kubewarden-controller
Fix Kubewarden policies version dates
The Kubewarden policies published on Artifact Hub have wrong dates for their versions. For example, allow-privilege-escalation-psp and environment-variable-policy show 19 Jul, 2022 as the last release date, but this is wrong information.
As @viccuad pointed out, this info seems to come from the artifacthub-pkg.yml file. We should fix this in all our policies. Furthermore, I believe we should have CI to automatically update this field for us on every release.
This field is coming from the policy template; it should be set only once, when the policy has been created for the first time. Hence, I don't think we need to do any automation around that.
Instead, I propose the following actions:
- rust template: update our cargo-generator to compute the value of the createdAt field at execution time
- go, opa, gatekeeper templates: add a TODO comment over there, stating the user must change that. Unfortunately there's nothing else we can do over there
> This field is coming from the policy template; it should be set only once, when the policy has been created for the first time. Hence, I don't think we need to do any automation around that.

I don't think so. If you look at the RSS file, the date is used as the version publication date. If this date should be the policy creation date, we have a bug in Artifact Hub.
@tegioz can you help us figure this out? Should we update the createdAt field for each new release?
Considering these docs, I think @flavio is right.
Hi @jvanz
Yes, the createdAt field should be updated for each release.
Ok! Thanks for the quick feedback!
I am working on this.
@geeksambhu thanks for your help! How do you plan to fix that, are you going to fix all the entries manually or provide some automation?
@geeksambhu I'm sorry, made a mistake in judgement and communication, and this card is closer to completion than I thought.
Thing is, admittedly, this is a somewhat simple card to tackle, but needs quite the background knowledge on Kubewarden, our repos, and artifacthub. So I totally understand if you would prefer to change to a different task.
Let me lay out what is needed for this card to progress:
In the beginning, this card was about going through the list of policies that we own in https://github.com/topics/kubewarden-policy, and editing artifacthub-pkg.yml, preferably with a new CI job, so they are up to date.
This turned out to be a bit more extensive than thought, and it spawned https://github.com/kubewarden/kubewarden-controller/issues/389. We have progressed on that card, which means we have added the needed features to kwctl (our own cli utility, released as 1.6.0-rc2 and soon to be released as 1.6.0), and bumped our github.com/kubewarden/github-actions to a v2 that uses those kwctl features.
This means that what is left to be done is to iterate through the ~29 policies that we have and that are under the kubewarden org (not community ones):
- Make sure that they have a new make artifacthub-pkg.yml target in their Makefile so that our github-actions@v2 can call it.
- Bump their usage of our github-actions to github-actions@v2.
- Update metadata.yml according to the errors shown in make artifacthub-pkg.yml, until a good artifacthub-pkg.yml is created.
- Commit the changes to metadata.yml and artifacthub-pkg.yml.
- Bump the policy version and release it.
An example of a PR for a policy is: https://github.com/kubewarden/allowed-fsgroups-psp-policy/pull/25.
@geeksambhu , if you select this card, you can tackle just one or several policies, and we can think about different tasks afterwards to not fall into monotony.
Current progress so far:
Rust policies:
- [x] allowed-fsgroups-psp-policy https://github.com/kubewarden/allowed-fsgroups-psp-policy/pull/25 https://github.com/kubewarden/allowed-fsgroups-psp-policy/pull/27
- [x] allowed-proc-mount-types-psp-policy https://github.com/kubewarden/allowed-proc-mount-types-psp-policy/pull/24 https://github.com/kubewarden/allowed-proc-mount-types-psp-policy/pull/27
- [x] allow-privilege-escalation-psp-policy
- [x] apparmor-psp-policy https://github.com/kubewarden/apparmor-psp-policy/pull/25
- [x] capabilities-psp-policy https://github.com/kubewarden/capabilities-psp-policy/pull/34
- [x] deprecated-api-versions-policy https://github.com/kubewarden/deprecated-api-versions-policy/pull/23
- disallow-default-namespace-policy (community policy, done as part of https://github.com/kubewarden/kubewarden-controller/issues/418)
- [x] echo https://github.com/kubewarden/echo/pull/14
- [x] environment-variable-policy https://github.com/kubewarden/environment-variable-policy/pull/16
- [x] env-variable-secrets-scanner-policy https://github.com/kubewarden/env-variable-secrets-scanner-policy/pull/16
- [x] flexvolume-drivers-psp-policy https://github.com/kubewarden/flexvolume-drivers-psp-policy/pull/27
- [x] host-namespaces-psp-policy https://github.com/kubewarden/host-namespaces-psp-policy/pull/21
- probes-policy (community policy, done as part of https://github.com/kubewarden/kubewarden-controller/issues/418)
- [x] pod-privileged-policy https://github.com/kubewarden/pod-privileged-policy/pull/48
- [x] readonly-root-filesystem-psp-policy https://github.com/kubewarden/readonly-root-filesystem-psp-policy/pull/27
- [x] seccomp-psp-policy https://github.com/kubewarden/seccomp-psp-policy/pull/32
- [x] selinux-psp-policy https://github.com/kubewarden/selinux-psp-policy/pull/43
- [x] sleeping-policy https://github.com/kubewarden/sleeping-policy/pull/4
- [x] trusted-repos-policy https://github.com/kubewarden/trusted-repos-policy/pull/40
- [x] user-group-psp-policy https://github.com/kubewarden/user-group-psp-policy/pull/50
- [x] verify-image-signatures https://github.com/kubewarden/verify-image-signatures/pull/64 https://github.com/kubewarden/verify-image-signatures/pull/66
- [x] volumeMounts-policy https://github.com/kubewarden/volumeMounts-policy/pull/18
Go policies:
- [x] hostpaths-psp-policy https://github.com/kubewarden/hostpaths-psp-policy/pull/14
- [x] ingress-policy https://github.com/kubewarden/ingress-policy/pull/26 https://github.com/kubewarden/ingress-policy/pull/28
- [x] safe-annotations-policy https://github.com/kubewarden/safe-annotations-policy/pull/21
- [x] safe-labels-policy https://github.com/kubewarden/safe-labels-policy/pull/19
- [x] sysctl-psp-policy https://github.com/kubewarden/sysctl-psp-policy/pull/17
- [x] volumes-psp-policy https://github.com/kubewarden/volumes-psp-policy/pull/15
Rego policies:
- [x] disallow-service-loadbalancer-policy https://github.com/kubewarden/disallow-service-loadbalancer-policy/pull/5
- [x] disallow-service-nodeport-policy https://github.com/kubewarden/disallow-service-nodeport-policy/pull/5
Swift:
- [ ] pod-runtime-class-policy - We can ignore this, we have to rewrite the policy with Go/Rust https://github.com/kubewarden/pod-runtime-class-policy/pull/17 https://github.com/kubewarden/pod-runtime-class-policy/issues/18
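As an added example, not part of this thread and not Kubewarden's own tooling (kwctl scaffold artifacthub generates the file in the project's workflow; nothing here reproduces it): a small Python guard for the point settled earlier in the thread, namely that createdAt is the publication date of the listed version and therefore has to move forward with every release, and for the "bump the policy version and release it" step above. It reads only the flat top-level version and createdAt scalars plus the image tags from two artifacthub-pkg.yml files (the previously released one and the candidate), so it needs no YAML library. The sample file contents, the policy name and the containersImages layout are constructed assumptions for the example.

```python
"""CI guard: a release must advance both `version` and `createdAt`.

Artifact Hub shows `createdAt` as the publication date of the listed
`version`, so bumping the version while leaving the old timestamp behind is
exactly the bug from this issue. Only flat top-level scalars are parsed, so
no YAML library is needed. (Added example; not Kubewarden project code.)
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample files, trimmed to the keys this check looks at. Real
# artifacthub-pkg.yml files carry many more keys, which are ignored here.
PREVIOUS = """\
version: 0.1.9
name: environment-variable-policy
createdAt: '2022-07-19T10:11:12+00:00'
containersImages:
- name: policy
  image: ghcr.io/kubewarden/policies/environment-variable-policy:v0.1.9
"""

CANDIDATE_OK = """\
version: 0.1.10
name: environment-variable-policy
createdAt: '2023-01-27T09:30:00Z'
containersImages:
- name: policy
  image: ghcr.io/kubewarden/policies/environment-variable-policy:v0.1.10
"""

# The failure mode from the issue: version bumped, createdAt left untouched.
CANDIDATE_STALE_DATE = CANDIDATE_OK.replace(
    "2023-01-27T09:30:00Z", "2022-07-19T10:11:12+00:00")

# Matches a top-level `key: value` line; the value may be quoted.
_SCALAR_RE = r"^{key}:[ \t]*['\"]?([^'\"\n]+?)['\"]?[ \t]*$"


def read_scalar(text: str, key: str) -> str:
    """Return the value of a flat top-level key, or raise if it is absent."""
    m = re.search(_SCALAR_RE.format(key=re.escape(key)), text, re.MULTILINE)
    if m is None:
        raise ValueError(f"missing top-level key {key!r}")
    return m.group(1)


def parse_semver(value: str) -> tuple:
    """MAJOR.MINOR.PATCH -> int tuple, so 0.1.10 sorts after 0.1.9."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", value.strip())
    if m is None:
        raise ValueError(f"version is not MAJOR.MINOR.PATCH: {value!r}")
    return tuple(int(p) for p in m.groups())


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into an aware UTC datetime ('Z' accepted)."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"createdAt must carry a timezone offset: {value!r}")
    return dt.astimezone(timezone.utc)


def image_tags(text: str) -> list:
    """Tags of every `image:` entry (assumed containersImages layout)."""
    return [m.group(1) for m in
            re.finditer(r"^\s*image:\s*\S+:(\S+)\s*$", text, re.MULTILINE)]


def check_release(previous: str, candidate: str) -> list:
    """Return a list of problems; an empty list means the candidate passes."""
    problems = []
    old_version = parse_semver(read_scalar(previous, "version"))
    new_version = parse_semver(read_scalar(candidate, "version"))
    old_created = parse_rfc3339(read_scalar(previous, "createdAt"))
    new_created = parse_rfc3339(read_scalar(candidate, "createdAt"))
    new_label = ".".join(map(str, new_version))
    if new_version <= old_version:
        problems.append(f"version {new_label} does not advance past "
                        f"{'.'.join(map(str, old_version))}")
    if new_created <= old_created:
        problems.append(f"createdAt {new_created.isoformat()} is not later "
                        f"than the previous release ({old_created.isoformat()})")
    for tag in image_tags(candidate):
        if tag != "v" + new_label:
            problems.append(f"image tag {tag} does not match version v{new_label}")
    return problems


if __name__ == "__main__":
    # Usage: check_release.py <previous artifacthub-pkg.yml> <candidate>
    if len(sys.argv) == 3:
        prev_text, cand_text = (open(p, encoding="utf-8").read() for p in sys.argv[1:])
    else:  # fall back to the constructed samples
        prev_text, cand_text = PREVIOUS, CANDIDATE_STALE_DATE
    found = check_release(prev_text, cand_text)
    for problem in found:
        print("ERROR:", problem)
    sys.exit(1 if found else 0)
```

In a release workflow the previous file would come from the last tag (for example `git show v0.1.9:artifacthub-pkg.yml > /tmp/prev.yml`) and the candidate from the working tree; a non-zero exit fails the job before the stale date reaches Artifact Hub. Comparing timestamps rather than checking for "today" keeps the guard honest when a release is cut from an older commit.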
Just note, if you are working on a PR locally (doing a make annotated-policy.wasm, which triggers a make artifacthub-pkg.yml), you need kwctl version 1.6.0-rc2, which has the kwctl scaffold artifacthub functionality. This same version is used in the github-actions, see here.
@geeksambhu, I will reserve you the first 5 of the list, to see how we are progressing with it: allowed-proc-mount-types-psp-policy, allow-privilege-escalation-psp-policy, apparmor-psp-policy, capabilities-psp-policy, deprecated-api-versions-policy.
If you grab one, please write here so we can coordinate.
Hi @viccuad, I picked up allowed-proc-mount-types-psp-policy in this PR. I am expecting your feedback. I am working on allow-privilege-escalation-psp-policy next.
Everything is done, except for the pod-runtime policy. This policy is written using Swift, but we want to rewrite it using Rust/Go, as tracked by https://github.com/kubewarden/pod-runtime-class-policy/issues/15. We are going to handle the artifact scaffold as part of the policy rewrite.