
[Helm] Fix typo in ingress netpol #10869

Closed

Conversation

C4tWithShell
Contributor

No description provided.

C4tWithShell and others added 17 commits August 6, 2024 15:55
….38.0-2.39.0-dev

Release: Merge back 2.38.0 into dev from: master-into-dev/2.38.0-2.39.0-dev
…ackage.json) (DefectDojo#10834)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.9 to 1.35.10.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.9...1.35.10)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.35.10 to 1.35.11.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.35.10...1.35.11)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.0 to 43.0.1.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@43.0.0...43.0.1)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.32 to 2.0.33.
- [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases)
- [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst)
- [Commits](https://github.com/sqlalchemy/sqlalchemy/commits)

---
updated-dependencies:
- dependency-name: sqlalchemy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ackage.json) (DefectDojo#10860)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [django-tagulous](https://github.com/radiac/django-tagulous) from 1.3.3 to 2.1.0.
- [Changelog](https://github.com/radiac/django-tagulous/blob/main/docs/changelog.rst)
- [Commits](radiac/django-tagulous@v1.3.3...v2.1.0)

---
updated-dependencies:
- dependency-name: django-tagulous
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [jquery-ui](https://github.com/jquery/jquery-ui) from 1.13.3 to 1.14.0.
- [Release notes](https://github.com/jquery/jquery-ui/releases)
- [Commits](jquery/jquery-ui@1.13.3...1.14.0)

---
updated-dependencies:
- dependency-name: jquery-ui
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@github-actions github-actions bot added the helm label Sep 5, 2024

dryrunsecurity bot commented Sep 5, 2024

DryRun Security Summary

The provided patch updates the network policy configuration for the DefectDojo application in a Kubernetes environment, including correcting the ingress condition, enabling the network policy based on the networkPolicy.enabled value, and defining separate network policies for the application and the Django component to enhance application security.


Summary:

The code change in the provided patch is related to the network policy configuration for the DefectDojo application in a Kubernetes environment. The key changes include:

  1. Correcting the condition for the ingress configuration in the network policy.
  2. Enabling the network policy when the networkPolicy.enabled value is set to true.
  3. Defining a network policy that matches the pods with the label app.kubernetes.io/instance: {{ .Release.Name }} and configures the ingress and egress traffic based on the networkPolicy.ingress and networkPolicy.egress settings.
  4. Defining a separate network policy for the Django component of the DefectDojo application, which allows traffic to the Django component on the appropriate port (8443 if TLS is enabled, 8080 otherwise).

From an application security perspective, the network policy implementation is a good security practice as it helps restrict the network traffic to and from the DefectDojo application, reducing the attack surface. The separate network policy for the Django component allows for more granular control over the traffic to the different components of the application. It is important to ensure that the networkPolicy.ingress and networkPolicy.egress configurations are properly defined to allow the necessary traffic while restricting unnecessary access. The use of Kubernetes network policies is a recommended security practice, as it helps to implement the principle of least privilege and reduce the risk of unauthorized access to the application.

Files Changed:

  • helm/defectdojo/templates/network-policy.yaml: This file contains the network policy configuration for the DefectDojo application in a Kubernetes environment. The changes include correcting the condition for the ingress configuration, enabling the network policy based on the networkPolicy.enabled value, and defining the network policy for the application and the Django component.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
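To make the shape of the policy described in the summary concrete, here is an illustrative Helm template added as an example; it is not the chart's own network-policy.yaml. The value names networkPolicy.enabled and the label app.kubernetes.io/instance come from the summary, while django.tls.enabled and the component label are assumed names.

```yaml
# Illustrative Helm template (added example, not the DefectDojo chart file).
# Assumed names: .Values.django.tls.enabled and the component label below.
{{- if .Values.networkPolicy.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-django
spec:
  # Selecting a pod makes it default-deny for every listed policyType:
  # any ingress not matched by a rule below is dropped once a
  # NetworkPolicy-capable CNI plugin enforces the policy.
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: {{ .Release.Name }}
      app.kubernetes.io/component: django   # assumed label
  policyTypes:
    - Ingress
  ingress:
    # A rule with only a ports entry admits traffic from any source
    # on that port; add a from: list to narrow the allowed peers.
    - ports:
        - protocol: TCP
          # Django listens on 8443 when TLS is enabled, 8080 otherwise.
          {{- if .Values.django.tls.enabled }}
          port: 8443
          {{- else }}
          port: 8080
          {{- end }}
{{- end }}
```

Render the chart with `helm template` once with the TLS flag on and once off and confirm that only the `port` value differs; the policy has no effect on a cluster whose CNI plugin does not implement NetworkPolicy.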

Contributor

@mtesauro mtesauro left a comment


Approved

@Maffooch Maffooch changed the base branch from dev to bugfix September 9, 2024 14:25
@Maffooch Maffooch changed the base branch from bugfix to dev September 9, 2024 14:25
@kiblik
Contributor

kiblik commented Sep 12, 2024

Hi. Is it possible to merge this into bugfix, please?
I know it will need rebase but it would be nice to have it available.

@C4tWithShell C4tWithShell changed the base branch from dev to bugfix September 12, 2024 08:41
@C4tWithShell
Contributor Author

Hi. Is it possible to merge this into bugfix, please? I know it will need rebase but it would be nice to have it available.

Sure, but I will create a new PR. Will send a link here.

@C4tWithShell
Contributor Author

@kiblik @cneill @Maffooch @mtesauro
New PR to bugfix - #10898


5 participants