fix(build): security

devopstales · Feb 25, 2024 · 2bbdb9d · 2bbdb9d
1 parent fec40a8
commit 2bbdb9d
Show file tree

Hide file tree

Showing 6 changed files with 97 additions and 76 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
 codeSHELL=/bin/bash -o pipefail
-export VERSION=0.1
+export VERSION=3.0
 
 .ONESHELL: # Applies to every targets in the file!
 .PHONY:	all
@@ -41,4 +41,4 @@ kdlogin-build: |
 	rm -f dist/choco/*.nupkg
 	env CGO_ENABLED=0 go build -o dist/linux/kubectl-kdlogin main.go
 	env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -o dist/osx/kubectl-kdlogin main.go
-	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o dist/windows/kubectl-kdlogin.exe main.go
+	env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -o dist/windows/kubectl-kdlogin.exe main.go
diff --git a/docker/kubedash/Dockerfile b/docker/kubedash/Dockerfile
@@ -31,13 +31,15 @@ RUN addgroup -S -g 10001 kubedash && \
 
 COPY requirements.txt  /code/
 
-RUN apk -U upgrade && \
-    apk add --no-cache postgresql-libs && \
+RUN apk add --no-cache postgresql-libs && \
     apk add --no-cache bash gcc musl-dev linux-headers && \
     apk add --no-cache --virtual .build-deps gcc build-base freetype-dev libpng-dev openblas-dev libffi-dev musl-dev postgresql-dev
 
-RUN pip install --no-cache-dir -r /code/requirements.txt && \
-    apk del gcc build-base freetype-dev libpng-dev openblas-dev libffi-dev musl-dev postgresql-dev llvm14-libs && \
+RUN apk -U upgrade
+
+RUN pip install --no-cache-dir -r /code/requirements.txt
+
+RUN apk del gcc build-base freetype-dev libpng-dev openblas-dev libffi-dev musl-dev postgresql-dev llvm14-libs && \
     apk --purge del .build-deps
 
 COPY entrypoint.sh /entrypoint.sh

diff --git a/docker/kubedash/gunicorn_conf.py b/docker/kubedash/gunicorn_conf.py
@@ -0,0 +1,14 @@
+import os
+
+# Gunicorn config variables
+bind = "0.0.0.0:8000"
+loglevel = "info"
+errorlog = "-"  # stderr
+accesslog = "-"  # stdout
+access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
+worker_tmp_dir = "/tmp/kubedash"
+workers = 1
+graceful_timeout = 120
+timeout = 120
+keepalive = 5
+threads = 3
diff --git a/docker/kubedash/requirements.txt b/docker/kubedash/requirements.txt
@@ -1,40 +1,45 @@
 # flask
-flask>=2.2.2
+flask==2.3.2
+Werkzeug==2.3.8
+Jinja2==3.1.3
+dnspython==2.6.1
+
 # database
-psycopg2
-SQLAlchemy>=2.0.4
-sqlalchemy_utils>=0.39.0
-flask_migrate>=4.0.4
-flask_sqlalchemy>=3.0.2
+psycopg2==2.9.7
+SQLAlchemy==2.0.17
+sqlalchemy_utils==0.41.1
+flask_migrate==4.0.4
+flask_sqlalchemy==3.0.5
 # login
-flask_login>=0.6.2
-flask_session>=0.4.0
-requests_oauthlib>=1.3.1 
-Flask_WTF>=1.1.1
+flask_login==0.6.2
+flask_session==0.5.0
+requests_oauthlib==1.3.1 
+Flask_WTF==1.1.1
 # web security
-flask_talisman>=1.0.0
+flask_talisman==1.0.0
 # kubernetes
-kubernetes>=25.3.0
-flask_healthz>=0.0.3
-pybase64>=1.2.3
+kubernetes==26.1.0
+flask_healthz==0.0.3
+pybase64==1.2.3
 # graphwiz
-pyvis>=0.3.2
+pyvis==0.3.2
 # socket
-flask_socketio>=5.3.2
-gevent-websocket>=0.10.1
-eventlet>=0.33.3
-
-# security
-#gunicorn>20.1.0
-#https://github.com/benoitc/gunicorn/archive/refs/heads/master.zip
-certifi>=2022.12.7
-setuptools>=65.6.3
-pyOpenSSL>=23.0.0
-ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability
+flask_socketio==5.3.4
+gevent-websocket==0.10.1
+eventlet==0.35.2
 
