
Commit 85c498a

authored
Merge pull request #66717 from wolfi-dev/cve-custom-pod-autoscaler-operator-1.4.2-r1-1fac07368670f1e68a5796b87f50224d
custom-pod-autoscaler-operator/1.4.2-r1: cve remediation
2 parents b2ff004 + 9abd60a commit 85c498a

1 file changed

+67
-2
lines changed

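--- a/custom-pod-autoscaler-operator.yaml
+++ b/custom-pod-autoscaler-operator.yaml
@@ -1,7 +1,7 @@
 package:
 name: custom-pod-autoscaler-operator
 version: "1.4.2"
-epoch: 1
+epoch: 2 # CVE-2025-47906
 description: Operator for managing Kubernetes Custom Pod Autoscalers (CPA).
 copyright:
 - license: Apache-2.0
@@ -73,7 +73,72 @@ test:
 uses: test/daemon-check-output
 with:
 setup: |
-helm install custom-pod-autoscaler-operator https://github.com/jthomperoo/custom-pod-autoscaler-operator/releases/download/v${{package.version}}/custom-pod-autoscaler-operator-v${{package.version}}.tgz
+# Fix permissions
+kubectl apply -f - <<'EOF'
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: cpa-operator
+rules:
+# Manage CPA CRs
+- apiGroups: ["custompodautoscaler.com"]
+resources: ["custompodautoscalers"]
+verbs: ["get", "list", "watch"]
+- apiGroups: ["custompodautoscaler.com"]
+resources: ["custompodautoscalers/status", "custompodautoscalers/finalizers"]
+verbs: ["get", "update", "patch"]
+
+# Core objects the operator reads/creates
+- apiGroups: [""]
+resources: ["pods", "serviceaccounts", "secrets", "configmaps", "events"]
+verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+
+# Workload APIs it may manage for runners
+- apiGroups: ["apps"]
+resources: ["deployments", "replicasets", "statefulsets"]
+verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: ["apps"]
+resources: ["deployments/scale", "replicasets/scale", "statefulsets/scale"]
+verbs: ["get", "update", "patch"]
+- apiGroups: [""]
+resources: ["replicationcontrollers"]
+verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+- apiGroups: [""]
+resources: ["replicationcontrollers/scale"]
+verbs: ["get", "update", "patch"]
+
+# RBAC: allow creating roles/bindings AND granting perms (escalate/bind)
+- apiGroups: ["rbac.authorization.k8s.io"]
+resources: ["roles", "rolebindings"]
+verbs: ["get", "list", "watch", "create", "update", "patch", "delete", "escalate", "bind"]
+# Often helpful so it can bind existing ClusterRoles if needed
+- apiGroups: ["rbac.authorization.k8s.io"]
+resources: ["clusterroles", "clusterrolebindings"]
+verbs: ["get", "list", "watch", "bind"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: cpa-operator
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: cpa-operator
+subjects:
+- kind: ServiceAccount
+name: cpa
+namespace: default
+EOF
+helm show crds https://github.com/jthomperoo/custom-pod-autoscaler-operator/releases/download/v${{package.version}}/custom-pod-autoscaler-operator-v${{package.version}}.tgz \
+| kubectl apply --server-side -f -
+kubectl wait --for=condition=Established crd/custompodautoscalers.custompodautoscaler.com --timeout=60s
+helm install custom-pod-autoscaler-operator \
+https://github.com/jthomperoo/custom-pod-autoscaler-operator/releases/download/v${{package.version}}/custom-pod-autoscaler-operator-v${{package.version}}.tgz \
+-n default --create-namespace \
+--set serviceAccount.create=false \
+--set serviceAccount.name=cpa \
+--set rbac.create=false \
+--wait
 start: "/operator"
 timeout: 10
 expected_output: |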
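Review bot: The `# Fix permissions` comment at new line 76 does not say what fails without the grant, yet what follows is a cluster-wide ClusterRole with `escalate`/`bind` on roles and rolebindings plus create/update/delete on `secrets` in every namespace — effectively unbounded privilege for the `cpa` service account, which is only defensible in a throwaway test cluster and should be labelled as such so it is not copied as deployment guidance. Replace the comment with something like `# Test-only: the chart's RBAC is disabled below (rbac.create=false) and presumably does not cover what the operator needs to start; this ClusterRole is deliberately broad so the daemon check passes — not a deployment recommendation.`, and consider narrowing the `secrets` and `rbac.authorization.k8s.io` rules to a namespaced Role in `default` if the operator tolerates it. The ClusterRoleBinding's subject is ServiceAccount `cpa` in `default`, but nothing visible in the hunk creates that service account and the install passes `--set serviceAccount.create=false`; if the chart does not create it under some other setting, the operator pod will be rejected for a missing service account, so it is worth confirming or adding an explicit `kubectl create serviceaccount cpa -n default` before the `helm install`. The `setup:` block scalar is fully inside the hunk, but the enclosing pipeline step continues past it (`expected_output: |` is the last visible line).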
