Minor security hardening

[jotak]

Description

• sha pinning of the remaining github-owned actions
• dependabot setting for docker & actions
• force tls client minversion
• remove bad practice promoted in sample file (wildcard permissions)

Dependencies

n/a

Checklist

• Does the changes in PR need specific configuration or environment set up for testing?
  • if so please describe it in PR description.
• I have added thorough unit tests for the change.
• QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

To run a perfscale test, comment with: /test flp-node-density-heavy-25nodes

Summary by CodeRabbit

• New Features

  • Added automated update checks for GitHub Actions and Docker-related content.

• Bug Fixes

  • Improved workflow reliability by locking several build and release steps to fixed versions.
  • Updated the release process to create and upload release assets more smoothly.
  • Enforced stronger TLS requirements for client connections.

• Chores

  • Hardened Kubernetes deployment settings and narrowed access permissions for better security.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign memodi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

Dependabot adds GitHub Actions and Docker update entries. Several workflows pin GitHub Actions to commit SHAs, the release workflow switches to softprops/action-gh-release, Kubernetes deployment permissions are tightened, and ClientTLS.Build() now requires TLS 1.3.

Changes

GitHub automation updates

Layer / File(s)	Summary
Dependabot schedules .github/dependabot.yml	Adds Dependabot update entries for github-actions in .github and docker in contrib/docker.
Workflow action pinning .github/workflows/build_image_pr.yml, .github/workflows/pull_request*.yml, .github/workflows/push_image*.yml, .github/workflows/release.yml	Replaces floating GitHub Actions tags with pinned commit SHAs across checkout, setup-go, artifact, and script steps.
Release publishing .github/workflows/release.yml	Replaces the draft release upload flow with softprops/action-gh-release uploading ./release-assets/* for ${{ env.tag }}.

Runtime security hardening

Layer / File(s)	Summary
Kubernetes hardening contrib/kubernetes/deployment.yaml	Adds a container securityContext and replaces wildcard ClusterRole access with read-only permissions for nodes, pods, services, deployments, and replicasets.
TLS minimum version pkg/api/tls.go	Sets the generated TLS config minimum version to TLS 1.3.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• netobserv/flowlogs-pipeline#1273: Also changes GitHub Actions workflow references and related workflow settings in this repository.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and clearly reflects the main change: security hardening across workflows, Dependabot, TLS, and RBAC.
Description check	✅ Passed	The description matches the template and includes Description, Dependencies, and Checklist sections with the key items filled in.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Linked repositories: Your configuration references 2 linked repositories, but your current plan allows 0. Analyzed ``, skipped netobserv/netobserv-operator, `netobserv/netobserv-ebpf-agent`.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

contrib/kubernetes/deployment.yaml (1)

17-35: 🩺 Stability & Availability | 🟠 Major

Add CPU and memory requests/limits for flowlogs-pipeline.

The flowlogs-pipeline container (lines 17–35) lacks a resources block, leaving scheduling and resource enforcement undefined. Although resources: appears at lines 91/101, those likely belong to another container or init container in this pod spec.

Add the following to ensure stability and availability:

          resources:
            requests:
              cpu: "100m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "512Mi"

Adjust values based on actual benchmark data.

Location: contrib/kubernetes/deployment.yaml (add under securityContext in the flowlogs-pipeline container).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contrib/kubernetes/deployment.yaml` around lines 17 - 35, The
flowlogs-pipeline container definition is missing its own resources block, so
add CPU and memory requests/limits directly in the flowlogs-pipeline container
spec in the deployment manifest. Place the resources stanza alongside the
existing image, args, volumeMounts, and securityContext fields for that
container, and ensure it includes requests and limits for both cpu and memory.
Use the flowlogs-pipeline container entry to locate the correct section, since
other resources blocks in the pod spec may belong to different containers.

Source: Path instructions

🧹 Nitpick comments (2)

.github/workflows/release.yml (1)

46-53: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider zizmor's gh release suggestion optionally.

zizmor flags softprops/action-gh-release as superfluous. Using gh release create directly is viable and reduces third-party action dependency:

- name: create draft release and upload binaries
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    gh release create "${{ env.tag }}" \
      --draft \
      --title "${{ env.tag }}" \
      ./release-assets/*

However, the current action is legitimate and widely-used. This is optional.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 46 - 53, The release workflow
currently uses softprops/action-gh-release, which zizmor flags as superfluous;
optionally switch the “create draft release and upload binaries” step to a
direct gh release create invocation instead. Update the release job to use
GH_TOKEN with the built-in gh CLI, and preserve the existing behavior of
creating a draft release, setting the title to env.tag, and uploading
release-assets/*.

Source: Linters/SAST tools

contrib/kubernetes/deployment.yaml (1)

30-35: 🩺 Stability & Availability | 🔵 Trivial

Add explicit runAsUser and runAsGroup for defense-in-depth

The image contrib/docker/Dockerfile sets USER 65532:65532, satisfying runAsNonRoot: true. Explicitly set runAsUser and runAsGroup in contrib/kubernetes/deployment.yaml (lines 30–35) to enforce the UID regardless of image changes.