 # telemetry
-opentelemetry-sdk==1.20.0
-opentelemetry-api==1.20.0
-opentelemetry-exporter-otlp-proto-http==1.20.0
-opentelemetry-instrumentation-sqlalchemy
-opentelemetry-instrumentation-flask
+opentelemetry-sdk==1.23.0
+opentelemetry-api==1.23.0
+opentelemetry-exporter-otlp-proto-http==1.23.0
+opentelemetry-semantic-conventions==0.44b0
+opentelemetry-instrumentation-sqlalchemy==0.44b0
+opentelemetry-instrumentation-flask==0.44b0
+
+# security
+gunicorn==21.2.0
+certifi==2023.7.22
+setuptools==67.8.0
+ipython==8.14.0 # not directly required, pinned by Snyk to avoid a vulnerability
+pyOpenSSL==24.0.0
+cryptography==42.0.4
diff --git a/src/kubedash/kubedash.py b/src/kubedash/kubedash.py
@@ -11,9 +11,6 @@
 import eventlet
 import eventlet.wsgi
 
-import eventlet
-import eventlet.wsgi
-
 from functions.components import db, sess, login_manager, csrf, socketio
 from functions.helper_functions import string2list, var_test
 from functions.routes import routes
@@ -223,7 +220,7 @@ def readiness():
         connect_database()
     except Exception:
         raise HealthError("Can't connect to the database")
-    
+
 app.config.update(
     HEALTHZ = {
         "live":  app.name + ".liveness",
@@ -240,4 +237,4 @@ def readiness():
         eventlet.wsgi.server(eventlet.listen(('', 8000)), app, debug=False)
     else:
         eventlet.wsgi.server(eventlet.listen(('', 8000)), app, debug=True)
-    
+
diff --git a/src/kubedash/requirements.txt b/src/kubedash/requirements.txt
@@ -1,45 +1,48 @@
 # flask
-flask>=2.2.2
+flask==2.3.2
+Werkzeug==2.3.8
+Jinja2==3.1.3
+dnspython==2.6.1
+
 # database
-psycopg2
-SQLAlchemy>=2.0.4
-sqlalchemy_utils>=0.39.0
-flask_migrate>=4.0.4
-flask_sqlalchemy>=3.0.2
+psycopg2==2.9.7
+SQLAlchemy==2.0.17
+sqlalchemy_utils==0.41.1
+flask_migrate==4.0.4
+flask_sqlalchemy==3.0.5
 # login
-flask_login>=0.6.2
-flask_session>=0.4.0
-requests_oauthlib>=1.3.1 
-Flask_WTF>=1.1.1
+flask_login==0.6.2
+flask_session==0.5.0
+requests_oauthlib==1.3.1 
+Flask_WTF==1.1.1
 # web security
-flask_talisman>=1.0.0
+flask_talisman==1.0.0
 # kubernetes
-kubernetes>=25.3.0
-flask_healthz>=0.0.3
-pybase64>=1.2.3
+kubernetes==26.1.0
+flask_healthz==0.0.3
+pybase64==1.2.3
 # graphwiz
-pyvis>=0.3.2
+pyvis==0.3.2
 # socket
-flask_socketio>=5.3.2
-gevent-websocket>=0.10.1
-eventlet>=0.33.3
-# logging
-Werkzeug==2.3.0
-
-# security
-gunicorn>20.1.0
-#https://github.com/benoitc/gunicorn/archive/refs/heads/master.zip
-certifi>=2022.12.7
-setuptools>=65.6.3
-pyOpenSSL>=23.0.0
-ipython>=8.10.0 # not directly required, pinned by Snyk to avoid a vulnerability
+flask_socketio==5.3.4
+gevent-websocket==0.10.1
+eventlet==0.35.2
 
 # telemetry
-opentelemetry-sdk==1.20.0
-opentelemetry-api==1.20.0
-opentelemetry-exporter-otlp-proto-http==1.20.0
-opentelemetry-instrumentation-sqlalchemy
-opentelemetry-instrumentation-flask
+opentelemetry-sdk==1.23.0
+opentelemetry-api==1.23.0
+opentelemetry-exporter-otlp-proto-http==1.23.0
+opentelemetry-semantic-conventions==0.44b0
+opentelemetry-instrumentation-sqlalchemy==0.44b0
+opentelemetry-instrumentation-flask==0.44b0
+
+# security
+gunicorn==21.2.0
+certifi==2023.7.22
+setuptools==67.8.0
+ipython==8.14.0 # not directly required, pinned by Snyk to avoid a vulnerability
+pyOpenSSL==24.0.0
+cryptography==42.0.4
 
 # test
 pytest>=7.2.1
@@ -50,5 +53,5 @@ pytest-playwright>=0.3.1
 selenium>=4.8.2
 
 # for git-changelog
-GitPython==3.1.33
+GitPython==3.1.41
 gitdb2==3.0.1