Calling script instead of using hardcoded value #33817
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Dylan-G-Roberts The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Welcome @Dylan-G-Roberts! |
k8s-ci-robot
added
needs-ok-to-test
|
Hi @Dylan-G-Roberts. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
sig/k8s-infra
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| spec: | ||
| serviceAccountName: k8s-snyk-scan |
There was a problem hiding this comment.
Do we need to have a service account token at all?
If not, maybe let's set automountServiceAccountToken: false instead?
There was a problem hiding this comment.
@dims you've got much more prow job experience than I do, WDYT?
There was a problem hiding this comment.
we do have some jobs with that, so let's give that a shot :)
There was a problem hiding this comment.
I have opened #33970 as a reminder to remove this service account token once we know the job is running properly from its external script call
|
kubernetes/sig-security#128 has merged Let's merge this one and make sure it's still working! /unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
| spec: | ||
| serviceAccountName: k8s-snyk-scan | ||
| containers: | ||
| - image: golang | ||
| envFrom: | ||
| - secretRef: | ||
| # secret key should be defined as SNYK_TOKEN | ||
| name: snyk-token |
There was a problem hiding this comment.
... we should really mount this as a file and pass it into snyk that way instead of an env
Do we really need this to run in the trusted cluster anyhow though? It doesn't seem like this account is all that sensitive, but the other things in that cluster are and I'd rather have less arbitrary code running there.
(Alternatively, we could run this in a cloudbuild like the image pushing jobs and sandbox it that way)
| repo: kubernetes | ||
| base_ref: master | ||
| path_alias: k8s.io/kubernetes | ||
| repo: sig-security |
There was a problem hiding this comment.
/hold
I trust you all in the abstract, but it's really problematic to have to keep an eye on more sources of arbitrary code in this singular trusted cluster, let's revisit that before making it harder to track down what exactly is running in the trusted cluster. As a general rule we have only allowed:
- launching cloudbuilds with images/builder (which then run in the isolated per-subproject GCP staging project)
- a handful of CI components implemented as jobs
Which are implemented in this repo with a limited approver set.
k8s-ci-robot
added
the
do-not-merge/hold
|
The snyk account just gives us quota with snyk, right? Can we move that out to a less-sensitive cluster and run it there? |
|
cc @kubernetes/sig-k8s-infra-leads |
|
I am 100% in favor of moving this into a less-trusted cluster, it should work fine basically anywhere. How do we do that? |
Second PR fo kubernetes/sig-security#60
This calls the script that was moved to sig-security-tooling/scanning/build-deps-and-release-images.sh
First PR link kubernetes/sig-security#128