Add pod logs (#350)

* Add explicit entry for pods/log to the read only role * missing commas in struct init * Extend nancy for 2 months * add cves to nancy * add missed cve to nancy * Update changelog to include description of effort
giantswarm · Oct 25, 2022 · f1d3692 · f1d3692
1 parent cfda6e3
commit f1d3692
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/.nancy-ignore b/.nancy-ignore
@@ -1,11 +1,19 @@
 # Nancy found vulns for consul api 1.12.0 -> no new version
-CVE-2022-29153 until=2022-09-30
-CVE-2022-24687 until=2022-09-30
+CVE-2022-29153 until=2022-11-30
+CVE-2022-24687 until=2022-11-30
+CVE-2021-41803 until=2022-11-30
 # kataras/iris/[email protected] -> no new version
-CVE-2021-23772 until=2022-09-30
+CVE-2021-23772 until=2022-11-30
 # github.com/valyala/fasthttp
-CVE-2022-21221 until=2022-06-30
+CVE-2022-21221 until=2022-11-30
 # github.com/microcosm-cc/bluemonday
-CVE-2021-42576 until=2022-06-30
+CVE-2021-42576 until=2022-11-30
+# nats server
+CVE-2022-42708 until=2022-11-30
+CVE-2022-42709 until=2022-11-30
+# x/text
+CVE-2022-32149 until=2022-11-30
 # github.com/urfave/negroni
-sonatype-2021-1485 until=2022-09-30
+sonatype-2021-1485 until=2022-11-30
+sonatype-2022-5436 until=2022-11-30
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- Extend readonly ClusterRole to include pods/log so customers can debug failures on the management clusters.
+
 ## [0.30.2] - 2022-08-11
 
 ### Changed
@@ -29,7 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- Add write-silences for flux automation account in every org-namespace 
+- Add write-silences for flux automation account in every org-namespace
 
 ## [0.28.1] - 2022-05-18
 

diff --git a/service/internal/bootstrap/resources.go b/service/internal/bootstrap/resources.go
@@ -98,6 +98,15 @@ func (b *Bootstrap) createReadAllClusterRole(ctx context.Context) error {
 				}
 				policyRules = append(policyRules, policyRule)
 			}
+			// ServerPreferredResources explicitely ignores any resource containing a '/'
+			// but we require this for enabling pods/logs for customer access to
+			// kubernetes pod logging. This is appended as a specific rule instead.
+			policyRule := rbacv1.PolicyRule{
+				APIGroups: []string{""},
+				Resources: []string{"pods/log"},
+				Verbs:     []string{"get", "list"},
+			}
+			policyRules = append(policyRules, policyRule)
 		}
 	}