Bump golang.org/x/net from 0.28.0 to 0.33.0

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.28.0 to 0.33.0.
- [Commits](golang/net@v0.28.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Revert "Bump golang.org/x/net from 0.28.0 to 0.33.0"

Revert "OSD-24275: Validate machineCIDR is contained in default ingresscontro…"

Fix admin username that can bypass SDN webhook

Update test case to enforce security context settings

Fix test case for security context enforcement

Fix test case for Security context enforcement

Fix test case for Security Context enforcement

Fix: Add namespace to security context enforcement in tests

Author: dependabot[bot]

build/resources.go

@@ -32,9 +32,6 @@ const (
 	roleName           string = "validation-webhook"
 	prometheusRoleName string = "prometheus-k8s"
 	repoName           string = "managed-cluster-validating-webhooks"
-	// Role and Binding for reading cluster-config-v1 config map...
-	clusterConfigRole        string = "config-v1-reader-wh"
-	clusterConfigRoleBinding string = "validation-webhook-cluster-config-v1-reader"
 	// Used to define what phase a resource should be deployed in by package-operator
 	pkoPhaseAnnotation string = "package-operator.run/phase"
 	// Defines the 'rbac' package-operator phase for any resources related to RBAC
@@ -214,60 +211,6 @@ func createClusterRoleBinding() *rbacv1.ClusterRoleBinding {
 	}
 }
 
-func createClusterConfigRole() *rbacv1.Role {
-	return &rbacv1.Role{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Role",
-			APIVersion: rbacv1.SchemeGroupVersion.String(),
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      clusterConfigRole,
-			Namespace: "kube-system",
-		},
-		Rules: []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{
-					"",
-				},
-				Resources: []string{
-					"configmaps",
-				},
-				Verbs: []string{
-					"get",
-				},
-				ResourceNames: []string{
-					"cluster-config-v1",
-				},
-			},
-		},
-	}
-}
-
-func createClusterConfigRoleBinding() *rbacv1.RoleBinding {
-	return &rbacv1.RoleBinding{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "RoleBinding",
-			APIVersion: rbacv1.SchemeGroupVersion.String(),
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      clusterConfigRoleBinding,
-			Namespace: "kube-system",
-		},
-		Subjects: []rbacv1.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      serviceAccountName,
-				Namespace: *namespace,
-			},
-		},
-		RoleRef: rbacv1.RoleRef{
-			Name:     clusterConfigRole,
-			Kind:     "Role",
-			APIGroup: rbacv1.GroupName,
-		},
-	}
-}
-
 func createPrometheusRole() *rbacv1.Role {
 	return &rbacv1.Role{
 		TypeMeta: metav1.TypeMeta{
@@ -884,7 +827,6 @@ func sliceContains(needle string, haystack []string) bool {
 
 func main() {
 	flag.Parse()
-	utils.BuildRun = true
 
 	skip := strings.Split(*excludes, ",")
 	onlyInclude := strings.Split(*only, "")
@@ -909,8 +851,6 @@ func main() {
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createClusterRoleBinding()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createPrometheusRole()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createPromethusRoleBinding()})
-		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createClusterConfigRole()})
-		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createClusterConfigRoleBinding()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createServiceMonitor()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createCACertConfigMap()})
 		templateResources.Add(utils.DefaultLabelSelector(), runtime.RawExtension{Object: createService()})

build/selectorsyncset.yaml

@@ -123,35 +123,6 @@ objects:
       - kind: ServiceAccount
         name: prometheus-k8s
         namespace: openshift-monitoring
-    - apiVersion: rbac.authorization.k8s.io/v1
-      kind: Role
-      metadata:
-        creationTimestamp: null
-        name: config-v1-reader-wh
-        namespace: kube-system
-      rules:
-      - apiGroups:
-        - ""
-        resourceNames:
-        - cluster-config-v1
-        resources:
-        - configmaps
-        verbs:
-        - get
-    - apiVersion: rbac.authorization.k8s.io/v1
-      kind: RoleBinding
-      metadata:
-        creationTimestamp: null
-        name: validation-webhook-cluster-config-v1-reader
-        namespace: kube-system
-      roleRef:
-        apiGroup: rbac.authorization.k8s.io
-        kind: Role
-        name: config-v1-reader-wh
-      subjects:
-      - kind: ServiceAccount
-        name: validation-webhook
-        namespace: openshift-validation-webhook
     - apiVersion: monitoring.coreos.com/v1
       kind: ServiceMonitor
       metadata:

