Accept risk of cicd/ansible/rbac.yaml for AVD-KSV-0113

Author: soerenschneider

.trivyignore.yaml

@@ -50,6 +50,7 @@ misconfigurations:
   - id: "AVD-KSV-0113"
     paths:
       - "apps/monitoring/prometheus-vault-token-syncer/rbac.yaml"
+      - "cicd/ansible/rbac.yaml"
   - id: "AVD-KSV-0114"
     paths:
       - "infra/external-secrets/components/resources/rbac-bindings.yaml"

apps/gollum/crd/gollum.soeren.cloud_repositories.yaml

@@ -0,0 +1,185 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.4
+  name: repositories.gollum.soeren.cloud
+spec:
+  group: gollum.soeren.cloud
+  names:
+    kind: Repository
+    listKind: RepositoryList
+    plural: repositories
+    singular: repository
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.owner
+      name: Owner
+      type: string
+    - jsonPath: .spec.repo
+      name: Repo
+      type: string
+    - jsonPath: .status.conditions[?(@.status)].status
+      name: Ready
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: RepositorySpec defines the desired state of Repository.
+            properties:
+              memorizeReleases:
+                default: true
+                type: boolean
+              owner:
+                type: string
+              pipelineName:
+                type: string
+              pipelineRunName:
+                type: string
+              repo:
+                type: string
+              url:
+                type: string
+              versionFilter:
+                properties:
+                  arg:
+                    type: string
+                  impl:
+                    enum:
+                    - semver
+                    type: string
+                required:
+                - arg
+                - impl
+                type: object
+              workspaces:
+                additionalProperties:
+                  additionalProperties:
+                    type: string
+                  type: object
+                type: object
+            required:
+            - memorizeReleases
+            - owner
+            - pipelineRunName
+            - repo
+            - url
+            - workspaces
+            type: object
+          status:
+            description: RepositoryStatus defines the observed state of Repository.
+            properties:
+              conditions:
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastCheck:
+                format: date-time
+                type: string
+              ready:
+                type: boolean
+              releases:
+                additionalProperties:
+                  properties:
+                    hasAssets:
+                      type: boolean
+                    pipelineRuns:
+                      properties:
+                        name:
+                          type: string
+                        timestamp:
+                          format: date-time
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    runsCreated:
+                      type: integer
+                  required:
+                  - hasAssets
+                  - runsCreated
+                  type: object
+                type: object
+            required:
+            - lastCheck
+            - ready
+            - releases
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

apps/gollum/crd/kustomization.yaml

@@ -0,0 +1,3 @@
+---
+resources:
+  - gollum.soeren.cloud_repositories.yaml

apps/gollum/crd/kustomizeconfig.yaml

@@ -0,0 +1,19 @@
+# This file is for teaching kustomize how to substitute name and namespace reference in CRD
+nameReference:
+- kind: Service
+  version: v1
+  fieldSpecs:
+  - kind: CustomResourceDefinition
+    version: v1
+    group: apiextensions.k8s.io
+    path: spec/conversion/webhook/clientConfig/service/name
+
+namespace:
+- kind: CustomResourceDefinition
+  version: v1
+  group: apiextensions.k8s.io
+  path: spec/conversion/webhook/clientConfig/service/namespace
+  create: false
+
+varReference:
+- path: metadata/annotations

apps/gollum/deployment.yaml

@@ -0,0 +1,76 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gollum
+  labels:
+    app.kubernetes.io/name: gollum
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gollum
+  template:
+    metadata:
+      labels:
+        app: gollum
+        app.kubernetes.io/name: gollum
+        app.kubernetes.io/instance: gollum-prod
+        app.kubernetes.io/component: gollum
+        app.kubernetes.io/part-of: gollum
+    spec:
+      securityContext:
+        runAsUser: 34322
+        runAsGroup: 34322
+        fsGroup: 34322
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: gollum
+          image: cr.svc.dd.soeren.cloud/gollum
+          imagePullPolicy: Always
+          command:
+            - /manager
+          args:
+            - --leader-elect
+            - --health-probe-bind-address=:8081
+          env:
+            - name: GH_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gollum-gh-token
+                  key: GH_TOKEN
+                  optional: true
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 34322
+            runAsGroup: 34322
+            privileged: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+            capabilities:
+              drop:
+                - ALL
+          resources:
+            limits:
+              memory: "512Mi"
+            requests:
+              cpu: "10m"
+              memory: "256Mi"
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+      serviceAccountName: controller-manager
+      terminationGracePeriodSeconds: 10

apps/gollum/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gollum-system
+resources:
+  - namespace.yaml
+  - deployment.yaml
+  - crd
+  - rbac

apps/gollum/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gollum-system

apps/gollum/rbac/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+resources:
+  - service_account.yaml
+  - role.yaml
+  - role_binding.yaml
+  - leader_election_role.yaml
+  - leader_election_role_binding.yaml
+  - metrics_auth_role.yaml
+  - metrics_auth_role_binding.yaml
+  - metrics_reader_role.yaml
+

apps/gollum/rbac/leader_election_role.yaml

@@ -0,0 +1,40 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: gollum
+    app.kubernetes.io/managed-by: kustomize
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

apps/gollum/rbac/leader_election_role_binding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: gollum
+    app.kubernetes.io/managed-by: kustomize
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: gollum-system