Configure Dependency Scanning in .gitlab-ci.yml, creating this file if it does not already exist

.gitlab-ci.yml

@@ -1,81 +1,82 @@
+# You can override the included template(s) by including variable overrides
+# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
 variables:
   GOCACHE: "${CI_PROJECT_DIR}/_go/cache"
   DOCKER_HOST: tcp://docker:2375
   DOCKER_DRIVER: overlay2
-
 before_script:
-  - mkdir -p ${CI_PROJECT_DIR}/_go/{pkg,bin,cache}
+- mkdir -p ${CI_PROJECT_DIR}/_go/{pkg,bin,cache}
-  - rm -rf /go/pkg
+- rm -rf /go/pkg
-  - ln -s ${CI_PROJECT_DIR}/_go/pkg /go/pkg
+- ln -s ${CI_PROJECT_DIR}/_go/pkg /go/pkg
-  - ln -s ${CI_PROJECT_DIR}/_go/bin /go/bin
+- ln -s ${CI_PROJECT_DIR}/_go/bin /go/bin
-
 cache:
   key: "$CI_COMMIT_REF_NAME"
   paths:
-    - _go
+  - _go
   untracked: true
-
 stages:
-  - deps
+- deps
-  - test
+- test
-  - build
+- build
-  - package
+- package
-  - release
+- release
-
 deps:
   stage: deps
   image: golang:1.12
   script:
-    - go get -mod=readonly
+  - go get -mod=readonly
-
 test:
   stage: test
   dependencies:
-    - deps
+  - deps
   image: golang:1.12
   script:
-    - go fmt $(go list ./...)
+  - go fmt $(go list ./...)
-    - go vet $(go list ./...)
+  - go vet $(go list ./...)
-    - CGO_ENABLED=1 go test -mod=readonly -race $(go list ./...) -coverprofile .testCoverage.txt
+  - CGO_ENABLED=1 go test -mod=readonly -race $(go list ./...) -coverprofile .testCoverage.txt
-
 build:
   stage: build
   dependencies:
-    - deps
+  - deps
   image: golang:1.12
   script:
-    - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod=readonly -o release/default-request-adder -ldflags '-w -s'
+  - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -mod=readonly -o release/default-request-adder
+    -ldflags '-w -s'
   artifacts:
     paths:
-      - release/
+    - release/
-
 package:
   stage: package
   dependencies:
-    - build
+  - build
   image: docker:stable
   services:
-    - docker:dind
+  - docker:dind
   before_script:
-    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+  - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
   script:
-    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
+  - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
-    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+  - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
-    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+  - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
-    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+  - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
-
 release:
   stage: release
   dependencies:
-    - package
+  - package
   image: docker:stable
   services:
-    - docker:dind
+  - docker:dind
   before_script:
-    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+  - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
   script:
-    - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+  - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
-    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
+  - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
-    - docker push $CI_REGISTRY_IMAGE:latest
+  - docker push $CI_REGISTRY_IMAGE:latest
   only:
-    - master
+  - master
+include:
+- template: Security/Dependency-Scanning.gitlab-ci.yml

README.MD

@@ -1,4 +1,4 @@
 # Default-request-adder
 A small container which periodically (every 10s) checks for a LimitRange on all non-excluded namespaces named `extreme-request-defaults` and creates it using the configured memory settings if absent.
 
-See the example-dir for an example deployment-file.
+[Example deployment-file](example/deploy.yaml)

example/deploy.yaml

@@ -1,3 +1,40 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default-request-adder
+  namespace: kube-system
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: default-request-adder
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["list"]
+  - apiGroups: [""]
+    resources: ["limitranges"]
+    verbs: ["list","create"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: default-request-adder
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: default-request-adder
+subjects:
+  - kind: ServiceAccount
+    name: default-request-adder
+    namespace: kube-system
+---
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -20,6 +57,7 @@ spec:
       labels:
         app: default-request-adder
     spec:
+      serviceAccountName: default-request-adder
       containers:
         - name: default-request-adder
           resources:

main.go

@@ -54,18 +54,22 @@ func main() {
 	for {
 		namespaces, err := clientset.CoreV1().Namespaces().List(metav1.ListOptions{})
 		if err != nil {
-			panic(err.Error())
+			panic(err)
 		}
 
 		for _, ns := range namespaces.Items {
 			if !nsExcluded(ns.Name, excludedNS) {
 				log.Printf("Checking for LimitRange named extreme-request-defaults in namespace '%v'\n", ns.Name)
-				if limitRanges, err := clientset.CoreV1().LimitRanges(ns.Name).List(metav1.ListOptions{FieldSelector: "metadata.name=extreme-request-defaults"}); err == nil && len(limitRanges.Items) == 0 {
+				if limitRanges, err := clientset.CoreV1().LimitRanges(ns.Name).List(metav1.ListOptions{FieldSelector: "metadata.name=extreme-request-defaults"}); err != nil {
-					log.Printf("Trying to create LimitRange\n")
+					panic(err)
-					if _, err := clientset.CoreV1().LimitRanges(ns.Name).Create(&limitRange); err != nil {
+				} else {
-						log.Printf("Unable to create LimitRange in namespace '%v': Error: %v\n", ns.Name, err)
+					if len(limitRanges.Items) == 0 {
-					} else {
+						log.Printf("Trying to create LimitRange\n")
-						log.Printf("LimitRange extreme-request-defaults created in namespace '%v'\n", ns.Name)
+						if _, err := clientset.CoreV1().LimitRanges(ns.Name).Create(&limitRange); err != nil {
+							log.Printf("Unable to create LimitRange in namespace '%v': Error: %v\n", ns.Name, err)
+						} else {
+							log.Printf("LimitRange extreme-request-defaults created in namespace '%v'\n", ns.Name)
+						}
 					}
 				}
 			}