From 6bcaab07300b47fa713a3bb5cf35cecddfb2683f Mon Sep 17 00:00:00 2001 From: Pratik Mahalle Date: Fri, 27 Dec 2024 07:19:19 +0530 Subject: [PATCH 1/2] Remove service account token from ci-kubernetes-snyk-master Prow job --- .../sig-k8s-infra/trusted/sig-security-trusted.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml b/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml index 11668b7ee6f0..6315527e1feb 100644 --- a/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml +++ b/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml @@ -17,10 +17,6 @@ periodics: spec: containers: - image: golang - envFrom: - - secretRef: - # secret key should be defined as SNYK_TOKEN - name: snyk-token command: - /bin/bash args: From 3f4e170a326c2afc52917b0412fee9bd21b65aca Mon Sep 17 00:00:00 2001 From: Pratik Mahalle <124587957+pratik-mahalle@users.noreply.github.com> Date: Sun, 5 Jan 2025 01:28:00 +0000 Subject: [PATCH 2/2] SRemove service account token from ci-kubernetes-snyk-master Prow job --- .../trusted/sig-security-trusted.yaml | 35 +++---------------- 1 file changed, 4 insertions(+), 31 deletions(-) diff --git a/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml b/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml index 6315527e1feb..fcc4bde24b7b 100644 --- a/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml +++ b/config/jobs/kubernetes/sig-k8s-infra/trusted/sig-security-trusted.yaml @@ -15,6 +15,7 @@ periodics: base_ref: master path_alias: k8s.io/kubernetes spec: + automountServiceAccountToken: false containers: - image: golang command: 
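Review bot: `automountServiceAccountToken: false` on the pod spec is the right hardening, but after PATCH 1/2 dropped the `envFrom` / `secretRef: snyk-token` block nothing on the new side of this hunk supplies `SNYK_TOKEN` to the `golang` container, and the commit title's "service account token" is the Kubernetes SA token, not that Snyk API token. Unless the scan script authenticates some other way (its body lies outside this hunk), the `snyk` invocations will presumably run unauthenticated and fail, and with `testgrid-num-failures-to-alert: '1'` that pages security-tooling-private@ on the first run. I would keep the secret-backed env next to the new setting, `envFrom:` / `- secretRef:` / `    name: snyk-token` under `- image: golang`, and state in the commit message which token is removed and why. Note that the job still lives in the `trusted/` config, so this narrows what a compromised scan step can reach in-cluster but does not change which cluster it runs on.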
@@ -59,10 +60,10 @@ periodics: done fi echo "Build time dependency scan completed" - + # container images scan echo "Fetch the list of k8s images" - curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images + curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/$/\:latest/' | sort -u > images while read image; do echo "Running container image scan.." EXIT_CODE=0 @@ -85,32 +86,4 @@ periodics: testgrid-alert-email: security-tooling-private@kubernetes.io testgrid-num-failures-to-alert: '1' testgrid-dashboards: sig-security-snyk-scan - description: Run snyk scan on k/k master periodically -- name: auto-refreshing-official-cve-feed - interval: 2h - cluster: k8s-infra-prow-build-trusted - decorate: true - extra_refs: - - org: kubernetes - repo: sig-security - base_ref: main - workdir: true - labels: - preset-service-account: "true" - spec: - serviceAccountName: k8s-cve-feed - containers: - - image: gcr.io/k8s-staging-test-infra/gcloud-in-go:v20230111-cd1b3caf9c - command: - - sh - - "-c" - - "cd sig-security-tooling/cve-feed/hack/ && ./fetch-cve-feed.sh" - env: - - name: CVE_GCS_PATH - value: "gs://k8s-cve-feed" - annotations: - testgrid-create-test-group: "true" - testgrid-alert-email: security-tooling-private@kubernetes.io - testgrid-num-failures-to-alert: '1' - testgrid-dashboards: sig-security-cve-feed - description: Auto refreshing official cve feed KEP 3203 + description: Run snyk scan on k/k master periodically \ No newline at end of file
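Review bot: The rewritten `curl` pipeline swaps the release-pinned tag for a floating one: the dropped `sed 's/-v1/:v1/'` is what turned each SPDX package name into `<repo>:v1.x.y`, and the new `sed 's/$/\:latest/'` appends `:latest` to whatever is left, so if the SBOM IDs still carry a `-v1.x.y` suffix the list holds names like `registry.k8s.io/<image>-v1.x.y:latest` that do not exist, and even where `:latest` resolves the scan no longer covers the images the release SBOM describes. I would keep the pinned tag and only add the dedup: `... | sed 's/-/\//' | sed 's/-v1/:v1/' | sort -u > images`. Separately, both `curl -Ls` calls lack `--fail`, so an HTTP error body is silently spliced into the URL and fed to `grep`; `curl -fsSL` turns that into a hard failure (the enclosing shell script, and any `set -o pipefail`, start outside this hunk).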
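Review bot: The removal of the whole `auto-refreshing-official-cve-feed` periodic (KEP 3203, running as `serviceAccountName: k8s-cve-feed` and writing `gs://k8s-cve-feed`) in this hunk is neither mentioned in the commit message nor related to its stated scope of the `ci-kubernetes-snyk-master` job; if it is an accident of a stale branch it should be restored, and if intentional it belongs in its own commit with a note that the official CVE feed stops refreshing. The new last line also drops the file's trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` will flag; re-add it after `description: Run snyk scan on k/k master periodically`.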