cmd/main.go

@@ -21,15 +21,14 @@ import (
 	"github.com/openshift/managed-cluster-validating-webhooks/pkg/k8sutil"
 	"github.com/openshift/managed-cluster-validating-webhooks/pkg/localmetrics"
 	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks"
-	"github.com/openshift/managed-cluster-validating-webhooks/pkg/webhooks/utils"
 )
 
 var log = logf.Log.WithName("handler")
 
 var (
 	listenAddress = flag.String("listen", "0.0.0.0", "listen address")
 	listenPort    = flag.String("port", "5000", "port to listen on")
-	metricsAddr   string
+	testHooks     = flag.Bool("testhooks", false, "Test webhook URI uniqueness and quit?")
 
 	useTLS  = flag.Bool("tls", false, "Use TLS? Must specify -tlskey, -tlscert, -cacert")
 	tlsKey  = flag.String("tlskey", "", "TLS Key for TLS")
@@ -40,18 +39,15 @@ var (
 	metricsPort = "8080"
 )
 
-func init() {
-	// Allow export webhook var to share flag value...
-	flag.BoolVar(&utils.TestHooks, "testhooks", false, "Test webhook URI uniqueness and quit?")
+func main() {
+	var metricsAddr string
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":"+metricsPort, "The address the metric endpoint binds to.")
 	flag.Parse()
-}
-
-func main() {
 	klog.SetOutput(os.Stdout)
+
 	logf.SetLogger(klogr.New())
 
-	if !utils.TestHooks {
+	if !*testHooks {
 		log.Info("HTTP server running at", "listen", net.JoinHostPort(*listenAddress, *listenPort))
 	}
 	dispatcher := dispatcher.NewDispatcher(webhooks.Webhooks)
@@ -62,12 +58,12 @@ func main() {
 			panic(fmt.Errorf("Duplicate webhook trying to listen on %s", realHook.GetURI()))
 		}
 		seen[name] = true
-		if !utils.TestHooks {
+		if !*testHooks {
 			log.Info("Listening", "webhookName", name, "URI", realHook.GetURI())
 		}
 		http.HandleFunc(realHook.GetURI(), dispatcher.HandleRequest)
 	}
-	if utils.TestHooks {
+	if *testHooks {
 		os.Exit(0)
 	}
 

go.mod

@@ -57,7 +57,6 @@ require (
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/openshift/custom-resource-status v1.1.3-0.20220503160415-f2fdb4999d87 // indirect
 	github.com/openshift/elasticsearch-operator v0.0.0-20220613183908-e1648e67c298 // indirect
-	github.com/openshift/installer v0.16.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.59.1 // indirect

go.sum

@@ -187,8 +187,6 @@ github.com/openshift/elasticsearch-operator v0.0.0-20220613183908-e1648e67c298 h
 github.com/openshift/elasticsearch-operator v0.0.0-20220613183908-e1648e67c298/go.mod h1:6dxhWPY3Wr/0b0eGrFpV7gcyeS+ne48Mo9OQ9dxrLNI=
 github.com/openshift/hive/apis v0.0.0-20230327212335-7fd70848a6d5 h1:adHXZ1WFqCvXpargpTa6divneeUuvV2xr/D6NWgbqS8=
 github.com/openshift/hive/apis v0.0.0-20230327212335-7fd70848a6d5/go.mod h1:VIxA5HhvBmsqVn7aUVQYs004B9K4U5A+HrFwvRq2nK8=
-github.com/openshift/installer v0.16.1 h1:PmjALN9x1NVNVi3SCqfz0ZwVCgOkQLQWo2nHYXREq/A=
-github.com/openshift/installer v0.16.1/go.mod h1:VWGgpJgF8DGCKQjbccnigglhZnHtRLCZ6cxqkXN4Ck0=
 github.com/openshift/operator-custom-metrics v0.5.1 h1:1pk4YMUV+cmqfV0f2fyxY62cl7Gc76kwudJT+EdcfYM=
 github.com/openshift/operator-custom-metrics v0.5.1/go.mod h1:0dYDHi/ubKRWzsC9MmW6bRMdBgo1QSOuAh3GupTe0Sw=
 github.com/openshift/osde2e-common v0.0.0-20231010150014-8a4449a371e6 h1:MPcnO0eeWEyjLBA4mMgJ8pv8u7DjKC7yS+a39R+zhqs=

