diff --git a/documentation/docs/getting-started/upgrading.md b/documentation/docs/getting-started/upgrading.md index 2778e10b5f..c964d450b6 100644 --- a/documentation/docs/getting-started/upgrading.md +++ b/documentation/docs/getting-started/upgrading.md @@ -10,6 +10,15 @@ path: "docs/getting-started/upgrading" sidebar_position: 3 --- +## From 4.X to 5.X + +### Renamed ClusterRole and ClusterRoleBinding +To avoid naming collisions with other cluster‑scoped resources, the operator's ClusterRole formerly called `manager-role` has been renamed to `securecodebox‑manager-role`, and the corresponding ClusterRoleBinding `manager-rolebinding` is now `securecodebox‑manager-rolebinding`. The official Helm chart will automatically create and reference these new names when you update the operator. + +If you maintain a custom deployment that directly references `manager-role` or `manager-rolebinding`, be sure to update those references to `securecodebox‑manager-role` and `securecodebox‑manager-rolebinding` respectively. + +➡️ [Reference: #3002](https://github.com/secureCodeBox/secureCodeBox/pull/3002) + ## From 3.X to 4.X ### Renamed the docker images of demo-targets to include a "demo-target-" prefix diff --git a/operator/Makefile b/operator/Makefile index 94089d8754..3761318cc8 100644 --- a/operator/Makefile +++ b/operator/Makefile 
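Review bot: The new section spells the identifiers with U+2011 (non-breaking hyphen) between `securecodebox` and `manager` — `securecodebox‑manager-role`, `securecodebox‑manager-rolebinding` (and `cluster‑scoped`) — while role.yaml and role_binding.yaml in this same change use the ASCII hyphen `securecodebox-manager-role`. A reader who copies the backticked name into a custom ClusterRoleBinding gets a `roleRef` to a role that does not exist (or an object name the API server rejects), which is precisely the custom-deployment case the paragraph is written for; replace the four occurrences with a plain `-`. The section also says the chart "will automatically create and reference these new names" but not what happens to the old ones: Helm 3 should delete `manager-role`/`manager-rolebinding` once they leave the release manifest, but deployments applied from rendered manifests keep a stale binding that still grants the operator's service account the old role. Suggest adding `After upgrading, confirm the old objects are gone: kubectl get clusterrole manager-role clusterrolebinding manager-rolebinding (both should return NotFound).`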
@@ -61,7 +61,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName="manager-role",headerFile="hack/boilerplate.yaml.txt" crd:maxDescLen=256,headerFile="hack/boilerplate.yaml.txt" webhook paths="./..." output:crd:artifacts:config=crds output:rbac:artifacts:config=templates/rbac + $(CONTROLLER_GEN) rbac:roleName="securecodebox-manager-role",headerFile="hack/boilerplate.yaml.txt" crd:maxDescLen=256,headerFile="hack/boilerplate.yaml.txt" webhook paths="./..." output:crd:artifacts:config=crds output:rbac:artifacts:config=templates/rbac .PHONY: generate generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. diff --git a/operator/templates/rbac/role.yaml b/operator/templates/rbac/role.yaml index 619041856e..32e50cf3f5 100644 --- a/operator/templates/rbac/role.yaml +++ b/operator/templates/rbac/role.yaml @@ -5,7 +5,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role + name: securecodebox-manager-role rules: - apiGroups: - "" diff --git a/operator/templates/rbac/role_binding.yaml b/operator/templates/rbac/role_binding.yaml index a65ad67f10..e34876aa4b 100644 --- a/operator/templates/rbac/role_binding.yaml +++ b/operator/templates/rbac/role_binding.yaml @@ -5,11 +5,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: manager-rolebinding + name: securecodebox-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: securecodebox-manager-role subjects: - kind: ServiceAccount name: {{.Values.serviceAccount.name}} diff --git a/operator/tests/__snapshot__/operator_test.yaml.snap b/operator/tests/__snapshot__/operator_test.yaml.snap index 38f5f4deda..9361f14574 100644 --- a/operator/tests/__snapshot__/operator_test.yaml.snap 
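Review bot: role_binding.yaml changes `roleRef.name` together with the binding's own name, but nothing records that the two renames must travel together: a ClusterRoleBinding's `roleRef` is immutable, so a future rename of the ClusterRole alone (e.g. by editing only `rbac:roleName=` in the Makefile, which regenerates role.yaml) would leave this hand-written binding pointing at the old role or make the API server reject Helm's patch of it. Add a comment above `roleRef:` such as `# roleRef is immutable in Kubernetes: if the ClusterRole is renamed again (Makefile rbac:roleName=), rename this binding too so Helm replaces it instead of patching`. A matching reminder next to the `rbac:roleName=` flag in the Makefile target would close the loop, since controller-gen overwrites role.yaml and a comment there would not survive.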
+++ b/operator/tests/__snapshot__/operator_test.yaml.snap @@ -271,7 +271,7 @@ matches the snapshot: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role + name: securecodebox-manager-role rules: - apiGroups: - "" @@ -370,11 +370,11 @@ matches the snapshot: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: manager-rolebinding + name: securecodebox-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: securecodebox-manager-role subjects: - kind: ServiceAccount name: securecodebox-operator @@ -848,7 +848,7 @@ properly-renders-the-service-monitor-when-enabled: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: manager-role + name: securecodebox-manager-role rules: - apiGroups: - "" @@ -947,11 +947,11 @@ properly-renders-the-service-monitor-when-enabled: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: manager-rolebinding + name: securecodebox-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: securecodebox-manager-role subjects: - kind: ServiceAccount name: securecodebox-operator diff --git a/scanners/trivy/parser/__snapshots__/parser.test.js.snap b/scanners/trivy/parser/__snapshots__/parser.test.js.snap index 5c3251ae00..b7b5750a54 100644 --- a/scanners/trivy/parser/__snapshots__/parser.test.js.snap +++ b/scanners/trivy/parser/__snapshots__/parser.test.js.snap @@ -100044,7 +100044,7 @@ and the severity is therefore considered low.", { "attributes": { "fixedVersion": undefined, - "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'", + "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'", "id": "KSV048", "installedVersion": undefined, "packageName": undefined, 
@@ -100055,7 +100055,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", + "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -100073,7 +100073,7 @@ and the severity is therefore considered low.", { "attributes": { "fixedVersion": undefined, - "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'", + "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'", "id": "KSV050", "installedVersion": undefined, "packageName": undefined, @@ -100084,9 +100084,9 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", + "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", - "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", + "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ { "type": "URL", 
@@ -100102,7 +100102,7 @@ and the severity is therefore considered low.", { "attributes": { "fixedVersion": undefined, - "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'", + "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'", "id": "KSV050", "installedVersion": undefined, "packageName": undefined, @@ -100113,9 +100113,9 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", + "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", - "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", + "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ { "type": "URL", @@ -152880,7 +152880,7 @@ and the severity is therefore considered low.", { "attributes": { "fixedVersion": undefined, - "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'", + "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'", "id": "KSV048", "installedVersion": undefined, "packageName": undefined, 
@@ -152891,7 +152891,7 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "Check whether role permits update/create of a malicious pod", - "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", + "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role", "mitigation": "Create a role which does not permit update/create of a malicious pod", "name": "Do not allow update/create of a malicious pod(Role permits create/update of a malicious pod)", "references": [ @@ -152909,7 +152909,7 @@ and the severity is therefore considered low.", { "attributes": { "fixedVersion": undefined, - "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'", + "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'", "id": "KSV050", "installedVersion": undefined, "packageName": undefined, @@ -152920,9 +152920,9 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", + "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", - "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", + "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ { "type": "URL", 
@@ -152938,7 +152938,7 @@ and the severity is therefore considered low.", { "attributes": { "fixedVersion": undefined, - "foundIn": "Target: 'ClusterRole/manager-role' / Class: 'config' / Type: 'kubernetes'", + "foundIn": "Target: 'ClusterRole/securecodebox-manager-role' / Class: 'config' / Type: 'kubernetes'", "id": "KSV050", "installedVersion": undefined, "packageName": undefined, @@ -152949,9 +152949,9 @@ and the severity is therefore considered low.", }, "category": "Misconfiguration", "description": "An effective level of access equivalent to cluster-admin should not be provided.", - "location": "scb://trivy/?Kind=ClusterRole&Name=manager-role", + "location": "scb://trivy/?Kind=ClusterRole&Name=securecodebox-manager-role", "mitigation": "Remove write permission verbs for resource 'roles' and 'rolebindings'", - "name": "Do not allow management of RBAC resources(ClusterRole 'manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", + "name": "Do not allow management of RBAC resources(ClusterRole 'securecodebox-manager-role' should not have access to resources ["roles", "rolebindings"] for verbs ["create", "update", "delete", "deletecollection", "impersonate", "*"])", "references": [ { "type": "URL", diff --git a/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json b/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json index e66b98d728..62e652839c 100644 --- a/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json +++ b/scanners/trivy/parser/__testFiles__/local-k8s-scan-result.json @@ -46802,10 +46802,10 @@ }, { "Kind": "ClusterRole", - "Name": "manager-role", + "Name": "securecodebox-manager-role", "Results": [ { - "Target": "ClusterRole/manager-role", + "Target": "ClusterRole/securecodebox-manager-role", "Class": "config", "Type": "kubernetes", "Packages": [], 
@@ -46940,7 +46940,7 @@ "AVDID": "AVD-KSV-0050", "Title": "Do not allow management of RBAC resources", "Description": "An effective level of access equivalent to cluster-admin should not be provided.", - "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", "Namespace": "builtin.kubernetes.KSV050", "Query": "data.builtin.kubernetes.KSV050.deny", "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'", @@ -47050,7 +47050,7 @@ "AVDID": "AVD-KSV-0050", "Title": "Do not allow management of RBAC resources", "Description": "An effective level of access equivalent to cluster-admin should not be provided.", - "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", "Namespace": "builtin.kubernetes.KSV050", "Query": "data.builtin.kubernetes.KSV050.deny", "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'", @@ -65501,10 +65501,10 @@ }, { "Kind": "ClusterRoleBinding", - "Name": "manager-rolebinding", + "Name": "securecodebox-manager-rolebinding", "Results": [ { - "Target": "ClusterRoleBinding/manager-rolebinding", + "Target": "ClusterRoleBinding/securecodebox-manager-rolebinding", "Class": "config", "Type": "kubernetes", "Packages": [], 
diff --git a/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json b/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json index 3c602b4f9f..b3d3a85fd4 100644 --- a/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json +++ b/scanners/trivy/parser/__testFiles__/trivy--k8s-scan-results.json @@ -46909,10 +46909,10 @@ }, { "Kind": "ClusterRole", - "Name": "manager-role", + "Name": "securecodebox-manager-role", "Results": [ { - "Target": "ClusterRole/manager-role", + "Target": "ClusterRole/securecodebox-manager-role", "Class": "config", "Type": "kubernetes", "Packages": [], @@ -47047,7 +47047,7 @@ "AVDID": "AVD-KSV-0050", "Title": "Do not allow management of RBAC resources", "Description": "An effective level of access equivalent to cluster-admin should not be provided.", - "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", "Namespace": "builtin.kubernetes.KSV050", "Query": "data.builtin.kubernetes.KSV050.deny", "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'", 
@@ -47157,7 +47157,7 @@ "AVDID": "AVD-KSV-0050", "Title": "Do not allow management of RBAC resources", "Description": "An effective level of access equivalent to cluster-admin should not be provided.", - "Message": "ClusterRole 'manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", + "Message": "ClusterRole 'securecodebox-manager-role' should not have access to resources [\"roles\", \"rolebindings\"] for verbs [\"create\", \"update\", \"delete\", \"deletecollection\", \"impersonate\", \"*\"]", "Namespace": "builtin.kubernetes.KSV050", "Query": "data.builtin.kubernetes.KSV050.deny", "Resolution": "Remove write permission verbs for resource 'roles' and 'rolebindings'", @@ -53300,10 +53300,10 @@ }, { "Kind": "ClusterRoleBinding", - "Name": "manager-rolebinding", + "Name": "securecodebox-manager-rolebinding", "Results": [ { - "Target": "ClusterRoleBinding/manager-rolebinding", + "Target": "ClusterRoleBinding/securecodebox-manager-rolebinding", "Class": "config", "Type": "kubernetes", "Packages": [],