.github/workflows/cifuzz.yaml

@@ -0,0 +1,24 @@
+name: CIFuzz
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Restore Go cache
+      uses: actions/cache@v1
+      with:
+        path: /home/runner/work/_temp/_github_home/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    - name: Smoke test Fuzzers
+      run: make fuzz-smoketest

.github/workflows/e2e.yaml

@@ -6,6 +6,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   kind:
     runs-on: ubuntu-latest
@@ -19,8 +22,6 @@ jobs:
       - name: Setup Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
       - name: Restore Go cache
         uses: actions/cache@v1
         with:
@@ -51,6 +52,8 @@ jobs:
         uses: fluxcd/pkg/actions/kubectl@main
         with:
           version: 1.21.2
+      - name: Setup SOPS
+        uses: fluxcd/pkg/actions/sops@main
       - name: Run controller tests
         run: make test
       - name: Check if working tree is dirty
@@ -92,6 +95,27 @@ jobs:
           make dev-deploy IMG=test/kustomize-controller:latest
           kubectl -n kustomize-system rollout status deploy/source-controller --timeout=1m
           kubectl -n kustomize-system rollout status deploy/kustomize-controller --timeout=1m
+      - name: Run tests for removing kubectl managed fields
+        run: |
+          kubectl create ns managed-fields
+          kustomize build github.com/stefanprodan/podinfo//kustomize?ref=6.0.0 > /tmp/podinfo.yaml
+          kubectl -n managed-fields apply -f /tmp/podinfo.yaml
+          kubectl -n managed-fields apply -f ./config/testdata/managed-fields
+          kubectl -n managed-fields wait kustomization/podinfo --for=condition=ready --timeout=4m
+          OUTDATA=$(kubectl -n managed-fields get deploy podinfo --show-managed-fields -oyaml)
+          if echo "$OUTDATA" | grep -q "kubectl";then
+            echo "kubectl client-side manager not removed"
+            exit 1
+          fi
+          kubectl -n managed-fields apply --server-side --force-conflicts -f /tmp/podinfo.yaml
+          kubectl -n managed-fields annotate --overwrite kustomization/podinfo reconcile.fluxcd.io/requestedAt="$(date +%s)"
+          kubectl -n managed-fields wait kustomization/podinfo --for=condition=ready --timeout=4m
+          OUTDATA=$(kubectl -n managed-fields get deploy podinfo --show-managed-fields -oyaml)
+          if echo "$OUTDATA" | grep -q "kubectl";then
+            echo "kubectl server-side manager not removed"
+            exit 1
+          fi
+          kubectl delete ns managed-fields
       - name: Run overlays tests
         run: |
           kubectl -n kustomize-system apply -k ./config/testdata/overlays

.github/workflows/nightly.yml

@@ -7,6 +7,9 @@ on:
 env:
   REPOSITORY: ${{ github.repository }}
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/rebase.yml

@@ -6,6 +6,11 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+  pull-requests: read
+  repository-projects: write
+
 jobs:
   rebase:
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER')

.github/workflows/release.yml

@@ -10,6 +10,11 @@ on:
         default: 'rc'
         required: true
 
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for ghcr access
+
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
@@ -31,13 +36,9 @@ jobs:
           echo ::set-output name=VERSION::${VERSION}
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v1
-        with:
-          platforms: all
       - name: Setup Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v1
-        with:
-          buildkitd-flags: "--debug"
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v1
         with:
@@ -49,43 +50,51 @@ jobs:
         with:
           username: fluxcdbot
           password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-      - name: Publish multi-arch container image
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@v3
+        with:
+          images: |
+            fluxcd/${{ env.CONTROLLER }}
+            ghcr.io/fluxcd/${{ env.CONTROLLER }}
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+      - name: Publish images
         uses: docker/build-push-action@v2
         with:
           push: true
           builder: ${{ steps.buildx.outputs.name }}
           context: .
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm/v7,linux/arm64
-          tags: |
-            ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-            docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-          labels: |
-            org.opencontainers.image.title=${{ github.event.repository.name }}
-            org.opencontainers.image.description=${{ github.event.repository.description }}
-            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.revision=${{ github.sha }}
-            org.opencontainers.image.version=${{ steps.prep.outputs.VERSION }}
-            org.opencontainers.image.created=${{ steps.prep.outputs.BUILD_DATE }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
       - name: Check images
         run: |
           docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
           docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
           docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
           docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
-      - name: Generate release manifests
+      - uses: sigstore/cosign-installer@main
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+          cosign sign ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
+      - name: Generate release artifacts
         if: startsWith(github.ref, 'refs/tags/v')
         run: |
           mkdir -p config/release
           kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
           kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
-      - name: Create release
+          echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
+      - uses: anchore/sbom-action/download-syft@v0
+      - name: Create release and SBOM
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: ncipollo/release-action@v1
+        uses: goreleaser/goreleaser-action@v2
         with:
-          prerelease: true
-          artifacts: "config/release/*.yaml"
-          artifactContentType: "text/plain"
-          body: |
-            [CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)
-          token: ${{ secrets.GITHUB_TOKEN }}
+          version: latest
+          args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scan.yml