osde2e/managed_cluster_validating_webhooks_test.go

@@ -27,6 +27,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
 	"sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/e2e-framework/klient/k8s"
@@ -105,6 +106,36 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 		Expect(err).ToNot(HaveOccurred())
 	})
 
+	It("should create a pod with the correct security context", func() {
+		pod := &v1.Pod{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "testpod",
+				Namespace: namespaceName,
+			},
+			Spec: v1.PodSpec{
+				Containers: []v1.Container{
+					{
+						Name:  "test",
+						Image: "quay.io/jitesoft/nginx:mainline",
+						SecurityContext: &v1.SecurityContext{
+							AllowPrivilegeEscalation: pointer.BoolPtr(false),
+							Capabilities: &v1.Capabilities{
+								Drop: []v1.Capability{"ALL"},
+							},
+							RunAsNonRoot: pointer.BoolPtr(true),
+							SeccompProfile: &v1.SeccompProfile{
+								Type: v1.SeccompProfileTypeRuntimeDefault,
+							},
+						},
+					},
+				},
+			},
+		}
+
+		err := client.Create(context.TODO(), pod)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
 	Describe("sre-pod-validation", Ordered, func() {
 		const (
 			privilegedNamespace   = "openshift-backplane"
@@ -120,21 +151,47 @@ var _ = Describe("Managed Cluster Validating Webhooks", Ordered, func() {
 			name := envconf.RandomName("testpod", 12)
 			pod = &v1.Pod{
 				ObjectMeta: metav1.ObjectMeta{
-					Name: name,
+					Name:      name,
+					Namespace: testNsName,
 				},
 				Spec: v1.PodSpec{
 					Containers: []v1.Container{
 						{
-							Name:  "test",
+							Name:  "test-ubi",
 							Image: "registry.access.redhat.com/ubi8/ubi-minimal",
+							SecurityContext: &v1.SecurityContext{
+								AllowPrivilegeEscalation: pointer.BoolPtr(false),
+								Capabilities: &v1.Capabilities{
+									Drop: []v1.Capability{"ALL"},
+								},
+								RunAsNonRoot: pointer.BoolPtr(true),
+								SeccompProfile: &v1.SeccompProfile{
+									Type: v1.SeccompProfileTypeRuntimeDefault,
+								},
+							},
+						},
+						{
+							Name:  "test-nginx",
+							Image: "quay.io/jitesoft/nginx:mainline",
+							SecurityContext: &v1.SecurityContext{
+								AllowPrivilegeEscalation: pointer.BoolPtr(false),
+								Capabilities: &v1.Capabilities{
+									Drop: []v1.Capability{"ALL"},
+								},
+								RunAsNonRoot: pointer.BoolPtr(true),
+								SeccompProfile: &v1.SeccompProfile{
+									Type: v1.SeccompProfileTypeRuntimeDefault,
+								},
+							},
 						},
 					},
 					Tolerations: []v1.Toleration{
 						{
 							Key:    "node-role.kubernetes.io/master",
 							Value:  "toleration-key-value",
 							Effect: v1.TaintEffectNoSchedule,
-						}, {
+						},
+						{
 							Key:    "node-role.kubernetes.io/infra",
 							Value:  "toleration-key-value2",
 							Effect: v1.TaintEffectNoSchedule,