
Cut down feed ingress vulnerabilities #230

Merged
merged 7 commits into from
Feb 8, 2021

Conversation

sebbonnet
Contributor

@sebbonnet sebbonnet commented Feb 3, 2021

To cut down on the attack surface and so reduce the number of vulnerabilities.
The previous debian:stretch-slim was showing a lot of vulnerabilities that have all gone away once switching to alpine (3.13).

Also used trivy to fail the build when either HIGH or CRITICAL
vulnerabilities are found.

To avoid talking to a real aws service.
The endpoint simply returns OK on any request, which feed-ingress interprets to mean no ELB.

* Define endpoint for ec2 metadata

So we can make our fake-elb return a mock response
for the instance metadata

* Remove unused feed args

This test doesn't use any ELB,
so no need for feed to run on hostNetwork
or define ports to receive ELB traffic from
To cut down on the attack surface and so reduce the number of vulnerabilities.
alpine 3.13 shows we have 0 vulnerabilities when run via trivy.

To make it clear which alpine release feed-ingress is based on.

Use trivy to fail the build when either HIGH or CRITICAL vulnerabilities are found.
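As an added example (not code from the feed project), this is the gate the description applies: parse a trivy `--format json` report and fail the build when any HIGH or CRITICAL finding is present. The report layout (Results[].Vulnerabilities[].Severity) is trivy's; the sample reports, package names and vulnerability IDs below are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape trivy emits with `--format json`.
# IDs, packages and versions are placeholders, not findings from any real image.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example-image:tag (debian 9.13)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libother",
                 "InstalledVersion": "2.3-4", "Severity": "LOW"},
            ],
        },
    ]
})

# Constructed clean report: trivy emits null rather than [] for a target with no findings.
CLEAN_REPORT = json.dumps({
    "Results": [{"Target": "example-image:tag (alpine 3.13)", "Vulnerabilities": None}]
})

# Severities that must fail the build (the PR's policy).
GATE = frozenset({"HIGH", "CRITICAL"})


def summarise(report_json: str) -> Counter:
    """Count findings per severity across every target in a trivy JSON report."""
    report = json.loads(report_json)
    counts = Counter()
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # None for a clean target
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts


def build_should_fail(report_json: str, gate=GATE) -> bool:
    """True when at least one finding has a severity in the gate set."""
    counts = summarise(report_json)
    return any(counts[sev] > 0 for sev in gate)


if __name__ == "__main__":
    for name, report in (("debian sample", SAMPLE_REPORT), ("alpine sample", CLEAN_REPORT)):
        print(name, dict(summarise(report)), "FAIL" if build_should_fail(report) else "PASS")
    raise SystemExit(1 if build_should_fail(SAMPLE_REPORT) else 0)
```

In CI the same policy is available directly from trivy as `trivy image --exit-code 1 --severity HIGH,CRITICAL <image>`; the script is useful when the JSON report is also archived and gated separately.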
@sebbonnet
Contributor Author

trivy scan output based on the new image:

Screenshot from 2021-02-03 12-25-42

@sebbonnet
Contributor Author

This commit 908f7db showed how we used kind to validate that feed and the vts plugin would work once deployed. We've yet to check the opentracing plugin also works.
Using kind + mock aws service to run integration test would work pretty well (even in travis), but the test setup would need to be done in golang instead of bash to make it easier to maintain and read. This is something we could potentially do if people are interested / feel the value-add is worth it.
Until then we reverted that commit for now, so we have at least a trace of it.

@sebbonnet
Contributor Author

We've yet to check the opentracing plugin also works.

We've now tested opentracing too and found that it works fine. The path to the jaeger plugin was wrong, so we fixed it in b102ece.
We've also updated the integration tests we put together earlier with kind to also deploy an all-in-one jaeger using the jaeger-operator so we could make sure the opentracing plugin works and confirm we see jaeger traces when calling our test backend.
The integration tests are stored here: https://github.com/sky-uk/feed/compare/feed-integration-test-with-kind

Contributor

@rewiko rewiko left a comment


LGTM

@sebbonnet sebbonnet merged commit e387025 into master Feb 8, 2021
@sebbonnet sebbonnet deleted the cut-down-feed-ingress-vulnerabilities branch February 8, 2021 15:03