c77ff07ce9
Remediation of the 2026-05-12/13 audits (78 findings + cluster gaps), tracked in deploy-k3s/SECURITY.md, plus fixes from two independent post-remediation reviews.

Auth & sessions:
- SHA-256 hashed auth-token storage (C1); prior-token cache eviction on re-login (MEDIUM-1)
- local Google JWKS verification, iss/aud/exp checks (C2/C3)
- constant-time login + generic errors (L1/LIVE-L11/LIVE-L13)
- per-account login lockout keyed on distinct source IPs (M5/MEDIUM-3)
- verified-email gating, login rate limiting (LIVE-L19, H1-H3)

IAP & webhooks:
- Apple/Google cross-account replay protection (C5/C6/C10/C13, H5/H6)
- migrations 000003-000006 (token hashing, IAP replay, audit_log + webhook_event_log table creation, append-only audit log)

Authorization & races:
- file-ownership owner-OR-member fix (C7), atomic share-code join (C9/H9), device-token reassignment (C8/LOW-3)

Secrets & deploy:
- secrets file-mounted at /etc/honeydue/secrets, not env (F8); Redis password out of the ConfigMap (HIGH-1); B2 keys reconciled
- digest-pinned images, admin ingress hardening, CSP/HSTS, /metrics lockdown; kubeconfig 0600, etcd secrets-encryption, fail2ban + unattended-upgrades at provision; secret-rotation runbook

Build, vet, and the full test suite (incl. -race) pass; the goose migration chain is verified against PostgreSQL 16.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
62 lines
3.0 KiB
YAML
# Kyverno image-signature verification policy (audit CODE-L5).
#
# ──────────────────────────────────────────────────────────────────────────
# THIS MANIFEST IS NOT APPLIED BY 03-deploy.sh. It is intentionally outside
# the script's apply set. Applying it before the prerequisites are in place
# would block every honeydue Pod from scheduling. Operator steps:
#
#   1. Install Kyverno in the cluster (it is an admission controller):
#        kubectl create -f https://github.com/kyverno/kyverno/releases/latest/download/install.yaml
#   2. Generate a cosign key pair and keep the private key safe:
#        cosign generate-key-pair   # -> cosign.key (PRIVATE) + cosign.pub
#      Set COSIGN_KEY=cosign.key in the deploy environment so 03-deploy.sh
#      signs images after pushing them (the signing step is already wired,
#      guarded, into 03-deploy.sh).
#   3. Paste the contents of cosign.pub into the publicKeys block below.
#   4. Apply this policy: kubectl apply -f deploy-k3s/manifests/kyverno-verify-images.yaml
#   5. After confirming honeydue Pods still schedule, flip
#      validationFailureAction from Audit to Enforce.
#
# Until then it is a documented, ready-to-use template — not active config.
# ──────────────────────────────────────────────────────────────────────────
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-honeydue-images
  annotations:
    policies.kyverno.io/title: Verify honeyDue image signatures
    policies.kyverno.io/description: >-
      Requires that honeyDue application images pulled into the honeydue
      namespace carry a valid cosign signature made with the operator's key.
spec:
  # Audit first — logs violations without blocking. Switch to Enforce once
  # signing is confirmed working end to end. Note that Kyverno fetches the
  # signatures from the registry itself: if gitea.treytartt.com requires
  # authentication, Kyverno must be given registry credentials first or
  # every verification fails (another reason to start in Audit).
  validationFailureAction: Audit
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-gitea-image-signatures
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - honeydue
      verifyImages:
        # Only the images we build and sign. Public base images
        # (redis, vmagent) are pinned by digest instead — see their manifests.
        - imageReferences:
            - "gitea.treytartt.com/admin/honeydue-api*"
            - "gitea.treytartt.com/admin/honeydue-worker*"
            - "gitea.treytartt.com/admin/honeydue-admin*"
            - "gitea.treytartt.com/admin/honeydue-web*"
          attestors:
            # One attestor, one key: the signature must verify against the
            # operator's cosign.pub pasted below (step 3).
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      REPLACE_WITH_CONTENTS_OF_cosign.pub
                      -----END PUBLIC KEY-----
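The operator steps in the header comment (sign with the cosign key, paste cosign.pub into the template, apply in Audit, promote to Enforce once Pods still schedule) can be scripted so the key body lands with the right indentation and the switch to Enforce is gated on a clean report. The script below is an added example, not part of deploy-k3s or 03-deploy.sh. It assumes cosign and kubectl are on PATH with cluster access, that the template lives at deploy-k3s/manifests/kyverno-verify-images.yaml as the comment says, and that Kyverno's PolicyReport CRD is installed (it is with the stock install.yaml); the function names, the TEMPLATE/NAMESPACE variables and the subcommand names are this example's own. Only the template rendering and its checks run offline; the signing and promotion functions call the real tools.

```shell
#!/usr/bin/env bash
# Added example for operator steps 2-5 of kyverno-verify-images.yaml.
# Not part of deploy-k3s. Assumes cosign + kubectl on PATH, cluster access,
# and Kyverno's PolicyReport CRD (installed by the stock install.yaml).
set -eu

PLACEHOLDER='REPLACE_WITH_CONTENTS_OF_cosign.pub'
TEMPLATE=${TEMPLATE:-deploy-k3s/manifests/kyverno-verify-images.yaml}
NAMESPACE=${NAMESPACE:-honeydue}

# render_policy TEMPLATE COSIGN_PUB [Audit|Enforce]
# Step 3 done mechanically: the placeholder line is replaced by the base64
# body of cosign.pub (its own BEGIN/END armor lines are dropped because the
# template already carries them), each line indented exactly like the
# placeholder so the `publicKeys: |-` block scalar stays valid YAML.
# validationFailureAction is rewritten to ACTION (default Audit, as shipped).
render_policy() {
  local template=$1 pubkey=$2 action=${3:-Audit}
  case "$action" in
    Audit|Enforce) ;;
    *) echo "render_policy: action must be Audit or Enforce, got '$action'" >&2; return 1 ;;
  esac
  awk -v keyfile="$pubkey" -v ph="$PLACEHOLDER" -v act="$action" '
    index($0, ph) {
      match($0, /^ */); indent = substr($0, 1, RLENGTH)
      while ((getline line < keyfile) > 0) {
        if (line ~ /^-----(BEGIN|END) PUBLIC KEY-----$/ || line == "") continue
        print indent line; n++
      }
      close(keyfile)
      next
    }
    /^ *validationFailureAction:/ { sub(/(Audit|Enforce)/, act) }
    { print }
    END { if (!n) { print "render_policy: no key body read from " keyfile > "/dev/stderr"; exit 2 } }
  ' "$template"
}

# verify_rendered FILE: refuse to apply a manifest that still carries the
# placeholder, has duplicated or missing PEM armor, or no key body at all.
verify_rendered() {
  local f=$1
  ! grep -q "$PLACEHOLDER" "$f" || { echo "verify_rendered: placeholder still present" >&2; return 1; }
  [ "$(grep -c -- '-----BEGIN PUBLIC KEY-----' "$f")" -eq 1 ] || return 1
  [ "$(grep -c -- '-----END PUBLIC KEY-----' "$f")" -eq 1 ] || return 1
  grep -Eq '^ +[A-Za-z0-9+/=]{20,}$' "$f" || return 1   # at least one base64 key line
}

# Step 2: sign an image with the private key and check the signature locally
# before relying on the cluster policy. cosign 2 prompts about the Rekor
# upload; add --yes for non-interactive runs.
sign_and_check() {
  local image=$1
  cosign sign --key "${COSIGN_KEY:?set COSIGN_KEY=cosign.key}" "$image"
  cosign verify --key cosign.pub "$image" >/dev/null
}

# Sum of `fail` results over all Kyverno PolicyReports in a namespace. This
# aggregates every policy reporting there, so filter if others exist.
policy_fail_count() {
  kubectl get policyreport -n "$1" -o jsonpath='{range .items[*]}{.summary.fail}{"\n"}{end}' \
    | awk '{ s += $1 } END { print s + 0 }'
}

# Step 5: only when the Audit-mode report is clean, re-render as Enforce and apply.
promote_to_enforce() {
  local fails
  fails=$(policy_fail_count "$NAMESPACE")
  if [ "$fails" -ne 0 ]; then
    echo "refusing to enforce: $fails verifyImages failure(s) reported in $NAMESPACE" >&2
    return 1
  fi
  render_policy "$TEMPLATE" cosign.pub Enforce | kubectl apply -f -
}

case "${1:-}" in
  render)  render_policy "$TEMPLATE" "${2:-cosign.pub}" "${3:-Audit}" ;;
  sign)    sign_and_check "${2:?image reference required}" ;;
  promote) promote_to_enforce ;;
  "")      ;;   # no subcommand: only define the functions
  *)       echo "usage: $0 render [cosign.pub] [Audit|Enforce] | sign IMAGE | promote" >&2; exit 64 ;;
esac
```

Typical use is `./kyverno-policy.sh render cosign.pub Audit > rendered.yaml`, `kubectl apply -f rendered.yaml`, a deploy or two in Audit while watching `kubectl get policyreport -n honeydue`, then `./kyverno-policy.sh promote`. Rendering rather than hand-pasting matters because a key line pasted with the wrong indentation silently becomes part of another YAML node, and Kyverno would then reject every Pod once the policy is in Enforce.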