build
kind load docker-image 5gsec/nimbus-kyverno:latest --name=testing
- name: Install Nimbus
working-directory: ./deployments/nimbus
run: |
helm upgrade --dependency-update --install nimbus-operator . -n nimbus --create-namespace \
--set image.pullPolicy=Never \
--set autoDeploy.kubearmor=false \
--set autoDeploy.kyverno=false \
--set autoDeploy.netpol=false
- name: Wait for Nimbus to start
run: |
kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus
kubectl get pods -n nimbus
- name: Install nimbus-netpol
working-directory: deployments/nimbus-netpol/
run: |
helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never
- name: Wait for nimbus-netpol to start
run: |
kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-netpol
kubectl get pods -n nimbus
- name: Install nimbus-kubearmor
working-directory: deployments/nimbus-kubearmor/
run: |
helm upgrade --dependency-update --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never
- name: Wait for nimbus-kubearmor to start
run: |
kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-kubearmor
kubectl get pods -n nimbus
- name: Install nimbus-kyverno
working-directory: deployments/nimbus-kyverno/
run: |
helm upgrade --dependency-update --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never
- name: Wait for nimbus-kyverno to start
run: |
kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-kyverno
kubectl get pods -n nimbus
- name: Run Tests
run: make e2e-test