@@ -8,6 +8,10 @@ on:
   schedule:
     - cron: '18 10 * * 3'
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for codeQL to write security events
+
 jobs:
   fossa:
     name: FOSSA

.gitignore

@@ -13,8 +13,9 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
-testbin/
 bin/
 config/release/
 config/crd/bases/gitrepositories.yaml
 config/crd/bases/buckets.yaml
+
+build/

.goreleaser.yaml

@@ -0,0 +1,39 @@
+project_name: kustomize-controller
+
+builds:
+  - skip: true
+
+release:
+  prerelease: "true"
+  extra_files:
+    - glob: config/release/*.yaml
+
+checksum:
+  extra_files:
+    - glob: config/release/*.yaml
+
+source:
+  enabled: true
+  name_template: "{{ .ProjectName }}_{{ .Version }}_source_code"
+
+sboms:
+  - id: source
+    artifacts: source
+    documents:
+      - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+# signs the checksum file
+# all files (including the sboms) are included in the checksum
+# https://goreleaser.com/customization/sign
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+    artifacts: checksum
+    output: true

CHANGELOG.md

@@ -2,6 +2,69 @@
 
 All notable changes to this project are documented in this file.
 
+## 0.20.0
+
+**Release date:** 2022-02-01
+
+This prerelease comes with security improvements for multi-tenant clusters:
+- Platform admins can enforce impersonation across the cluster using the `--default-service-account` flag.
+  When the flag is set, all `Kustomizations`, which don't have `spec.serviceAccountName` specified,
+  use the service account name provided by `--default-service-account=<SA Name>` in the namespace of the object.
+- Platform admins can disable cross-namespace references with the `--no-cross-namespace-refs=true` flag.
+  When this flag is set, `Kustomizations` can only refer to sources (`GitRepositories` and `Buckets`)
+  in the same namespace as the `Kustomization` object, preventing tenants from accessing another tenant's repositories.
+
+The controller container images are signed with
+[Cosign and GitHub OIDC](https://github.com/sigstore/cosign/blob/22007e56aee419ae361c9f021869a30e9ae7be03/KEYLESS.md),
+and a Software Bill of Materials in [SPDX format](https://spdx.dev) has been published on the release page.
+
+Starting with this version, the controller deployment conforms to the
+Kubernetes [restricted pod security standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted):
+- all Linux capabilities were dropped
+- the root filesystem was set to read-only
+- the seccomp profile was set to the runtime default
+- run as non-root was enabled
+- the user and group ID was set to 65534
+
+**Breaking changes**:
+- The use of new seccomp API requires Kubernetes 1.19.
+- The controller container is now executed under 65534:65534 (userid:groupid).
+  This change may break deployments that hard-coded the user ID of 'controller' in their PodSecurityPolicy.
+- When both `spec.kubeConfig` and `spec.ServiceAccountName` are specified, the controller will impersonate
+  the service account on the target cluster, previously the controller ignored the service account.
+
+Features:
+- Allow setting a default service account for impersonation
+  [#550](https://github.com/fluxcd/kustomize-controller/pull/550)
+- Allow disabling cross-namespace references
+  [#549](https://github.com/fluxcd/kustomize-controller/pull/549)
+- SOPS: Add support for HashiCorp Vault token-based authentication
+  [#538](https://github.com/fluxcd/kustomize-controller/pull/538)
+
+Improvements:
+- Publish SBOM and sign release artifacts
+  [#541](https://github.com/fluxcd/kustomize-controller/pull/541)
+- Drop capabilities, enable seccomp and enforce runAsNonRoot
+  [#539](https://github.com/fluxcd/kustomize-controller/pull/539)
+- docs: Add var substitution operator escape syntax
+  [#537](https://github.com/fluxcd/kustomize-controller/pull/537)
+- Update development documentation
+  [#540](https://github.com/fluxcd/kustomize-controller/pull/540)
+- Refactor Fuzz implementation
+  [#536](https://github.com/fluxcd/kustomize-controller/pull/536)
+
+Fixes:
+* Revoke kubectl managed fields ownership
+  [#527](https://github.com/fluxcd/kustomize-controller/pull/527)
+* Ensure object are finalized under impersonation
+  [#552](https://github.com/fluxcd/kustomize-controller/pull/552)
+* Use patch instead of update when adding finalizers
+  [#535](https://github.com/fluxcd/kustomize-controller/pull/535)
+* Fix preflight validation
+  [#544](https://github.com/fluxcd/kustomize-controller/pull/544)
+* Fix the missing protocol for the first port in manager config
+  [#547](https://github.com/fluxcd/kustomize-controller/pull/547)
+
 ## 0.19.1
 
 **Release date:** 2022-01-13