Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 51 additions & 0 deletions .github/workflows/codeql.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
name: CodeQL
on:
push:
branches:
- 'main'
pull_request:
branches:
- 'main'
schedule:
- cron: '21 3 * * 3'

permissions: read-all

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
security-events: write
packages: read
actions: read
contents: read

strategy:
fail-fast: false
matrix:
language: ['go']

steps:
- name: checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: 1.26.5

- name: Initialize CodeQL
uses: github/codeql-action/init@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
languages: ${{ matrix.language }}

- name: Build
# Autobuild's heuristic only traced a fraction of the module (79 of 189 files per the
# code-scanning diagnostic). Build the whole module explicitly so CodeQL sees every package.
run: go build ./...

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
category: "/language:${{ matrix.language }}"
45 changes: 45 additions & 0 deletions .github/workflows/scorecard.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
name: Scorecard supply-chain security
on:
branch_protection_rule:
schedule:
- cron: '30 2 * * 1'
push:
branches:
- 'main'

permissions: read-all

jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
contents: read
actions: read

steps:
- name: checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: Upload artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: results.sarif
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
[![CI](https://github.com/projectsveltos/classifier/actions/workflows/main.yaml/badge.svg)](https://github.com/projectsveltos/classifier/actions)
[![Go Report Card](https://goreportcard.com/badge/github.com/projectsveltos/classifier)](https://goreportcard.com/report/github.com/projectsveltos/classifier)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/projectsveltos/classifier/badge)](https://scorecard.dev/viewer/?uri=github.com/projectsveltos/classifier)
[![CodeQL](https://github.com/projectsveltos/classifier/actions/workflows/codeql.yaml/badge.svg)](https://github.com/projectsveltos/classifier/actions/workflows/codeql.yaml)
[![Release](https://img.shields.io/github/v/release/projectsveltos/classifier)](https://github.com/projectsveltos/classifier/releases)
[![License](https://img.shields.io/badge/license-Apache-blue.svg)](LICENSE)
[![Slack](https://img.shields.io/badge/join%20slack-%23projectsveltos-brighteen)](https://join.slack.com/t/projectsveltos/shared_invite/zt-1hraownbr-W8NTs6LTimxLPB8Erj8Q6Q)
Expand Down
47 changes: 47 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# Security Policy

## Supported Versions

We release security fixes for the latest minor version. We encourage all users to stay on the latest release.

| Version | Supported |
|----------------|--------------------|
| latest release | :white_check_mark: |
| older releases | :x: |

## Reporting a Vulnerability

**Please do not report security vulnerabilities through public GitHub issues.**

If you believe you have found a security vulnerability in any Sveltos repository, please report it responsibly by sending an email to:

**support@projectsveltos.io**

Please include as much of the following information as possible to help us understand and resolve the issue quickly:

- A description of the vulnerability and its potential impact
- The affected component(s) and version(s)
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept or exploit code (if applicable)
- Suggested remediation (if any)

## Response Process

- You will receive an acknowledgement within **2 business days**
- We will investigate and keep you informed of our progress
- Once the issue is confirmed, we will work on a fix and coordinate a release
- We will publicly disclose the vulnerability after a fix is available, giving you credit unless you prefer to remain anonymous

## Scope

This policy covers all projects under the [projectsveltos](https://github.com/projectsveltos) GitHub organization.

## Out of Scope

- Vulnerabilities in dependencies (please report those to the upstream project)
- Issues in non-production branches or unreleased code
- Social engineering attacks

## Thank You

We appreciate responsible disclosure and the work of the security community in keeping Sveltos and its users safe.
8 changes: 4 additions & 4 deletions config/rbac/kustomization.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ resources:
# Comment the following 4 lines if you want to disable
# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
# which protects your /metrics endpoint.
# - auth_proxy_service.yaml
# - auth_proxy_role.yaml
# - auth_proxy_role_binding.yaml
# - auth_proxy_client_clusterrole.yaml
- auth_proxy_service.yaml
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
14 changes: 14 additions & 0 deletions controllers/classifier_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,7 @@ func (r *ClassifierReconciler) reconcileNormal(
logger.V(logs.LogDebug).Error(err, "failed to get matching clusters")
return reconcile.Result{Requeue: true, RequeueAfter: normalRequeueAfter}, nil
}
trackMatchingClusters(classifierScope.Classifier.Name, len(matchingClusters), logger)

// For clusters that no longer match, remove managed labels and clear internal registrations
err = r.cleanUpManagedResources(ctx, classifierScope, matchingClusters, logger)
Expand All @@ -296,6 +297,7 @@ func (r *ClassifierReconciler) reconcileNormal(
logger.V(logs.LogDebug).Error(err, "failed to update status/registrations for matching clusters")
return reconcile.Result{Requeue: true, RequeueAfter: normalRequeueAfter}, nil
}
trackLabelConflicts(classifierScope.Classifier.Name, countUnManagedLabelClusters(matchingStatuses), logger)

// Apply the labels to the clusters
err = r.updateLabelsOnMatchingClusters(ctx, classifierScope, matchingStatuses, logger)
Expand Down Expand Up @@ -969,3 +971,15 @@ func hasUnManagedLabels(statuses []libsveltosv1beta1.MachingClusterStatus) bool
}
return false
}

// countUnManagedLabelClusters returns the number of clusters in statuses with at least one label
// conflict.
func countUnManagedLabelClusters(statuses []libsveltosv1beta1.MachingClusterStatus) int {
count := 0
for i := range statuses {
if len(statuses[i].UnManagedLabels) > 0 {
count++
}
}
return count
}
2 changes: 2 additions & 0 deletions controllers/classifier_deployer.go
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,8 @@ func (r *ClassifierReconciler) deployClassifier(ctx context.Context, classifierS
classifierScope.Classifier.Name, cluster, clusterInfo); updateErr != nil {
l.V(logs.LogInfo).Error(updateErr, "failed to update ClassifierReport deployment status")
errorSeen = updateErr
} else {
trackClassifierOutcome(classifierScope.Classifier.Name, cluster, clusterInfo, l)
}
if clusterInfo.Status != libsveltosv1beta1.SveltosStatusProvisioned {
allProcessed = false
Expand Down
Loading