Current fragment

          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop: [ALL]

Add:

            runAsUser: 65532
            runAsGroup: 65532

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contrib/kubernetes/deployment.yaml` around lines 30 - 35, Add explicit user
and group IDs to the Kubernetes pod securityContext in deployment.yaml:
alongside runAsNonRoot, set runAsUser and runAsGroup to 65532 so the workload
continues to run as the intended non-root identity even if the image USER
changes. Update the securityContext block near the existing
allowPrivilegeEscalation, readOnlyRootFilesystem, and capabilities settings.

Source: Path instructions

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/api/tls.go`:
- Line 37: The ClientTLS setup currently hardcodes tls.VersionTLS13, which
breaks TLS 1.2-only endpoints. Update the ClientTLS configuration in tls.go to
make MinVersion configurable instead of fixed, and ensure the code path that
builds the TLS config uses that field with a sensible default that preserves
existing TLS 1.2 compatibility. If you intentionally keep TLS 1.3 as the
minimum, then treat it as a breaking change by updating the release/migration
notes and adding tests that cover TLS 1.2 fallback behavior.

---

Outside diff comments:
In `@contrib/kubernetes/deployment.yaml`:
- Around line 17-35: The flowlogs-pipeline container definition is missing its
own resources block, so add CPU and memory requests/limits directly in the
flowlogs-pipeline container spec in the deployment manifest. Place the resources
stanza alongside the existing image, args, volumeMounts, and securityContext
fields for that container, and ensure it includes requests and limits for both
cpu and memory. Use the flowlogs-pipeline container entry to locate the correct
section, since other resources blocks in the pod spec may belong to different
containers.

---

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 46-53: The release workflow currently uses
softprops/action-gh-release, which zizmor flags as superfluous; optionally
switch the “create draft release and upload binaries” step to a direct gh
release create invocation instead. Update the release job to use GH_TOKEN with
the built-in gh CLI, and preserve the existing behavior of creating a draft
release, setting the title to env.tag, and uploading release-assets/*.

In `@contrib/kubernetes/deployment.yaml`:
- Around line 30-35: Add explicit user and group IDs to the Kubernetes pod
securityContext in deployment.yaml: alongside runAsNonRoot, set runAsUser and
runAsGroup to 65532 so the workload continues to run as the intended non-root
identity even if the image USER changes. Update the securityContext block near
the existing allowPrivilegeEscalation, readOnlyRootFilesystem, and capabilities
settings.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1fce5369-ca7b-4271-a061-0b46861b6a58

📥 Commits

Reviewing files that changed from the base of the PR and between b13553f and 030d1a4.

📒 Files selected for processing (9)

• .github/dependabot.yml
• .github/workflows/build_image_pr.yml
• .github/workflows/pull_request.yml
• .github/workflows/pull_request_e2e.yml
• .github/workflows/push_image.yml
• .github/workflows/push_image_pr.yml
• .github/workflows/release.yml
• contrib/kubernetes/deployment.yaml
• pkg/api/tls.go

[coderabbitai]

🩺 Stability & Availability | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check whether docs/tests/config samples mention the new TLS 1.3 requirement
# or provide a migration path for existing TLS 1.2 deployments.
fd -e go -e md -e yaml -e yml -e json -e toml | xargs rg -n \
  'ClientTLS|MinVersion|VersionTLS|TLS 1\.2|TLS 1\.3|tlsVersion|min.*tls|caCertPath|insecureSkipVerify'

Repository: netobserv/flowlogs-pipeline

Length of output: 22179

---

TLS 1.3 enforcement is a breaking change for TLS 1.2-only endpoints.

Hardcoding MinVersion: tls.VersionTLS13 in pkg/api/tls.go immediately breaks connections to Kafka brokers or gRPC servers supporting only TLS 1.2. Add a configurable MinVersion field to ClientTLS or publish a major release with explicit migration notes and tests covering TLS 1.2 fallback.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/api/tls.go` at line 37, The ClientTLS setup currently hardcodes
tls.VersionTLS13, which breaks TLS 1.2-only endpoints. Update the ClientTLS
configuration in tls.go to make MinVersion configurable instead of fixed, and
ensure the code path that builds the TLS config uses that field with a sensible
default that preserves existing TLS 1.2 compatibility. If you intentionally keep
TLS 1.3 as the minimum, then treat it as a breaking change by updating the
release/migration notes and adding tests that cover TLS 1.2 fallback behavior.

Source: Path instructions

[github-actions]

New image:

quay.io/netobserv/flowlogs-pipeline:030d1a43

It will expire in two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=030d1a43 make set-flp-image

[openshift-ci]

@jotak: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/qe-e2e-tests	030d1a4	link	false	/test qe-e2e-tests

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.