Merge branch 'main' into renovate/pepr

.github/bundles/aks/uds-bundle.yaml

@@ -6,7 +6,7 @@ metadata:
   name: uds-core-aks-nightly
   description: A UDS bundle for deploying UDS Core on AKS
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -17,7 +17,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     overrides:
       istio-admin-gateway:

.github/bundles/eks/uds-bundle.yaml

@@ -6,7 +6,7 @@ metadata:
   name: uds-core-eks-nightly
   description: A UDS bundle for deploying EKS and UDS Core
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -17,7 +17,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     optionalComponents:
       - metrics-server

.github/bundles/rke2/uds-bundle.yaml

@@ -6,7 +6,7 @@ metadata:
   name: uds-core-rke2-nightly
   description: A UDS bundle for deploying RKE2 and UDS Core
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -38,7 +38,7 @@ packages:
   - name: core
     path: ../../../build
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     optionalComponents:
       - metrics-server

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-    ".": "0.29.1"
+    ".": "0.30.0"
 }

CHANGELOG.md

@@ -2,6 +2,34 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.30.0](https://github.com/defenseunicorns/uds-core/compare/v0.29.1...v0.30.0) (2024-10-28)
+
+
+### ⚠ BREAKING CHANGES
+
+* remove uds-runtime from core ([#955](https://github.com/defenseunicorns/uds-core/issues/955))
+
+### Features
+
+* add finalizer for UDS Package CRs ([#953](https://github.com/defenseunicorns/uds-core/issues/953)) ([fa42714](https://github.com/defenseunicorns/uds-core/commit/fa427142b8a7391504eb2133614cf7504e0259ab))
+* adds registry1 flavor of uds runtime ([#925](https://github.com/defenseunicorns/uds-core/issues/925)) ([0011852](https://github.com/defenseunicorns/uds-core/commit/0011852dd6c8f1305e2fa0c837db45f3c1801c31))
+
+
+### Bug Fixes
+
+* batch authservice checksum updates ([#735](https://github.com/defenseunicorns/uds-core/issues/735)) ([100d35b](https://github.com/defenseunicorns/uds-core/commit/100d35bfb05545b2a6adb75c918e6e93eda0a312))
+* logout redirect uri ([#945](https://github.com/defenseunicorns/uds-core/issues/945)) ([8e2b5d8](https://github.com/defenseunicorns/uds-core/commit/8e2b5d840bcddc7af299ff8845836c08a54a35c8))
+* resolve lingering note formatting ([#938](https://github.com/defenseunicorns/uds-core/issues/938)) ([455a530](https://github.com/defenseunicorns/uds-core/commit/455a53020cee8fe9edf629366401c70fd47ef355))
+* vector remap language logic typo ([#959](https://github.com/defenseunicorns/uds-core/issues/959)) ([89af729](https://github.com/defenseunicorns/uds-core/commit/89af7292b11ac9a9d100ba1e6a81c81441472f14))
+
+
+### Miscellaneous
+
+* add proper version update to aks nightly bundle ([#942](https://github.com/defenseunicorns/uds-core/issues/942)) ([2f51c75](https://github.com/defenseunicorns/uds-core/commit/2f51c75d761e3385a3ae46cb62d6375210620c37))
+* block local auth for neuvector ([#965](https://github.com/defenseunicorns/uds-core/issues/965)) ([8f25b41](https://github.com/defenseunicorns/uds-core/commit/8f25b41e4c187680e8353e31cdd4f37e19063338))
+* **deps:** update vector to 0.42.0 ([#946](https://github.com/defenseunicorns/uds-core/issues/946)) ([2f63db2](https://github.com/defenseunicorns/uds-core/commit/2f63db2f26cb30c056f376b1823f758cd403aefe))
+* remove uds-runtime from core ([#955](https://github.com/defenseunicorns/uds-core/issues/955)) ([c6f6664](https://github.com/defenseunicorns/uds-core/commit/c6f66649bef5fef8e14eeb157a1ba76d2e96c78b))
+
 ## [0.29.1](https://github.com/defenseunicorns/uds-core/compare/v0.29.0...v0.29.1) (2024-10-18)
 
