delineaxpm / dsv-k8s-sidecar Goto Github PK

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

Renovate tried to run on this repository, but found these problems.

• WARN: Unable to read vulnerability information

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

• chore(deps): pin dependencies (actions/cache, actions/checkout, aquaproj/aqua-installer, docker/login-action, elgohr/go-vulncheck-action, github/codeql-action, magefile/mage-action)
• chore(deps): update gomod (github.com/bitfield/script, github.com/golang/protobuf, github.com/gorilla/mux, github.com/magefile/mage, github.com/pterm/pterm, github.com/sheldonhull/magetools, github.com/sirupsen/logrus, github.com/stretchr/testify)
• chore(deps): update ⬆️ regex matched resources to v2.21.3
• chore(deps): update github-actions (major) (actions/checkout, docker/login-action, github/codeql-action, magefile/mage-action)
• 🔐 Create all pending approval PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update ⬆️ gomod to v0.17.0
• chore(deps): update ⬆️ gomod to v0.17.0
• chore(deps): update ⬆️ gomod to v1.56.3
• chore(deps): update ⬆️ aqua-packages (DelineaXPM/dsv-cli, anchore/syft, aquaproj/aqua-registry, charmbracelet/glow, cloudflare/cfssl, direnv/direnv, golang/go, goreleaser/goreleaser, gotestyourself/gotestsum, helm/helm, kubernetes-sigs/kind, kubernetes/kubectl, kubernetes/minikube, magefile/mage, miniscruff/changie, stern/stern, terrastruct/d2, tilt-dev/tilt)
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

dockerfile

.devcontainer/Dockerfile

docker/Dockerfile.controller

docker/Dockerfile.sidecar

github-actions

.github/workflows/assign.yml

.github/workflows/conventional-pr.yml

.github/workflows/lint.yml

.github/workflows/release.yml

• actions/checkout v3
• magnetikonline/action-golang-cache v4@777394c89f8ed6fcf1649505277c46c1cd06494d
• aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
• magefile/mage-action v2@3b833fb24c0d19eed3aa760b9eb285b4b84f420f
• docker/login-action v2
• magefile/mage-action v2@3b833fb24c0d19eed3aa760b9eb285b4b84f420f

.github/workflows/scan.yml

• actions/checkout v3
• aquaproj/aqua-installer v2.0.2@61e2563dfe7674cbf74fe6ec212e444198a3bb00
• actions/cache v3
• elgohr/go-vulncheck-action 90e331d6e77587505906ef175d4b44a1d2cb6a63
• actions/checkout v3
• github/codeql-action v2
• github/codeql-action v2
• github/codeql-action v2

.github/workflows/stale.yaml

.github/workflows/test.yml

gomod

go.mod

• go 1.18
• github.com/bitfield/script v0.21.4
• github.com/dgrijalva/jwt-go/v4 v4.0.0-preview1
• github.com/ericchiang/k8s v1.2.0
• github.com/golang/mock v1.6.0
• github.com/golang/protobuf v1.2.0
• github.com/gorilla/mux v1.8.0
• github.com/magefile/mage v1.14.0
• github.com/pterm/pterm v0.12.58
• github.com/sheldonhull/magetools v1.0.0
• github.com/sirupsen/logrus v1.2.0
• github.com/stretchr/testify v1.8.2
• google.golang.org/grpc v1.16.0
• golang.org/x/crypto v0.11.0
• golang.org/x/net v0.13.0

helm-values

charts/dsv-k8s-controller/values.yaml

charts/dsv-k8s-sidecar/values.yaml

regex

aqua.yaml

• aquaproj/aqua-registry v4.33.0
• direnv/direnv v2.32.2
• magefile/mage v1.14.0
• charmbracelet/glow v1.5.0
• helm/helm v3.11.1
• kubernetes-sigs/kind v0.17.0
• cloudflare/cfssl v1.6.3
• goreleaser/goreleaser v1.15.2
• anchore/syft v0.73.0
• gotestyourself/gotestsum v1.9.0
• kubernetes/minikube v1.29.0
• miniscruff/changie v1.12.0
• cloudflare/cfssl v1.6.3
• tilt-dev/tilt v0.32.0
• stern/stern v1.24.0
• terrastruct/d2 v0.3.0
• DelineaXPM/dsv-cli v1.40.3

aqua.yaml

• golang/go go1.20.1
• kubernetes/kubectl v1.26.3

.github/workflows/release.yml

• aquaproj/aqua v2.10.1

.github/workflows/scan.yml

• aquaproj/aqua v2.10.1

aqua.yaml

• golang/go 1.20.1

aqua.yaml

• kubernetes/kubectl 1.26.3

I have a few questions to this new sidecar/controller solution.

1. How does the sidecar authenticate towards the controller? If none, do we then have to rely only on network policies to restrict access?

2. How do we prevent the controller's client secret to be copied and used in other contexts? Having the "golden" keys as secrets in Kubernetes does not make the solution more secure than having the real secrets as plain Kubernetes secrets as I see it.
   Other products in the market does a callback to the Kubernetes cluster to verify that the client actually is a running container in a particular cluster & namespace. Does Secret Server have other means for establishing root of trust?