-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove service account token from ci-kubernetes-snyk-master Prow job #34043
base: master
Are you sure you want to change the base?
Changes from all commits
6bcaab0
1e303eb
3f4e170
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -15,12 +15,9 @@ periodics: | |
base_ref: master | ||
path_alias: k8s.io/kubernetes | ||
spec: | ||
automountServiceAccountToken: false | ||
containers: | ||
- image: golang | ||
envFrom: | ||
- secretRef: | ||
# secret key should be defined as SNYK_TOKEN | ||
name: snyk-token | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If we don't need the secret we can also move this out to something like config/jobs/kubernetes/sig-security/snyk.yml and pick a cluster other than There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Moving the configuration to config/jobs/kubernetes/sig-security/snyk.yml and using the eks-prow-build-cluster instead of k8s-infra-prow-build-trusted sounds good. Let's address this in a follow-up PR. |
||
command: | ||
- /bin/bash | ||
args: | ||
|
@@ -63,10 +60,10 @@ periodics: | |
done | ||
fi | ||
echo "Build time dependency scan completed" | ||
|
||
# container images scan | ||
echo "Fetch the list of k8s images" | ||
curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/-v1/:v1/' > images | ||
curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep "SPDXID: SPDXRef-Package-registry.k8s.io" | grep -v sha256 | cut -d- -f3- | sed 's/-/\//' | sed 's/$/\:latest/' | sort -u > images | ||
while read image; do | ||
echo "Running container image scan.." | ||
EXIT_CODE=0 | ||
|
@@ -89,32 +86,4 @@ periodics: | |
testgrid-alert-email: [email protected] | ||
testgrid-num-failures-to-alert: '1' | ||
testgrid-dashboards: sig-security-snyk-scan | ||
description: Run snyk scan on k/k master periodically | ||
- name: auto-refreshing-official-cve-feed | ||
interval: 2h | ||
cluster: k8s-infra-prow-build-trusted | ||
decorate: true | ||
extra_refs: | ||
- org: kubernetes | ||
repo: sig-security | ||
base_ref: main | ||
workdir: true | ||
labels: | ||
preset-service-account: "true" | ||
spec: | ||
serviceAccountName: k8s-cve-feed | ||
containers: | ||
- image: gcr.io/k8s-staging-test-infra/gcloud-in-go:v20230111-cd1b3caf9c | ||
command: | ||
- sh | ||
- "-c" | ||
- "cd sig-security-tooling/cve-feed/hack/ && ./fetch-cve-feed.sh" | ||
env: | ||
- name: CVE_GCS_PATH | ||
value: "gs://k8s-cve-feed" | ||
annotations: | ||
testgrid-create-test-group: "true" | ||
testgrid-alert-email: [email protected] | ||
testgrid-num-failures-to-alert: '1' | ||
testgrid-dashboards: sig-security-cve-feed | ||
description: Auto refreshing official cve feed KEP 3203 | ||
description: Run snyk scan on k/k master periodically |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is actually already true for prowjobs by default