 

README.md

@@ -55,7 +55,7 @@ If you want to try out UDS Core, you can use the [k3d-core-demo bundle](./bundle
 <!-- x-release-please-start-version -->
 
 ```bash
-uds deploy k3d-core-demo:0.29.1
+uds deploy k3d-core-demo:0.30.0
 ```
 
 <!-- x-release-please-end -->
@@ -69,7 +69,7 @@ Deploy Istio, Keycloak and Pepr:
 <!-- x-release-please-start-version -->
 
 ```bash
-uds deploy k3d-core-slim-dev:0.29.1
+uds deploy k3d-core-slim-dev:0.30.0
 ```
 
 <!-- x-release-please-end -->

bundles/k3d-slim-dev/uds-bundle.yaml

@@ -6,7 +6,7 @@ metadata:
   name: k3d-core-slim-dev
   description: A UDS bundle for deploying Istio from UDS Core on a development cluster
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -37,7 +37,7 @@ packages:
   - name: core-base
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     overrides:
       istio-admin-gateway:
@@ -73,7 +73,7 @@ packages:
   - name: core-identity-authorization
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     overrides:
       keycloak:

bundles/k3d-standard/uds-bundle.yaml

@@ -6,7 +6,7 @@ metadata:
   name: k3d-core-demo
   description: A UDS bundle for deploying the standard UDS Core package on a development cluster
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 packages:
@@ -37,7 +37,7 @@ packages:
   - name: core
     path: ../../build/
     # x-release-please-start-version
-    ref: 0.29.1
+    ref: 0.30.0
     # x-release-please-end
     optionalComponents:
       - istio-passthrough-gateway

docs/reference/UDS Core/distribution-support.md

@@ -12,6 +12,6 @@ UDS Core is a versatile software baseline designed to operate effectively across
 
 | Distribution    | Category               | Support Level                                                                                             |
 | --------------- | ---------------------- | --------------------------------------------------------------------------------------------------------- |
-| K3d/K3s, Amazon EKS | Tested                 | Supported Kubernetes distributions undergoing testing in CI environments.                                 |
+| K3d/K3s, Amazon EKS, Azure AKS, RKE2 on AWS | Tested                 | Supported Kubernetes distributions undergoing testing in CI environments.                                 |
 | RKE2            | Tested                 | Supported Kubernetes distribution tested in production environments other than CI.                        |
 | Other           | Untested/Unknown state | Compatible Kubernetes distributions that are not explicitly tested, documented, or supported by UDS Core. |

docs/reference/configuration/pepr-policies.md

@@ -43,7 +43,7 @@ Mutations can be exempted using the same [Pepr Policy Exemptions](#pepr-policy-e
 |[Restrict Volume Types](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-volume-types.yaml) | [`RestrictVolumeTypes`](https://github.com/defenseunicorns/uds-core/blob/v0.27.0/src/pepr/policies/storage.ts#L7-L52) | Implemented: ✅ <br> Subject: **Pod** <br> Severity: **medium** <br><br> Volume types, beyond the core set, should be restricted to limit exposure to potential vulnerabilities in Container Storage Interface (CSI) drivers. In addition, HostPath volumes should not be. |
 |[Restrict Sysctls](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-sysctls.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **Pod** <br> Severity: **high** <br><br> Sysctl can disable security mechanisms or affect all containers on a host, and should be restricted to an allowed "safe" subset. A sysctl is considered safe if it is namespaced and is isolated from other Pods and processes on the same Node. This policy ensures that all sysctls are in the allowed list.
 |[Restrict Image Registries](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-image-registries.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **Pod** <br> Severity: **high** <br><br> Images from unknown, public registries can be of dubious quality and may not be scanned and secured, representing a high degree of risk. Requiring use of known, approved registries helps reduce threat exposure by ensuring image pulls only come from them. This policy validates that all images originate from a registry in the approved list.|
-|[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **PersistentVolume** <br> Severity: **medium** <br><br> PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. |
+|[Restrict hostPath Volume PV Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount-pv.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **PersistentVolume** <br> Severity: **medium** <br><br> PersistentVolume using hostPath consume the underlying node's file system. If not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that PV hostPath is in the allowed list. |
 |[Restrict hostPath Volume Mountable Paths](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-host-path-mount.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **Pod** <br> Severity: **medium** <br><br>  hostPath volumes consume the underlying node's file system. If hostPath volumes are not universally disabled, they should be restricted to specific host paths to prevent access to sensitive information. This policy ensures that hostPath volume paths are in the allowed list. |
 |[Restrict External IPs (CVE-2020-8554)](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-external-ips.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **Service** <br> Severity: **medium** <br><br>  Service externalIPs can be used for a MITM attack (CVE-2020-8554). This policy restricts externalIPs to a specified list. |
 |[Restrict AppArmor Profile](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies/-/blob/main/chart/templates/restrict-apparmor.yaml) | Not Implemented | Implemented: ❌ <br> Subject: **Pod** <br> Severity: **high** <br><br> On hosts using Debian Linux distros, AppArmor is used as an access control framework. AppArmor uses the 'runtime/default' profile by default. This policy ensures Pods do not override the AppArmor profile with values outside of the allowed list. |

