
chore(helm): implement readinessProbe and startupProbe for uwsgi container #10506

Merged: 3 commits, Nov 22, 2024

Conversation

@fcecagno (Contributor) commented Jul 3, 2024

Description

This PR makes all probes on the uwsgi container configurable, including the startupProbe, which could be useful to speed up Django launch on Kubernetes.


dryrunsecurity bot commented Jul 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status: findings per analyzer
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on improving the reliability, security, and observability of the DefectDojo application in a Kubernetes environment. The key changes include the addition of liveness, readiness, and startup probes for the uwsgi and nginx containers, as well as the ability to configure various parameters for these probes. Additionally, the changes include support for TLS configuration, secret management, container security settings, and Prometheus monitoring.

From an application security perspective, these changes are generally positive and demonstrate a proactive approach to ensuring the health and security of the DefectDojo deployment. The configurable probe parameters, TLS support, and secret management practices help to improve the overall security posture of the application. The container security settings and Prometheus monitoring also contribute to the security and observability of the deployment.

Files Changed:

  1. helm/defectdojo/templates/django-deployment.yaml:

    • Added support for configuring liveness, readiness, and startup probes for the uwsgi and nginx containers.
    • Allowed the user to configure various parameters for the probes, such as the initial delay, failure threshold, success threshold, and timeout.
    • Enabled TLS configuration for the application and used Kubernetes secrets to store sensitive information.
    • Allowed the user to configure security context settings for the containers.
    • Included support for Prometheus monitoring.
  2. helm/defectdojo/values.yaml:

    • Updated the liveness, readiness, and startup probes for the uwsgi container, including changes to the initial delay, failure threshold, and other parameters.
    • The changes to the probes help improve the overall health monitoring and readiness of the DefectDojo application, which can contribute to its security and reliability.

github-actions bot commented:

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik (Contributor) commented Aug 12, 2024

@fcecagno, can you try to rebase this PR? I suppose the issue responsible for failing the test might be gone.

github-actions bot commented:

Conflicts have been resolved. A maintainer will review the pull request shortly.


dryrunsecurity bot commented Aug 12, 2024

DryRun Security Summary

The pull request introduces changes to the DefectDojo application's health monitoring and readiness, including the addition of liveness, readiness, and startup probes for the UWSGI container, with configurable parameters, and the ability to conditionally enable or disable these probes based on deployment requirements, enhancing the application's security and reliability.


Summary:

The code changes in this pull request are focused on improving the health monitoring and readiness of the DefectDojo application, which is a positive security enhancement. The changes primarily involve the configuration of the UWSGI (uWSGI) container, which is part of the Django component of the application.

The key changes include the addition of liveness, readiness, and startup probes for the UWSGI container, as well as the ability to configure various parameters for these probes, such as initial delay, failure threshold, and success criteria. These probes help ensure that the application is fully initialized and ready to receive traffic before accepting requests, reducing the risk of exposing the application in an unstable or vulnerable state.

Additionally, the changes allow for the conditional rendering of the probe configurations, enabling users to enable or disable the probes as needed based on their specific deployment requirements. This flexibility is an important security consideration, as it allows for fine-tuning the application's health monitoring to ensure optimal reliability and availability.

Files Changed:

  1. helm/defectdojo/values.yaml:

    • Added new configuration options for the UWSGI container's liveness, readiness, and startup probes, including initial delay, failure threshold, and other parameters.
    • Enabled the liveness, readiness, and startup probes for the UWSGI container, improving the overall health monitoring and reliability of the DefectDojo application.
  2. helm/defectdojo/templates/django-deployment.yaml:

    • Added the startupProbe configuration for the uwsgi container, which checks the /uwsgi_health endpoint to determine if the application is ready to receive traffic during the startup phase.
    • Modified the livenessProbe and readinessProbe configurations for the uwsgi and nginx containers, allowing for more control over the probe behavior through configurable parameters.
    • Introduced conditional rendering of the livenessProbe, readinessProbe, and startupProbe configurations based on user-defined values, enabling users to enable or disable these probes as needed.

Overall, these changes are focused on improving the health monitoring and readiness of the DefectDojo application, which is an important aspect of application security and overall system reliability.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

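To make concrete what the PR description and the summaries above describe (configurable probes that are rendered only when enabled, a startupProbe on the uwsgi container checking /uwsgi_health), here is an added illustration written for this page. It is not the DefectDojo chart's own django-deployment.yaml or values.yaml: the value keys under `django.uwsgi.*`, the container port name `http-health` and its port number, and the default timings are assumptions chosen for the example; only the `/uwsgi_health` path comes from the summary above.

```yaml
# Illustrative Helm template fragment (added example, not the project's own template).
# Assumed: values under .Values.django.uwsgi.<probe>, a container port named
# "http-health" that answers /uwsgi_health, and the default timings shown.
      containers:
        - name: uwsgi
          ports:
            - name: http-health        # assumed HTTP listener for the health path
              containerPort: 8081      # assumed port number
          {{- with .Values.django.uwsgi.startupProbe }}
          {{- if .enabled }}
          # While the startup probe has not yet succeeded, the kubelet suppresses the
          # liveness and readiness probes, so a slow first boot (migrations, cache
          # warm-up) is not restarted as "unhealthy". successThreshold must stay 1.
          startupProbe:
            httpGet:
              path: {{ .path | default "/uwsgi_health" }}
              port: http-health
            periodSeconds: {{ .periodSeconds | default 10 }}
            # Maximum startup grace = periodSeconds * failureThreshold (10 s * 30 = 5 min)
            failureThreshold: {{ .failureThreshold | default 30 }}
            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
          {{- end }}
          {{- end }}
          {{- with .Values.django.uwsgi.readinessProbe }}
          {{- if .enabled }}
          # Readiness gates Service traffic: a failing pod is removed from the
          # endpoints, not restarted, so it may be stricter than liveness.
          readinessProbe:
            httpGet:
              path: {{ .path | default "/uwsgi_health" }}
              port: http-health
            initialDelaySeconds: {{ .initialDelaySeconds | default 0 }}
            periodSeconds: {{ .periodSeconds | default 10 }}
            successThreshold: {{ .successThreshold | default 1 }}
            failureThreshold: {{ .failureThreshold | default 3 }}
            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
          {{- end }}
          {{- end }}
          {{- with .Values.django.uwsgi.livenessProbe }}
          {{- if .enabled }}
          # Liveness restarts the container; keep it loose so transient load or a
          # slow database query does not trigger a restart loop. successThreshold must stay 1.
          livenessProbe:
            httpGet:
              path: {{ .path | default "/uwsgi_health" }}
              port: http-health
            periodSeconds: {{ .periodSeconds | default 30 }}
            failureThreshold: {{ .failureThreshold | default 3 }}
            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
          {{- end }}
          {{- end }}
---
# Matching values.yaml fragment (assumed layout for the example above).
django:
  uwsgi:
    startupProbe:
      enabled: true
      path: /uwsgi_health
      periodSeconds: 10
      failureThreshold: 30
      timeoutSeconds: 5
    readinessProbe:
      enabled: true
      path: /uwsgi_health
      periodSeconds: 10
      failureThreshold: 3
    livenessProbe:
      enabled: true
      path: /uwsgi_health
      periodSeconds: 30
      failureThreshold: 3
```

Two checks are worth running after a change like this: render the chart with `helm template` and confirm that `enabled: false` drops the probe key entirely (an empty `startupProbe: {}` is rejected by the API server because a probe needs exactly one handler), and confirm that the liveness probe cannot fire before the startup probe's full grace window (periodSeconds times failureThreshold) has elapsed, otherwise a slow migration run still ends in CrashLoopBackOff.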

@Maffooch (Contributor) commented:

It looks like there has not been any activity here for a while. In order to keep the list of pull requests in a manageable state, we are closing this one for now. If we are making a mistake here, please reopen the pull request, and leave us a note 😄

@Maffooch Maffooch closed this Nov 15, 2024
@fcecagno (Contributor, Author) commented:

@Maffooch that's alright. Another option would be to merge it, since it looks like it's still an improvement.

@Maffooch Maffooch reopened this Nov 15, 2024
@Maffooch (Contributor) commented:

Whenever you are ready, please convert the pull request from draft to open 😄

@fcecagno (Contributor, Author) commented:

> Whenever you are ready, please convert the pull request from draft to open 😄

😱
Sorry about that, didn't see it was still a draft. It's definitely ready for review.

@fcecagno fcecagno marked this pull request as ready for review November 15, 2024 23:43
@mtesauro (Contributor) left a review comment:

Approved

github-actions bot commented:

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions bot commented:

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch merged commit 63f7e5a into DefectDojo:dev Nov 22, 2024
72 of 73 checks passed
5 participants