TODO: remove service account token from ci-kubernetes-snyk-master Prow job #33970

Open
tabbysable opened this issue Dec 16, 2024 · 6 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. sig/security Categorizes an issue or PR as relevant to SIG Security.

Comments

@tabbysable
Member

While moving the script out of inline YAML, we discussed whether a service account token was really needed by the Prow job: https://github.com/kubernetes/test-infra/pull/33817/files#r1866396666

For ease of troubleshooting, we plan to merge that PR as-is.

Once it's known working, it would be a nice least-privilege improvement to remove the service account token from that job, since we do not believe it needs one.

@tabbysable tabbysable added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Dec 16, 2024
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Dec 16, 2024
@tabbysable
Member Author

/label sig/security
/label good-first-issue

@k8s-ci-robot
Contributor

@tabbysable: The label(s) /label sig/security , /label good-first-issue cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor, ci-short, ci-extended, ci-full. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label sig/security
/label good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tabbysable
Member Author

/sig security
/good-first-issue

@k8s-ci-robot
Contributor

@tabbysable:
This request has been marked as suitable for new contributors.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

/sig security
/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 16, 2024
@BenTheElder
Member

related: https://kubernetes.slack.com/archives/CCK68P2Q2/p1734371958722229

(it seems like probably we should move this out of the "trusted" cluster entirely?)

@andyroediger

/assign


4 participants