packages/backup-restore/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Backup and Restore)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

packages/base/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Base)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: []
 

packages/identity-authorization/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Identity & Authorization)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

packages/logging/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Logging)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

packages/metrics-server/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Metrics Server)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base"]
 

packages/monitoring/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core Monitoring (Prometheus and Grafana)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base", "identity-authorization"]
 

packages/runtime-security/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core (Runtime Security)"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
   x-uds-dependencies: ["base", "identity-authorization"]
 

packages/standard/zarf.yaml

@@ -7,7 +7,7 @@ metadata:
   description: "UDS Core"
   authors: "Defense Unicorns - Product"
   # x-release-please-start-version
-  version: "0.29.1"
+  version: "0.30.0"
   # x-release-please-end
 
 components:

src/neuvector/chart/templates/neuvector-deny.yaml

@@ -0,0 +1,20 @@
+# Copyright 2024 Defense Unicorns
+# SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+
+{{- if .Values.denyLocalAuth }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: neuvector-deny-local-login
+  namespace: {{ .Release.Namespace }}
+spec:
+  action: DENY
+  selector:
+    matchLabels:
+      app: neuvector-manager-pod
+  rules:
+  - to:
+    - operation:
+        paths: ["/auth"]
+        ports: ["8443"]
+{{- end }}

src/neuvector/chart/templates/uds-package.yaml

@@ -1,5 +1,6 @@
 # Copyright 2024 Defense Unicorns
 # SPDX-License-Identifier: AGPL-3.0-or-later OR LicenseRef-Defense-Unicorns-Commercial
+{{- $neuvectorAdminPass := join "" (list (randAlphaNum 12) (randAlpha 2 | upper) (randAlpha 2 | lower) (randNumeric 2))}}
 
 apiVersion: uds.dev/v1alpha1
 kind: Package
@@ -24,6 +25,13 @@ spec:
         - "https://neuvector.admin.{{ .Values.domain }}/openId_auth"
       secretName: neuvector-secret
       secretTemplate:
+        userinitcfg.yaml: |-
+          always_reload: true
+          users:
+            - username: admin
+              fullname: admin
+              password: {{ $neuvectorAdminPass }}
+              role: admin
         oidcinitcfg.yaml: |-
           always_reload: true
           client_id: clientField(clientId)

src/neuvector/chart/values.yaml

@@ -7,3 +7,5 @@ grafana:
   enabled: false
 
 generateInternalCert: false
+
+denyLocalAuth: true

src/pepr/operator/controllers/istio/injection.ts

@@ -164,7 +164,8 @@ async function killPods(ns: string, enableInjection: boolean) {
     }
 
     for (const pod of group) {
-      log.info(`Deleting pod ${ns}/${pod.metadata?.name} to enable the istio sidecar`);
+      const action = enableInjection ? "enable" : "remove";
+      log.info(`Deleting pod ${ns}/${pod.metadata?.name} to ${action} the istio sidecar`);
       await K8s(kind.Pod).Delete(pod);
     }
   }