Merge branch 'develop' into main

clemlesne · Apr 20, 2023 · 905e8dc · 905e8dc
2 parents 470fa19 + a13d229
commit 905e8dc
Show file tree

Hide file tree

Showing 7 changed files with 73 additions and 9 deletions.
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -83,6 +83,28 @@ jobs:
           name: helm-chart
           path: .cr-release-packages
 
+      - name: Render Helm chart locally
+        run: |
+          helm template \
+            --output-dir .helm-template \
+            --values test/helm/azure-pipelines-agent/values.yaml \
+            .cr-release-packages/azure-pipelines-agent-${{ steps.version.outputs.version }}.tgz
+
+      - name: Run SAST Snyk for Helm
+        uses: snyk/actions/iac@master
+        # Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub CodeQL.
+        continue-on-error: true
+        with:
+          args: --severity-threshold=medium --sarif
+          file: .helm-template
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload results to GitHub CodeQL
+        uses: github/codeql-action/[email protected]
+        with:
+          sarif_file: snyk.sarif
+
   deploy-helm:
     name: Deploy Helm chart
     needs:
@@ -225,12 +247,14 @@ jobs:
           sbom: true
           tags: ${{ steps.meta.outputs.tags }}
 
-      - name: Run SAST Snyk
+      - name: Run SAST Snyk for container image
         uses: snyk/actions/[email protected]
+        # Snyk can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub CodeQL.
+        continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          args: --file=src/docker/Dockerfile-${{ matrix.os }} --severity-threshold=high --fail-on=upgradable --sarif
+          args: --file=src/docker/Dockerfile-${{ matrix.os }} --severity-threshold=medium --fail-on=upgradable --sarif
           image: ${{ steps.tag.outputs.tag }}
 
       - name: Upload results to GitHub CodeQL

diff --git a/.snyk b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-CC-K8S-10:
+    - '*':
+        reason: Container is explicitely designed to be run as root.
+        expires: 2023-05-19T14:18:40.021Z
+        created: 2023-04-19T14:18:40.024Z
+patch: {}
diff --git a/README.md b/README.md
@@ -6,9 +6,10 @@
 [Azure Pipelines Agent](https://github.com/clemlesne/azure-pipelines-agent) is self-hosted agent in Kubernetes, cheap to run, secure, auto-scaled and easy to deploy.
 
 <!-- github.com badges -->
-[![GitHub Release Date](https://img.shields.io/github/release-date/clemlesne/azure-pipelines-agent)](https://github.com/clemlesne/azure-pipelines-agent/releases)
-[![GitHub Workflow Status (with branch)](https://img.shields.io/github/actions/workflow/status/clemlesne/azure-pipelines-agent/pipeline.yaml?branch=main)](https://github.com/clemlesne/azure-pipelines-agent/actions/workflows/pipeline.yaml)
-[![GitHub all releases](https://img.shields.io/github/downloads/clemlesne/azure-pipelines-agent/total)](https://github.com/clemlesne/azure-pipelines-agent/pkgs/container/azure-pipelines-agent)
+[![Project licence](https://img.shields.io/github/license/clemlesne/azure-pipelines-agent)](https://github.com/clemlesne/azure-pipelines-agent/blob/main/LICENCE)
+[![Last release date](https://img.shields.io/github/release-date/clemlesne/azure-pipelines-agent)](https://github.com/clemlesne/azure-pipelines-agent/releases)
+[![Workflow status](https://img.shields.io/github/actions/workflow/status/clemlesne/azure-pipelines-agent/pipeline.yaml?branch=main)](https://github.com/clemlesne/azure-pipelines-agent/actions/workflows/pipeline.yaml)
+[![All releases download counter](https://img.shields.io/github/downloads/clemlesne/azure-pipelines-agent/total)](https://github.com/clemlesne/azure-pipelines-agent/pkgs/container/azure-pipelines-agent)
 
 <!-- artifacthub.io badges -->
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/azure-pipelines-agent)](https://artifacthub.io/packages/search?repo=azure-pipelines-agent)
@@ -201,6 +202,11 @@ We choose BuildKit for this project. [Its licence](https://raw.githubusercontent
 
 There are two components, the backend, `buildkitd`, and the CLI, `buildctl`.
 
+Requirements:
+
+- Setup special security requirements, you can find them [in the example file `container-build.yaml`](example/helm/container-build.yaml).
+- In the pipeline, run `buildkitd` before using `buildctl`.
+
 ```yaml
 # azure-pipelines.yaml
 variables:

diff --git a/example/helm/container-build.yaml b/example/helm/container-build.yaml
@@ -12,6 +12,12 @@ extraVolumes:
 securityContext:
   seccompProfile:
     type: Unconfined
+  # Has to be true for allowing RootlessKit initializing the user namespace with "newuidmap" setuid binary
+  allowPrivilegeEscalation: true
+  capabilities:
+    # Requires more capabilities for allowing RootlessKit initializing the user namespace with "newuidmap" setuid binary.
+    # TODO: Capabilities could be narrowed by keeping drop=[ALL] and whitelist the required capabilities with add=[...].
+    drop: []
 
 resources:
   limits:

diff --git a/src/docker/jammy-misc/README.md b/src/docker/jammy-misc/README.md
@@ -0,0 +1,4 @@
+Download links:
+
+- [AMD64](http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/?C=M;O=D)
+- [ARM64](http://ports.ubuntu.com/pool/main/o/openssl/?C=M;O=D)
diff --git a/src/helm/azure-pipelines-agent/templates/_helpers.tpl b/src/helm/azure-pipelines-agent/templates/_helpers.tpl
@@ -61,6 +61,19 @@ Create the name of the service account to use.
 {{- end }}
 {{- end }}
 
+{{/*
+Default SecurytyContext object to apply to containers.
+
+Can be overriden by setting ".Values.securityContext".
+*/}}
+{{- define "this.defaultSecurityContext" -}}
+allowPrivilegeEscalation: false
+runAsNonRoot: false
+runAsUser: 0
+capabilities:
+  drop: ["ALL"]
+{{- end }}
+
 {{/*
 Common definition for Pod object.
 
@@ -91,10 +104,7 @@ restartPolicy: {{ .Args.restartPolicy }}
 containers:
   - name: azp-agent
     securityContext:
-      runAsUser: 0
-      {{- with .Values.securityContext }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}
+      {{- toYaml (mustMergeOverwrite (include "this.defaultSecurityContext" . | fromYaml) .Values.securityContext) | nindent 6 }}
     image: "{{ .Values.image.repository | required "A value for .Values.image.repository is required" }}:{{ .Values.image.flavor | required "A value for .Values.image.flavor is required" }}-{{ default .Chart.Version .Values.image.version }}"
     imagePullPolicy: {{ .Values.image.pullPolicy }}
     lifecycle:

diff --git a/test/helm/azure-pipelines-agent/values.yaml b/test/helm/azure-pipelines-agent/values.yaml
@@ -0,0 +1,4 @@
+pipelines:
+  pat: your-pat
+  pool: your-pool
+  url: https://dev.azure.com/your-org